
High CPU usage by ekrn.exe at address NODIoctl+0x19910


System Information:
Product: ESET Internet Security, Version
OS: Windows 7 Ultimate (32-bit)
CPU: Pentium(R) Dual-Core CPU E5700 @ 3.00GHz 
Memory: 2.00 GB RAM
Whenever EIS finds a threat [1] on the hard drive [2], ekrn.exe uses a constant amount of about 50% of CPU. Running an in-depth computer scan for a couple of minutes doesn't use a constant amount, but rather a variable one that almost never reaches 49%. Process Explorer showed that the ekrn.exe thread that caused the spike is at address NODIoctl+0x19910. NODIoctl is a function exported from multiple EIS modules like ekrnScan.dll and ekrnAmon.dll. Process Monitor basically shows that ekrn.exe was trying to access non-existent files by "guessing" [4] their names using existent registry values, folder names, file names, environment variables [3], etc. Most of those files had extensions like .sys, .scr, .exe, .dll, .com, .bat, and .cmd.

[1] The problem is not threat-specific. I confirmed this with the EICAR test file to make sure.
[2] Threats discovered in web pages like https://secure.eicar.org/eicar.com.txt don't cause this problem. However, if I restore the discovered threat from the quarantine to any place on the computer, the spike occurs.
[3] Deleting Path and PATHEXT, two of the system variables, reduced the spike time, but didn't make it disappear.
[4] For example, ekrn.exe was trying to access G:\938b207aa93805367dcf11ff.exe, a non-existent file whose name it guessed via a registry value: "InstallSource: g:\938b207aa93805367dcf11ff\", a temporary directory that was created when I installed a C++ Redistributable.


  • Administrators

Does the CPU utilization take minutes? During cleaning, it's possible that one core of the CPU is utilized to the maximum. It's not an issue since no threat should be found in the first place and, if a threat is found, CPU resources are not that important that we could not utilize them to finish the cleaning ASAP, since cleaning the threat is top priority at that point.

If the problem is that CPU utilization doesn't go down, let's say, after 10 seconds or more, please provide a Procmon log as well as a full dump of ekrn from that time.


Sorry, I can't believe I forgot to mention that. The spike takes about five minutes but it was reduced when I deleted Path and PATHEXT.

And unfortunately, my connection speed is slower than you can imagine. Uploading anything as much as 10 MB would take forever, let alone uploading a Procmon log (100+ MB) and a full dump of ekrn (300+ MB).

Are there no other ways to figure out the problem?


This topic is now closed to further replies.
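
The file-probing pattern described in the first post can be counted from a Process Monitor CSV export instead of being read row by row. This is an added example, not part of the thread and not ESET tooling; it assumes Procmon's default CSV column names, and every sample row is constructed except the G:\ path quoted in the post.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed rows in Procmon's CSV export layout; only the G:\ path is from the post.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0000001","ekrn.exe","1234","CreateFile","G:\938b207aa93805367dcf11ff.exe","NAME NOT FOUND",""
"10:01:00.0000002","ekrn.exe","1234","CreateFile","C:\Windows\System32\example.dll","NAME NOT FOUND",""
"10:01:00.0000003","ekrn.exe","1234","QueryOpen","C:\Windows\example.DLL","NAME NOT FOUND",""
"10:01:00.0000004","ekrn.exe","1234","CreateFile","C:\Temp\example.scr","PATH NOT FOUND",""
"10:01:00.0000005","ekrn.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:00.0000006","ekrn.exe","1234","RegOpenKey","HKLM\SOFTWARE\Example.exe","NAME NOT FOUND",""
"10:01:00.0000007","explorer.exe","4321","CreateFile","C:\Users\user\missing.exe","NAME NOT FOUND",""
'''

# Results Procmon reports when the file or one of its parent folders is absent.
MISS_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND"}


def summarize_misses(csv_text, process="ekrn.exe"):
    """Return (Counter of extensions, sorted unique paths) for failed file lookups."""
    by_ext = Counter()
    paths = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue  # another process
        if row["Operation"].startswith("Reg"):
            continue  # registry access, not a file probe
        if row["Result"] not in MISS_RESULTS:
            continue  # the file or directory existed
        ext = PureWindowsPath(row["Path"]).suffix.lower() or "(none)"
        by_ext[ext] += 1
        paths.add(row["Path"].lower())
    return by_ext, sorted(paths)


if __name__ == "__main__":
    # For a real export, open the file with encoding="utf-8-sig" so a BOM is tolerated.
    counts, missing = summarize_misses(SAMPLE_CSV)
    for ext, n in counts.most_common():
        print(f"{ext:8} {n}")
    print(f"{len(missing)} distinct non-existent paths")
```

The per-extension counts and the de-duplicated path list are a few kilobytes of text even when the source log is over 100 MB.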