ESET Extremely high disk usage from ekrn.exe at Windows startup



Hello, 

 

Today I'm facing extremely high ekrn.exe I/O write operations, even though the Windows 10 machine uptime is around 5 hours.

Could someone help me diagnose this issue, which is mentioned in a similar closed topic (https://forum.eset.com/topic/26339-eset-extremely-high-disk-usage-from-ekrnexe-at-windows-startup/)?

I have the esetlogcollector .zip output ready and I'm attaching a few screenshots here.

 

Thanks for any hint.

 

Link to comment
Share on other sites

  • Administrators
  • Solution

Please provide the logs if esetperf.etl has been generated.

Link to comment
Share on other sites

Have you enabled the ESET idle scan option?

Does this high I/O activity only occur after an Eset signature or module update?

Link to comment
Share on other sites

Hi, 

Our current ESET version is 8.0.2028.0.

And yes, the Idle scan option is enabled.

This high I/O occurs across many computers at any time.

@Marcos I'll provide the download link for the .zip log collection and hide the answer. Will this option be secure, to prevent public reading? It is 480 MB. Yes, the esetperf.etl was generated.

 

Link to comment
Share on other sites

  • Administrators

You can drop me a personal message with the link enclosed. Also please try disabling the idle-state scan just for a test.

Link to comment
Share on other sites

Hello Marcos, 

 

I did the second log collection without the idle-scan option. I noticed that the process I/O circumstances were different from those present when the Firefox web browser is present on the machine, i.e. 91 GB per night with Firefox and 17 GB per night with Chrome; otherwise the I/O is still out of control.

 

 

Link to comment
Share on other sites

  • Administrators

It looks like a disk problem. Ekrn doesn't showcase any unusual read/write operations, but it took explorer.exe ~240s to read small blocks of data, and it happened several times.

Link to comment
Share on other sites

Hello Marcos,

It is very odd. Do you have any suggestions for ESET settings? Could you please explain how explorer.exe can cause significant I/O write operations for ekrn.exe, which I posted here from the Task Manager?

Were there any differences in the log collections with and without the Idle check option?

 

Thanks in advance for your reply.

Link to comment
Share on other sites

  • Administrators

Please also provide a Procmon log from the time when the issue occurs. Prior to launching Procmon, temporarily disable Protected service in the HIPS setup and reboot the machine. Leave Procmon capturing operations for a few minutes, then stop logging, save the log, compress it, upload it to a safe location and drop me a personal message with a download link.

Link to comment
Share on other sites

5 hours ago, Marcos said:

It looks like a disk problem.

The problem with this theory is:

23 hours ago, metranscz said:

This high I/O occurs across many computers at any time.

Highly unlikely that all these devices have disk issues.

There might be something to this however since browsers are spawned by explorer.exe:

6 hours ago, metranscz said:

I did the second log collection without the idle-scan option. I noticed that the process I/O circumstances were different from those present when the Firefox web browser is present on the machine, i.e. 91 GB per night with Firefox and 17 GB per night with Chrome; otherwise the I/O is still out of control.

 

Link to comment
Share on other sites

Hello all,

 

I tried to disable "idle scan" in the configuration option and it seems to be a solution for this behavior. After that, the I/O write operations came under control, and the amount written is in MB per day, not GB as before.

 

Thanks for your help with the investigation, and special thanks to @itman, who mentioned "idle scan" in his first clue.

 

Do you have any suggestion for an ESET configuration which can replace "idle scan"?

Link to comment
Share on other sites

  • Administrators

The idle-state scan scans files on your local disks whenever the screen is locked or if no user is logged in so it may run very often on some systems. There is no solution to this as you cannot scan drives and keep IO operations low at the same time.

Link to comment
Share on other sites

@Marcos  

The documentation at https://help.eset.com/ees/7/en-US/idh_config_kernel.html explains how this option works, but in my case, the I/O write operations happened during the logged-in user's usual work. An efficient increase was during the night when the user's machine was in the "lock screen" state, when "idle scan" would be expected to scan these computers, which does not explain the behavior when the user is logged in and doing his usual work. The idle scan wrote hundreds of GB per day to the disk. When I disabled this option, the write operations returned to a normal state (a few MB per day).

This happened on many computers with centralized management.

So the main question is how to configure the machine settings to avoid options like "idle scan" but still have a feature that scans the computer when machine utilization is low.

It seems to be an impossible challenge, but I hope for some solution.

Link to comment
Share on other sites

6 hours ago, metranscz said:

which is not explained the behavior when the user is logged in and do his usual work. T

Disable the screen saver mode setting in the Idle scan options, per the screenshot below, and see if that resolves your issue:

 

Link to comment
Share on other sites

@itman thanks for your suggestion.

 

I have had the suggested configuration applied since 2021/03/29 and it seems to prevent the high ekrn.exe writing to the disk.

I believe that the reported issue is solved.

Link to comment
Share on other sites
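The thread compares write volumes of GB per day against MB per day as read from Task Manager. The following is an added example, not part of any post in the thread and not ESET tooling, that samples the cumulative write counter of ekrn.exe through the Win32_Process WMI class and extrapolates a daily figure. The sampling interval and sample count are assumptions.

```powershell
# Added example (not from the thread): measure how much ekrn.exe writes to disk.
param(
    [string]$ProcessName = 'ekrn.exe',  # process named in the thread
    [int]$IntervalSeconds = 60,         # assumed sampling interval
    [int]$Samples = 10                  # assumed number of samples
)

function Get-WriteCounter {
    param([string]$Name)
    # WriteTransferCount = cumulative bytes written since the process started.
    $p = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name'" |
        Select-Object -First 1
    if (-not $p) { throw "Process '$Name' is not running." }
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Bytes     = [uint64]$p.WriteTransferCount
    }
}

$prev = Get-WriteCounter -Name $ProcessName
$rows = @(for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $cur = Get-WriteCounter -Name $ProcessName
    # A new PID or a smaller counter means the service restarted; skip that interval.
    if ($cur.ProcessId -ne $prev.ProcessId -or $cur.Bytes -lt $prev.Bytes) {
        $prev = $cur
        continue
    }
    [pscustomobject]@{
        Time      = Get-Date -Format 'HH:mm:ss'
        WrittenMB = [math]::Round(($cur.Bytes - $prev.Bytes) / 1MB, 2)
    }
    $prev = $cur
})

$rows | Format-Table -AutoSize
if ($rows.Count -gt 0) {
    # Extrapolate the sampled write volume to a 24-hour figure.
    $totalMB  = ($rows | Measure-Object -Property WrittenMB -Sum).Sum
    $seconds  = $rows.Count * $IntervalSeconds
    $gbPerDay = [math]::Round($totalMB / $seconds * 86400 / 1024, 2)
    "Extrapolated write volume for ${ProcessName}: $gbPerDay GB/day"
}
```

Running it once with the idle-state scan setting enabled and once with it changed, under the same workload, gives two figures that can be compared directly.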
