Jump to content

EKRN.EXE 6TB of Data I\O in 20 hours -KILLING MY SSD (Attached Screenshots + Sysinspect)


Go to solution Solved by Marcos,

Recommended Posts

Please see attached screenshots.

Here is the current state of EKRN.EXE

image.thumb.png.1e60acf95c632acb1b8d160df5fcf549.png



Here is the Total I/O + System Uptime

image.png.c21a0acca2e031dad161b8613c84fdac.pngimage.png.8203ac679a24926f81b2d5c9f579a461.png


Besides this issue I have ANOTHER ISSUE with Logs quickly becoming 44GB in size. Eating up ALL available SSD Space.

Check this out.

image.thumb.png.5916bba3b58700dd65a215d4b36f0733.png



Now the good news is since I'm the one who manages the cloud security my personal PC is not running the same policies as my client.

I'd be quite unhappy if I come to find these same issues on my clients network pcs.

Anywho If anyone can help figure out what setting I'm probably missing here that'd be great

There was an earlier post about disabling fast boot however, that's not an option for me.

During this time I turned on presentation mode and after 10 minutes EKRN.EXE stopped with the heavy I\O As soon as I disable Presentation mode the I\O started right back up.


Now I've tried this.


image.png.d25e3c756af3769a3cd3e0d7fd94416a.png

And still. Heavy I\O 

I also Tried Pausing it too... .Still High I\O

Attached is an anon sysinspector generated log 

sysInspector_26-07-2022_16-58-41.zip

Link to comment
Share on other sites

Adding SI - Procmon64 ekrn.exe 

It would seem the culprit is with the logging in the application.

What setting am I missing?

image.thumb.png.f28f811932537e7525cbc8a78c6f3920.png

Link to comment
Share on other sites

  • Administrators

Most likely you have logging of all scanned files enabled in a particular on-demand scanner profile used in scans:

Make sure to disable this setting:

image.png

I'd also recommend  deleting all files in the escan folder then.

 

Link to comment
Share on other sites

Posted (edited)
2 hours ago, Marcos said:

Most likely you have logging of all scanned files enabled in a particular on-demand scanner profile used in scans:

Make sure to disable this setting:

image.png

I'd also recommend  deleting all files in the escan folder then.

 

I do not  see this option here on my Endpoint security gui. I am using it full unrestricted mode 


image.thumb.png.aa604192b2a3e38703b18cff8198133a.png

 

 

 

Is the feature you are recommending on the cloud management interface?

(P.S. Yes I looked in advanced > logging and other places as well)

Edited by nullcure
Link to comment
Share on other sites

Hmmm here's procmon unfiltered capture of 3 seconds.



image.thumb.png.41440d6b6608f78d7284028c916c511b.png



I will attempt to close Samsung Magician and see if the problem is fixed. 


So I Killed off SamsungMagician and stopped the system service problem persists. 

So far EKRN.EXE has accessed 8.89TB. I need this to stop somehow, 

Anymore Ideas?

Link to comment
Share on other sites

So a couple of days ago I noticed my C:\ was nearly full.
( I didn't catch whether there was heavy I\O as I discovered that part of the problem today) 
Anyway a simple run of WinDirStat was able to show me 6, 44GB, Files each of being in the escan log folder.

I deleted them a couple of days ago and my SSD space was reclaimed. 

Today I noticed the Heavy I\O and through troubleshooting in this forum thread I noticed a correlation through procmon to the log file being read over and over which then I realized the 44 GB log files came back. (The ones in this forum thread)

I deleted them after having to reboot the PC and turn off 

HIPS: Self Defense
HIPS: Protect Service

With the log file no longer in use I was able to delete it and it appears that the Heavy I\O has ceased.

But wait.... Remember? I noticed 6 big log files the other day just didn't happen to notice if there was heavy I\O or not and now today there's 2 huge log files back.

I will monitor this situation for 48 hours before declaring a successful resolution

Thank you Marcos.

Link to comment
Share on other sites

  • Administrators

Those logs could be generated also by a scheduled scan so if you have one scheduled and the big logs are created, check the appropriate on-demand profile settings used in the scan.

Link to comment
Share on other sites

So far so good, Things are looking much better but I would like to monitor the situation another 24 hours to see if the log files end up populating for a 3rd time.

EKRN.EXE 15.18GB over 1 day and 3 hours is much better than 8ish TB over 22 hours. 

image.thumb.png.0be0cd4ff71f179c2ac89e7f4614ff67.png

image.png.ffd7d79c33fd6ac52aee9cd324e28683.png

Link to comment
Share on other sites

  • Administrators
  • Solution

You could disable creation of module snapshots in the update setup to decrease the amount of R/W data even more.

image.png

Link to comment
Share on other sites

Here we are another 26 hours later and things are still looking great! after another 26 hours passing EKRN only RW'd another 4.5ish GB of data. 

To recap I deleted these large log files a couple of days before noticing them back with a high I\O from ekrn.exe it appear this time the problem did not return due to changing some of the logging settings reviewed in this threaad.

I am posting with successful resolution

image.png.e868a4c7a0d4e139a4c0ac8336f7d7cb.pngimage.thumb.png.32229af388da72a8de8085aff6c9339b.png

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...