EKRN.EXE 6TB of Data I\O in 20 hours -KILLING MY SSD (Attached Screenshots + Sysinspect)

[nullcure 0]

Please see attached screenshots.

Here is the current state of EKRN.EXE





Here is the Total I/O + System Uptime




Besides this issue I have ANOTHER ISSUE with Logs quickly becoming 44GB in size. Eating up ALL available SSD Space.

Check this out.





Now the good news is since I'm the one who manages the cloud security my personal PC is not running the same policies as my client.

I'd be quite unhappy if I come to find these same issues on my clients network pcs.

Anywho If anyone can help figure out what setting I'm probably missing here that'd be great

There was an earlier post about disabling fast boot however, that's not an option for me.

During this time I turned on presentation mode and after 10 minutes EKRN.EXE stopped with the heavy I\O As soon as I disable Presentation mode the I\O started right back up.


Now I've tried this.




And still. Heavy I\O 

I also Tried Pausing it too... .Still High I\O

Attached is an anon sysinspector generated log 

sysInspector_26-07-2022_16-58-41.zip

[nullcure 0]

Adding SI - Procmon64 ekrn.exe 

It would seem the culprit is with the logging in the application.

What setting am I missing?

[Marcos 5,074]

Most likely you have logging of all scanned files enabled in a particular on-demand scanner profile used in scans:

Make sure to disable this setting:

I'd also recommend  deleting all files in the escan folder then.

 

[nullcure 0]

2 hours ago, Marcos said:

Most likely you have logging of all scanned files enabled in a particular on-demand scanner profile used in scans:

Make sure to disable this setting:

I'd also recommend  deleting all files in the escan folder then.

 

I do not  see this option here on my Endpoint security gui. I am using it full unrestricted mode 

 

 

 

Is the feature you are recommending on the cloud management interface?

(P.S. Yes I looked in advanced > logging and other places as well)

Edited July 26, 2022 by nullcure

[nullcure 0]

Nevermind I found it. and I turned it off.

Problem persists.

[nullcure 0]

Hmmm here's procmon unfiltered capture of 3 seconds.







I will attempt to close Samsung Magician and see if the problem is fixed. 


So I Killed off SamsungMagician and stopped the system service problem persists. 

So far EKRN.EXE has accessed 8.89TB. I need this to stop somehow, 

Anymore Ideas?

[Marcos 5,074]

You didn't delete the content of the escan folder, please do so.

[nullcure 0]

So a couple of days ago I noticed my C:\ was nearly full.
( I didn't catch whether there was heavy I\O as I discovered that part of the problem today) 
Anyway a simple run of WinDirStat was able to show me 6, 44GB, Files each of being in the escan log folder.

I deleted them a couple of days ago and my SSD space was reclaimed. 

Today I noticed the Heavy I\O and through troubleshooting in this forum thread I noticed a correlation through procmon to the log file being read over and over which then I realized the 44 GB log files came back. (The ones in this forum thread)

I deleted them after having to reboot the PC and turn off 

HIPS: Self Defense
HIPS: Protect Service

With the log file no longer in use I was able to delete it and it appears that the Heavy I\O has ceased.

But wait.... Remember? I noticed 6 big log files the other day just didn't happen to notice if there was heavy I\O or not and now today there's 2 huge log files back.

I will monitor this situation for 48 hours before declaring a successful resolution

Thank you Marcos.

[Marcos 5,074]

Those logs could be generated also by a scheduled scan so if you have one scheduled and the big logs are created, check the appropriate on-demand profile settings used in the scan.

[nullcure 0]

So far so good, Things are looking much better but I would like to monitor the situation another 24 hours to see if the log files end up populating for a 3rd time.

EKRN.EXE 15.18GB over 1 day and 3 hours is much better than 8ish TB over 22 hours. 

[Marcos 5,074]

You could disable creation of module snapshots in the update setup to decrease the amount of R/W data even more.

[nullcure 0]

Here we are another 26 hours later and things are still looking great! after another 26 hours passing EKRN only RW'd another 4.5ish GB of data. 

To recap I deleted these large log files a couple of days before noticing them back with a high I\O from ekrn.exe it appear this time the problem did not return due to changing some of the logging settings reviewed in this threaad.

I am posting with successful resolution