100% disk usage in v8 & v9


drasp

Noticed over the last week that my HDD activity light has been on a LOT.  Been running NOD32 for many years now & always appreciated that in most cases I never noticed it "doing its thing".  Updated to v9 to see if that would change anything, but it's back to maxing out my 3TB internal drive.  The # of objects in "protection statistics" does keep counting up, was north of 20,000,000 when I noticed it had no record of having done an auto scan since updating to v9, so I started one manually, which reset the object count.  Even as I type this, the ESET service is using ~15MB/s & ~80% of my big storage/media drive.  Is there any way to sort out if this is "normal" behavior, and why it's taking so long!?  Was never aware of such long/sustained periods of high activity!!!


  • Administrators

Please drop me a pm and provide:

- information about the oper. system

- the output from ESET Log Collector (hxxp://support.eset.com/kb3466/)

- information if temporarily disabling real-time protection makes a difference

- a Process Monitor log from the time when the issue occurs (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx).

 

You can upload larger logs in compressed form to a safe location and pm me the download link.


Thanks Marcos!  Working on putting that together right now. . . will send as soon as I've got the logs.  :)


  • Administrators

I see in the log that SysInspector was running while you had Process Monitor logging operations. I assume this is because you were collecting logs using ESET Log Collector at the same time.

 

Other than that, I don't see anything weird in the Procmon log. About 27,000 files were accessed by ekrn out of which 12,300 were jpg files that were not scanned like many other files. Do you mean that the problem goes away after temporarily disabling real-time protection?


The problem never goes away, as I described in my original post, HDD activity for my large internal storage drive is near 100% all the time, with high CPU & memory usage, all with the ESET service listed as the #1 consumer.  

 

Protection statistics resets every time I reboot, but is currently upwards of 20,000,000 objects.  At this point I'm getting concerned about the wear & tear on my drive.  The activity light is on solid & I can hear the drive chattering away all day long, 24/7 unless I manually kill ESET. . .


  • Administrators

During the 5,5 min. period that you captured, 234 MB were read by ekrn out of which 101 MB was from jpg files. Try excluding e:\pictures from scanning and let us know if it makes a difference.


  • Administrators

Same here.

After I uninstalled, it got back to normal.  Definitely your software bug.

 

Please follow the instructions from my post #2 above.


Yeah, I'd love a follow-up on this, hard to imagine that there is nothing wrong when I've got a secondary/non-OS optical drive suddenly @ 100% nearly all of the time when I'm away from the computer.  When I sit down & start to use it, it stops, then starts right back up a few minutes after I'm done using the machine.  

 

Under protection statistics, I'm showing 174,265,034 objects, which seems like an awful lot more than I've got across all my drives.  Really seems like ESET is in some kind of weird "permanently scanning" loop, and as much as I've been loyal to ESET, I'm not willing to risk the health of a brand new 3TB drive letting it just constantly run @ 100%. . .

 

edit - Didn't see your reply.  I'll try excluding the pictures directory & report back.

Edited by drasp

As I wrote, I already uninstalled cuz I was afraid that the software would wear out my SSD.

The software accessed drive C: horribly and made my system super super slow, even though I had low CPU usage (it was like 0~5 %) besides the 100% disk usage.

It was very difficult to uninstall, by the way.

To me, this happened after a Windows Update came (KB3156421). I stopped HIPS temporarily but nothing happened.

Next I stopped real-time scan temporarily and nothing changed either.  So I decided to uninstall ESET and it works like a charm!

This is all I can help with on this topic.

And I don't feel like going back to ESET cuz I already had a nightmare experience with it.

(Recover system, reinstall OS... etc. I already wasted a whole day and the solution I found was to uninstall ESET.)

I just want to *vote* for Mr. drasp's pain!

Edited by kurobosi

  • Administrators

According to the Procmon log you provided, ESET wrote only 440 kB data in 5,5 minutes but it scanned 24,440 jpg files because of being opened by runtimebroker.exe. This probably also accounts for a bigger local.db database than usual.

 

As for RuntimeBroker.exe, I've found the following:

 

RuntimeBroker.exe is the medium process through which access to (Universal) / (Metro Apps) is granted. This means that the process RuntimeBroker.exe runs the apps, as the name suggests, on behalf of other apps. Some users have experienced issues with it where the process is consuming almost all or too much of the CPU, which causes the system to go slow. We can disable it via Registry Editor and also via a setting that is constantly using RuntimeBroker.exe to make calls to Windows Update Settings from within the Updates.  Since this is a workaround, we’ll still need to wait for Microsoft to release a patch or update for a permanent solution in future; when this happens, it will automatically push and apply the update provided that your Windows Updates are turned on.

Note: Disabling RuntimeBroker.exe will prevent the store apps from running. Users have also reported weird behavior when they have disabled RuntimeBroker.exe, so I would suggest you attempt the two other methods first and if they don’t help then disable RuntimeBroker. The two other methods are listed below. (Method 2 & Method 3)


I don't believe I'm experiencing the RuntimeBroker.exe issue.  I know that the process DOES sometimes have high disk usage, but it's NEVER happened when I'm using the system, or caused a system slowdown, so it doesn't seem to match the experience of other users who are having that issue. . .

 

As suggested above, I've excluded E:\pictures & found that at least during the first chunk of time it SEEMS to have made a HUGE difference in the HDD usage I'm seeing when away from the computer.  Will continue to monitor & report back. . .


  • Administrators

The Process Monitor you've provided showed that runtimebroker.exe was actually accessing the jpg files which subsequently triggered a scan by real-time protection. It's a fact as it was logged; it was not ekrn.exe itself which scanned the files without a reason. Scanning such a big number of files will obviously have some impact on the amount of read data by ekrn.exe. Ekrn.exe read 8192 bytes from most of these 24,440 jpg files which is ~205 MB in total.

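Added example, not part of the original thread and not an ESET or Sysinternals tool: one way to reproduce the kind of analysis described in the post above from a Process Monitor CSV export, summing the bytes ekrn.exe read per file extension and attributing each read to the process that last opened the same file. It assumes Procmon's default export columns; the sample rows are constructed, and the "last opener" attribution is a heuristic assumed here.

```python
import csv
import io
import re
from collections import Counter
from pathlib import PureWindowsPath

SCANNER = "ekrn.exe"  # ESET service process named in the thread
LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")  # ReadFile detail, e.g. "Length: 8,192"

# Constructed sample rows in Procmon's default CSV layout (not the poster's log).
# A real export starts with a BOM: open it with encoding="utf-8-sig".
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","RuntimeBroker.exe","4120","CreateFile","E:\pictures\a.jpg","SUCCESS","Desired Access: Generic Read"
"10:00:01.0000002","ekrn.exe","1500","ReadFile","E:\pictures\a.jpg","SUCCESS","Offset: 0, Length: 8,192, Priority: Normal"
"10:00:01.0000003","RuntimeBroker.exe","4120","CreateFile","E:\pictures\b.jpg","SUCCESS","Desired Access: Generic Read"
"10:00:01.0000004","ekrn.exe","1500","ReadFile","E:\pictures\b.jpg","SUCCESS","Offset: 0, Length: 8,192, Priority: Normal"
"10:00:02.0000001","bzfilelist.exe","5210","CreateFile","E:\docs\c.pdf","SUCCESS","Desired Access: Generic Read"
"10:00:02.0000002","ekrn.exe","1500","ReadFile","E:\docs\c.pdf","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"10:00:03.0000001","ekrn.exe","1500","ReadFile","C:\scratch\own.dat","SUCCESS","Offset: 0, Length: 1,024, Priority: Normal"
'''


def summarize(csv_text, scanner=SCANNER):
    """Return (bytes read by scanner per extension, same bytes per triggering process)."""
    by_ext = Counter()
    by_trigger = Counter()
    last_opener = {}  # path -> last non-scanner process that opened it
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"].lower()
        path = row["Path"].lower()  # Windows paths are case-insensitive
        if row["Operation"] == "CreateFile" and proc != scanner:
            last_opener[path] = proc
        elif row["Operation"] == "ReadFile" and proc == scanner:
            match = LENGTH_RE.search(row["Detail"])
            if not match or row["Result"] != "SUCCESS":
                continue  # failed or unparseable reads carry no byte count
            size = int(match.group(1).replace(",", ""))
            by_ext[PureWindowsPath(path).suffix or "(none)"] += size
            # Reads of files nobody else opened are the scanner's own activity.
            by_trigger[last_opener.get(path, "(unattributed)")] += size
    return by_ext, by_trigger


if __name__ == "__main__":
    ext_totals, trigger_totals = summarize(SAMPLE_CSV)
    for name, total in trigger_totals.most_common():
        print(f"{name:20} {total:>8} bytes scanned on its behalf")
```

A large "(unattributed)" share would point at the scanner's own scheduled or idle-state work rather than on-access scans triggered by another process.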

So, problem seems to be solved since excluding those files from scanning, but that isn't really a "solution".  I know you're suggesting that ESET was only scanning b/c another program was looking at those files, but 24/7 100% disc activity has absolutely stopped with the only change made being excluding ESET on my E:/pictures directory, so whatever other programs may seem to be involved, the culprit for constant 100% disc load is ESET.  

 

Any ideas on a fix that doesn't require leaving a huge # of files un-protected?


  • Administrators

Please run the following command from the command prompt started with administrator rights:

wpr -start GeneralProfile

Then reproduce the problem. When done, stop logging by running:
wpr -stop trace.etl

 

Compress the log trace.etl and send it to me for further analysis.


  • 2 weeks later...

Saw it'd been a full week since I submitted my log, no confirmation that it'd been received or was being analyzed.  Thanks for the reply - will hold on.  ;)


  • Administrators

Based on the log we recommend disabling Idle-state scan. We've found out that the process bzfilelist.exe, which is probably a part of Backblaze backup, has opened / read from many files. Try pausing the backup and see if it makes a difference.

Please let us know about your findings.

