Forum Discussion
Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates
After updating servers this month, the 2012 R2 that have the ATP modern unified solution agent are seeing a massive increase in disk and CPU activity. Process monitor revealed that MsSense.exe is aggressively scanning the C:\Windows\System32\catroot directory which contains thousands of files. It seems to do this about every 10 minutes and it takes a while so it's pushing CPU to near 100 constantly.
There was a MsSense.exe version update to 10.8047.22439.1056 with security update KB5005292. I am suspecting that is the cause and will be doing some comparison testing in attempts to confirm it. Anyone else seeing this behavior?
- melgendy330 (Copper Contributor)
I had the same issue after upgrading to the Unified Agent and updating the Sense client to 10.8048.22439.1065. Updating to KB5005292 (Version 10.8049.22439.1084) seems to have fixed it for me. You can get the updated Sense Client from https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005292
and verify that the client has updated by running the following PowerShell command:
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=1}
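Added example, not posted by anyone in this thread and not Microsoft's own tooling: a triage script that reports the installed MsSense.exe build next to the build quoted above, samples its CPU use for a minute, and shows the latest Sense event ID 1. The sample count, interval and output field names are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: triage a server for the MsSense.exe load described in this thread.
# The build below is the one quoted in the thread, not an authoritative fix list.
$reported = [version]'10.8049.22439.1084'
$samples  = 12   # assumption: 12 samples x 5 s = about one minute
$interval = 5

# Locate the binary through the Sense service instead of hard-coding a path.
$svc = Get-CimInstance Win32_Service -Filter "Name='Sense'"
if (-not $svc) { throw 'Sense service not found; the EDR sensor is not installed here.' }
$exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
$vi  = (Get-Item -LiteralPath $exe).VersionInfo
$installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)

# The Process counter is per core, so normalise by the logical CPU count.
$cores = [Environment]::ProcessorCount
try {
    $cpu = Get-Counter '\Process(MsSense)\% Processor Time' -SampleInterval $interval `
               -MaxSamples $samples -ErrorAction Stop |
           ForEach-Object { $_.CounterSamples[0].CookedValue / $cores }
    $stats = $cpu | Measure-Object -Average -Maximum
} catch {
    Write-Warning "Could not sample MsSense CPU (is the process running?): $_"
    $stats = $null
}

# Latest Sense event ID 1, the event the post above uses to confirm the update.
$evt = Get-WinEvent -FilterHashtable @{ProviderName='Microsoft-Windows-Sense'; ID=1} `
           -MaxEvents 1 -ErrorAction SilentlyContinue

$avg = $null; $max = $null; $evtTime = $null
if ($stats) { $avg = [math]::Round($stats.Average, 1); $max = [math]::Round($stats.Maximum, 1) }
if ($evt)   { $evtTime = $evt.TimeCreated }

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    SensePath         = $exe
    InstalledBuild    = $installed
    ThreadQuotedBuild = $reported
    AtOrAboveQuoted   = ($installed -ge $reported)
    AvgCpuPercent     = $avg
    MaxCpuPercent     = $max
    LastSenseEvent1   = $evtTime
}
```

Run it across the affected 2012 R2 servers and compare InstalledBuild with the CPU figures to see whether the load tracks a particular build.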
- ScottMoseley (Copper Contributor)
The 1084 update worked for us as well.
- gregpakes (Copper Contributor)
ScottMoseley I am still getting this issue on 1084.
The CPU just sits at 15% all day. Is there a full fix for this?
- Baileycol (Copper Contributor)
Exactly the same scenario and seeing the same issue.
Seems to be much more impactive on one of our 2012 R2 servers than others which shows a constant stream of "Query Directory" C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*.cat by MsSense.exe
- watercoold (Copper Contributor)
Baileycol MS just acknowledged via my support ticket that this is a new known bug with no workaround other than offboarding the modern unified solution and installing the MMA sensor. Ugh
Be prepared if you choose to do that, there is also a known issue for repeatedly crashing Sense, but at least it appears there is a workaround for that. More Ugh. Plan to test this today.
"Currently, if you choose to offboard and uninstall the modern, unified solution and re-onboard the previous MMA-based EDR sensor, you may encounter repeated MsSenseS.exe crashes."
Quoted from:
- Baileycol (Copper Contributor)
- Paul_Huijbregts (Microsoft)
This should be (have been) addressed through a configuration update.
- Jeffrey (Iron Contributor)
Seeing the same thing.
- Ciyaresh (Brass Contributor)
We are having the same issue. Defender is using all the available CPU/memory it can find.
- Paul_Huijbregts (Microsoft)
Hi, this thread is mentioning MsSense.exe - when you say "Defender" are you referring to msmpeng.exe (AV) or MsSense.exe (EDR)? If AV, please ensure you test with exclusions - using all the available CPU/memory is not an expected issue unless there is something causing interference (typically, other security software).
- Ciyaresh (Brass Contributor)
In our case it is the MsSense.exe. I have right clicked on the process that is using 99% CPU, file location and it highlights MsSense.exe
- Paul_Huijbregts (Microsoft)
If you haven't already, please update using the latest KB5005292 to get to Sense version 10.8048.22439.1065
- Ciyaresh (Brass Contributor)
Paul_Huijbregts Looks like we have the correct version already. I did raise a ticket with the support team and provided the information they asked for using the MDEClientAnalyzer. Just waiting for a reply. But I thought I'd dig into the forums to see if anyone had a solution already 🙂
- Kenneth van Surksum (Copper Contributor)
Hi there,
I just did an enrolment on Windows Server 2012R2 and I'm also experiencing this issue. The KB has been installed and MsSense.exe is on 10.8048.22439.1065
Any updates on this issue?
/Kenneth