Forum Discussion

watercoold's avatar
watercoold
Copper Contributor
Mar 22, 2022

Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

After updating servers this month, the 2012 R2 that have the ATP modern unified solution agent are seeing a massive increase in disk and cpu activity. Process monitor revealed that MsSense.exe is aggressively scanning the C:\Windows\System32\catroot directory which contains thousands of files. It seems to do this about every 10 minutes and it takes a while so it's pushing CPU to near 100 constantly. 

 

There was a MsSense.exe version update to 10.8047.22439.1056 with security update KB5005292. I am suspecting that is the cause and will be doing some comparison testing in attempts to confirm it. Anyone else seeing this behavior?

  • I had the same issue after upgrading to the Unified Agent and updating the Sense client to 10.8048.22439.1065. Updating to - KB5005292 (Version 10.8049.22439.1084) seems to have fixed it for me. You can get the updated Sense Client from https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005292

    and verify that Client has updated by running the following PowerShell command

    Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=1}

     

  • melgendy330's avatar
    melgendy330
    Copper Contributor

    I had the same issue after upgrading to the Unified Agent and updating the Sense client to 10.8048.22439.1065. Updating to - KB5005292 (Version 10.8049.22439.1084) seems to have fixed it for me. You can get the updated Sense Client from https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005292

    and verify that Client has updated by running the following PowerShell command

    Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=1}

     

      • gregpakes's avatar
        gregpakes
        Copper Contributor

        ScottMoseley I am still getting this issue on 1084.

        The cpu just sits at 15% all day.  Is there a full fix for this?

  • Baileycol's avatar
    Baileycol
    Copper Contributor

    watercoold 

     

    Exactly the same scenario and seeing the same issue. 

     

    Seems to be much more impactive on one of our 2012 R2 servers than others which shows a constant stream of "Query Directory" C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*.cat by MsSense.exe

  • Ciyaresh's avatar
    Ciyaresh
    Brass Contributor
    We are having the same issue. Defender is using all the available CPU/memory it can find.
    • Paul_Huijbregts's avatar
      Paul_Huijbregts
      Icon for Microsoft rankMicrosoft
      Hi, this thread is mentioning MsSense.exe - when you say "Defender" are you referring to msmpeng.exe (AV) or MsSense.exe (EDR)? If AV, please ensure you test with exclusions - using all the available CPU/memory is not an expected issue unless there is something causing interference (typically, other security software).
      • Ciyaresh's avatar
        Ciyaresh
        Brass Contributor

        Paul_Huijbregts 

         

        In our case it is the MsSense.exe. I have right clicked on the process that is using 99% CPU, file location and it highlights MsSense.exe

         

         

  • If you haven't already, please update using the latest KB5005292 to get to Sense version 10.8048.22439.1065
    • Ciyaresh's avatar
      Ciyaresh
      Brass Contributor

      Paul_Huijbregts Looks like we have the correct version already. I did raise a ticket with the support team and provide the information they asked using the MDEClientAnalyzer. Just waiting for a reply. But I thought I'd dig into the forums to see if anyone had a solution already 🙂 

       

       

      • Kenneth van Surksum's avatar
        Kenneth van Surksum
        Copper Contributor

        Hi there,

         

        I just did an enrolment on Windows Server 2012R2 and I'm also experiencing this issue. the KB has been installed and MsSense.exe is on 10.8048.22439.1065 

         

         

        Any updates on this issue?

         

        /Kenneth

Resources