Mar 22 2022 01:33 PM
After updating servers this month, the 2012 R2 that have the ATP modern unified solution agent are seeing a massive increase in disk and cpu activity. Process monitor revealed that MsSense.exe is aggressively scanning the C:\Windows\System32\catroot directory which contains thousands of files. It seems to do this about every 10 minutes and it takes a while so it's pushing CPU to near 100 constantly.
There was a MsSense.exe version update to 10.8047.22439.1056 with security update KB5005292. I am suspecting that is the cause and will be doing some comparison testing in attempts to confirm it. Anyone else seeing this behavior?
Mar 23 2022 02:32 AM
Exactly the same scenario and seeing the same issue.
Seems to be much more impactive on one of our 2012 R2 servers than others which shows a constant stream of "Query Directory" C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*.cat by MsSense.exe
Mar 23 2022 07:56 AM
@Baileycol MS just acknowledged via my support ticket that this is a new known bug with no workaround other than offboarding the modern unified solution and installing the MMA sensor. Ugh
Be prepared if you choose to do that, there is also a known issue for repeatedly crashing Sense, but at least appears there is a work-around for that. More Ugh. Plan to test this today.
"Currently, if you choose to offboard and uninstall the modern, unified solution and re-onboard the previous MMA-based EDR sensor, you may encounter repeated MsSenseS.exe crashes."
Quoted from:
Apr 01 2022 02:11 PM
Seeing the same thing.
Apr 06 2022 06:04 AM
@watercoold - thx for posting this. Do you know if MS has plans for resolving the issue? Also may I have the support ticket Id for reference?
Thanks again
Br
Lars
Apr 12 2022 08:28 AM
In our case it is the MsSense.exe. I have right clicked on the process that is using 99% CPU, file location and it highlights MsSense.exe
Apr 12 2022 08:40 AM
@Paul_Huijbregts Looks like we have the correct version already. I did raise a ticket with the support team and provide the information they asked using the MDEClientAnalyzer. Just waiting for a reply. But I thought I'd dig into the forums to see if anyone had a solution already :)
May 13 2022 08:12 AM
Hi there,
I just did an enrolment on Windows Server 2012R2 and I'm also experiencing this issue. The KB has been installed and MsSense.exe is on 10.8048.22439.1065
Any updates on this issue?
/Kenneth
May 13 2022 11:12 AM
Thanks for the quick response all.
@Ciyaresh Verified, service is running on all servers and set to automatic
@Paul_Huijbregts I'll advise my customer to create a support ticket
/Kenneth
Aug 10 2022 12:16 PM - edited Aug 10 2022 12:33 PM
Solution
I had the same issue after upgrading to the Unified Agent and updating the Sense client to 10.8048.22439.1065. Updating to KB5005292 (Version 10.8049.22439.1084) seems to have fixed it for me. You can get the updated Sense Client from https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005292
and verify that the client has updated by running the following PowerShell command:
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=1}
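
Added example, not part of any post in this thread: a PowerShell check that compares the installed MsSense.exe build with the versions reported above, reads the same Sense event, and samples MsSense CPU for 10 seconds. The install path, the function name Get-SenseBuildStatus and the status labels are assumptions made for illustration; run it elevated so the CPU counters are readable.

```powershell
# Added example (not from the thread). Install path is the assumed default location.
$SensePath        = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection\MsSense.exe'
$FixedVersion     = [version]'10.8049.22439.1084'                               # build reported as fixed in the thread
$ReportedAffected = [version[]]@('10.8047.22439.1056', '10.8048.22439.1065')    # builds named in the thread

# Hypothetical helper: classify an installed build against the versions in the thread.
function Get-SenseBuildStatus([version]$Installed) {
    if ($Installed -ge $FixedVersion)            { 'AtOrAboveFixedBuild' }
    elseif ($ReportedAffected -contains $Installed) { 'ReportedAffectedBuild' }
    else                                         { 'OlderThanFixedBuild' }
}

if (-not (Test-Path -LiteralPath $SensePath)) {
    Write-Warning "MsSense.exe not found at $SensePath"
} else {
    # Build the version from the numeric parts; New-Object also works on PowerShell 4 (2012 R2 default).
    $vi = (Get-Item -LiteralPath $SensePath).VersionInfo
    $installed = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Same event the answer above uses to confirm the client updated; newest entry only.
    $evt = Get-WinEvent -FilterHashtable @{ProviderName='Microsoft-Windows-Sense'; ID=1} -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastEvent = $null
    if ($evt) { $lastEvent = $evt.TimeCreated }

    # Sample MsSense CPU time over a fixed interval and normalise by core count.
    $seconds = 10
    $cpuPct  = $null
    $before  = Get-Process -Name MsSense -ErrorAction SilentlyContinue
    if ($before) {
        $t0 = ($before | Measure-Object -Property CPU -Sum).Sum
        Start-Sleep -Seconds $seconds
        $after = Get-Process -Name MsSense -ErrorAction SilentlyContinue
        if ($after) {
            $t1 = ($after | Measure-Object -Property CPU -Sum).Sum
            $cpuPct = [math]::Round(100 * ($t1 - $t0) / ($seconds * [Environment]::ProcessorCount), 1)
        }
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SenseVersion      = $installed.ToString()
        BuildStatus       = Get-SenseBuildStatus $installed
        LastSenseEvent1   = $lastEvent
        MsSenseCpuPercent = $cpuPct
    }
}
```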