Modern Unified MsSense.exe and CPU/disk usage on 2012 R2 after March updates

Copper Contributor

After updating servers this month, the 2012 R2 that have the ATP modern unified solution agent are seeing a massive increase in disk and cpu activity. Process monitor revealed that MsSense.exe is aggressively scanning the C:\Windows\System32\catroot directory which contains thousands of files. It seems to do this about every 10 minutes and it takes a while so it's pushing CPU to near 100 constantly. 


There was a MsSense.exe version update to 10.8047.22439.1056 with security update KB5005292. I am suspecting that is the cause and will be doing some comparison testing in attempts to confirm it. Anyone else seeing this behavior?

25 Replies



Exactly the same scenario and seeing the same issue. 


Seems to be much more impactive on one of our 2012 R2 servers than others which shows a constant stream of "Query Directory" C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*.cat by MsSense.exe

@Baileycol MS just acknowledged via my support ticket that this a new known bug with no workaround other than offboarding the modern unified solution and installing the MMA sensor. Ugh


Be prepared if you choose to do that, there is also a known issue for repeatedly crashing Sense, but at least appears there is a work-around for that. More Ugh. Plan to test this today. 


"Currently, if you choose to offboard and uninstall the modern, unified solution and re-onboard the previous MMA-based EDR sensor, you may encounter repeated MsSenseS.exe crashes."


Quoted from:



Appreciate the update and the heads up. What a pain!

@watercoold - thx for posting this. Do you know if MS has plans for resolving the issue? Also may I have the support ticket Id for reference? 

Thanks again 



We are having the same issue. Defender is using all the available CPU/memory it can find.
Hi, this has been fixed for a while now to ensure you can in fact roll back if needed.
This should be (have been) addressed through a configuration update.
what's the rollback process? I have only deployed the agents on our test machines @ 28/03/2022 and we are seeing this issue. I deployed them using the Windows Server 2012 R2 and 2016 (Preview) option and then using a local script.
Hi, this thread is mentioning MsSense.exe - when you say "Defender" are you referring to msmpeng.exe (AV) or MsSense.exe (EDR)? If AV, please ensure you test with exclusions - using all the available CPU/memory is not an expected issue unless there is something causing interference (typically, other security software).



In our case it is the MsSense.exe. I have right clicked on the process that is using 99% CPU, file location and it highlights MsSense.exe




Hi - you just missed my other message. Rollback is only applicable if you were running the previous solution: otherwise, running the offboarding script and then uninstalling will do the trick.
If you haven't already, please update using the latest KB5005292 to get to Sense version 10.8048.22439.1065
Please make sure you are on the latest Sense version 10.8048.22439.1065 ( - if this doesn't help and you have a working repro it would help a lot if you could open a support case to help investigate.

@Paul_Huijbregts Looks like we have the correct version already. I did raise a ticket with the support team and provide the information they asked using the MDEClientAnalyzer. Just waiting for a reply. But I thought I'd dig into the forums to see if anyone had a solution already :) 




Hi there,


I just did an enrolment on Windows Server 2012R2 and I'm also experiencing this issue. the KB has been installed and MsSense.exe is on 10.8048.22439.1065 




Any updates on this issue?



Hi Kenneth! This should no longer occur. Please open a support ticket.
Check if the diagtrack service is disabled. If it is, enable on all servers and set it to auto load when system starts.

Thanks for the quick response all.


@Ciyaresh Verified, service is running on all servers and set to automatic

@Paul_Huijbregts I'll advise my customer to create a support ticket



1 best response

Accepted Solutions
best response confirmed by Yong Rhee (Microsoft)

I had the same issue after upgrading to the Unified Agent and updating the Sense client to 10.8048.22439.1065. Updating to - KB5005292 (Version 10.8049.22439.1084) seems to have fixed it for me. You can get the updated Sense Client from

and verify that Client has updated by running the following PowerShell command

Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=1}


View solution in original post