Forum Discussion
MsSenseS.exe high CPU usage
Good Afternoon - We have a few servers in Azure that have extremely high CPU usage due to the "MsSenseS.exe" process. Is there anything that can be done to alleviate this? Seems like this process is related to Defender or some sort of Microsoft sensor.
I have opened a ticket with Microsoft Support which has not been that helpful.
- RayOfSunshineCopper ContributorWhy is this not a much bigger thing? We have rolled out Defender ATP with our Microsoft 365 E5 license stack and pushed this to 70+ autopilot machines as a POC for the rest of the business. All eventually started to onboard etc but it's killing the CPU with 20-30% use on the MSSense.exe (Defender ATP not the AV engine) all day every day.... what the hell is it doing? Looking at resource manager to see disk usage/files etc, it eventually shows nothing being accessed but still running at 25%.... it causes our Dell machines to overheat and the fans to go continuously..... Everywhere mentions the MsMPeng.exe but the MSSense.exe is the problem...Right Click task manager and set affinity doesn't work even if you have full permissions because you can't interfere with the Defender ATP services, it defeats the purpose of Defender ATP....
- hackerman138Copper Contributor
Yup, same problem here except our issue with with SenseNdr.exe. Surface laptops used to last 6-8 hours. They last 2 hours at most now. Horrendous and defeats the purpose of a laptop if you have to have it always plugged in. Killing productivity.
- AnuragSrivastavaIron Contributor
jham01
This process is part of Microsoft Defender Advanced Threat Protection service.
In case of high CPU Utilization, you can alleviate this by setting up a maximum CPU limit for the process.
Open Task Manager
1. Go to the Details tab
2. Right-click on the process name MsSense.exe and select Set affinity
3. Choose the CPU limit that you allow the process to use- ransems-itoCopper ContributorI get an error access denied
- AnuragSrivastavaIron ContributorMight need to use local admin privileges
- jbmartin6Iron Contributor
AnuragSrivastavaCPU affinity limits a process to a single core, and is not persistent across reboots. This isn't an effective mitigation
- SuperNotDuperCopper ContributorCompletely agree. This issue is HUGE.
I have no idea why MS havent properly addressed this and provides information to admins to curb the resources that this service devestates a VM to the extent with.
Ofcourse a simple fix like limiting CPU limit/allocation could help, but if you've ever actually tried to do this (and not just typing it in a response on a forum post etc) then you'd know, this cannot be done as you get an error - access denied.- henrikmcCopper Contributor
SuperNotDuperI know you guys are trying to get if working properly, but I have been working on getting ATP off-boarded for month, including MS support cases etc. for the same reason and because we use Mcafee ENS. It simply uses a lot of resources all the time. I managed to get it off-boarded but now it has installed the extension again even that its not enabled in Azure. It's like a virus, hard to get rid of! And I don't think you can tamper with the priority as it has protection against that.
- SaajanSJ_ChubbCopper ContributorI am also facing the same issue, have you got a resolution for this?
- dmki1Copper ContributorSame problem. We need a way to turn this substandard process off, or have Azure discount of at least 50% - that's how much CPU this process eats.
- jbmartin6Iron ContributorIf you look at the full command line for the MSSense process, you can see that it is the core network traffic inspection process. This is where all the Zeeke integrations are implemented. So it makes sense that it will use *some* CPU continuously, it is examining network traffic for things like named pipes, LDAP queries, etc. that all contribute to detections in MDE.
You can reduce the CPU usage somewhat by turning off device discovery completely. This also works by inspection of network traffic, so also contributes to CPU usage by the process.
But you can't reduce it too much beyond that since it is doing part of the core function of MDE.