MsMpEng.exe

I have two problems that may or may not be related:

My wife has a netbook (Gateway LT3103 with Vista) that she recently started using at times during the day to listen to Internet radio. She has complained that after a hour and a half the machine goes silent and appears to lock up. Last night I was able to reproduce the issue. Although it really never "locks up" it did become very unresponsive. What was odd was I had ProcessExplorer or task manager (not both at the same time, each one in a different experiment) running at the same time and then the radio went silent, ProcessExplorer or Task Manager's CPU spiked to around 99%. Thats right both monitoring apps themselves started to consume almost all CPU cycles. Rebooting the machine cleared the issue. (That is Problem #1)

Update: The next section has been resolved! It was the result of a missed Microsoft Security Essentials Scan and appears to be unrelated to Problem #1 above. (Thanks coolguy aka Rajesh for pointing that out!)
Today, I brought the machine with me to try to diagnose the issue. Wanting to rule out the Internet radio app (WinAmp), I let the machine sit idle with nothing running. After fifteen minutes the screensaver (stock Vista Bubbles) kicked in. After a short time the bubbles slowed way down. I let that go for a couple of minutes and the slow display persisted. I hit the touchpad and the screensaver cleared. I then saw that the CPU history in Process Explorer showed that "MsMpEng.EXE" had spiked until I hit the touch pad then it dropped to zero. MsMpEng.EXE is part of Microsoft Security Essentials (the ONLY anti-malware app on the machine.)

I thought it was odd that the MsMpEng would kick in like that as I have it set to scan on Sunday nights. (Checking calendar... nope it is not Sunday night. Grin.) So I surmised that it was somehow set to trigger when the screensaver kicked in. So I dropped the screensaver timeout to one minute and waited. The screensaver kicked in one minute latter but ran at full speed. I waited a few minutes... still full speed. Hit the touchpad and ProcessExplorer shows that MsMpEng had not consumed any CPU.

I am now guessing the screensaver and MsMpEng are NOT on the same timer, but they both must have been on SEPARATE 15 minute ones. So I reset the screensaver timer to 15 minutes, started up Task mangers resource monitor so I can see the specific file names of any disk IO (then killed Task manager itself) and am now waiting...

Well the screensaver just kicked in. Ran full speed for 30 seconds or so and now is creeping along. I see disk activity. So I suspect MsMpEng is doing something again, but what???

Hit the touchpad and sure enough, MsMpEng had started consuming CPU. What's more, from the resource monitor, it appears that it was scanning files! I see a list of the files it was reading.

So what the hell is going on? Is MsMpEng supposed to scan in the background after an idle time? (That is problem #2)

I now enlist the aid of my fellow "detectives" here. In your reply please clearly indicate if you are addressing Problem #1 or Problem #2, or if you think your reply pertains to BOTH. Update: since problem #2 has been addressed please restrict your replies to problem #1.


Gary

 

First, although I am a big fan of Microsoft Security Essentials, download and run MalwareBytes free Full scan (after updating it of course) before doing anything else. We want to rule out malware completely, or as close to completely as possible.

While it is incredibly unlikely to fix anything, I recommend running a disk cleanup (keep system restore points) followed by a Vista Defragment. Then open up a command prompt with administrator rights (type cmd into vista search bar, right click and run as administrator) and then run a system file check. The command is "sfc /scannow" (without the quotes). When that completes, it might show that some items were not repairable, don't worry as that is most likely just an issue with the vista sidebar.

As I was saying, when the sfc completes, in the same window schedule a long chkdsk. The command for that is "chkdsk /r" (without quotes), it will ask you to press Y so that the chkdsk can run during the next reboot and I often recommend typing the command "chkdsk /r" twice, because some systems will not always run the chkdsk otherwise.

Last but not least, check windows updates for any available optional or hardware related updates and try to run those as well.

This is nothing more than a shotgun treatment for your issue, but I'm just not quite sure what could be causing the CPU spikes.

 

Problem 1:

Was there any disk activity occuring at the time taskmgr or process explorer went nuts?

Since this is somewhat reproducible, my next step would be to load Process Monitor (since you are already familiar with system internals tools) and have that running as well during a third trial. Then filter the logs looking for errors at the time the spike occurs.

To quote Dave Soloman...when in doubt, run process monitor

 

I appreciate the advice, but I am not looking for a shotgun approach. I want to pinpoint the root cause. I have the machine set up to run Windows Update automatically, so it is current. And I ran Malwarebytes as my first step.

Gary

 

I realized there might be another factor in this I neglected to mention. Because of outbound email restrictions by our ISP (who is our email provider) I have my wife use a VPN to my office so she can connect to the ISP's SMTP server. She tends to keep that VPN running all the time. So I suspect it was also running. At the moment I am running a 1.5 hour test with WinAmp without the VPN, to see if it is a factor.

RE: ProcessMonitor, why it instead of Process Explorer? I don't think I have used it before. There was no disk activity when Process Explorer's own CPU use spiked.

Gary

 

Have you checked windows task scheduler? Some task will run during idling.

 

That certainly was the issue with Problem #2. A task scheduled durring idle time checks to see if a scan was missed and if so runs it.

Re: Problem #1 though I don't think it is an issue. I am still running WinAMP without the VPN connection and am approaching 2 hours without a lockup. So now more than ever I suspect the VPN may be a real factor. I do know that the VPN occasionally just drops connectivity. The VPN appears to be running just no traffic gets through and I have to log out and back in. So I supect the VPN dropped and since 100% of the tcp/ip traffic was traversing it WinAmp lost its feed. Just not sure WHY that would cause Task Manager or Process Explorer to spike their own CPU use at 100%.

Gary

 

Process Monitor logs file system, registry, process, thread and DLL activity in real-time--it collects a ton of data in a very short time frame that process explorer simply does not. Even the shortest file or disk access gets catalogued and it is invaluable in finding things you might not otherwise think is possible.

For example, I had a program that failed to start last week and I suspected file corruption. Process Monitor showed what file the application could not access at start up (recorded as a failure) and I was able to locate the file and replace it from another machine.

I suspect that process exporer and task manager are hanging up when trying to access a process or DLL--process monitor may help identify the issue.

To quote Dave Soloman...when in doubt, run process monitor

 

Thanks gerryf19, I will look into it.

Gary

 

A followup. Today my wife was back in her studio with the netbook and was able to run all day without the weirdness recurring. She did not have the VPN running at all, so I have to suspect it was indeed the culprit. Well actually it was the trigger. I am convinced it was WinAmp or audio driver that went haywire when the VPN connection, which had been feeding it, dropped.

Luckily today I discovered a way around the need for the VPN, so this saga should now be behind us. Thanks for all the tips and suggestions.

I still remain confused by how Process Explorer or Task Manager can spike their own CPU use to over 90% though.

Gary

 

i have had this issue or a similar issue, if you add the .scr extension to the excluded list it will no longer scan any screensavers that will run, Microsoft Security Essentials is strange in a way in how it works but if a particular type of file extension is causing problems you can add it to the exclusion list but you must understand that since it no longer scans say the .scr or say .txt extension if you have any malicious screensavers or text files it will no longer protect you against those but if your confident that you don't have any malicious screensavers or text files then it is worth it.

 

Hi Gary,

How did you solve problem 2?

Im using MSE for the first time on my netbook and getting a high usage on MsMpENG.exe.

 

I solved it by letting it run the missed scan. Just as I said in the update in the original post.

What are the specifics of your circumstances?

Gary

 

The process is using up around 62mb+ of RAM constantly in XP Home

I dont seem to have any missed scans. Ive scheduled it to run on 2am Sundays which has yet to come.

 

The RAM usage seems to be normal.

 

Seems a bit high compared to other AV software?

Im trying to keep the memory footprint low on my netbook, yet this process sits the highest on the usage scale and i dont know why.

Also a msseces.exe process is also running using 10mb, id say that one is normal.

 

How much RAM do you have? MSE has a little bit higher RAM usage than the rest of the free AV. I wouldn't consider the total 70MB RAM usage as a very high memory footprint.

 

You are concentrating on the wrong metric. The CPU use is the one to be concerned about. Let the OS worry about the memory, unless you find some sort of memory leak that causes a process to grow very large over time. Vista and Win7 both do a great job of managing memory.

Gary

 

I only had a stick of 1gb earlier but ive now upgraded it to a 2gb stick. With Office, VPN, Firefox and all my other programs running the same time, i was getting close to maxing out the RAM.

Yes ive noticed it doesnt really use much CPU, at this point im just curious. I find MSE very good as it integrated with windows very well.

Also I am using XP home which doesnt have the same memory management as Vista/W7