Windows System Assessment Scan consumes 100% of CPU usage during vulnerability scan on Windows Server 2003 SP1+, Windows XP SP3 and Windows Server 2008 clients.

Associated errors:

Error Popup: 'Altiris Patch Assessment encountered a problem and needed to close'

Client is unable to maintain optimal performance during the Assessment Scan.

The following resolutions may need to be implemented:

1. Review KM: TECH213155; Windows System Assessment Scan is affected when MSXML4 is installed on the Client.
    
2. Ensure the Windows System Assessment Scan package, Patch Install Tools package and other patch packages are not being excluded by Virus Scan, and that they are able to download to the client.
   1. See also KM: TECH159956 for additional troubleshooting steps.
       
3. Throttle the Scan; Open RegEdit on the affected Client:
   1. Stop the Symantec Management Agent & Client Services
   2. Drill down to HKLM\SOFTWARE\Altiris\Altiris Agent\Patch Management\Patch Assessment\
   3. Change the value of the DWORD reg key named ‘Throttling’
      1. Change Hexadecimal value: 2710 (Decimal Value: 10000)
         1. This value is optional and may be set to higher or lower as deemed necessary.
         2. Default Hexadecimal value: 7d0 (Decimal Value: 2000)
   4. Start the Symantec Management Agent & Client Services
   5. Note: the client may display 100% CPU usage for some time as this not an instant fix, for it merely helps other applications to utilize CPU resources in an appropriate manner. 
       
4. Ensure the Agent Blockout / Throttling settings are not causing the slowing / restrictive behavior:
   1. Go to the Console > Settings > Agents/Plug-ins > Symantec Management Agent 
   2. Settings > Symantec Management Agent Settings - Targeted;
      1. Downloads Tab; 
         1. Use bandwidth throttling; configure to no less than 50 KB/s
            1. Watch client processing to see if this is the cause, for this may need to be increased
            2. If increasing this setting is not possible; the process will merely take the resources to run and finish accordingly
         2. Disable multicast; this setting enabled allows clients to download packages from eachother and could cause the heavy run time. Disable to limit the clients to download only from the Package Servers and/or SMP as configured for the package management.
      2. Blockouts Tab;
         1. Disable any blockout communications if possible, for this will allow the client to run the scan and return on schedule. 
         2. Note: Configure the Windows System Assessment Scan (detailed below in Step 6) to run outside this blockout time to ensure it is not affected by blockouts.
             
5. Configure the processor to allocate resources to Programs:
   1. Open the System Properties > Advanced system settings > Advanced tab > Performance header > Settings button > Advanced tab > Processor scheduling header
   2. Enable the setting for 'Programs' under the 'Adjust for best performance of' configuration as follows:
      
       
   3. Test this process on a client having this issue and see if the configuration helps to resolve the problem.
       
6. Ensure there are no 3rd Party Software conflicts affecting the Windows System Assessment Scan:
   1. Review steps outlined on KM: HOWTO10560 to isolate the cause of this interference
      1. Check Virus Scanner (SEP etc) and ensure the scans are not overlapping.
         1. Confirm the Altiris Directory is excluded from these scans and not being targeted for processing.
      2. Run tools like Process Monitor to oversee what is being executed on the client
   2. Further isolate by running the 'msconfig' on the client
      1. Start > Run > msconfig; review how the client is booting
         1. Isolate the software so the OS is the only thing booting with Altiris and try a scan
         2. Note: if the scan runs with the same undesired behavior; it could be group policies or environmental restrictions
             
7. Ensure there are no Group Policies causing hindrances on the Windows System Assessment Scan:
   1. Run 'CMD' as Admin; run the following on the affected client: gpresult
      1. This will display all parameter switches for this command
      2. Example: gpresult /v; provides the group policies of the client
         1. Review the listing with environment Administrator and ensure they are not restricting the scan's abilities
         2. If possible; compare to a working client in the environment to further isolate the GPO causing the issue
             
8. Configure Patch Management to limit the Windows System Assessment Scan from running during environmental heavy-load hours (configuration locations detailed on KM: HOWTO56242) 
   1. Configure the Default Software Update Plug-in Policy to schedule the Software Update Cycle to run in a Windowed Schedule and blockout the production hours.
   2. Configure the Windowed Scheduled on the Windows System Assessment Scan to blockout the production hours.
   3. Note: the only other time the Windows System Assessment Scan will run is when the Client first boots up and that is not avoidable.
       
9. If the Client is a Virtual Machine:
   1. Check CPU configuration:
      1. If only one core is present; add another core to the CPU to improve performance 
   2. Check RAM configuration:
      1. If only minimal RAM is present to run the OS; add more RAM (1-2GB if possible)
   3. Other affecting items regarding VM clients:
      1. Virtual Environment Configuration 
      2. Multiple VM Clients running on the same VM Host
      3. Virtual Host Server's hard disk throughput
      4. Virtual Host Server maintenance tasks
   4. Note: 100% CPU usage can be normal for some VM clients due to the process being a single thread process utilizing all resources until scan is complete.
       
10. Ensure the client's 'Users' have needed permissions:
    1. Go to the client's Altiris Folder
       1. Rightclick > Properties > Security; ensure 'Users' is listed and permissions are in place for this folder
       2. Default: Allow; 'Read & execute,' 'List folder contents,' and 'Read'
    2. Go to the client's C:\Windows\Temp
       1. Rightclick > Properties > Security; ensure 'Users' is listed and permissions are in place for this folder
       2. Default: Allow; 'Special Permissions'
    3. Note: These are only two main folder checks; perform this check on any other folders that would be suspect to this being the root cause of the problem, for if the user is unable to run the process, the process could be pegging until the 20 minute time out window for the scan.

Applies To

Patch Management 7.1 SP1, SP2 and MP1