High Memory usage due to Service SepWscSvc64
Article ID: 239735
Updated On:
Products
Issue/Introduction
You have a system with Endpoint Protection (SEP) that is experiencing high memory usage. You determine the issue is caused by Service SepWscSvc64
Cause
Procdump Analysis :
The default process heap (with handle 00340000) of SepWscSvc64.exe is consuming 99.17 % of memory (7.462 GB).
In the process heap with this handle (00340000), top three allocations are like this:
|
size (in bytes) |
#blocks |
total bytes |
percentage of total busy bytes. |
|
2773b |
4451 |
a87365ab (2.69 GB) |
35.59 |
|
26758 |
4451 |
a43612d8 (2.62 GB) |
34.69 |
|
1f948 |
4451 |
86d6ffc8 (2.15 GB) |
28.49 |
A sample memory allocations (of size 26758 and 1f948) look like there is some reference to the system certificates in it.
The above two images look to be the contents of Microsoft's certificate trust list (authrootstl.cab --> authroot.stl).
This kind of memory allocation comes from within crypt32.dll when WinVerifyTrust is called and when it's happening too often then this kind of memory allocation can be seen piling up.
Resolution
1. Generate a SepWscSvc64 process dump :
- Download ProcDump.
- Right-click Procdump.zip, select Extract All... and extract the files to the Windows folder.
- Create a dump directory such as c:\dumps\
- Reproduce the issue
- Open a Command Prompt (cmd.exe) window.
- Run the below command to collect the process dump. Refer article : How to gather a process dump using the ProcDump Tool
- procdump -ma SepWscSvc64 -i c:\dumps
2. Check for Event ID 4107 in the Event viewer.
Description : Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
3. Update the Certificate trust list from certificate store.
Additional Information
Feedback
