
High Memory usage due to Service SepWscSvc64


Article ID: 239735


Products

Endpoint Protection

Issue/Introduction

You have a system with Endpoint Protection (SEP) that is experiencing high memory usage. You determine that the issue is caused by the service SepWscSvc64.

Cause

ProcDump analysis:

The default process heap (with handle 00340000) of SepWscSvc64.exe is consuming 99.17 % of memory (7.462 GB).

In the process heap with this handle (00340000), the top three allocations are:

| Size (in bytes) | #blocks | Total bytes | Percentage of total busy bytes |
|---|---|---|---|
| 2773b | 4451 | a87365ab (2.69 GB) | 35.59 |
| 26758 | 4451 | a43612d8 (2.62 GB) | 34.69 |
| 1f948 | 4451 | 86d6ffc8 (2.15 GB) | 28.49 |

Sample memory allocations (of size 26758 and 1f948) appear to contain references to the system certificates.

The above two images appear to show the contents of Microsoft's certificate trust list (authrootstl.cab --> authroot.stl).

This kind of memory allocation comes from within crypt32.dll when WinVerifyTrust is called. When it is called too often, these allocations can be seen piling up.

Resolution

1. Generate a SepWscSvc64 process dump:

  1. Download ProcDump.
  2. Right-click Procdump.zip, select Extract All... and extract the files to the Windows folder.
  3. Create a dump directory such as c:\dumps\
  4. Reproduce the issue.
  5. Open a Command Prompt (cmd.exe) window.
  6. Run the command below to collect the process dump. Refer to the article: How to gather a process dump using the ProcDump Tool

     procdump -ma SepWscSvc64 -i c:\dumps

2. Check for Event ID 4107 in the Event Viewer.

Description : Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

3. Update the certificate trust list from the certificate store.

Additional Information

Event ID 4107 or Event ID 11 is logged in the Application log.
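
The memory check and the event lookup from Resolution step 2 can be scripted for triage across several endpoints. The PowerShell below is an added example, not part of the original article or a vendor tool; the Microsoft-Windows-CAPI2 provider name, the 1 GB threshold and the 7-day look-back window are assumptions.

```powershell
# Added triage example; not part of the original article or a vendor tool.
# Assumptions: events come from the Microsoft-Windows-CAPI2 provider; the
# 1 GB threshold and 7-day look-back are illustrative values.
$ProcessName  = 'SepWscSvc64'   # service process named in the article
$ThresholdGB  = 1
$LookBackDays = 7

# 1. Report private bytes and working set of the service process.
$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Warning "$ProcessName is not running on $env:COMPUTERNAME."
}
$procs | ForEach-Object {
    [pscustomobject]@{
        ProcessId    = $_.Id
        PrivateGB    = [math]::Round($_.PrivateMemorySize64 / 1GB, 2)
        WorkingSetGB = [math]::Round($_.WorkingSet64 / 1GB, 2)
        OverLimit    = ($_.PrivateMemorySize64 / 1GB) -gt $ThresholdGB
    }
} | Format-Table -AutoSize

# 2. Find the trust-list auto-update failures (Event ID 4107 or 11).
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4107, 11
    StartTime    = (Get-Date).AddDays(-$LookBackDays)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No Event ID 4107/11 entries in the last $LookBackDays days."
} else {
    # Count per event ID, with the most recent occurrence.
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        }
    } | Format-Table -AutoSize
    # Show the newest message so the failing URL and error text can be compared
    # with the description quoted in Resolution step 2.
    ($events | Sort-Object TimeCreated | Select-Object -Last 1).Message
}
```

A host that shows both `OverLimit = True` and recurring 4107/11 entries matches the pattern described in the Cause section and is a candidate for Resolution step 3.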
