
High Memory usage due to Service SepWscSvc64


Article ID: 239735




Endpoint Protection


You have a system with Endpoint Protection (SEP) that is experiencing high memory usage. You determine that the issue is caused by the service SepWscSvc64.


ProcDump analysis:

The default process heap (with handle 00340000) of SepWscSvc64.exe is consuming 99.17 % of memory (7.462 GB).

In the process heap with this handle (00340000), the top three allocations are:


size (in bytes)   total bytes   percentage of total busy bytes

a87365ab (2.69 GB)
a43612d8 (2.62 GB)
86d6ffc8 (2.15 GB)

Sample memory allocations (of size 26758 and 1f948) appear to contain references to the system certificates.

The two sample allocations appear to hold the contents of Microsoft's certificate trust list (authroot.stl).

This kind of memory allocation comes from within crypt32.dll when WinVerifyTrust is called. When WinVerifyTrust is called too often, these allocations can be seen piling up.


1. Generate a SepWscSvc64 process dump:

  1. Download ProcDump.
  2. Right-click, select Extract All... and extract the files to the Windows folder.
  3. Create a dump directory such as c:\dumps\
  4. Reproduce the issue.
  5. Open a Command Prompt (cmd.exe) window.
  6. Run the command below to collect the process dump. Refer to the article: How to gather a process dump using the ProcDump Tool

     procdump -ma SepWscSvc64 -i c:\dumps

2. Check for Event ID 4107 in the Event Viewer.

Description: Failed extract of third-party root list from auto update cab at: <> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

3. Update the certificate trust list from the certificate store.
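
A quick triage check for the symptom and the event described above, as an added PowerShell example that is not part of the original article. The 7-day look-back window, the 1 GB threshold and the message filter (a substring of the Event ID 4107 description quoted above) are assumptions chosen for illustration.

```powershell
# Added example, not from the original article.
# Assumptions: run in an elevated PowerShell session on the affected machine;
# the look-back window and memory threshold below are constructed values.
$processName = 'SepWscSvc64'            # service process named in the article
$lookBack    = (Get-Date).AddDays(-7)   # constructed look-back window
$thresholdGB = 1                        # constructed threshold for flagging memory use

# 1. Report the private (committed) memory of the service process.
$procs = Get-Process -Name $processName -ErrorAction SilentlyContinue
if ($procs) {
    $procs | ForEach-Object {
        $privateGB = [math]::Round($_.PrivateMemorySize64 / 1GB, 2)
        [pscustomobject]@{
            Process   = $_.ProcessName
            Id        = $_.Id
            PrivateGB = $privateGB
            Flagged   = $privateGB -ge $thresholdGB
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning "$processName is not running."
}

# 2. Look for Event ID 4107 / 11 in the Application log. Event ID 11 is used by
#    many providers, so keep only events whose text matches the description
#    quoted in the article ("third-party root list").
$filter = @{ LogName = 'Application'; Id = 4107, 11; StartTime = $lookBack }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'third-party root list' }

if ($events) {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'FirstLine'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-List
    '{0} matching event(s) since {1}' -f @($events).Count, $lookBack
} else {
    "No Event ID 4107/11 root-list failures found since $lookBack."
}
```

High private memory together with repeated root-list extraction failures matches the pattern the dump analysis describes; neither result alone confirms it.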

Additional Information

Event ID 4107 or Event ID 11 is logged in the Application log