You have a system with Endpoint Protection (SEP) that is experiencing high memory usage. You determine that the issue is caused by the SepWscSvc64 service.
Procdump Analysis:
The default process heap (with handle 00340000) of SepWscSvc64.exe is consuming 99.17 % of memory (7.462 GB).
In the process heap with this handle (00340000), top three allocations are like this:
| size (in bytes) | #blocks | total bytes | percentage of total busy bytes |
|---|---|---|---|
| 2773b | 4451 | a87365ab (2.69 GB) | 35.59 |
| 26758 | 4451 | a43612d8 (2.62 GB) | 34.69 |
| 1f948 | 4451 | 86d6ffc8 (2.15 GB) | 28.49 |
Sample memory allocations (of size 26758 and 1f948) appear to contain references to the system certificates.
The above two images look to be the contents of Microsoft's certificate trust list (authrootstl.cab --> authroot.stl).
This kind of memory allocation comes from within crypt32.dll when WinVerifyTrust is called. When that call happens too often, these allocations can be seen piling up.
1. Generate a SepWscSvc64 process dump:
2. Check for Event ID 4107 in the Event viewer.
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
3. Update the certificate trust list from the certificate store.
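
A read-only triage script for the symptom and for step 2 above, added here as an example and not taken from the original article or from the vendor. The memory threshold, the look-back window, and the choice of the Application log as the place to search for Event ID 4107 are assumptions to adjust for your environment.

```powershell
# Added example: correlate SepWscSvc64 memory use with Event ID 4107.
# Read-only: queries process and event log state, changes nothing.
$ProcessName  = 'SepWscSvc64'
$ThresholdGB  = 1    # constructed threshold, tune for your environment
$LookBackDays = 7    # constructed look-back window

# How much private memory is the service holding right now?
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $proc) {
    Write-Warning "$ProcessName is not running on this host."
    return
}
$privateBytes = ($proc | Measure-Object -Property PrivateMemorySize64 -Sum).Sum
$privateGB    = [math]::Round($privateBytes / 1GB, 2)

# Has Event ID 4107 been logged recently?
# Assumption: the event is written to the Application log.
$filter = @{
    LogName   = 'Application'
    Id        = 4107
    StartTime = (Get-Date).AddDays(-$LookBackDays)
}
$events = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # Keep only the failure described on this page (trust list cab extract).
        Where-Object { $_.Message -match 'authrootstl\.cab' }
)

# Summarise: high memory together with recent 4107 events matches the
# pattern described in this article. Get-WinEvent returns newest first.
[pscustomobject]@{
    Process         = $ProcessName
    PrivateMemoryGB = $privateGB
    Event4107Count  = $events.Count
    LastEvent4107   = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
    MatchesSymptom  = ($privateGB -ge $ThresholdGB) -and ($events.Count -gt 0)
}
```

Run it from an elevated PowerShell prompt so that the service process is visible to `Get-Process`.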