After a 14.3.x Symantec Endpoint Protection (SEP) client upgrade, the svchost.exe process hosting the User Access Logging Service (UALSVC) consumes a high amount of memory. Servers may become unresponsive, and event ID 2004 Resource Exhaustion Detector events may be seen. You would like to know if this issue is caused by Symantec Endpoint Protection.

Windows server 2012-2022

The Windows Server versions 2012r2 through 2022 have a service that logs user access.  There is an issue with this service that causes a memory leak and the server may stop responding after a while.

This is a confirmed Memory Leak by Microsoft. Please reach out to Microsoft for additional support.

Workarounds:

• Disable the UALSVC if it is not required for your organization
  Manage User Access Logging | Microsoft Docs
  
  
• Monitor and restart the UALSVC if memory usage is high

CRE-8040, CRE-8783, CRE-10782