none
eseutil.exe and conhost.exe each running more than hundred times on Exchange 2013 CU11 Server RRS feed

  • Question

  • On an customers Exchange 2013 CU11 Server on Server 2012 R2 I discovered, that there were hundreds of eseutil and conhost processes open in taskmanager.

    eseutil 142 times
    conhost 149 times

    Any idea what that could be?

    (List shortened due to character limit)

    Image name PID Session name Memory usage
    conhost.exe 30036 Services 1.500 K
    conhost.exe 26760 Services 1.496 K
    conhost.exe 29648 Services 2.956 K
    conhost.exe 26188 Services 764 K
    conhost.exe 37572 Services 1.500 K
    conhost.exe 26744 Services 2.948 K
    conhost.exe 39728 Services 1.504 K
    conhost.exe 5564 Services 2.948 K
    conhost.exe 30448 Services 880 K
    conhost.exe 40348 Services 900 K
    conhost.exe 11692 Services 580 K
    conhost.exe 37376 Services 2.960 K
    conhost.exe 5636 Services 2.076 K
    conhost.exe 46432 Services 1.504 K
    conhost.exe 50524 Services 2.952 K
    conhost.exe 43168 Services 408 K
    eseutil.exe 7404 Services 13.548 K
    eseutil.exe 56796 Services 13.752 K
    eseutil.exe 55524 Services 12.004 K
    eseutil.exe 39576 Services 6.840 K
    eseutil.exe 21352 Services 14.548 K
    eseutil.exe 37296 Services 10.084 K
    eseutil.exe 34420 Services 14.572 K
    eseutil.exe 44104 Services 15.232 K
    eseutil.exe 41460 Services 9.204 K
    eseutil.exe 49364 Services 15.188 K
    eseutil.exe 47288 Services 8.024 K
    eseutil.exe 61944 Services 6.312 K
    eseutil.exe 50244 Services 12.872 K
    eseutil.exe 52184 Services 70.440 K
    eseutil.exe 41812 Services 70.452 K
    eseutil.exe 62452 Services 70.448 K

    Thursday, September 13, 2018 11:12 AM

All replies

  • Hi L_Herzog,

    Maybe some connected remote users are running cmd.exe & eseutil.exe on this server.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Friday, September 14, 2018 9:07 AM
    Moderator
  • Can you try to use netstat to see the PID and find the source IP address connecting to use the process.

    Please mark as an answer if this answers your question .

    PREM RANA

    MCSE Exchange 2013, MCSA 2012 Server MCTS Exchange 2007,

    2010, MCITP Exchange 2007, 2010 MCSE 2003 Server,

    MCSA Exchange 2003 ITIL V3 Foundation

    https://ranaprem.wordpress.com/

    This posting is provided AS IS with no warranties and confers no rights.

    Friday, September 14, 2018 10:02 AM
  • Hi L_Herzog,

    Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Friday, September 21, 2018 1:12 AM
    Moderator
  • Hi,

    the processes have no networks ports open as checked with netstat.
    User: they run as local system.

    After some days I rechecked the server and found multiple processes of eseutil again. Not so many as before but number is slightly increasing.


    In Taskmanager I found the command line befind the eseutli process:

    eseutil /?
    Extensible Storage Engine Utilities for Microsoft(R) Exchange Server
    DESCRIPTION:  Database utilities for the Extensible Storage Engine for Microsoft(R) Exchange Server.

    MODES OF OPERATION:
            ...
             Checksum:   /k <file name> [options]
            ...

    So what is it doing: trying a checksum check of the Esxchange edb Database in the VSS Storage area?

    Maybe thats the point because VSS is limited to 100GB on this Volume and this space is fully utilized. Also by "Previous versions" of files and folders because the server is also acting as a file server share.

     I guess conhost invokes the eseutil command by some scheduled task.

    Is it safe to disable integrity checks of the database? Or should we mount a dedicated Shadow copy volume with more space to the server?





    • Edited by L_Herzog Monday, September 24, 2018 11:39 AM
    Monday, September 24, 2018 11:36 AM
  • Maybe thats the point because VSS is limited to 100GB on this Volume and this space is fully utilized. Also by "Previous versions" of files and folders because the server is also acting as a file server share.

     I guess conhost invokes the eseutil command by some scheduled task.

    Is it safe to disable integrity checks of the database? Or should we mount a dedicated Shadow copy volume with more space to the server?



    Hi L_Herzog,

    Agree with your points, these processes would be invoked by some scheduled task. By default, if the database is mounted and works without any issue, we don't need to run integrity checks, however, for this issue, I'd recommend you mount a dedicated shadow copy volume with more space to the server, this may fix the root cause of this issue.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Tuesday, September 25, 2018 9:48 AM
    Moderator