High CPU Usage Windows Firewall

    Question

  • Hi

    We have deployed 100 clients with Windows 7 and we have seen a strange problem on several clients, and the problem seems to escalate; for now we have 15 confirmed cases where we have very high CPU usage. The process that causes this CPU load is “svchost.exe”, which runs at 50% all the time and consumes about 400-600MB, and the services causing this high load seem to be DPS “Diagnostics Policy Service”, BFE “Base Filtering Engine”, MpsSvc “Windows Firewall”.

    The consequence for users is that their computers get very slow and not usable; opening Outlook can take several minutes. We have isolated the problem to the Windows Firewall: when we disable the Windows Firewall (“Turn it Off”) the CPU load is gone. This is not a solution, just a workaround. We need to have the Windows Firewall enabled.

    The Firewall settings are controlled by a GPO; when we turn it off by a GPO all problems disappear.

    Some troubleshooting steps we have tried with no result.

    ·        The problem happens on different hardware, both laptop and desktop computers, so we don’t suspect any hardware-related problems.

    ·        We have updated to the latest drivers.

    ·        We suspected the Cisco VPN program, but unfortunately some of the computers are desktop computers, so they don’t have VPN software.

    ·        We have removed the Firewall GPO so the Windows Firewall is not configured, which means Firewall ON for Inbound Rules, Outbound OFF.

    ·        Created a new Firewall GPO in case the old one has been corrupted.

    ·        Removed all GPOs except Windows Firewall

    ·        Disconnected the network when having the problem.

    ·        Uninstalled antivirus program

    ·        Disabled Windows Defender

     

    None of these actions has solved the problem.


    Any help would be appreciated.

    Best Regards

    Thomas Zetterman
    Tuesday, January 19, 2010 7:33 PM

Answers

  • Hi,

    These system services should be OK and no third party process is listed.

    I know that the hardware drivers have been updated, but I also would like to suggest you update the BIOS and the hardware drive firmware, if they are available.

    Regards,
    Arthur Li - MSFT
    Monday, January 25, 2010 4:22 AM
    Moderator

All replies

  • Hi Thomas,

    follow my guide here:

    http://www.msfn.org/board/get-cause-high-cpu-usage-caused-apps-t140264.html

    Which function is causing the usage?

    André

    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    Wednesday, January 20, 2010 3:58 PM
  • Hi Thomas,

     

    I would like to confirm what is the result when the problematic computers are running in Clean Boot?

     

    Regards,

     

     


    Arthur Li - MSFT
    Thursday, January 21, 2010 6:53 AM
    Moderator
  • Hi, the program that causes this seems to be ntdll.dll mpsvc.dll ntkernel.dll fwlpucnt.dll bfe.dll ntkrpamp.dll  tcpip.sys netios.sys; it looks like internal processes.  If you need the entire latency.etl file and print screens from the stack counts summary, send me an email at thomas.zetterman@hotmail.com and I will forward the files.

    Thanks for your help so far

    Best Regards

    Thomas

    Thursday, January 21, 2010 11:14 PM
  • Hi

    We receive the same result when doing a Clean Boot.

    We have now registered a case with MS PSP.

    Any other suggestions on how to continue the troubleshooting?

    Thanks for your help so far

    Best Regards

    Thomas
    Thursday, January 21, 2010 11:18 PM
  • Hi Thomas,

     

    I would like to confirm the following questions

     

    1.    What’s the result when disconnecting to the Server?

    2.    Do you have any third party firewall or antivirus program installed?

     

    I would like to suggest you run Process Explorer, click View and select Show Process Tree. Please check which process takes the highest CPU usage.

     

    Regards,


    Arthur Li - MSFT
    Friday, January 22, 2010 4:46 AM
    Moderator
  • Hi

    "1  What’s the result when disconnecting to the Server?" No difference occurs; svchost.exe still takes 50% CPU.
    "2 Do you have any third party firewall or antivirus program installed?" No third-party firewall; we use Forefront as antivirus program.

    When running Process Explorer we see svchost.exe takes about 50% CPU; when we double-click it and choose the Services tab there are 3 listed services:
    BFE Base Filtering Engine C:\windows\system32\bfe.dll
    DPS Diagnostic Policy Service C:\windows\system32\dps.dll
    Mpssvc Windows Firewall C:\windows\system32\mpssvc.dll

    Regards

    Thomas Z
    Friday, January 22, 2010 8:57 AM
  • Hi,

    These system services should be OK and no third party process is listed.

    I know that the hardware drivers have been updated, but I also would like to suggest you update the BIOS and the hardware drive firmware, if they are available.

    Regards,
    Arthur Li - MSFT
    Monday, January 25, 2010 4:22 AM
    Moderator
  • Hi, we have registered a case, so perhaps PSP will solve this. I will post the answer here when they find the solution.


    Regards

    Thomas Z
    Monday, February 15, 2010 11:40 AM
  • Hi

     

    The problem is now identified: it was caused by Forefront's leaked firewall rules, which caused svchost.exe to have a hard time. We did run a beta 2 product, so this will probably be fixed in the next release. We also used a Swedish MUI on Windows 7, which caused the Forefront deletion function not to work, which is a bug. So after a client has been on the network for a month there could be over 100000 rules. We did a workaround with a netsh command that deleted the duplicated rules, and the clients became like Ferraris again....

    • Proposed as answer by Thomas Z Thursday, April 08, 2010 2:10 PM
    Thursday, April 08, 2010 2:10 PM
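
    Added example (not part of the thread, and not the netsh command Thomas's team ran, which the post does not show): a read-only PowerShell audit that counts the firewall rules on a client and reports rule definitions that exist in many identical copies, the condition the post above describes. The threshold, the report size and the export path are assumptions.

```powershell
# Added example: read-only audit of Windows Firewall rules for leaked duplicates.
# HNetCfg.FwPolicy2 is the firewall COM API available on Windows 7 (PowerShell 2.0).
$DuplicateThreshold = 10   # assumption: this many identical copies is worth reporting
$TopN               = 20   # assumption: number of duplicate groups to print

$policy = New-Object -ComObject HNetCfg.FwPolicy2
$total  = 0
$seen   = @{}

foreach ($rule in $policy.Rules) {
    $total++
    # Rules are treated as duplicates only if every matching-relevant field is equal.
    $key = @(
        $rule.Name, $rule.Direction, $rule.Action, $rule.Enabled, $rule.Profiles,
        $rule.Protocol, $rule.ApplicationName, $rule.ServiceName,
        $rule.LocalPorts, $rule.RemotePorts, $rule.LocalAddresses, $rule.RemoteAddresses
    ) -join '|'

    if ($seen.ContainsKey($key)) {
        $seen[$key].Copies += 1
    } else {
        $seen[$key] = New-Object PSObject -Property @{
            Copies = 1; Name = $rule.Name; Program = $rule.ApplicationName
        }
    }
}

$duplicates = @($seen.Values |
    Where-Object { $_.Copies -ge $DuplicateThreshold } |
    Sort-Object -Property Copies -Descending)

"Total rules: $total   Distinct rules: $($seen.Count)"
"Rule definitions with $DuplicateThreshold or more identical copies: $($duplicates.Count)"
$duplicates | Select-Object -First $TopN | Format-Table Copies, Name, Program -AutoSize

# Cleanup is left commented out on purpose. Export the policy first, and note that
# netsh deletes EVERY rule carrying the given name, so the one legitimate copy has
# to be re-created afterwards (by the product or by policy).
# netsh advfirewall export "C:\Temp\firewall-before-cleanup.wfw"   # path is an assumption
# netsh advfirewall firewall delete rule name="<rule name from the report>"
```

    Running the audit on an affected client and on a freshly imaged one gives a direct comparison of total and distinct rule counts before any rule is deleted.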
  • I also met a similar scenario today.

    I just woke my laptop from sleep and found "svchost.exe" and "services.exe" running at about 50% CPU. I checked "svchost.exe" in Resource Monitor and found that BFE - "base filtering engine" cost about 39% CPU. So I googled, and found this post.

    Fortunately, I soon found that in "Network and Sharing Center" my OpenVPN connection was always showing "identifying ..."; normally it should say "unidentified network". So I reconnected OpenVPN, and all is fine now.

    Yes, before I put my laptop to sleep, I didn't disconnect the OpenVPN connection. It's such a weird problem.
    Sunday, May 23, 2010 7:27 AM
  •  

    I can confirm that we have exactly the same problem with a Dell Latitude E5400, Windows 7 Pro.

    Only disabling the firewall will work.

    Monday, December 27, 2010 12:11 PM
  • We are experiencing the same issue.

    Images were deployed with WDS.

    It would take 5 - 7 minutes before computers would be able to access network resources; disabling the firewall solves the problem.

    3rd party AV - Sophos

    Wednesday, March 02, 2011 1:26 PM
  • Do you use SP1?

    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    Wednesday, March 02, 2011 2:35 PM
  • This problem continues to plague my own GPO / Firewall policies. If I change my GPO policies, the next GPO update causes the exact symptoms described above.  The symptoms require a reboot to stop the CPU usage, and in the meantime IPsec is not functional. 
    Saturday, November 30, 2013 3:35 AM