This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Possible Memory Problem after Windows 10 1903 Update

 

 

Currently have Sophos Central with Sophos Endpoint running on several machines here, i was the first to update to the latest Windows 10 1903 Update and noticed after the machine sitting idle for a while that the above service is consuming a lot of RAM.

 

Any solutions to this?



This thread was automatically locked due to age.
Parents Reply Children
  • Do you see the problem if you disable "Enable Threat Case creation"?

    Also, if you "restart" the computer, how quickly does the problem occur?  Does it take minutes or hours?

    Does it happen at a certain time(s) following the startup and is that the same time(s)?  if it starts occurring at a certain time each day, what happens on the machine at this time which could be the trigger?

    I suppose the question is, can you predict when it will occur?

    Regards,

    Jak

     

  • > Do you see the problem if you disable "Enable Threat Case creation"?

    Have only just disabled this so ... dunno.  Will let you know.

    >Also, if you "restart" the computer, how quickly does the problem occur?  Does it take minutes or hours?

    Well it generally takes hours for the problem to reach the point where a machine actually crashes.

    But that's not to say it doesn't *start* happening soon after boot, it's not easy to tell increasing memory use due to increasing system activity from increasing memory use due to a leak.

    (For users experiencing the problem crashes per user per day range from 0.5 to 2)

    > Does it happen at a certain time(s) following the startup and is that the same time(s)?

    No.

    > if it starts occurring at a certain time each day, what happens on the machine at this time which could be the trigger?

    > I suppose the question is, can you predict when it will occur?

    No.

    I promise that if I do find out I will not hold this information back.

     

     

     

     

  • Thank you for your response. To get better data on when it might start, I would suggest:

    1. Restart the computer.

    2. Once logged in, start an admin prompt and run the command:

    typeperf "\Process(SSPService)\Handle Count" "\Process(SSPService)\Pool Nonpaged Bytes" "\Process(SSPService)\Pool Paged Bytes" "\Process(SSPService)\Private Bytes" "\Process(SSPService)\Working Set" "\Process(SSPService)\Working Set - Private" -O %temp%\sspservice.csv -si 30

    Note: It's all one line. 

    This will sample some of the Windows performance counters for the SSPService every 30 seconds and record the data in %temp%\sspservice.csv.

    If you leave it running until the issue starts and then leave it as long as possible when the issue is occuring it will tell us:
    1. When it started relevant to startup.

    2. The rate of the memory usage over time.

    Maybe you can attach the file here when complete?  Ideally repeating the test twice following the restart to see if:

    1. It does start at a certian time.
    2. It starts at a certain amount of time following startup.

    I suspect it's pretty flat, some event takes place and then it goes up.

    Many thanks again,
    Jak

  • Okay, why not.

    FWIW I've already uploaded extensive perfmon logs of the SSPService process to my support case.

    Over a 23 hour period from ~ 11:20 to ~10:20 on an affected machine with user session logged on throughout but inactive and locked between ~17:30 and ~09:20:

    Handle count varied between 106k and 152k with an average of 131k with the highest points being shortly after user unlock.

    Pool non-paged bytes varied between 5.4m and 15.3m with a steady climb seen after ~ 7 hours and which continued through user unlock with no change in the rate of increase.

    Pool paged bytes varied between 61m and 93m with several rapid increases including one at user unlock.

    Private bytes and Working set showed a general gentle upward trend with a slightly greater rate of increase following user unlock.

    Working set - private showed a general upward trend with a sharp increase after ~7.5 hours followed by a greater rate of increase than the previous trend and a spike (rapid increase followed by rapid decrease to a point on the previous, steeper trend line) around user unlock.

    I won't attach the huge file but here's a screenshot interesting counters include Working Set - Private highlighted in bold black, Pool Paged Bytes in red, I/O Other in cyan:

  • > Do you see the problem if you disable "Enable Threat Case creation"?

    Possibly not.