The agent is using a large amount of CPU or memory, is there anything I should check?

Article ID: 304
Category: Configuration
Applies to: All Versions
Created: 2016-03-23

Please ensure that you do not have Registry Auditing enabled for the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\netikus.net\EventSentry\bootscan
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\netikus.net\EventSentry\bootscan

Usually registry auditing becomes enabled for this path due to auditing the EventSentry registry path or auditing the Software path, and these settings are inherited by the bootscan path. The bootscan path contains many numeric checkpoints which are updated every second, and this causes an endless processing loop (the agent reads the event log, updates the numeric checkpoint, an event is generated because the registry was modified, the agent reads the new event, the agent updates the numeric checkpoint...) and causes high CPU and/or memory usage.

To disable registry auditing for the bootscan path, right-click bootscan and choose Permissions, and click Advanced. Go to the Auditing tab and un-check "Include inheritable auditing permissions" and click Remove when prompted about the existing bootscan audit settings. It may take a few minutes for the processing loop to end, at which point the agent CPU and/or memory usage will return to their normal range.

What is the normal CPU and/or memory range for the EventSentry agent?
The agent normally uses 1-3% CPU and less than 100MB of memory. If you observe values larger than this, and the resource usage does not return to the normal range after 5-10 minutes, please open Task Manager and right-click eventsentry_svc.exe and choose Create Dump File. Contact our support department (link below) for information about uploading your dump file for analysis.