haiku

OAsrv.exe *32 running at 50% CPU utilization

Recommended Posts

Hi -

 

O/S system: Windows 7 Ultimate 64-bit. Browser is Internet Explorer 10. Online Armor is version 7.0.0.1866 Premium Edition.

 

My machine - used mainly for browsing & email - is rebooted every morning.

 

Unfortunately this has not prevented the machine from slowing down as the day progresses, frequently requiring a reboot if one is to "regain" the speed.

 

This evening I decided to check using Task Manager and discovered that OAsrv.exe *32 was running at 50% CPU utilisation with no applications - other than IE and the window required to create this message - running.

 

A search of the forum showed that this problem has been raised in the past, unfortunately with no definite resolution.

 

Your assistance would be appreciated.

 

Regards

 

-- haiku

Share this post


Link to post
Share on other sites

Lets start by getting an OTL log, and see if it shows the cause of the issue. Please run OTL by following the instructions below:

  • Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  • Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  • Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.

Share this post


Link to post
Share on other sites

What happens when you shut down SABnzbd and DoNotTrackMe/DoNotTrackPlus? Does shutting either of those down have any effect on Online Armor's CPU usage?

Share this post


Link to post
Share on other sites

DoNotTrackMe - a browser plug-in - was only implemented within the last week, so it has no effect.

 

Will test SABnzbd tomorrow.

 

Regards

 

-- haiku

Share this post


Link to post
Share on other sites

DoNotTrackMe - a browser plug-in - was only implemented within the last week, so it has no effect.

It does appear to have a part that runs in the background, so I wasn't certain if that could have any effect. Might just be intended to keep the browser plugin up to date.

Share this post


Link to post
Share on other sites

I rebooted the system at 08h00 this morning and exited SABnzbd immediately.

 

At 14h00 OAsrv.exe was running at 50%.

 

Will repeat with DoNotTrackMe disabled.

 

Regards

 

haiku

Share this post


Link to post
Share on other sites

Disabled the DoNotTrack plug-in and rebooted the system at 15h00

 

NB: The DoNotTrack service did not start.

 

At 21h00 OAsrv,exe was running at 48%

 

Regards

 

-- haiku

Share this post


Link to post
Share on other sites

Lets try this:

  • Click on the Start button, go to All Programs, go to Online Armor, and click on the Online Armor icon to open it.
  • Click on Options in the menu on the left.
  • Go to the Exclusions tab.
  • Click on the Add button.
  • Use the little [+] and [-] icons to the left of folder names to open and close them, find the Dropbox folder (C:\Users\Rowan\AppData\Roaming\Dropbox), click on it to highlight it, and then click OK at the bottom.
  • Close the Online Armor window.
  • Restart your computer.

Share this post


Link to post
Share on other sites

Hi Arthur -

 

No change with Dropbox added to the Exclusions.

 

BTW my last post appears to be missing ??

 

My machine has a dual-core processor, so when I say that the CPU is running at 50% utilization I mean that OAsrv is hogging one of the CPU's.

 

I therefore believe that this thread should be read in conjunction with the thread started by ruirib: "OA taking up 100% CPU"

 

Regards

 

-- haiku

Share this post


Link to post
Share on other sites

OK, lets get Debug Logs, and see if they show the cause of the issue. Please open Online Armor, go to Options in the menu on the left, click the little check box to enable debug mode, restart your computer, and then try reproducing your problem (or at least verify that the CPU usage is too high). After that, please ZIP your entire logs folder (normally C:\Program Files\Online Armor\Logs), upload it to a website such as RapidShare/DepositFiles/BayFiles/etc (which one you use is up to you), and then copy and paste the link to download the file into a reply (or you can send it to me in a Private Message if you don't want the link posted publicly on the forums). Note that, if you don't have a utility such as 7-Zip, WinZip, or WinRar that you can ZIP files and folders by right-clicking on them, going to Send To, and clicking on Compressed (zipped) Folder.

Note that RapidShare and BayFiles have been having issues lately, and we may not be able to download the files from them. If you have DropBox, Google Cloud Storage, or Microsoft SkyDrive then those services would be more reliable. Also, you can attach files to private messages on these forums, and I would believe the limit is up to 128MB, so if the file is smaller than 128MB then you can just attach it to a private message to me on these forums.

Share this post


Link to post
Share on other sites

Hi Arthur -

 

Your request will require me to run in debug mode for most of the day, as the load builds.

 

This is not exactly practical.

 

Given that there are several threads with the same complaint surely you should consolidating / escalating the problem ??

 

haiku

Share this post


Link to post
Share on other sites

Right now we don't know if they are all caused by the same thing, so we are taking each case as a separate issue.

Share this post


Link to post
Share on other sites

Hi Arthur -

 

I wasn't very busy (on the computer) today so was able to create the requested log file - see attached.

 

NB: I also note the Oasrv.exe starts relatively small (7,500Kb) but soon increases in size (over 50,000Kb) averaging this afternoon around 36,000Kb.

 

haiku

Share this post


Link to post
Share on other sites

Just to let you know, I am creating a bug report on this issue so that our developers can look in to it further.

Share this post


Link to post
Share on other sites

Hi Arthur -

 

Any progress on this problem ? 

 

I am now at the stage where I reboot my machine several times a day just to reset Oasrv <sigh>

 

A few days back I sat watching Task Manager. With no applications running (other than services) the CPU & memory utilisation for Oasrv continued to increase ... :(

 

haiku

Share this post


Link to post
Share on other sites

I have not seen any updates from our developers on this issue.

Does it temporarily resolve the issue temporarily (at least without needing to reboot) if you right-click on the System Tray icon for Online Armor and select to close and shutdown Online Armor, then restart it from the Start Menu?

Share this post


Link to post
Share on other sites

Hi Arthur -

 

I did try - unsuccessfully - closing down OA on one occasion, but that was a long time ago.

 

Will give your suggestion a whirl.

 

Thanks

 

-- haiku

Share this post


Link to post
Share on other sites

Hi Haiku , There is an app called Process Explorer from System Internals which will also give a clue which process makes Online Armor gives the CPU hike. Once that process is identified , you can exclude it from OA 's option. I did the same way for me and it served the purpose for me.

Share this post


Link to post
Share on other sites

Hi trujwin / Arthur -

 

I returned to this posting to find the suggestion re Process Explorer.

 

I have Process Explorer. How do I see which processes are affecting OASRV.EXE ?

 

Many thanks

Share this post


Link to post
Share on other sites

Can someone answer the previous poster's question, as I'd like to use PE or ProcessHacker to try to get an idea why OAsrv is frequently very busy here.

Share this post


Link to post
Share on other sites

In general what happens if Online Armor is using excessive amounts of CPU time is that one of the applications running on your system is causing an abnormal amount of either network or HIPS events. There is unfortunately no easy way to track the cause down. The easiest way is to just close all running applications while watching the CPU usage. Once the application causing the issue is closed, CPU should go back to normal. If that isn't an option, you can create Debug Logs and we can find out the cause of that issue that way. Instructions on how to create debug logs can be found here:

 

http://support.emsisoft.com/topic/3819-how-to-configure-online-armor-debug-logs/

Share this post


Link to post
Share on other sites

A few weeks ago I noticed that sometimes the OAsrv busy condition could be interrupted by issuing

 

  ipconfig /flushdns

 

in a command window.  It doesn't always help, and certainly not for long - it seems to me that OAsrv may go relatively idle for a second or two then go busy again... but I quite often find that that brief interval is enough to get - say - a browser page to load.

 

I tried for about ten days to run my system without the DNS Cache 'service' running.  Despite the dire warnings in XP's Services dialog which suggest that one's internet use will fail completely if this is stopped, it doesn't fail - you just - as you might hope - lose DNS result cacheing.  I found that not having XP cache DNS results didn't make much difference: when OAsrv was behaving properly DNS lookups weren't much slower as far as I could tell (on a fast broadband connection), and when OAsrv was busy the delays were just as long as before.  Incidentally, these delays are typically several minutes long - it's REALLY annoying.

 

It 'feels' a lot like OAsrv is 'blocking' while waiting for a DNS lookup result to be returned.  I also have an impression that it's more likely to happen when a series of DNS requests are made all at once (eg when a browser is trying to load all the constituent parts of a website); apps that only do small amounts of DNS lookups (eg my email client) seem to be delayed much less.

 

Having said that, it's still impossible to tell on a lone netbook whether when the problem happens it's caused by OAsrv, or whether something else in my network connection is the problem.  But I am experiencing it in two houses - which have different manufacturer's cable-modems and routers in them, though they're both using the same ISP.

 

Another thought - does OA ever try to make a decision about something by asking an externam server?  Is there a situation where such a question not being answered could stall OA?

Share this post


Link to post
Share on other sites

It 'feels' a lot like OAsrv is 'blocking' while waiting for a DNS lookup result to be returned.  I also have an impression that it's more likely to happen when a series of DNS requests are made all at once (eg when a browser is trying to load all the constituent parts of a website); apps that only do small amounts of DNS lookups (eg my email client) seem to be delayed much less.

OA does not issue DNS lookups with the exception of the online update and cloud lookups. However, those are done only once are then cached. OA does watch DNS traffic though. That being said: Waiting for a result to be returned does not consume CPU. For OA to consume CPU it has to process stuff, not waiting to process stuff. Can you disable the HIPS completely to see if that makes a difference and to remove it as a possible cause of your problem? If it does, some application is causing an excessive amount of HIPS events. If it doesn't, the problem is somewhere in the actual network filtering. Most likely located in the static filter garbage collection.

 

Another thought - does OA ever try to make a decision about something by asking an externam server?  Is there a situation where such a question not being answered could stall OA?

It does, but only once per process during the first time it sees it. It also does not explain the CPU usage, as waiting for a reply does not use any CPU at all.

Share this post


Link to post
Share on other sites

I understood that OA itself is not likely to be the source of the DNS lookups, but it does look a lot like that's where the delays occur.

 

If I disable the HIPS features, will I later be able to re-enable them?  That is, do I lose all the HIPS-related configuration choices I've made, by doing that?

Share this post


Link to post
Share on other sites

For myself, I find that OASRV starts off at around 2% then gradually increases until it consumes 50%.

 

This appears to happen irrespective of whether or not I am using the machine e.g. during the week-end, when basically all I do is retrieve my email using Outlook.

 

I'll grant that it takes longer to get to 50% when the machine is not used, but the end result is the same. This (to me) indicates that the problem might lie with OA fighting with one of the services, rather than an application.

 

My current "solution" - as suggested by Arthur (above) - is to restart Online Armor when the machine slows <sigh>

 

PS I use IE11 for browsing.

Share this post


Link to post
Share on other sites

@bobbonomo ...  Interesting; you obviously think this is DNS-related too.    Do you find that disabling DNS pre-fetch in FF entirely fixes the problem, or just helps a bit?   I use Firefox too, mainly. 

 

For anyone reading this who doesn't know about DNS Pre-fetch, there's general info at:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching

 

If you want to alter a configuration preference (eg: network.dns.disable.prefetch) you can access the preferences by typing 'about:config' (without the quotes, but include the colon) in the URL bar in Firefox and press enter.  Acknowledge the 'here be dragons' warning and you'll be shown a long list of preferences that govern how Firefox works.  You can see a subset by typing part of some group of preferences names in the 'search' field, eg if you type just 'network.d' you'll see just those whose names start with those letters.  When a list is displayed you can see if the options are built-in to FF, or have been changed by you (which includes being changed even if you were unaware of this, by any plugin you use).  To change the value of a preference you can right-click it and - say - choose Toggle, which reverses its value.  Values you change are shown in the list in bold type and say "User set" next to them, so you can see when eg you change a default value to something else.  I would recommend that anyone who changes a value here keep some notes somewhere saying what they changed and why, otherwise the change may be a mystery to you later.

Share this post


Link to post
Share on other sites

If I disable the HIPS features, will I later be able to re-enable them?  That is, do I lose all the HIPS-related configuration choices I've made, by doing that?

Sure. You can enable and disable the HIPS without any issues as often as you want without loosing settings.

Share this post


Link to post
Share on other sites

Just an update - I didn't turn off the HIPS features, but did turn off Firefox's DNS pre-fetch.  This produced a significant improvment.  I do still see a few prolonged periods of OAsrv high cpu, but mainly spikes in its cpu use which last maybe 10-15 seconds and fall again... which could just be OA doing its job.

I've not had a chance to investigate this firther (different machines, more than one internet connection) yet. 

Share this post


Link to post
Share on other sites

Thanks Jeremy. We did find a problem when it comes to parsing UDP packets that can lead to the static endpoint rule table overflowing. DNS requests are technically UDP packets so it makes sense that disabling the pre-fetching reduces the system load if you run into this particular issue.

Share this post


Link to post
Share on other sites
We did find a problem when it comes to parsing UDP packets that can lead to the static endpoint rule table overflowing

 

 

Ah Fabian remember me with the same type of problem. Does the "fix" for this make it's way into the automatic product update.

 

BTW JeremyNicoll, I reinstalled my product and my problem went away.

 

http://support.emsisoft.com/topic/15208-oasrv-running-at-50-cpu/

Share this post


Link to post
Share on other sites

... Does the "fix" for this make it's way into the automatic product update.

Online Armor program updates are currently on hold until Emsisoft Internet Security 9 is released. After that we do have plans to do some updates to Online Armor. ;)

Share this post


Link to post
Share on other sites

Thanks Jeremy. We did find a problem when it comes to parsing UDP packets that can lead to the static endpoint rule table overflowing. DNS requests are technically UDP packets so it makes sense that disabling the pre-fetching reduces the system load if you run into this particular issue.

Could this be why I keep having to delete over 5,000 dns logs per week from OA's log folder? If I download anything using Tixati torrent client then OA begins creating dns log files one after the other.

Share this post


Link to post
Share on other sites

Could this be why I keep having to delete over 5,000 dns logs per week from OA's log folder? If I download anything using Tixati torrent client then OA begins creating dns log files one after the other.

No. Your issue is unrelated.

Share this post


Link to post
Share on other sites

CPU load during high amounts of traffic is better in EIS. It is still not where we want it to be though. Especially single applications creating large amounts of connections (P2P based applications) can still cause elevated CPU load.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.