bobbonomo

OAsrv running at 50% CPU


Today this oasrv.exe 50% problem hit me after being away from the computer for a few hours (so Emsi updates would have come in). It seemed I could not go to any site, then I noticed I was in "Bank mode", which I did not set. Set it back to standard. Disabled/Enabled OA. Rebooted too. It seems that whenever there is any traffic oasrv.exe goes to 50% (IE or FF). I could not even log in to this forum. At times the network icon showed no network. I am on another PC now so it is not my network.

 

Disabling OA makes the PC operate like it did early this morning.

 

Smells like traffic is being blocked somewhere. So bad the PC thinks the network is down.

 

Read the thread above about debug on. Will try that. Will try with my Wireshark on just to see if traffic is coming back from the Internet.


Just reading this forum and your blog keeps the oasrv.exe at 50%. Feels like I'm using a Pentium 1.

Clicking a link on your blog to a Wired article takes over 2 minutes to come in. It's been over 5 minutes and the wheel is still turning and 50%.

 

With OA disabled I used IE to get the same Wired article and it was just ~15 seconds.


bobbonomo -

 

I reboot my PC every morning. Even then I find that I have to stop/restart OA at least twice a day in order to 'reset' OA.

 

Worse still, I find that if I leave my PC for a couple of hours - with no applications running - the OA usage still climbs.

 

This makes Fabian's suggestion (i.e. close down all applications and monitor OA) a tad difficult since the "interaction" appears to point to one of the Microsoft services or one of those TSR (terminate and stay resident) stubs.

 

My network traffic is limited to browsing with IE11 with only the Shockwave add-in enabled, so network traffic is minimal. I would be very interested to hear if Wireshark reports anything of interest.

 

Finally, you will find a number of topics on this forum - going back some time - complaining about OA's high utilisation. Unfortunately we all still await a resolution <sigh>

 

- haiku


The Wireshark test gives too much data. I have closed all applications but monitor OA means what?

I use process explorer instead of the task manager and OAsrv.exe is at 50%. If there were MS services interaction it would show activity.

50% only if http traffic. FTP does not seem to affect.

 

The real test is a page like this from their blog:

http://www.wired.com/2014/07/hacking-google-maps/

 

I used FF with a cleared cache and the status bar on so I can see which URLs it is accessing. About 5 minutes before this status bar shows no activity with OA on. About 40 seconds without OA on. On this computer with Norton 360, about 40 seconds.

 

Conclusion: OA

 

Maybe I never noticed this before but doubt it. My process explorer meter is always on. I would have noticed a steady 50% before. Since yesterday the Internet on that computer is not usable.


Just to clarify: my OA starts normally, but over time - and this does not appear to relate to keyboard activity i.e. files opened etc. - OASRV usage increases to 50% on a dual core PC.


Post 4 above should read:

About 40 seconds without OA off

I only see this while surfing. I can see it taking a little longer since OA has to process all the traffic inbound but from 40 seconds to a little under 5 minutes is NOT "a little"

 

I will do the same test a little later.

 

Today I was able to login to this forum.


I have a similar thread running on this forum. As a temporary measure I have disabled DNS prefetch in Firefox. Not sure how to do it in other browsers.

 

The other thing I want to mention is that when I first noticed this "problem" I saw a $ sign on the OA icon. I had never turned on banking mode. Coincidence or clue? Unknown.

 

For OA to consume CPU it has to process stuff, not waiting to process stuff.

Agreed on this.


I'm not 100% sure about the DNS-related thing. It does not fix the problem entirely.

Explanation:

I notice this slowness on a local static page (file://) produced by my web statistics program. How could this be I said. Ah yes. In my reports there are referring URLs and FF does a prefetch for each one. Disabling prefetch did fix this specific problem totally.

 

Using this link from this forum's blog with a cleared cache (FF) it took 2 minutes 45 seconds to totally finish. 45 seconds before anything appeared on my screen. ~45 seconds without OA.

http://www.wired.com/2014/07/hacking-google-maps/

When I say totally finished I mean that I look at the status line at the bottom of FF where I see what URL it is fetching. When that stops I call it finished. So yes DNS activity. Lots.

 

Hmmm! So I should perform more testing to validate or not this DNS theory.

 

Unlike haiku above, OA drops to zero when there is no Internet traffic so his problem is of a different variety.

 

I always have the CPU meter running.


This just struck me. I agreed with the statement below:

For OA to consume CPU it has to process stuff, not waiting to process stuff.

Now what if that were the problem. Instead of idling it is looping while waiting to process stuff.


Here are the results of an unscientific test (only the wall clock used)
I hit http://blog.emsisoft.com/2014/07/31/emsisoft-runs-4-month-malware-protection-marathon-at-av-comparatives-finishes-first/?ref=newsbox_news140805&utm_source=software&utm_medium=newsbox&utm_content=news140805&utm_campaign=newsbox_news140805

This will fill my ISP's DNS with the required entries.

My testing:
All this time FF prefetch is disabled. I close FF before each test.

1) With OA on I clear the FF cache and Win7 DNS cache and hit:
http://blog.emsisoft.com/2014/07/31/emsisoft-runs-4-month-malware-protection-marathon-at-av-comparatives-finishes-first/?ref=newsbox_news140805&utm_source=software&utm_medium=newsbox&utm_content=news140805&utm_campaign=newsbox_news140805

1 minute 30 seconds

2) With OA on I clear the FF cache and Win7 DNS cache again and hit the same page again:
1 minute 45 seconds. This is close

3) I clear the FF cache and Win7 DNS cache again and hit the same page but this time with OA off:
15 seconds

4) I turn OA on but this time the FF cache is still loaded and so is the Win7 DNS cache
1 minute 20 seconds

5) I do the same test 4 again
1 minute 20 seconds

6) As a last test I repeat test 1 above and get
1 minute 35 seconds

While there is Internet activity the CPU meter is at 50%. I define totally finished in post 33 above.

I believe this eliminates DNS activity as a reason for slowness.


Those are load times re-starting from a hibernate 3 days ago. A big EMSI update occurred a bit before since the computer had been off 3 days. I also made sure there was no MS update coming in. I can retry from a boot but will bet a Guinness it changes nothing.


I shut down hard then restarted the machine.

 

I populate my ISP's DNS cache by going to the test page.

My testing:
All this time FF prefetch is disabled. I close FF before each test.

1) With OA on I clear the FF cache and Win7 DNS cache and hit the test page:
1 minute 45 seconds

2) I turn OA off, clear the FF cache and Win7 DNS cache again and do the test:
15 seconds

3) I turn OA on but this time the FF cache is still loaded and so is the Win7 DNS cache
1 minute 25 seconds

While there is Internet activity the OAsrv.exe is at ~50%


It looks like the amount of static packet rules is too high on your system. Can you please export your settings and reinstall to see if the problem still occurs? If it doesn't, try importing the settings again and check if it reappears.


OK will try that and get back.

 

But even before starting that PC here is something I noticed before my first post here. When I looked at the domain list there was a whole lot (and I mean lots) of reverse domain entries like nn.nn.nn.nn.in-addr.arpa that were labelled trusted. I found that odd and wondered why. So I deleted them figuring that was it. But it was not. Your reply almost suggests that whatever file these are contained in has not been compressed and export/import will do that. I started to see this "problem" after running my web statistics program which does RDNS to resolve domains. Hmmm


I presume you mean backup and restore in the options menu of OA. Did this and the problem still occurs. After a restore my network icon showed no Internet connectivity. I could not ping yahoo.com. But I could access my local router so it was just Internet. I stopped OA and restarted it. But the problem persists. I even did a full restart of Win7. I did backup a few times just to see file sizes.


I uninstalled and reinstalled. What could I lose? System seems to respond correctly. We will see.

 

I'm disappointed that support was a bit poor to non-existent for this problem.


I uninstalled and reinstalled. What could I lose? System seems to respond correctly. We will see.

Which would suggest the problem is the amount of rules that were collected on your system over time. We are looking into it. I assume you haven't imported your old settings backup yet?


You had mentioned "static packet rules is too high on your system". I see an accumulation of rules in the program tab but these are for programs I installed and batch files I created. All this is at the application level. I presume that once a program is cleared to run then packet rules out/in are at some IP level. OA is busy scanning something which must be certain IP traffic. HTTP yes. Not FTP. Not Streaming.

I have not and will not import whatever it is you say. It is not clear what you are saying. I see no import/export. I presume you mean backup and restore in the options menu of OA. You did not answer this in my previous post. These were saved as OA files. I still have them.

After I had done this backup/restore in my previous post I noticed that it had to re-learn some program rules. It was now asking about some basic Microsoft DLLs. That is when I decided to uninstall and start over.
 

Which would suggest the problem is the amount of rules that were collected on your system over time

 

Exactly what are these rules we are talking about. Can I see them?


You had mentioned "static packet rules is too high on your system". I see an accumulation of rules in the program tab but these are for programs I installed and batch files I created. All this is at the application level. I presume that once a program is cleared to run then packet rules out/in are at some IP level. OA is busy scanning something which must be certain IP traffic. HTTP yes. Not FTP. Not Streaming.

Online Armor doesn't actually care about the protocol with very few exceptions. On a network level everything looks the same anyways. So the type of traffic won't matter. What does matter is the amount of traffic and the amount of rules that each packet needs to be matched against. The number of rules OA can cache in kernel mode is limited though and if this limit is reached all network packets are forced to go through the Online Armor service in user mode, which absolutely destroys performance.

Exactly what are these rules we are talking about. Can I see them?

Those rules are internal only. It will be hard to make sense of them even if you see them. This is especially true since there are most likely thousands of them. One likely reason is that Online Armor doesn't recognize when an application closes a connection properly. This may result in Online Armor not cleaning out temporary rules properly, causing the kernel mode rule table to exceed its size limitation, causing the low performance user mode processing. As I mentioned before, we are looking into this particular issue.
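
Added example (not part of the thread and not Online Armor code): a toy Python model of the failure mode described in the reply above, where temporary per-connection rules that are never cleaned out fill a size-limited kernel-mode table and push every packet onto the slow user-mode path. The table limit, the relative packet costs and all class and function names are assumptions made up for the illustration.

```python
# Toy model of a bounded fast-path rule table (added example, hypothetical
# names and numbers; the real limit and costs are not given in the thread).
KERNEL_TABLE_LIMIT = 1000      # assumed capacity of the kernel-mode rule cache
FAST_COST, SLOW_COST = 1, 50   # assumed per-packet cost: kernel vs. user mode


class Firewall:
    def __init__(self, limit=KERNEL_TABLE_LIMIT):
        self.limit = limit
        self.kernel_rules = set()  # temporary rules, one per tracked connection

    def open_connection(self, conn_id):
        # A temporary rule is cached only while the table has room.
        if len(self.kernel_rules) < self.limit:
            self.kernel_rules.add(conn_id)

    def close_connection(self, conn_id, close_seen=True):
        # If the close is not recognized, the temporary rule is leaked.
        if close_seen:
            self.kernel_rules.discard(conn_id)

    def packet_cost(self):
        # Once the limit is reached, all packets take the user-mode path.
        full = len(self.kernel_rules) >= self.limit
        return SLOW_COST if full else FAST_COST

    def reboot(self):
        self.kernel_rules.clear()


def browse(fw, pages, conns_per_page, packets_per_conn,
           missed_close_every=0, start_id=0):
    """Load pages; every Nth close is missed (0 = none). Return total cost."""
    cost, conn_id = 0, start_id
    for _ in range(pages * conns_per_page):
        conn_id += 1
        fw.open_connection(conn_id)
        cost += packets_per_conn * fw.packet_cost()
        missed = missed_close_every and conn_id % missed_close_every == 0
        fw.close_connection(conn_id, close_seen=not missed)
    return cost


if __name__ == "__main__":
    healthy = browse(Firewall(), 100, 40, 20)
    leaky_fw = Firewall()
    leaky = browse(leaky_fw, 100, 40, 20, missed_close_every=3)
    print("healthy:", healthy, "leaky:", leaky)
    print("one page, table full:", browse(leaky_fw, 1, 40, 20, start_id=4000))
    leaky_fw.reboot()
    print("one page, after reboot:", browse(leaky_fw, 1, 40, 20))
```
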

The number of rules OA can cache in kernel mode is limited though and if this limit is reached all network packets are forced to go through the Online Armor service in user mode, which absolutely destroys performance

 

Makes sense. So are you saying I should reboot more often. I presume these rules should be cleaned on reboot. Guessing they are not


Makes sense. So are you saying I should reboot more often. I presume these rules should be cleaned on reboot. Guessing they are not

A reboot can help to alleviate the problem, if rule table exhaustion is indeed the cause of the slow downs on your system.


For now all is good. The CPU meter hardly goes up while on the Internet. Will keep my eyes open.

I realise I will have to "accept" all that I did before but I was aware of this when I uninstalled.
