The first time I began using Windows 10 on my laptop, I noticed that there was a lot of CPU activity during the first minutes after the system’s startup …
The Windows Task Manager shows me that this CPU activity is caused by my Sophos Antivirus!
And I was asking myself, why is my antivirus using the CPU like that? I guess it is doing its job, scanning for viruses or other threats …
But I was wondering, why does it do that each time I start Windows?
So, I decided to use the Windows Performance Toolkit to figure this out.
- First, I restarted my laptop.
- Just after I logged in to Windows, I started Windows Performance Recorder (WPR) to record a trace.
- When the high CPU activity happened, I waited a few seconds to allow WPR to record a trace.
See this post to learn more about recording a trace with WPR: https://goo.gl/77vEqb
In WPA (Windows Performance Analyzer), I’ll use the CPU Precise graph for my investigation.
You can see from the graph the antivirus’s high CPU activity, which represents 60% of total CPU activity over time. At moments it reaches 100%.
My theory was: there is a process that is doing something on the system, maybe accessing files, and the antivirus is checking this activity. But in the graph I don’t see any other process with high CPU activity!
To get my answer, I’ll use the Readying Process and the Waits columns.
The Readying Process is the process that makes the New Process (in our case SavService.exe) ready to execute on the CPU. In simple words, the Readying Process tells the New Process: Hi, I finished running, and it’s your turn to run on the CPU.
The Waits columns inform us about the total time the New Process (Sophos AV) spent waiting on the Readying Process to finish executing on the CPU, to get a chance to execute in turn.
So finding the Readying Process with the high wait time will probably reveal the culprit.
There are many threads running in the SavService.exe process context. I’ll expand the first ones and check for the Readying Process with the highest wait time.
One process appears with a high wait time. It’s the CompatTelRunner.exe process…
How can you interpret that?
The Sophos Antivirus thread 4412 waits a total of 28 s on CompatTelRunner.exe threads to finish running, so that it can get on the CPU to run code.
The same thing is happening for the other antivirus threads.
So there is a good chance that the CompatTelRunner process is causing all this antivirus activity.
The next step is to identify the CompatTelRunner process and how it starts.
You can do a Google search on the CompatTelRunner keyword and get results telling you that this is the Microsoft Compatibility Telemetry program, which collects data on how frequently you use features and applications, system files, and likely more. It often causes high CPU or disk activity, and it’s recommended that you disable it.
But let’s continue our troubleshooting as if this were not a known issue, just to show the steps to go through to solve this kind of issue using WPT.
So, to identify the image and the CompatTelRunner.exe processes, I’ll use the Images table and the Processes table.
In the Images table, you can read “Microsoft Compatibility Telemetry” in the “File Description” column. You can read more about this program here: http://www.zdnet.com/article/windows-10-telemetry-secrets/
After that, I need to know how this program is started, using the Processes table.
In the “Command Line” column, there is this parameter: “DoScheduledTelemetryRun”. It looks like a scheduled task.
Now I have to go to the scheduled tasks and disable this task. But how can I find it quickly among the other Windows tasks?
There is a command line that will extract all the scheduled tasks and copy them in a csv file, so that I can import it into an Excel file and get the information I need.
This command is “schtasks /query /fo LIST | clip.exe”
Disabling this task solved the problem.
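
The lookup described above can also be done without going through Excel, by filtering the scheduled tasks on the command they launch. The following PowerShell is an added example, not part of the original post: it assumes the built-in ScheduledTasks cmdlets (Windows 8 and later) and an elevated prompt, and the variable names `$pattern`, `$hits` and `$Apply` are chosen here for illustration.

```powershell
# Added example: locate scheduled tasks that launch the telemetry runner
# identified in the trace, review them, then optionally disable them.
# Run from an elevated PowerShell prompt.

# Strings taken from the WPA Processes table: the image name and the
# parameter seen in the "Command Line" column.
$pattern = 'CompatTelRunner|DoScheduledTelemetryRun'

# Builds one string per task from all of its actions. COM-handler actions
# have no Execute/Arguments properties and simply contribute empty text.
$commandOf = {
    param($task)
    ($task.Actions | ForEach-Object {
        "$($_.Execute) $($_.Arguments)".Trim()
    }) -join ' ; '
}

# -match is case-insensitive, so "compattelrunner.exe" is found as well.
$hits = Get-ScheduledTask | Where-Object { (& $commandOf $_) -match $pattern }

if (-not $hits) {
    Write-Output 'No scheduled task references the telemetry runner.'
}
else {
    # Review step: show where each task lives, its state and what it runs.
    $hits | Select-Object TaskPath, TaskName, State,
        @{ Name = 'Command'; Expression = { & $commandOf $_ } } |
        Format-List

    # Set to $true only after checking the list above; the default is a
    # read-only audit that changes nothing.
    $Apply = $false
    if ($Apply) {
        # Disable-ScheduledTask accepts task objects from the pipeline and
        # returns them, so the new State is printed for confirmation.
        $hits | Disable-ScheduledTask
    }
}
```

Matching on the action's command line rather than on a task name keeps the search tied to what the trace actually showed, and the same filter works for any other executable found through the Readying Process column.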