How To Use Windows Performance Toolkit to Troubleshoot High Antivirus Activity

When I first began using Windows 10 on my laptop, I noticed a lot of CPU activity in the first minutes after the system's startup.

The Windows Task Manager showed me that my Sophos Antivirus was causing this CPU activity!

I was asking myself why my antivirus was using the CPU like that. I guess it was doing its job by scanning for viruses or other threats.

But I was wondering why it did that each time I started Windows.

So, I decided to use the Windows Performance Toolkit to figure this out.

  • First, I restarted my laptop.
  • Just after I logged in to Windows, I started Windows Performance Recorder (WPR) to record a trace.
  • When the high CPU activity happened, I waited a few seconds to allow WPR to record it.
    See this post to learn more about recording a trace with WPR.

In WPA, I’ll use the CPU Usage (Precise) graph for my investigations.

The graph shows the antivirus' high CPU activity, which represents 60% of total CPU activity over time, and at some moments it reaches 100%.

My theory was that there is a process doing something on the system, maybe accessing files, and the antivirus is checking this activity. But in the graph, I don't see any other process with high CPU activity!

To get my answer, I'll use the Readying Process and the Waits columns of the CPU Usage (Precise) table.
Why?

The Readying Process is the process whose thread makes the New Process (in our case SavService.exe) ready to execute on the CPU, for example by signalling it or releasing something it was waiting on. In simple words, the Readying Process tells the New Process: Hi, I finished running, and it's your turn to run on the CPU.

The Waits column gives the total time the New Process (Sophos AV) spent blocked, waiting for the Readying Process to finish its work on the CPU before it could execute in turn.

So, finding the Readying Process with the highest wait time will probably reveal the culprit.

[Image: WPA_Sophos_Waits_01.PNG]

Many threads are running in the SavService.exe process context. I'll expand the first ones and check for the Readying Process with the highest wait time.

[Image: WPA_Sophos_Waits_02]

One process appears with a high wait time. It's the CompatTelRunner.exe process…
How can you interpret that?

The Sophos Antivirus thread 4412 waits for a total of 28 seconds for CompatTelRunner.exe threads to finish running before it can get onto the CPU to run its code.

The same thing is happening for the other antivirus threads.
So there is a big chance that the CompatTelRunner process is causing all this antivirus activity.

The next step is to identify the CompatTelRunner process and how it starts.

You can do a Google search on the CompatTelRunner keyword and get results telling you that this is the Microsoft Compatibility Telemetry program, which collects data on how frequently you use features and applications, on system files, and likely on other things. It often causes high CPU or disk activity, and it's recommended that you disable it.

But let’s continue our troubleshooting as if this is not a known issue, just to show the steps to go through to solve this kind of issue using WPT.

So, to identify the CompatTelRunner.exe image and process, I'll use the Images table and the Processes table.

[Image: Images_01]

In the Images table, you can read "Microsoft Compatibility Telemetry" in the "File Description" column. You can read more about this program here: http://www.zdnet.com/article/windows-10-telemetry-secrets/

After that, I need to know how this program is started, using the Processes table.

[Image: Processes_01]

In the "Command line" column, there is this parameter: "DoScheduledTelemetryRun". It looks like a scheduled task.

Now I have to go to the scheduled tasks and disable this task. But how do I find it quickly among the other Windows tasks?

There is a command line that extracts all the scheduled tasks, so that I can paste them into a CSV/Excel file and find the information I need.

This command is "schtasks /query /fo LIST | clip.exe".
By disabling this task, the problem was solved.
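A quicker way to go from the command line seen in the WPA Processes table to the scheduled task behind it, as an added example that is not part of the original post: the function below searches every task's actions for a pattern (here the "CompatTelRunner" / "DoScheduledTelemetryRun" strings from the trace) and can disable the matches. It uses the built-in ScheduledTasks module (Windows 8 / Server 2012 and later); the function name, the pattern and the -Disable switch are this example's own choices.

```powershell
# Added example: find (and optionally disable) scheduled tasks whose action command line
# matches a pattern, instead of exporting schtasks output to Excel and searching by hand.
function Find-TaskByCommandLine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Regular expression matched against "<Execute> <Arguments>" of each task action
        [Parameter(Mandatory)] [string] $Pattern,
        # Disable every matching task (preview with -WhatIf; needs an elevated prompt)
        [switch] $Disable
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry a command line; COM handler actions have no Execute.
            if (-not $action.Execute) { continue }
            $cmdLine = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmdLine -notmatch $Pattern) { continue }

            # Run-time details (last/next run) live in the task info object, not the task.
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                CommandLine = $cmdLine
            }

            $fullName = "$($task.TaskPath)$($task.TaskName)"
            if ($Disable -and $PSCmdlet.ShouldProcess($fullName, 'Disable scheduled task')) {
                Disable-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName | Out-Null
            }
        }
    }
}

# 1) Locate the task that launches the CompatTelRunner.exe process seen in the trace.
Find-TaskByCommandLine -Pattern 'CompatTelRunner|DoScheduledTelemetryRun' | Format-Table -AutoSize

# 2) Disable it, as the post does, after previewing the change with -WhatIf.
# Find-TaskByCommandLine -Pattern 'DoScheduledTelemetryRun' -Disable -WhatIf
# Find-TaskByCommandLine -Pattern 'DoScheduledTelemetryRun' -Disable
```

The LastRunTime column is a useful cross-check: it should line up with the time of the high CPU activity in the WPR trace before you disable anything.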
