How To Use Windows Performance Toolkit to Troubleshoot High Antivirus Activity

The first time I began using Windows 10 on my laptop, I noticed a lot of CPU activity in the first minutes after the system’s startup …

The Windows Task Manager shows me that this CPU activity is caused by my Sophos Antivirus!

And I was asking myself: why is my antivirus using CPU like that? I guess it is doing its job, scanning for viruses or other threats …

But I was wondering: why does it do that each time I start Windows?

So, I decided to use Windows Performance Toolkit to figure this out.

  • First, I restarted my laptop.
  • Just after I logged in to Windows, I started Windows Performance Recorder (WPR) to record a trace.
  • When the high CPU activity happened, I waited a few seconds to allow WPR to record it.
    See this post to learn more about recording a trace with WPR.

In WPA I’ll use the CPU Usage (Precise) graph for my investigation.

You can see from the graph the antivirus’ high CPU activity, which represents 60% of total CPU activity over time and at moments reaches 100%.

My theory was: there is a process doing something on the system, maybe accessing files, and the antivirus is checking this activity. But in the graph, I don’t see any other process with high CPU activity!

To get my answer, I’ll use the Readying Process and the Waits columns.
Why?

The Readying Process is the process that makes the New Process (in our case SavService.exe) ready to execute on the CPU. In simple words, the Readying Process tells the New Process: Hi, I finished running, and it’s your turn to run on the CPU.

The Waits column informs us about the total time the New Process (Sophos AV) spent waiting on the Readying Process to finish executing on the CPU, to get a chance to execute in turn.

So finding the Readying Process with the highest wait time will probably reveal the culprit.

[Screenshot: WPA_Sophos_Waits_01.PNG]

There are many threads running in the SavService.exe process context. I’ll expand the first ones and check for the readying process with the highest wait time.

[Screenshot: WPA_Sophos_Waits_02]

One process appears with a high wait time: the CompatTelRunner.exe process…
How can you interpret that?

Sophos Antivirus thread 4412 waits for a total of 28 s on CompatTelRunner.exe threads to finish running before it gets the CPU to run its code.

The same thing is happening for the other antivirus threads.
So there is a big chance that the CompatTelRunner process is causing all this antivirus activity.

The next step is to identify the CompatTelRunner process and how it starts.

You can do a Google search on the CompatTelRunner keyword and get results telling you that this is the Microsoft Compatibility Telemetry program, which collects data on how frequently you use features and applications, system files, and likely other things. It often causes high CPU or disk activity, and it’s recommended that you disable it.

But let’s continue our troubleshooting as if this is not a known issue, just to show the steps to go through to solve this kind of issue using WPT.

So, to identify the images and the CompatTelRunner.exe processes, I’ll use the Images table and the Processes table:

[Screenshot: Images_01]

In the Images table, you can read “Microsoft Compatibility Telemetry” in the “File description” column. You can read more about this program here: http://www.zdnet.com/article/windows-10-telemetry-secrets/

After that, I need to know how this program is started, by using the Processes table.

[Screenshot: Processes_01]

In the “Command line” column, there is this parameter: “DoScheduledTelemetryRun”. It seems like a scheduled task.

Now I have to go to the scheduled tasks and disable this task. But how to find it quickly among the other Windows tasks?

There is a command line that will extract all the scheduled tasks and copy them into a CSV file, so that I can import it into Excel and get the information I need.

This command is “schtasks /query /fo LIST | clip.exe”.
By disabling this task the problem was solved.
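As an added example that is not part of the original post, the same search can be done without Excel: this PowerShell walks the scheduled tasks with the built-in ScheduledTasks module and matches each task’s action against the command line WPA showed, then disables the matches (the function name and its pattern parameter are my own; it assumes Windows 8 / Server 2012 or later and an elevated prompt).

```powershell
# Added example: locate the scheduled task whose action launches CompatTelRunner.exe
# or passes the DoScheduledTelemetryRun argument seen in WPA's "Command line" column.
function Find-TaskByCommandLine {
    param(
        # Regex matched against "<executable> <arguments>" of each task action (hypothetical parameter).
        [Parameter(Mandatory)] [string] $Pattern
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; other action types yield $null here.
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $Pattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

# 1. Find the task(s) behind the command line WPA showed and review them first.
$hits = Find-TaskByCommandLine -Pattern 'CompatTelRunner|DoScheduledTelemetryRun'
$hits | Format-Table -AutoSize

# 2. Disable the reviewed matches (TaskPath keeps the right task when names repeat across folders).
$hits | ForEach-Object {
    Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName
}
```

Re-run step 1 afterwards: the State column of each hit should now read Disabled.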
