High CPU use by mcshield.exe, and wmiprvse.exe/mcshield.exe repeatedly open/close tzres.dll/tzres.dll.mui
Last Modified: 2023-01-12 19:57:42 Etc/GMT
Technical Articles ID: KB88026

Environment
Endpoint Security (ENS) Threat Prevention 10.x

Problem
The
The

0.0000237 PID# wmiprvse.exe IRP_MJ_CREATE SUCCESS C:\Windows\System32\tzres.dll
0.0000050 PID# wmiprvse.exe FASTIO_QUERY_INFORMATION SUCCESS C:\Windows\System32\tzres.dll
0.0000319 PID# wmiprvse.exe IRP_MJ_CLEANUP SUCCESS C:\Windows\System32\tzres.dll
0.0000143 PID# wmiprvse.exe IRP_MJ_CLOSE SUCCESS C:\Windows\System32\tzres.dll
0.0001728 PID# wmiprvse.exe IRP_MJ_CREATE SUCCESS C:\Windows\System32\tzres.dll
0.0000079 PID# wmiprvse.exe FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION FILE LOCKED WITH ONLY READERS C:\Windows\System32\tzres.dll
0.0000296 PID# wmiprvse.exe FASTIO_QUERY_INFORMATION SUCCESS C:\Windows\System32\tzres.dll
0.0000034 PID# wmiprvse.exe FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\tzres.dll
0.0000114 PID# wmiprvse.exe FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\tzres.dll
0.0000028 PID# wmiprvse.exe FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\tzres.dll
0.0000170 PID# wmiprvse.exe IRP_MJ_CLEANUP SUCCESS C:\Windows\System32\tzres.dll
0.0000124 PID# wmiprvse.exe IRP_MJ_CLOSE SUCCESS C:\Windows\System32\tzres.dll

The

0.0000124 PID# wmiprvse.exe FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION FILE LOCKED WITH ONLY READERS C:\Windows\System32\en-US\tzres.dll.mui
0.0000069 PID# wmiprvse.exe FASTIO_QUERY_INFORMATION SUCCESS C:\Windows\System32\en-US\tzres.dll.mui
0.0000038 PID# wmiprvse.exe FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\en-US\tzres.dll.mui
0.0000181 PID# wmiprvse.exe FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\en-US\tzres.dll.mui
0.0000030 PID# wmiprvse.exe FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\en-US\tzres.dll.mui
0.0000470 PID# wmiprvse.exe IRP_MJ_CLEANUP SUCCESS C:\Windows\System32\en-US\tzres.dll.mui
0.0000153 PID# wmiprvse.exe IRP_MJ_CLOSE SUCCESS C:\Windows\System32\en-US\tzres.dll.mui

Cause
A process that tasks the WMI service host provider (

The

Solution
This is a third-party application issue that ENS exposes. To determine why

After you have identified the application that is causing the issue, contact the manufacturer for more investigation.
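An added example, not part of the original article and not Trellix code: a small Python parser for trace rows in the layout shown under Problem, counting completed open/close cycles per process and file so the repeatedly reopened file stands out. The column meanings (first column read as a duration in seconds) and all function names are assumptions.

```python
import re
from collections import defaultdict

# Assumed column order, inferred from the trace above: duration, PID, process,
# operation, result, path. The result column may be several words.
LINE = re.compile(
    r"^(?P<dur>\d+\.\d+)\s+(?P<pid>\S+)\s+(?P<proc>\S+)\s+"
    r"(?P<op>(?:IRP_MJ|FASTIO)_[A-Z_]+)\s+(?P<result>.+?)\s+(?P<path>[A-Za-z]:\\.+)$")

# Subset of rows copied from the trace above; "PID#" is the page's own placeholder.
SAMPLE = r"""
0.0000237 PID# wmiprvse.exe IRP_MJ_CREATE SUCCESS C:\Windows\System32\tzres.dll
0.0000050 PID# wmiprvse.exe FASTIO_QUERY_INFORMATION SUCCESS C:\Windows\System32\tzres.dll
0.0000319 PID# wmiprvse.exe IRP_MJ_CLEANUP SUCCESS C:\Windows\System32\tzres.dll
0.0000143 PID# wmiprvse.exe IRP_MJ_CLOSE SUCCESS C:\Windows\System32\tzres.dll
0.0001728 PID# wmiprvse.exe IRP_MJ_CREATE SUCCESS C:\Windows\System32\tzres.dll
0.0000079 PID# wmiprvse.exe FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION FILE LOCKED WITH ONLY READERS C:\Windows\System32\tzres.dll
0.0000170 PID# wmiprvse.exe IRP_MJ_CLEANUP SUCCESS C:\Windows\System32\tzres.dll
0.0000124 PID# wmiprvse.exe IRP_MJ_CLOSE SUCCESS C:\Windows\System32\tzres.dll
0.0000470 PID# wmiprvse.exe IRP_MJ_CLEANUP SUCCESS C:\Windows\System32\en-US\tzres.dll.mui
0.0000153 PID# wmiprvse.exe IRP_MJ_CLOSE SUCCESS C:\Windows\System32\en-US\tzres.dll.mui
"""

def parse(text):
    """Yield one dict per row that matches the layout; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield {**m.groupdict(), "dur": float(m["dur"])}

def open_close_cycles(rows):
    """Count completed IRP_MJ_CREATE -> IRP_MJ_CLOSE cycles per (process, path)."""
    pending = defaultdict(int)  # successful opens not yet closed
    stats = defaultdict(lambda: {"cycles": 0, "seconds": 0.0})
    for r in rows:
        key = (r["proc"].lower(), r["path"].lower())
        stats[key]["seconds"] += r["dur"]
        if r["op"] == "IRP_MJ_CREATE" and r["result"] == "SUCCESS":
            pending[key] += 1
        elif r["op"] == "IRP_MJ_CLOSE" and pending[key]:
            pending[key] -= 1  # a close whose open is outside the trace is not counted
            stats[key]["cycles"] += 1
    return dict(stats)

def hot_files(stats, min_cycles=2):
    """Return (process, path, cycles) for files reopened at least min_cycles times."""
    hits = [(p, f, s["cycles"]) for (p, f), s in stats.items() if s["cycles"] >= min_cycles]
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    print(hot_files(open_close_cycles(parse(SAMPLE))))
```

On a full capture, a high cycle count for one process and file over a short interval matches the pattern this article describes.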