High CPU usage on RDS-server

Symptoms

After installing Account Lockout Examiner, remote desktop servers show CPU spikes in the process wmiprvse.exe.
This has been traced back to WMI calls originating from the server running ALE. If we stop the ALE service while the CPU is spiking, the CPU usage drops immediately.

Cause

Account Lockout Examiner tracks lockout events and invalid logon events from the Windows security log of the specified DCs.
Once an invalid logon event is collected from the DC, Account Lockout Examiner connects to the machine where the invalid logon originated and searches its security log for details.

By default the WMI service is used to connect to security logs.

Every invalid logon event on a DC initiates a WMI query to the workstation (or server) on which that logon occurred. If there are a lot of invalid logons on the target machine, the numerous WMI calls can affect its CPU usage.

Resolution

There are two options:

1. Switch the method that is used to connect to security logs.

In this case Account Lockout Examiner will not use the WMI service; it will use a .NET-based mechanism instead. This will reduce the CPU usage of the servers, but it might cause CPU spikes on the Account Lockout Examiner machine.

To do this, perform the following on the machine where Account Lockout Examiner is installed:
  1. Run Registry Editor (regedit)
  2. Go to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS)
  3. Change the UseWMI_Workstations value to 0
  4. Restart the Netwrix Account Lockout Examiner service via Services.msc

2. If option 1 is not enough, disable searching for detailed info about invalid logons.

In this case Account Lockout Examiner will not try to search for information on workstations or servers; the only source will be the domain controllers.
With this scenario you will never see the name of the process that caused the invalid logon.

To do this, perform the following on the machine where Account Lockout Examiner is installed:
  1. Run Registry Editor (regedit)
  2. Go to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS)
  3. Create a new DWORD called PF_Enabled and set its value to 0.
  4. Restart the Netwrix Account Lockout Examiner service via Services.msc
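
The two registry changes above, scripted in PowerShell as an added example (not Netwrix's own tooling). It assumes an elevated session on the Account Lockout Examiner machine and that the service can be matched by the display name used in step 4; the `-Option` parameter and its values are names made up for this example.

```powershell
# Added example. Applies option 1 (UseWMI_Workstations = 0) or option 2 (PF_Enabled = 0),
# records the previous value so the change can be reverted, then restarts the service.
param(
    # Hypothetical parameter: which of the article's two options to apply
    [ValidateSet('SwitchFromWmi', 'DisableDetailSearch')]
    [string]$Option = 'SwitchFromWmi'
)

# The article lists both locations; the Wow6432Node path applies on x64 OS.
$candidates = @(
    'HKLM:\Software\Wow6432Node\NetWrix\Account Lockout Examiner',
    'HKLM:\Software\NetWrix\Account Lockout Examiner'
)
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { throw 'Account Lockout Examiner registry key not found on this machine.' }

$name = if ($Option -eq 'SwitchFromWmi') { 'UseWMI_Workstations' } else { 'PF_Enabled' }

# Read the current value (may be absent) and print it for the change record.
$previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$shown = if ($null -eq $previous) { '<not set>' } else { $previous }
Write-Output "Key: $key"
Write-Output "$name before change: $shown"

if ($null -ne $previous) {
    # Value exists: overwrite it in place, keeping its existing registry type.
    Set-ItemProperty -Path $key -Name $name -Value 0
}
elseif ($name -eq 'PF_Enabled') {
    # Option 2 tells you to create PF_Enabled as a new DWORD.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 | Out-Null
}
else {
    # Option 1 says to change an existing value; do not guess its type if it is missing.
    throw "$name not found under $key; check the installation before changing anything."
}

# Assumption: the service is matched by the display name given in step 4.
$svc = Get-Service -DisplayName 'Netwrix Account Lockout Examiner*' -ErrorAction Stop
$svc | Restart-Service -Force
Write-Output "$name set to 0; restarted service '$($svc.DisplayName)'."
```

Keep the printed "before change" value with your change record; writing it back and restarting the service reverts the setting.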