High CPU usage on Domain Controllers

Email It to Me Print this Page
Symptoms After installation of Account Lockout Examiner I can see CPU spikes on monitored domain controllers. If I stop Account Lockout Examiner, these spikes are gone.

Cause Account Lockout Examiner tracks lockout events and invalid logon events from the Windows security log of specified DCs. By default is uses WMI calls that may result in high CPU usage of DCs.
Resolution There are two options here:

1. Switch method of communication with Domain Controllers. In this case Account Lockout Examiner will stop querying Domain Controllers for new events in the log, but Domain controllers will notify about new events themselves (WMI feature). This will reduce the number of WMI calls and as a result - reduce CPU usage.

In order to do this perform the following on the machine where Account Lockout Examiner is installed:
  1. Run Registry Editor (regedit),
  2. Go to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS)
  3. Create a DWORD called UseWatcher with value to 1
  4. Restart the Netwrix Account Lockout Examiner service via Services.msc
User-added image


2. If the above does not help, disable usage of WMI to communicate with Domain controllers. A .Net-based mechanism will be used for it.

In order to do this perform the following on the machine where Account Lockout Examiner is installed:
  1. Run Registry Editor (regedit),
  2. Go to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS)
  3. Change the UseWMI value to 0
  4. Restart the Netwrix Account Lockout Examiner service via Services.msc
User-added image
(*) Netwrix Auditor replaces former Change Reporter products
Was this information helpful?