1

After the last Windows updates, we have high CPU load and page faults on services.exe, approx. 2% CPU per session... We uninstalled all Windows updates done on this date, but the situation is persistent. Process Explorer reveals for services.exe only ntdll as consumer...

How to debug and resolve this issue?

[Images: services.exe CPU load; services.exe graph; Process Explorer properties]

yagmoth555

1 Answer

0

ntdll.dll!DbgUiRemoteBreakin is triggered when the debugger breaks into a process.

Can you validate the published application? Does it run fine and not display a debugger popup to the end user?

I would tend to think the application you publish is no longer running OK; maybe an update on their side might help.

yagmoth555
  • Nope, it's only published desktop, not a single application published... This behaviour comes up after installing m$ updates... but we removed all 6 m$ updates... – Gerhard W. Recher Aug 08 '18 at 13:54
  • @GerhardW.Recher Can you validate what causes the process then? As I told you, it's something that crashed, but that was coded with a debugging runtime. It could even be a bad printer driver, so please test with an end-user connection. – yagmoth555 Aug 08 '18 at 14:32
  • As said, we only use published desktop; only Ricoh drivers are used and they are clean... I suppose a hidden infection, not recognized by Trend Micro OfficeScan. – Gerhard W. Recher Aug 08 '18 at 15:53
  • @GerhardW.Recher I agree, but even if it's a published desktop, I guess they use almost all the same Office apps? I would test with an account without opening anything, and I would test with an account without GPO or printer. Only a third-party driver/app causes such an error as you face. – yagmoth555 Aug 08 '18 at 16:15
  • I just disabled debug with gpedit.msc, only for a built-in Citrix user, rebooted the machine, and the debugui's and CPU load are gone! Curing the symptoms... still no clue which piece of software is triggering this. Scans with 5 antivirus products besides Trend Micro... no results! So I'm lost in a maze... – Gerhard W. Recher Aug 08 '18 at 18:13
  • @GerhardW.Recher Isolate a user, no GPO for him. Check in msconfig what opens when the user starts a session. – yagmoth555 Aug 08 '18 at 18:31
  • We have no domain controller... autostarts from Sysinternals is also without any suspicious entries, not for administrator and not for any users... – Gerhard W. Recher Aug 08 '18 at 19:24
  • @GerhardW.Recher Without a domain controller, and with a disabled policy in gpedit, you know then it's a local group policy that triggers that... Check all settings that got applied. – yagmoth555 Aug 08 '18 at 19:34
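
Added example, not part of the original thread: one way to follow the last suggestion and see which accounts the local policy currently grants debug rights to. It assumes the setting changed in gpedit.msc was the "Debug programs" user right (SeDebugPrivilege); the scratch file path is chosen for this example.

```powershell
# Added example: list accounts holding "Debug programs" (SeDebugPrivilege)
# in the local security policy. Run from an elevated PowerShell prompt.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # scratch file (example path)

# Export only the user-rights area of the local security policy
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit export failed (exit code $LASTEXITCODE); is the shell elevated?"
}

try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' } |
        Select-Object -First 1

    if (-not $line) {
        Write-Output 'SeDebugPrivilege is not assigned to any account.'
    }
    else {
        # Value is a comma-separated list; SIDs carry a leading '*',
        # entries secedit left as plain names appear without it.
        $entries = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }

        foreach ($entry in $entries) {
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try {
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                }
                catch {
                    $name = '<unresolved SID>'   # e.g. account was deleted
                }
                [pscustomobject]@{ Account = $name; Sid = $sid.Value }
            }
            else {
                [pscustomobject]@{ Account = $entry; Sid = $null }
            }
        }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

Running it before and after a policy change shows exactly which principals gained or lost the right; any entry other than the expected administrative group is worth tracing back to the software that needs it.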