rundll32.exe invagent.dll eating 100% CPU

13

6

I am running Windows 8.1 Update in a Parallels VM. After about 5 minutes of inactivity, a rundll32.exe process is spawned and consumes a core. MsMpEng.exe activity also increases. (probably due to lots of IO but I can't confirm) If I interact with the VM in any way, the rundll32.exe immediately exits until I let it idle for another 5 minutes.

Task Manager reports that the command line is C:\Windows\system32\rundll32.exe invagent.dll,RunUpdate

There is no other unusual behaviour on this Windows install.

Update: Further googling has revealed a scheduled task under Microsoft/Windows/Application Experience called ProgramDataUpdater which seems to be the culprit. It's supposed to take care of cleanup after installing/uninstalling programs. I still haven't tracked down the core reason why it's misbehaving. Disabling it is a possible workaround but not a very good one.

mm201

Posted 2015-03-18T17:50:34.857

Reputation: 401

…and your question is? MsMpEng.exe is Win Defender & rundll32 is a core system file, responsible for a million tasks. invagent.dll file is used by Windows to load up a variety of vital settings, including registry settings, color settings and some URL paths. Windows uses this file an awful lot – Tetsujin – 2015-03-18T18:13:10.760

Start your windows in safe mode, perform clear boot and troubleshoot windows. – vembutech – 2015-03-18T18:21:40.847

@Tetsujin Obviously a Windows process eating the entire CPU for extended periods while idle is not normal.

Further googling has revealed a scheduled task under Microsoft/Windows/Application Experience called ProgramDataUpdater which seems to be the culprit. It's supposed to take care of cleanup after installing/uninstalling programs. I still haven't tracked down the core reason why it's misbehaving. – mm201 – 2015-03-18T18:30:52.697

then include that information in your question, otherwise other people have to do research you have already done. That's how Stack Exchange works. – Tetsujin – 2015-03-18T18:50:00.290

Answers

15

Opt out of the Windows Customer Experience Improvement Program and uninstall KB2976978.

The offending invagent.dll is part of Windows Update KB2976978, which seems to be about gathering app compatability telemetry in preparation for Windows 10 upgrades. Only users who opt into the CEI are offered this update.

By uninstalling the update (and opting out so I'm not re-offered it), invagent.dll was removed from my system and the scheduled task.

To opt out:

  • Open Control Panel
  • Navigate to Action Center, Change Action Center Settings, Customer Experience Improvement Program Settings
  • Select, "No, I do not want to participate in the program."

To uninstall the update:

  • Open Control Panel
  • Navigate to Programs and Features, View Installed Updates
  • Locate Update for Microsoft Windows (KB2976978), right click, and select Delete.
  • You will be prompted to restart your computer.

mm201

Posted 2015-03-18T17:50:34.857

Reputation: 401

Indeed files information match invagent.dll date 2015-02-04 testing what will happen if I disabled telementry in control panel. – Chameleon – 2015-03-19T16:37:17.497

When I just disabled the WCEIP, invagent.dll continued to run, but for shorter periods of time than before. – mm201 – 2015-03-19T16:38:07.430

Most likely you can disable the scheduled task as well. I didn't want to go this route since it looks like it performs important cleanup tasks after installs. – mm201 – 2015-03-19T16:55:03.073

Disabling CIE helps I am not sure but my computer not eats 100% in idle - MIscrosoft support tested my computer and not found any malware so it clear that invagent and Customer Experience Improvement Program do this for me :) I was not uninstalling KB2976978 - only disable CIE. – Chameleon – 2015-03-20T13:33:30.350

Thank you it works - only disabling CIE is need - uninstall is not need. – Chameleon – 2015-03-25T09:43:44.350

WCEIP was already disabled (of course!), so uninstalling the update (for whatever reason I got it two weeks ago) was the only option and indeed did the trick. – xehpuk – 2015-05-11T22:56:44.133

1Windows keeps reinstalling the update without my consent even though I've hidden it. I haven't found a solution to this yet. – mm201 – 2015-07-29T16:06:48.003

2This doesn't work for Windows 10. Selecting "No, I do not want to participate in the program." does not prevent the issue, and KB2976978 does not exist. – Jon – 2016-01-29T00:35:39.363

1

Hi I have found this same problem with updating to Win 10 and not a single common answer to this issue worked for me, when my computer would go idle the C:Drive usage would go up to 100% and make any task impossible, leading to manual shutdown by holding the power button. Windows Process explorer would show rundll32.exe and in the properties of this file would be C:\Windows\system32\rundll32.exe invagent,RunUpdate -noappraiser (then random numbers and letters).

Yesterday I installed Take ownership of file supplied in the following link:

(http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/) Take ownership of file

And then changed invagent.dll found in system32 to invagent.dll.bak (@beatcracker). I left my computer idle for a few hours and the C:drive 100% problem is now gone and I can use my PC normally again. invagent.dll also known as inventory agent. I have researched and can't seem to find a solid answer for what this dll is used for, but so far I have not had any problem disabling it.

This has stopped my computer from freezing, however, rundll32.exe now opens multiple times in process explorer!? with the file>properties command line reading:

C:\Windows\system32\rundll32.exe invagent,RunUpdate -noappraiser.

With different random numbers and letters at the end of each command line for every rundll32.exe file!?

So I have fixed 100% C:drive problem by changing invagent.dll to invagent.dll.bak. But potentially opened up a new problem that is currently not causing me any issues. I will edit this answer if I have any further issues over the next week, or discover why multiple versions of rundll32.exe are now running.

Thanks, I hope this helps somebody

Digital Cog

Posted 2015-03-18T17:50:34.857

Reputation: 11

0

Control Panel -> Administrative Tools -> Task Scheduler -> Microsoft -> Windows -> Customer Experience Improvement

then right click & disable items as shown on the picture below:

enter image description here

Matija Grcic

Posted 2015-03-18T17:50:34.857

Reputation: 1 229

0

Another way to solve it is to export the scheduled task to an xml file, change the priority from 4 to 7, and then delete the task and import the xml back to the same place. Most scheduled tasks run at a lower priority of 7. Having a scheduled task that runs at normal i/o and cpu priority is unusual. Here's a link about task scheduler priority: https://bdbits.wordpress.com/2010/04/29/setting-a-scheduled-task-process-priority/

js2010

Posted 2015-03-18T17:50:34.857

Reputation: 321

0

EDIT: Wrong answer, it'll just stay here for the history's sake.

Task Manager reports that the command line is C:\Windows\system32\rundll32.exe invagent.dll,RunUpdate

This looks like Symantec™ Inventory Solution powered by Altiris™ technology

Is this file is in <Path>\Program Files\Altiris\Inventory\Standalone\bin (source)? You could try to rename\unregister it and see if it helps. To unregister it run:

regsvr32 /u InvAgent.dll

beatcracker

Posted 2015-03-18T17:50:34.857

Reputation: 2 334

regsvr32 /u InvAgent.dll give error impossible to unregister. – Chameleon – 2015-03-19T13:06:51.917

@Chameleon Then just try to rename, like: InvAgent.dll.bak and see if it helps. Btw, could you post a screenshot of the file information tab for this file (right-click - properties - details), so we would know what you're dealing with? – beatcracker – 2015-03-19T13:23:37.293

No. It's part of Windows service called ProgramDataUpdater. The path is C:\Windows\system32\invagent.dll. screenshot

– mm201 – 2015-03-19T14:05:27.753

@mm201 I'm running Windows 8.1 x64, and I have no such file. Moreover, my ProgramDataUpdater task (there is no such service) points to the entirely different file: aepdu.dll screenshot

– beatcracker – 2015-03-19T14:39:03.930

I googled Microsoft and found: https://support.microsoft.com/en-us/kb/2976978

The DLL was either added or modified in this update. Do you have it installed? (I also find it highly likely that this update is the culprit. Will try removing it when I get the chance.)

– mm201 – 2015-03-19T15:25:30.403

@mm201 Just checked, and I don't have this update installed.So you're right, it's definitely not Symantec's stuff. Is there is anything suspicious in your Task Scheduler log? Event Viewer → Applications and Services Log → Microsoft → Windows → Task Scheduler → Operational – beatcracker – 2015-03-19T15:37:16.170

Even though this is wrong, you still helped me solve my problem, since I wasn't aware invagent.dll wasn't present on every Windows install. That's what prompted me to look for the knowledge base article. – mm201 – 2015-03-21T22:07:14.570

Asked: 2015-03-18T17:50:34.857

Viewed: 16 241 times

Active: 2017-03-03T18:56:16.320