Product: Stratusphere FIT/UX
Product Version: 6.7.0-1, 6.7.0-2, 6.7.0-3 (up to Windows CID version 6.7.0-5)
Expires on: 365 days from publish date
Updated: September 12, 2024
Problem:
The Connector ID key agent tntupdsvc service is responsible for capturing Process Write Metrics. Capturing process write data is resource-intensive, which can cause tntupdsvc CPU usage to spike on client machines. Navigate to Hub Administration > Connector ID Keys > Connector ID Key Properties > expand Configure Metrics to see the setting:
The 6.7.0-5 version of the CID Key automatically begins collecting Process Write data when the tntupdsvc service starts, even if the check box displayed above is disabled. If the Collect Process Write Metrics CID property is unchecked, the CID Key simply does not upload the collected data. Thus, disabling the feature in the UI does not stop the CID Key from collecting this information from the moment the service starts, which causes the CPU to spike on endpoints.
Additionally, if the Collect Process Write Metrics setting is enabled for a large number of machines, the CID Key can collect a significant amount of data on the endpoint and upload it to the database. Depending on the number of machines enabled and the length of time data is collected, the database may begin filling up much sooner than expected. This would inevitably cause premature purging of detail data due to the large amount of Process Write metrics collected.
Resolution OPTION 1:
As a temporary measure, if the CPU spikes need to be stopped and the Process Write Metrics do not need to be collected, Liquidware has a patch that implements two changes:
- Hide the option to enable Collect Process Write Metrics within the UI, to prevent data from being uploaded and saved into the database, filling up the database, and causing premature purging of detail data.
- Upgrade the CID Key version to 6.7.0-6, which effectively disables the collection of Process Write Metrics by the tntupdsvc service on startup. This will stop the CPU spikes from occurring.
Instructions:
IMPORTANT: UPGRADE TO VERSION 6.7.0-3
After upgrading all appliances to 6.7.0-3, console or SSH into your Hub AND Collector Appliances using the standard friend, ec2-user, or azureuser credentials, then run the following commands on each appliance:
sudo bash
wget https://s3.us-east-1.amazonaws.com/download.liquidwarelabs.com/stratusphere/hotfix/patch-disable-file-write.sh
bash patch-disable-file-write.sh
If the appliance does not have internet access, you may right-click here and "Save link as..." to download the file to your desktop, copy the file to your Hub and Collectors with WinSCP, then run the last command above to install the patch.
The shell script will install the patch and restart services. Logging into the web UI should show the Connector ID Key Software page updated with the latest 6.7.0-6 version of the Windows CID:
Finally, follow the standard process for updating your Connector ID agents to 6.7.0-6.
Resolution OPTION 2:
There is a registry key option for disabling Process Write metrics, which is available for any 6.7.x version of the CID key agent: Tntupdsvc DisableETWFileStats registry key
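
To confirm on an endpoint that either resolution has stopped the spikes, the following added example (not Liquidware's code) samples the CPU time used by the tntupdsvc process before and after the change. It assumes the process name matches the service name given above; the interval, sample count and threshold are constructed defaults. Run it from an elevated PowerShell session so the service's CPU counters are readable.

```powershell
# Added example: sample CPU consumed by the CID Key service process.
# Assumption: the process name matches the service name on this page (tntupdsvc).
param(
    [string]$ProcessName = 'tntupdsvc',
    [int]$IntervalSeconds = 5,
    [int]$Samples = 12,
    [double]$ThresholdPercent = 25   # constructed value, tune to your baseline
)

$cores = [Environment]::ProcessorCount

function Get-CpuSeconds {
    param([string]$Name)
    # Total CPU seconds across all instances; $null when the process is not running.
    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) { return $null }
    ($procs | Measure-Object -Property CPU -Sum).Sum
}

$results = for ($i = 1; $i -le $Samples; $i++) {
    $before = Get-CpuSeconds -Name $ProcessName
    Start-Sleep -Seconds $IntervalSeconds
    $after = Get-CpuSeconds -Name $ProcessName
    if ($null -eq $before -or $null -eq $after) {
        Write-Warning "$ProcessName not running during sample $i"
        continue
    }
    # A service restart resets the counter, so clamp negative deltas to zero.
    $delta = [Math]::Max(0, $after - $before)
    # Normalise to percent of total machine CPU (all logical cores).
    $pct = [Math]::Round(100 * $delta / ($IntervalSeconds * $cores), 1)
    [pscustomobject]@{
        Time       = Get-Date -Format 'HH:mm:ss'
        CpuPercent = $pct
        Spike      = $pct -ge $ThresholdPercent
    }
}

$results | Format-Table -AutoSize
if ($results) {
    $stats  = $results | Measure-Object -Property CpuPercent -Average -Maximum
    $spikes = @($results | Where-Object Spike).Count
    $total  = @($results).Count
    '{0}: avg {1:N1}%, max {2:N1}%, {3} of {4} samples at or above {5}%' -f $ProcessName,
        $stats.Average, $stats.Maximum, $spikes, $total, $ThresholdPercent
}
```

Start the sampling right after a service restart, since the collection described above begins when tntupdsvc starts.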