SNMP eating 100% CPU


Here's an interesting problem. A Windows 2000 Pro test server that I was
working on was being particularly slow today, so I checked the process
list. The top process was SNMP.exe using 100% CPU power.

The server is running Symantec AntiVirus and Symantec doesn't report any
viruses (which was my first guess), so does anyone have any second
guesses? Attached is a capture of all the keys and handles that were in
use by the process.

When I watched Process Explorer in real time, it seemed like SNMP.exe was
accessing and then timing out over and over again on the very last line:

"0x430 File 0x00120089 \Device\SU20"

We don't use SNMP, so it's not a big deal to have the service turned off,
but I'm curious as to what is causing this.

-alex





Process PID CPU Description User Name Priority Handles Window Title
SNMP.EXE 1524 95 SNMP Service NT AUTHORITY\SYSTEM 8 265
procexp.exe 896 04 Sysinternals Process Explorer NWHUMANSERVICES\vbkup 13 125 Process Explorer - Sysinternals: www.sysinternals.com
pvlsvr.exe 2364 01 NWHUMANSERVICES\vbkup 8 148
XFR.EXE 1980 00 CBA - Message Resource NT AUTHORITY\SYSTEM 8 71
WZQKPICK.EXE 3308 00 WinZip Executable NWHUMANSERVICES\vbkup 8 21
WINS.EXE 1660 00 WINS SERVER NT AUTHORITY\SYSTEM 8 309
WinMgmt.exe 1644 00 Windows Management Instrumentation NT AUTHORITY\SYSTEM 8 110
WINLOGON.EXE 616 00 Windows NT Logon Application NT AUTHORITY\SYSTEM 13 147
WINLOGON.EXE 216 00 Windows NT Logon Application NT AUTHORITY\SYSTEM 13 369
TFTPDS.EXE 1484 00 NT AUTHORITY\SYSTEM 8 87
termsrv.exe 376 00 Terminal Server Service NT AUTHORITY\SYSTEM 10 130
taskmgr.exe 2676 00 Windows TaskManager NWHUMANSERVICES\vbkup 13 49 Windows Task Manager
System Idle Process 0 00 <access denied> 0 0
System 8 00 NT AUTHORITY\SYSTEM 8 556
svchost.exe 1672 00 Generic Host Process for Win32 Services NT AUTHORITY\SYSTEM 8 154
svchost.exe 488 00 Generic Host Process for Win32 Services NT AUTHORITY\SYSTEM 8 361
svchost.exe 1004 00 Generic Host Process for Win32 Services NT AUTHORITY\SYSTEM 8 330
svchost.exe 2824 00 Generic Host Process for Win32 Services NT AUTHORITY\SYSTEM 8 169
spoolsv.exe 524 00 Spooler SubSystem App NT AUTHORITY\SYSTEM 8 241
SPLConfig.exe 1596 00 SPLConfig Module NT AUTHORITY\SYSTEM 8 83
snmptrap.exe 1572 00 SNMP Trap Service NT AUTHORITY\SYSTEM 8 82
SMSS.EXE 164 00 Windows NT Session Manager NT AUTHORITY\SYSTEM 11 43
services.exe 244 00 Services and Controller app NT AUTHORITY\SYSTEM 9 793
Rtvscan.exe 1216 00 Symantec AntiVirus NT AUTHORITY\SYSTEM 8 390
regsvc.exe 1428 00 Remote Registry Service NT AUTHORITY\SYSTEM 8 31
rdpclip.exe 3236 00 RDP Clip Monitor NWHUMANSERVICES\vbkup 8 34
PROMon.exe 1032 00 Intel(R) PROSet Tray Icon NWHUMANSERVICES\vbkup 8 28
pds.exe 1056 00 CBA -- Ping Discovery Service NT AUTHORITY\SYSTEM 8 102
ntfrs.exe 1388 00 File Replication Service NT AUTHORITY\SYSTEM 8 535
nsvr.exe 736 00 Backup Exec Notification Server NWHUMANSERVICES\vbkup 8 108
NscTop.exe 1264 00 NscTop Module NT AUTHORITY\SYSTEM 8 254
MxMessageRouter 2080 00 MxMessageRouterFM NT AUTHORITY\SYSTEM 8 146
mstask.exe 1456 00 Task Scheduler Engine NT AUTHORITY\SYSTEM 8 115
MSGSYS.EXE 1884 00 CBA -- Message System NT AUTHORITY\SYSTEM 8 162
msdtc.exe 760 00 MS DTC console program NT AUTHORITY\SYSTEM 8 206
mmc.exe 3188 00 Microsoft Management Console NWHUMANSERVICES\vbkup 8 107 Event Viewer
MibService.exe 1144 00 MibService Module NT AUTHORITY\SYSTEM 8 76
lserver.exe 1628 00 Microsoft® Terminal Services Licensing NT AUTHORITY\SYSTEM 8 236
LSASS.EXE 256 00 LSA Executable and Server DLL (Export Version) NT AUTHORITY\SYSTEM 9 863
logon.scr 2720 00 Logon Screen Saver NT AUTHORITY\SYSTEM 4 17
LOCATOR.EXE 1440 00 Rpc Locator NT AUTHORITY\SYSTEM 8 41
LLSSRV.EXE 1092 00 Microsoft® License Server NT AUTHORITY\SYSTEM 9 195
ismserv.exe 1076 00 Windows NT Intersite Messaging Service NT AUTHORITY\SYSTEM 8 340
inetinfo.exe 1744 00 Internet Information Services NT AUTHORITY\SYSTEM 8 706
IAO.EXE 1948 00 Alert Originator Manager NT AUTHORITY\SYSTEM 8 112
HNDLRSVC.EXE 1820 00 AMS2 Handler Manager Service NT AUTHORITY\SYSTEM 8 113
hh.exe 3024 00 Microsoft® HTML Help Executable NWHUMANSERVICES\vbkup 8 166 Windows 2000
explorer.exe 3380 00 Windows Explorer NWHUMANSERVICES\vbkup 8 375 Administrative Tools
DNS.EXE 1712 00 Domain Name System (DNS) Server NT AUTHORITY\SYSTEM 8 152
dfssvc.exe 988 00 Windows NT Distributed File System Service NT AUTHORITY\SYSTEM 8 116
DefWatch.exe 952 00 Virus Definition Daemon NT AUTHORITY\SYSTEM 8 44
CSRSS.EXE 3464 00 Client Server Runtime Process NT AUTHORITY\SYSTEM 13 145
CSRSS.EXE 192 00 Client Server Runtime Process NT AUTHORITY\SYSTEM 13 731
beserver.exe 3264 00 Backup Exec RPC Server NWHUMANSERVICES\vbkup 8 259
benser.exe 2772 00 Backup Exec Naming Service NWHUMANSERVICES\vbkup 8 54
bengine.exe 2456 00 Backup Exec Job Engine NWHUMANSERVICES\vbkup 8 212
benetns.exe 2576 00 Backup Exec Agent Browser NWHUMANSERVICES\vbkup 8 99
ati2plxx.exe 872 00 ATI2PLXX Polling Program NT AUTHORITY\SYSTEM 8 33
alertserver.exe 1700 00 Backup Exec Alert Server NWHUMANSERVICES\vbkup 8 189

Process: SNMP.EXE Pid: 1524

Handle Type Access Name
0x14 Directory 0x00000003 \KnownDlls
0x18 File 0x00100020 C:\WINNT\system32
0x1C Directory 0x000F000F \Windows
0x28 Mutant 0x00000001 \NlsCacheMutant
0x30 Key 0x000F003F HKLM
0x38 File 0x0012019F \Device\NamedPipe\net\NtControlPipe24
0x50 Directory 0x0002000F \BaseNamedObjects
0x58 Thread 0x001F03FF SNMP.EXE(1524): 1520
0x60 File 0x0012019F \Device\NamedPipe\svcctl
0x68 Thread 0x001F03FF SNMP.EXE(1524): 1540
0x74 Thread 0x001F03FF SNMP.EXE(1524): 1540
0x7C Key 0x000F003F HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0x84 Key 0x000F003F HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0x90 WindowStation 0x000F016E \Windows\WindowStations\Service-0x0-3e7$
0x94 Desktop 0x000F00CF \Default
0x98 WindowStation 0x000F016E \Windows\WindowStations\Service-0x0-3e7$
0xA8 Event 0x001F0003 \BaseNamedObjects\userenv: User Profile setup event
0xBC Key 0x000F003F HKU\.DEFAULT
0xE0 Key 0x00020019 HKLM\SOFTWARE\MICROSOFT\Tracing\RASAPI32
0xE8 Mutant 0x00100000 \BaseNamedObjects\RasPbFile
0x104 File 0x001F01FF \Device\Tcp
0x108 File 0x001F01FF \Device\Tcp
0x10C File 0x001200A0 \Device\Ip
0x110 File 0x00100003 \Device\Ip
0x114 File 0x00100081 \Device\Ip
0x11C Key 0x00020019 HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0x120 Key 0x00020019 HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0x124 Key 0x00020019 HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0x128 Key 0x00020019 HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
0x12C File 0x001F01FF \Device\Tcp
0x130 File 0x00100001 \Device\KsecDD
0x134 File 0x001F01FF \Device\Afd\Endpoint
0x13C File 0x001F01FF \Device\Udp
0x140 File 0x001F01FF \Device\Afd\Endpoint
0x144 Thread 0x001F03FF SNMP.EXE(1524): 1600
0x148 Thread 0x001F03FF SNMP.EXE(1524): 1604
0x150 Key 0x00020019 HKLM\SYSTEM\ControlSet001\Services\SNMP\Parameters
0x154 Key 0x00020019 HKLM\SYSTEM\ControlSet001\Services\SNMP\Parameters\TrapConfiguration
0x158 Key 0x0002001B HKLM\SYSTEM\ControlSet001\Services\SNMP\Parameters\ValidCommunities
0x164 Key 0x00020019 HKLM\SOFTWARE\MICROSOFT\Tracing\RASADHLP
0x16C Key 0x00020019 HKLM\SYSTEM\ControlSet001\Services\SNMP\Parameters\ExtensionAgents
0x17C Key 0x00020019 HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
0x1D0 Key 0x000F003F HKLM\SOFTWARE\MICROSOFT\RFC1156Agent\CURRENTVERSION\Parameters
0x1DC File 0x0012019F \Device\NamedPipe\EVENTLOG
0x1E4 Key 0x0002001B HKLM\SOFTWARE\MICROSOFT\SNMP_EVENTS\EVENTLOG\Parameters
0x1F0 Thread 0x001F03FF SNMP.EXE(1524): 2300
0x200 Thread 0x001F03FF SNMP.EXE(1524): 2300
0x218 Mutant 0x001F0001 \BaseNamedObjects\SnmpEventLogMutex
0x220 Key 0x00020019 HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PERFLIB
0x228 Section 0x000F0007 \BaseNamedObjects\RSVP_STATS
0x22C Section 0x000F0007 \BaseNamedObjects\MSIDLPM_STATS
0x230 File 0x0013019F C:\WINNT\system32\Perflib_Perfdata_5f4.dat
0x234 Section 0x000F0007 \BaseNamedObjects\Perflib_Perfdata_5f4
0x248 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\ASP\Performance
0x24C Mutant 0x001F0001 \BaseNamedObjects\ASP_Perf_Library_Lock_PID_5f4
0x250 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\Backup Exec\Performance
0x254 Mutant 0x001F0001 \BaseNamedObjects\Backup Exec_Perf_Library_Lock_PID_5f4
0x258 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\ContentFilter\Performance
0x25C Mutant 0x001F0001 \BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_5f4
0x260 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\ContentIndex\Performance
0x264 Mutant 0x001F0001 \BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_5f4
0x268 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\DNS\Performance
0x26C Mutant 0x001F0001 \BaseNamedObjects\DNS_Perf_Library_Lock_PID_5f4
0x270 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\Fax\Performance
0x274 Mutant 0x001F0001 \BaseNamedObjects\Fax_Perf_Library_Lock_PID_5f4
0x278 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\FileReplicaConn\Performance
0x27C Mutant 0x001F0001 \BaseNamedObjects\FileReplicaConn_Perf_Library_Lock_PID_5f4
0x280 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\FileReplicaSet\Performance
0x284 Mutant 0x001F0001 \BaseNamedObjects\FileReplicaSet_Perf_Library_Lock_PID_5f4
0x288 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\IAS\Performance
0x28C Mutant 0x001F0001 \BaseNamedObjects\IAS_Perf_Library_Lock_PID_5f4
0x290 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\InetInfo\Performance
0x294 Mutant 0x001F0001 \BaseNamedObjects\InetInfo_Perf_Library_Lock_PID_5f4
0x298 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\ISAPISearch\Performance
0x29C Mutant 0x001F0001 \BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_5f4
0x2A0 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\MSDTC\Performance
0x2A4 Mutant 0x001F0001 \BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_5f4
0x2A8 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\NTDS\Performance
0x2AC Mutant 0x001F0001 \BaseNamedObjects\NTDS_Perf_Library_Lock_PID_5f4
0x2B0 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\NTFSDRV\Performance
0x2B4 Mutant 0x001F0001 \BaseNamedObjects\NTFSDRV_Perf_Library_Lock_PID_5f4
0x2B8 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\PerfDisk\Performance
0x2BC Mutant 0x001F0001 \BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_5f4
0x2C0 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\PerfNet\Performance
0x2C4 Mutant 0x001F0001 \BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_5f4
0x2C8 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\PerfOS\Performance
0x2CC Mutant 0x001F0001 \BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_5f4
0x2D0 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\PerfProc\Performance
0x2D4 Mutant 0x001F0001 \BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_5f4
0x2D8 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance
0x2DC Mutant 0x001F0001 \BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_5f4
0x2E0 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\RSVP\Performance
0x2E4 Mutant 0x001F0001 \BaseNamedObjects\RSVP_Perf_Library_Lock_PID_5f4
0x2E8 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\SMTPSVC\Performance
0x2EC Mutant 0x001F0001 \BaseNamedObjects\SMTPSVC_Perf_Library_Lock_PID_5f4
0x2F0 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\Spooler\Performance
0x2F4 Mutant 0x001F0001 \BaseNamedObjects\Spooler_Perf_Library_Lock_PID_5f4
0x2F8 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\TapiSrv\Performance
0x2FC Mutant 0x001F0001 \BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_5f4
0x300 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\Tcpip\Performance
0x304 Mutant 0x001F0001 \BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_5f4
0x308 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\TermService\Performance
0x30C Mutant 0x001F0001 \BaseNamedObjects\TermService_Perf_Library_Lock_PID_5f4
0x310 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\W3SVC\Performance
0x314 Mutant 0x001F0001 \BaseNamedObjects\W3SVC_Perf_Library_Lock_PID_5f4
0x318 Key 0x0002001F HKLM\SYSTEM\ControlSet001\Services\WINS\Performance
0x31C Mutant 0x001F0001 \BaseNamedObjects\WINS_Perf_Library_Lock_PID_5f4
0x328 Thread 0x001F03FF SNMP.EXE(1524): 2328
0x344 Key 0x00020019 HKLM\SOFTWARE\MICROSOFT\Tracing\IPMULTICASTMIB
0x354 Key 0x00020019 HKLM\SOFTWARE\MICROSOFT\Tracing\IPRIPMIB
0x368 Key 0x00020019 HKLM\SOFTWARE\MICROSOFT\Tracing\BOOTP Subagent
0x388 Mutant 0x001F0001 \BaseNamedObjects\BESNMPMutex
0x38C Section 0x000F0007 \BaseNamedObjects\BESNMPSharedMemory
0x390 Event 0x001F0003 \BaseNamedObjects\BESNMPNotifyEvent
0x394 Semaphore 0x001F0003 \BaseNamedObjects\TapeAlert_History_Semaphore
0x398 Section 0x000F0007 \BaseNamedObjects\TapeAlert_History_Name
0x39C Event 0x001F0003 \BaseNamedObjects\TapeAlert_Traps_Events
0x3A0 Semaphore 0x001F0003 \BaseNamedObjects\TapeAlert_Traps_Semaphore
0x3A4 Section 0x000F0007 \BaseNamedObjects\TapeAlert_Traps_Name
0x3B4 Thread 0x001F03FF SNMP.EXE(1524): 2416
0x3C4 Mutant 0x00100000 \BaseNamedObjects\XLogAccessMutex
0x3C8 Mutant 0x001F0001 \BaseNamedObjects\sMsGsYs.Mb
0x3CC Mutant 0x00100000 \BaseNamedObjects\XLogAccessMutex
0x3D0 Key 0x00020019 HKU\.DEFAULT\Control Panel\International
0x3D4 Section 0x00000006 \BaseNamedObjects\mMsGsYs...
0x3D8 Semaphore 0x001F0003 \BaseNamedObjects\sMsGsYs.ExE
0x3DC Process 0x001F0FFF MSGSYS.EXE(1884)
0x3E0 Semaphore 0x001F0003 \BaseNamedObjects\oMsGsYs.ExE
0x3E8 Thread 0x001F03FF SNMP.EXE(1524): 2460
0x3EC Thread 0x001F03FF SNMP.EXE(1524): 2464
0x3F0 Thread 0x001F03FF SNMP.EXE(1524): 2468
0x3F8 Semaphore 0x001F0003 \BaseNamedObjects\sMsGsYs.Rx.5f4
0x400 Event 0x001F0003 \BaseNamedObjects\AMS2_SNMP_TRAP_GEN
0x408 Thread 0x001F03FF SNMP.EXE(1524): 1600
0x410 File 0x001F01FF \Device\Udp
0x418 Thread 0x001F03FF SNMP.EXE(1524): 1600
0x420 File 0x0012019F \Device\NamedPipe\EVENTLOG
0x430 File 0x00120089 \Device\SU20
 

Brian Oakes [MSFT]

Hmmmm SU20 could be related to

Intruder Alert 3.5/3.6 policy handles SNMP traps for Symantec NetProwler
3.5x Security Update 20

Either way, something has its hooks into SNMP, causing it to ride high with
CPU. I would start with 3rd-party monitoring-type applications, etc.
--

Brian Oakes

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.
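
One way to follow up on the reply's suggestion, as an added example that is not part of the original thread: the SNMP service loads extension agent DLLs listed under the `Services\SNMP\Parameters\ExtensionAgents` key that appears in the handle capture, so listing those DLLs with their vendor shows which third-party products are hooked into SNMP.EXE. It assumes a Windows host with PowerShell available (not the stock Windows 2000 install from the post) and the standard SNMP service registry layout.

```powershell
# Added example: enumerate the extension agent DLLs the SNMP service loads
# and show which vendor each one comes from.
$agentsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents'

$key = Get-Item -Path $agentsKey -ErrorAction Stop

$report = foreach ($name in $key.GetValueNames()) {
    # Each value holds a registry path, relative to HKLM, describing one agent.
    $agentPath = [string]$key.GetValue($name)
    $agentKey  = Get-Item -Path "HKLM:\$agentPath" -ErrorAction SilentlyContinue

    $dll = $null
    if ($agentKey) {
        # "Pathname" is the agent DLL; GetValue expands %SystemRoot% by default.
        $dll = [string]$agentKey.GetValue('Pathname')
    }

    $file = $null
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $file = Get-Item -LiteralPath $dll
    }

    [pscustomobject]@{
        Agent   = $agentPath
        Dll     = $dll
        Company = if ($file) { $file.VersionInfo.CompanyName } else { '<missing>' }
        Version = if ($file) { $file.VersionInfo.FileVersion } else { '' }
    }
}

# Full list first, then only the agents that are not Microsoft's own,
# including entries whose registry key or DLL no longer exists.
$report | Sort-Object Company | Format-Table -AutoSize
$report | Where-Object { $_.Company -notlike 'Microsoft*' } | Format-List
```

Entries reported as `<missing>` are stale registrations left behind by an uninstalled product; those and the non-Microsoft agents are the first candidates to disable one at a time while watching the service's CPU use.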