High cpu and high memory usage when back from sleep

Glasswire 210
Windows 10 pro 2004.
The RAM usage is getting high after WiFi peripherals come back from sleep.

To my knowledge it doesn’t happen on my cable connected desktops or VM.
So it happens only on my low end laptop devices that I own.
It can happen because of a sub condition of DNS still being acquired, since my setup is specific. The DNS is going through a Raspberry Pi directly cable-connected. The usual traffic is not going through.
So the reason can be that the WiFi access is going to sleep and a buffer is building up or something alike. After a few hours of that, I have 1.62 GB with Glasswire control service.

The high CPU problem is still the same for me as it always has been on my low end device: when I’m using it at 100% for a long period of time, then glasswire goes nuts and is stuck in a loop for countless time, and since we don’t have a smart way to get some useful logs to debug this, I don’t know what to provide as information.

Are you using BitTorrent or something similar?

As was mentioned in another thread we answered for you, we do have logging, but it is not necessary to turn it on yet because we have asked you some questions first.

Opening multiple threads for the same issue can make it more difficult to solve your issue.

No. I’m going to make an exhaustive list and you will be able to take your pick from that.

It’s 2 different threads because the second one involves the RAM usage. And the 2 conditions can be separate problems or one, I don’t know.

And yes, I know that there is logging, but not enough, like we’ve seen with the ucrtbase.dll crash problem, where you even said that you weren’t understanding since it’s not used by your software.

@Servo_GlassWire @Ken_GlassWire
So.
Crashes are still happening like in the 204 version, with the same dll specified.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>100</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-06-20T13:24:44.0553303Z" />
    <EventRecordID>29018</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>antiqueV</Computer>
    <Security />
  </System>
  <EventData>
    <Data>GWCtlSrv.exe</Data>
    <Data>2.2.210.0</Data>
    <Data>5eea16e3</Data>
    <Data>ucrtbase.dll</Data>
    <Data>10.0.19041.1</Data>
    <Data>587bd36d</Data>
    <Data>c0000409</Data>
    <Data>0009eddb</Data>
    <Data>175c</Data>
    <Data>01d645bebedfdbab</Data>
    <Data>C:\Program Files (x86)\GlassWire\GWCtlSrv.exe</Data>
    <Data>C:\WINDOWS\System32\ucrtbase.dll</Data>
    <Data>616ee384-8ff1-429f-8e1d-0007d8ece353</Data>
    <Data />
    <Data />
  </EventData>
</Event>

(By the way, the code formatting is not working for our Windows event, on Discourse.)

List of the programs that might have interfered.

  • kaspersky total protection
  • nextcloud
  • multiple instances of skype
  • riot.im
  • session loki messenger
  • tutanota desktop
  • termius with several ssh connections activated
  • onedrive
  • dropbox
  • backup from google which is the old google drive
  • boxcryptor
  • tresorit
  • backblaze backup solution
  • mattermost
  • wire messenger
  • proton vpn software
  • protonmail bridge software
  • multiple instances of thunderbird
  • microsoft outlook
  • firefox up to date
  • vivaldi up to date
  • brave software up to date
  • edge chromium stable up to date
  • edge canary version
  • terminus terminal with some ssh connection running
  • telegram messenger
  • signal messenger
  • real vnc viewer
  • libry app
  • jetbrains toolbox
  • jetbrains different IDE
  • nzxt CAM
  • virtualbox
  • desktop for windows relying on WSL v2
  • WSL v2
  • standard notes
  • cryptee webapp installed with edge chromium
  • process hacker nightly build
  • apache netbeans 12.0
  • rocket.chat
  • rainmeter
  • ultracopier
  • 1password
  • bitwarden
  • gitter.im
  • keybase
  • steam
  • boinc client
  • apple mobile services coming from itunes installation
  • shadow launcher from blade.tech
  • logitech services
  • sublime text
  • vscode
  • vscodium
  • brackets
  • and this host is connected to 2 different subnets

What I can say is that process hacker with the nightly builds is making services go a little up in terms of CPU usage, which is immediately resorbed when it is closed, but that’s mainly due to the refresh rate of the list of processes and their statistics that services.exe needs to refresh.
The most probable impacts here are:

  • kaspersky
  • the vmmem process from wsl2 for docker
  • the different messenger apps
  • maybe some browsers
  • maybe processhacker
  • protonvpn.
  • termius
  • maybe the cloud storage solutions, which need to try several times, in the example of dropbox, because of DNS blocking of trackers

And yes, all the software specified above is running at the same time.
That’s glasswire restarting.
Glasswire is going from 10-45%.
The lowest is at 8% and it’s still in I/O heavy duty of 3-13MB/s.

So where is the log option because I don’t see it.

the options of glasswire activated are

  • Application info monitor
  • remote glasswire connections
  • virustotal scan result
  • first network activity
  • system file monitor

That’s all.

I’ve deactivated remote connection of glasswire, no changes.
If there was a malware infection or something alike I would see the usage of the network on my rainmeter widgets.
The bandwidth is between 666B and 20 KB, so really nothing. So unless it’s a rootkit that avoids the network API of Windows and everything else, I don’t really see what that would be.

And also a clean install had been done when I installed the v210 version, with the option of the installer.
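Added example (not part of the original thread and not GlassWire code): a Python parser that names the positional `<Data>` fields of the Application Error (Event ID 1000) record posted above, decodes the exception code, and works out how long the service had been running when it crashed. The function and field names are this example's own; the embedded sample is the posted event reduced to the elements the parser reads.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Positional meaning of <Data> in an Application Error (Event ID 1000) record.
FIELDS = ("app_name app_version app_timestamp module_name module_version "
          "module_timestamp exception_code fault_offset process_id "
          "process_start app_path module_path report_id").split()
# A few NTSTATUS codes seen in crash events. 0xC0000409 is also raised by
# __fastfail paths, so it is not by itself proof of a smashed stack.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC0000374: "STATUS_HEAP_CORRUPTION",
            0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}

def filetime_to_utc(hex_ticks):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC, given as hex text."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(hex_ticks, 16) // 10)

def parse_event_1000(xml_text):
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1000":
        raise ValueError("not an Application Error (1000) event")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    rec = dict(zip(FIELDS, data))
    rec["exception_name"] = NTSTATUS.get(int(rec["exception_code"], 16), "unknown")
    rec["process_id"] = int(rec["process_id"], 16)
    rec["process_start"] = filetime_to_utc(rec["process_start"])
    # SystemTime carries 7 fractional digits; keep 6 for strptime's %f.
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    head, frac = stamp.rstrip("Z").split(".")
    crashed = datetime.strptime(f"{head}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f")
    rec["crashed_at"] = crashed.replace(tzinfo=timezone.utc)
    rec["uptime"] = rec["crashed_at"] - rec["process_start"]
    return rec

# The event from the post, reduced to the elements this parser reads.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="0">1000</EventID>
<TimeCreated SystemTime="2020-06-20T13:24:44.0553303Z" /></System><EventData>
<Data>GWCtlSrv.exe</Data><Data>2.2.210.0</Data><Data>5eea16e3</Data>
<Data>ucrtbase.dll</Data><Data>10.0.19041.1</Data><Data>587bd36d</Data>
<Data>c0000409</Data><Data>0009eddb</Data><Data>175c</Data><Data>01d645bebedfdbab</Data>
<Data>C:\Program Files (x86)\GlassWire\GWCtlSrv.exe</Data>
<Data>C:\WINDOWS\System32\ucrtbase.dll</Data>
<Data>616ee384-8ff1-429f-8e1d-0007d8ece353</Data></EventData></Event>"""
if __name__ == "__main__":
    for key, value in parse_event_1000(SAMPLE).items():
        print(f"{key:>16}: {value}")
```

For this record the service had been up for about 39 hours when it crashed, and the faulting module and exception code are the ones quoted in the post.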

@boistordu

Do you see any .dmp files on your desktop after the crash? These logs can help us diagnose the issue.


done already as you’ve seen in your mail earlier

@boistordu

We are checking it, thank you.

@boistordu

You were sent a custom version for testing through the forum. Please check your private messages.

@boistordu

Please check your private messages again so I can find this issue. I messaged you privately again just now.

@Ken_GlassWire
log sent

@boistordu

I don’t have it, not sure why? Could you just post it in a private message on the forum between just me and you?

It should not have any private info anyway you’ll see if you check it.

@boistordu

I’m sorry, I do have it! For some reason I didn’t see your private message. I think I tapped it from my phone.

I do have the logs, thanks!

Thank you for this information

Indeed it is useful for all members in this forum

@Catalin_Bicu What are you talking about? We are at the moment looking at and testing different versions for problems with bad interaction between kaspersky, bitlocker and glasswire. That’s why you have this aberrant exchange between @Ken_GlassWire and me, because we are crossing each other between here and PM. Is that what you are complaining about or is it something else?