Since August 4th I've been having problems with some of my Windows 7 VMs (and 1 or 2 Windows 2008 R2 VMs). There may be other OSes too, but I've only found mostly Win 7 machines so far. It seems to affect newly created VMs, and recently I found a couple of VMs that are almost a year old with the problem. It seems totally random and I can't determine which machines might be affected and which ones won't.
About every hour, for an hour, the CPU goes to 100% with svchost.exe using all the cycles. As far as I can tell it seems related to the Endpoint Protection client. I don't control the SCCM/Endpoint Protection stuff but I've been working with the people who do but don't have a reliable solution. We've tried deleting the C:\SoftwareDistribution folder, and they have tried to "push the client" to a few of the affected VMs, but it only seems to have worked on 2 of the 3 we tested with. I've updated the endpoint client, we've tried some WMI hotfix, and I already have some Windows update for fixing long scans/errors with low memory and Windows Update (I forget the patch number at the moment). The people who manage this tell me they have cleaned up old patches/expired updates on the server, but that isn't helping either.
If I disable the Windows Update service, everything is fine, but domain policies revert that change a few hours later. The machines in question do NOT have any Windows updates pushed to them via SCCM.
This is what I see in the C:\WindowsUpdate.log. I've even noticed I only get AV definition updates every 2-5 days on these problem VMs; I don't know why it doesn't find the newer defs on a daily basis. I can provide CCM logs from the machine, but there are so many that I don't know which ones would be needed.
These are all test VMs, so we have Windows Update set to never check for updates, but it still hooks into the SCCM stuff after installing the ccmsetup/SCEP stuff.
Has anyone seen this before, or does anyone know where/what to look for to find a permanent fix to the problem?
2015-09-02 10:49:15:598 5944 1040 Misc =========== Logging initialized (build: 7.6.7601.18847, tz: -0400) ===========
2015-09-02 10:49:15:598 5944 1040 Misc = Process: c:\Program Files\Microsoft Security Client\MpCmdRun.exe
2015-09-02 10:49:15:598 5944 1040 Misc = Module: C:\Windows\system32\wuapi.dll
2015-09-02 10:49:15:598 5944 1040 COMAPI -------------
2015-09-02 10:49:15:598 5944 1040 COMAPI -- START -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02 10:49:15:598 5944 1040 COMAPI ---------
2015-09-02 10:49:15:614 5944 1040 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02 10:49:15:614 2804 14b4 Agent *************
2015-09-02 10:49:15:614 2804 14b4 Agent ** START ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02 10:49:15:614 2804 14b4 Agent *********
2015-09-02 10:49:15:614 2804 14b4 Agent * Online = Yes; Ignore download priority = No
2015-09-02 10:49:15:614 2804 14b4 Agent * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
2015-09-02 10:49:15:614 2804 14b4 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2015-09-02 10:49:15:614 2804 14b4 Agent * Search Scope = {Machine}
2015-09-02 10:49:15:692 2804 14b4 PT WARNING: Cached cookie has expired or new PID is available
2015-09-02 10:49:15:692 2804 14b4 PT Initializing simple targeting cookie, clientId = 887996fe-f6c6-4835-ac4c-d42de26235a7, target group = , DNS name = vm1315.mycompany.com
2015-09-02 10:49:15:692 2804 14b4 PT Server URL = http://MYCOMPANY.COM:8530/SimpleAuthWebService/SimpleAuth.asmx
2015-09-02 10:49:19:061 2804 14b4 PT +++++++++++ PT: Starting category scan +++++++++++
2015-09-02 10:49:19:061 2804 14b4 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://MYCOMPANY.COM:8530/ClientWebService/client.asmx
2015-09-02 11:38:47:693 2804 14b4 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2015-09-02 11:38:47:693 2804 14b4 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://MYCOMPANY.COM:8530/ClientWebService/client.asmx
2015-09-02 11:38:47:802 2804 14b4 PT WARNING: Cached cookie has expired or new PID is available
2015-09-02 11:38:47:802 2804 14b4 PT Initializing simple targeting cookie, clientId = 887996fe-f6c6-4835-ac4c-d42de26235a7, target group = , DNS name = vm1315.mycompany.com
2015-09-02 11:38:47:802 2804 14b4 PT Server URL = http://MYCOMPANY.COM:8530/SimpleAuthWebService/SimpleAuth.asmx
2015-09-02 11:38:51:156 2804 14b4 Agent * Found 0 updates and 4 categories in search; evaluated appl. rules of 4414 out of 9514 deployed entities
2015-09-02 11:38:51:156 2804 14b4 Agent *********
2015-09-02 11:38:51:156 2804 14b4 Agent ** END ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02 11:38:51:156 2804 14b4 Agent *************
2015-09-02 11:38:51:156 5944 35c COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02 11:38:51:156 5944 35c COMAPI - Updates found = 0
2015-09-02 11:38:51:156 5944 35c COMAPI ---------
2015-09-02 11:38:51:156 5944 35c COMAPI -- END -- COMAPI: Search [ClientId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02 11:38:51:156 5944 35c COMAPI -------------
2015-09-02 11:38:56:164 2804 14b4 Report REPORT EVENT: {D373C3A0-28DC-4B53-B951-DCB8279E8296} 2015-09-02 11:38:51:156-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 System Center Endpoint Protecti Success Software Synchronization Windows Update Client successfully detected 0 updates.
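To see where the hour goes in a log like the one above, the following added example (not part of the original post) pairs each "Finding updates" START/END marker per PID/TID and times the PT phases in between. The function names and the 600-second threshold are assumptions chosen for illustration; the sample input is an excerpt of the lines quoted in the post.

```python
import re
from datetime import datetime
# Excerpt of the WindowsUpdate.log lines quoted in the post above.
SAMPLE_LOG = """\
2015-09-02 10:49:15:614 2804 14b4 Agent ** START ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
2015-09-02 10:49:19:061 2804 14b4 PT +++++++++++ PT: Starting category scan +++++++++++
2015-09-02 11:38:47:693 2804 14b4 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2015-09-02 11:38:51:156 2804 14b4 Agent * Found 0 updates and 4 categories in search; evaluated appl. rules of 4414 out of 9514 deployed entities
2015-09-02 11:38:51:156 2804 14b4 Agent ** END ** Agent: Finding updates [CallerId = System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)]
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3})\s+(\d+)\s+([0-9a-fA-F]+)\s+(\S+)\s+(.*)$")
MARK = re.compile(r"\*\* (START|END) \*\*\s+Agent: Finding updates \[CallerId = (.+?)\]")
PHASE = re.compile(r"\++ PT: (.+?) \++")
RULES = re.compile(r"evaluated appl\. rules of (\d+) out of (\d+) deployed entities")

def find_searches(text):
    """Pair START/END markers per (PID, TID) and time each PT phase in between."""
    open_searches, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S:%f")
        key, msg = (m.group(2), m.group(3)), m.group(5)
        mark, cur = MARK.search(msg), open_searches.get(key)
        if mark and mark.group(1) == "START":
            open_searches[key] = {"caller": mark.group(2), "start": ts, "marks": [], "rules": None}
        elif cur is None:
            continue  # line belongs to no search whose START we saw
        elif mark:  # END marker: close the search and compute durations
            edges = cur["marks"] + [("end", ts)]
            cur["phases"] = {name: (edges[i + 1][1] - t).total_seconds()
                             for i, (name, t) in enumerate(cur["marks"])}
            cur["seconds"] = (ts - cur["start"]).total_seconds()
            done.append(open_searches.pop(key))
        elif PHASE.search(msg):
            cur["marks"].append((PHASE.search(msg).group(1), ts))
        elif RULES.search(msg):  # (evaluated, deployed) entity counts
            cur["rules"] = tuple(int(n) for n in RULES.search(msg).groups())
    return done

def slow_searches(text, threshold_seconds=600):
    """Return searches that ran at least threshold_seconds (assumed threshold)."""
    return [s for s in find_searches(text) if s["seconds"] >= threshold_seconds]

if __name__ == "__main__":
    for s in slow_searches(SAMPLE_LOG):
        print(f"{s['caller']}: {s['seconds']:.0f}s phases={s['phases']} rules={s['rules']}")
```

On this excerpt nearly all of the elapsed time falls in the "Starting category scan" phase, which is the span to compare between affected and unaffected VMs.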