EMSS Agent is recording excessive WRITE-DENIED events by LMHost.exe process for "NT AUTHORITY\SYSTEM" user

Version 1

    Details


    One or more EMSS Agents are recording excessive WRITE-DENIED Device Control events by the LMHost.exe process for the NT AUTHORITY\SYSTEM user. This results in large Device Control Log Queries, high EMSS Server disk usage, or rapid growth of the UPCCommon SQL database for EMSS.

    These events are caused by an issue with an internal EMSS Agent action and are not related to any real endpoint user activity.

    Resolution


    Implement a specific filter for these events using the steps below, then contact EMSS Support for assistance with cleaning up the EMSS Application Server disk space and the UPCCommon SQL Database.

    Instructions:
    1. Go to EMSS Web Console => Manage => Device Control Policies.
    2. Edit the Device Control Global Policy.
    3. Select “Exclude endpoint events that match any of these rules:” and click the ADD button.
    4. Enter a Rule description and add the following fields (shown in the article's screenshot):
    The items are:
    Event Type = WRITE-DENIED
    NT User = NT AUTHORITY\SYSTEM
    (Note that this account name may be spelled differently if your OS language is not English.)
    Process Name = lmhost.exe
        (note the lower-case L)
    5. Give the Filtering Rule the title “Exclude WRITE-DENIED events from LMHost.exe by NT AUTHORITY\SYSTEM”.
    6. Click the OK button to close this window. The Global Device Policy page should now show the new rule (see the article's screenshot).
    7. Click the FINISH button to save the changes.
    8. The next time the endpoints check in, they will receive this new rule and will no longer forward these events to the EMSS Application Server.
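    Before adding the filter it is worth confirming from an event export that the LMHost.exe / SYSTEM combination really is the dominant source of noise, and that the exclusion rule only drops those events. The helper below is an added example written for this article, not EMSS product code or a documented EMSS export format; the CSV column names and the sample rows are constructed assumptions to adapt to your own Device Control log export.

```python
"""Triage helper for the KB article above (added example, not part of EMSS).

Tallies Device Control events by source and applies the article's exclusion
rule: Event Type = WRITE-DENIED, NT User = NT AUTHORITY\\SYSTEM,
Process Name = lmhost.exe. The CSV layout is an assumption."""
import csv
import io
from collections import Counter

# Constructed sample export (not real EMSS data). Column names are assumed.
SAMPLE_EXPORT = """\
timestamp,event_type,nt_user,process_name,device
2024-01-01T10:00:00,WRITE-DENIED,NT AUTHORITY\\SYSTEM,LMHost.exe,removable-1
2024-01-01T10:00:01,WRITE-DENIED,NT AUTHORITY\\SYSTEM,lmhost.exe,removable-1
2024-01-01T10:00:02,WRITE-DENIED,CORP\\jdoe,explorer.exe,removable-1
2024-01-01T10:00:03,READ-DENIED,NT AUTHORITY\\SYSTEM,LMHost.exe,removable-1
2024-01-01T10:00:04,WRITE-DENIED,NT AUTHORITY\\SYSTEM,svchost.exe,removable-1
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def top_sources(events, n=3):
    """Count events by (event type, process, user) so the noisy source stands out.
    Process names are lower-cased because Windows file names are case-insensitive."""
    counts = Counter(
        (e["event_type"], e["process_name"].lower(), e["nt_user"]) for e in events
    )
    return counts.most_common(n)


def is_lmhost_system_noise(event):
    """The article's exclusion rule: all three fields must match.
    The account name is compared exactly as displayed (it differs on
    non-English Windows, as the article notes); the process name is
    normalised to lower case here, which is this helper's assumption."""
    return (
        event["event_type"] == "WRITE-DENIED"
        and event["nt_user"] == "NT AUTHORITY\\SYSTEM"
        and event["process_name"].lower() == "lmhost.exe"
    )


def apply_exclusion(events):
    """Return (events kept, number excluded); genuine user activity must survive."""
    kept = [e for e in events if not is_lmhost_system_noise(e)]
    return kept, len(events) - len(kept)
```

    Run `top_sources` over a real export first: if the leading entry is not the WRITE-DENIED / lmhost.exe / NT AUTHORITY\SYSTEM triple, the volume problem has a different cause and this filter will not fix it.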