6 Replies Latest reply on Mar 12, 2018 12:27 PM by Jon Miller

    Multiple LDAV.exe Processes Running

    Jon Miller Apprentice

      I have recently noticed on a couple clients that the LDAV.exe process multiplies over time. The core is 2017.3 and the client is x64 Windows 10 Enterprise build 1709. I have attempted to reinstall and reimage the machine with no luck. Initially, the computer acts and runs fine; LDAV.exe will have 1-2 processes running. I have the understanding that multiple processes are normal for different AV tasks but to have an excess of 10-20 processes seems a bit much. These processes are consuming loads of resources. I have only noticed this on one other 1709 build in our environment. The majority of our Windows 10 devices are pre-1709 or Windows 7 and they do not exhibit this behavior, nor do the remainder of the 1709 builds. The agent builds and AV versions are identical throughout the company. Is anyone aware of a recent Windows update, Kaspersky update, or other public change that may be at play here? Below I have attached an output of the current running processes on one of the computers in question after roughly 16 hours of a fresh boot.

       

      Thanks for your help and suggestions.

        • 1. Re: Multiple LDAV.exe Processes Running
          michael.odriscoll SupportEmployee

          Hi Jon,

           

          Thanks for posting to the Community.

           

          Please update this thread with any updates you receive on this issue. It may help others with a similar issue.

          • 2. Re: Multiple LDAV.exe Processes Running
            phoffmann SupportEmployee

            You may want to get in touch with support for one.

             

            Not so much because there's "a clearly identified thing", but because I am aware that there are some investigations going on about "some of the time, Win 10 build 1709 runs into issues" ... this doesn't seem to happen for all vendors / all of the time, but where it does happen, it is consistent. (I happened to chat to one of the guys trying to figure out what's going on yesterday).

             

            So far, the single common factor is indeed Build 1709. I'm not sure if the relevant folks have found / seen any LDAV issues (like you're reporting), but it'd be sensible to throw it on the pile of "Build 1709 shenanigans" at the very least, so you're on the radar & folks can try to compare notes / commonalities or whatnot with you.

             

            It's still very much at the "trying to make sense of things" stage, but at least we have an image & hardware that has the issue, so we're currently digging into that to try & make sense of things. HOPEFULLY your stuff will be related to it ...*fingers crossed*.

            • 3. Re: Multiple LDAV.exe Processes Running
              RogueOne Rookie

              Hello All,

               

              We have run into the same problem in our environment but I believe we have solved the problem.

               

              Symptoms: LDAV.exe pegging out CPU across multiple processes. This only occurs on Windows 10 with feature update 1709 and does not always occur on every computer that has 1709 installed.

               

              Explanation: It appears that the Landesk AV service is attempting to read or write to a registry key, which has no permissions assigned to it. My guess would be that this is an installer bug as the computers which do not suffer from this problem have the same key but with normal permissions (normal based on parent keys above).

               

              Below is the key in question, the solution is updating the security so that administrators have Full Control (I also add "System" with full control for good measure). Once you apply the permissions, the LDAV process should stop pegging the CPU out. I also noticed that the AV license was not activated before applying this key, that's likely where things were getting stuck.

               

              HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Antivirus\Patches\Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3

               

              Notes: Once permissions are applied you'll see registry entries appear within the registry key as seen above. The permissions themselves on the key will also start inheriting normally from their parent key so if you check again the permissions list will look quite different. Also, the AV service upon applying this fix may start using some CPU but in my case that was just a legitimate scan kicking off, no need for another face palm!

               

              Hope this helps!

              3 of 3 people found this helpful
              • 4. Re: Multiple LDAV.exe Processes Running
                phoffmann SupportEmployee

                Very interesting & good debugging.

                 

                Thanks for sharing this valuable info!

                • 5. Re: Multiple LDAV.exe Processes Running
                  crowe Rookie

                  Hey, first post, made my account to say thank you for the tip and troubleshooting efforts that went into said tip. We were scratching our heads as to what was going on with our brand new Windows 10 machines. Anyway, as we didn't want to locate the key by hand in Regedit on the 200+ machines that were experiencing this bug, I endeavored to remedy this through a PowerShell script. Most of the methods for editing permissions that I tried, such as Get-Acl/Set-Acl, would throw a permissions error even though I was logged in as the builtin administrator and the owner of the key was the Administrators group. Took me a while to get the syntax down as I am still very new to PowerShell, but here is the script.

                   

                  # Open the key, requesting only the right to change its permissions
                  $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Antivirus\Patches\Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
                  # Read the key's current ACL
                  $acl = $key.GetAccessControl()
                  # Build an Allow rule that gives SYSTEM Full Control and set it on the ACL
                  $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("SYSTEM","FullControl","Allow")
                  $acl.SetAccessRule($rule)
                  # Write the modified ACL back to the key
                  $key.SetAccessControl($acl)

                   

                  As you can see, I only add one permission entry. As @RogueOne mentioned in his previous post, once you add a Full Control permission entry for either SYSTEM or Administrators the key starts correctly inheriting the permissions of the parent. For thoroughness I also tried adding a ReadKey entry for Everyone. The key values propagate but not the rest of the permissions. Seems like Full Control is the key.

                   

                  -Crowe
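For rolling the fix out to many machines, the following added example (not part of any post in this thread, and not Ivanti's code) reports the key's permission state first and only changes it on request, adding Full Control for both SYSTEM and Administrators as RogueOne describes. The function name is hypothetical, the accounts are referenced by their well-known SIDs rather than by name, and an elevated session is assumed.

```powershell
# Added example, not from the thread. Run in an elevated session.
# Key path is the one RogueOne posted; the function name is hypothetical.
$path   = 'SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Antivirus\Patches\Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3'
$rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
$full   = [int][System.Security.AccessControl.RegistryRights]::FullControl
$wanted = 'S-1-5-18', 'S-1-5-32-544'   # well-known SIDs: SYSTEM, BUILTIN\Administrators

function Repair-LdavPatchKeyAcl {
    param([switch]$Fix)   # without -Fix the function only reports
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $key) { return 'KeyNotPresent' }
    try {
        $acl   = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
        # SIDs from $wanted that have no Allow rule carrying Full Control
        $missing = @($wanted | Where-Object {
            $sid = $_
            -not ($rules | Where-Object {
                $_.IdentityReference.Value -eq $sid -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.RegistryRights -band $full) -eq $full
            })
        })
        if ($missing.Count -eq 0) { return 'OK' }
        if (-not $Fix) { return "NeedsFix (access rules on key: $($rules.Count))" }
        foreach ($sid in $missing) {
            $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule($id,
                [System.Security.AccessControl.RegistryRights]::FullControl,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.SetAccessRule($rule)
        }
        $key.SetAccessControl($acl)
        return 'Fixed'
    } finally { $key.Close() }
}

Repair-LdavPatchKeyAcl          # report only: KeyNotPresent, OK, or NeedsFix
# Repair-LdavPatchKeyAcl -Fix   # add the missing Full Control entries
```

Collecting the report-only result from each client before running with `-Fix` shows which machines actually have the broken key, so the permission change is limited to those.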

                  • 6. Re: Multiple LDAV.exe Processes Running
                    Jon Miller Apprentice

                    Thanks for all the help folks! I opened a case with Ivanti and they ended up issuing me an SU that corrected the issue. Unfortunately, the support agent I was working with did not tell me the root cause and of course, they couldn't reproduce the issue. He happened to stumble across the release notes for this SU and saw that it corrected the issue. Lo and behold, it did! It was 2017.3 SU2 if I recall correctly, if you are curious.