cancel
Showing results for 
Search instead for 
Did you mean: 

Excel has high %privileged Time (Kernel) when Mcafee Mcshield service is running

Hi,
My company is using VirusScan Enterprise 8.5.0i (Engine 5301.4018, DAT 5601.0000), and Excel VBA used to runs fast in Excel 2003 runs very slow in Excel 2007.

I ran the perfmon on Windows XP and notice that it has very high "% Privileged Time" when the McShield service enabled. The process that takes up all the CPU is Excel itself instead of McShield.

I ran the Kernrate with and without Mcafee enabled and here is the result for zooming in win32k, hal and ntkrnlpa. I noticed there are a lot of different function calls when Mcafee is turned on.

Excel runs without Mcafee service enabled

 


----- Zoomed module win32k.sys (Bucket size = 16 bytes, Rounding Down) --------
Percentage in the following table is based on the Total Hits for this Zoom Module

Time 17 hits, 25000 events per hit --------
Module Hits msec %Total Events/Sec
EngSetLastError 5 2796 45 % 44706
XLATEOBJ_hGetColorTransform 2 2796 18 % 17882
EngSetPointerTag 1 2796 9 % 8941
EngLockSurface 1 2796 9 % 8941
EngDeleteSurface 1 2796 9 % 8941
EngFreeUserMem 1 2796 9 % 8941


----- Zoomed module hal.dll (Bucket size = 16 bytes, Rounding Down) --------
Percentage in the following table is based on the Total Hits for this Zoom Module

Time 17 hits, 25000 events per hit --------
Module Hits msec %Total Events/Sec
KeAcquireInStackQueuedSpinLock 8 2796 40 % 71530
KeReleaseQueuedSpinLock 6 2796 30 % 53648
ExTryToAcquireFastMutex 1 2796 5 % 8941
ExReleaseFastMutex 1 2796 5 % 8941
KeGetCurrentIrql 1 2796 5 % 8941
KfLowerIrql 1 2796 5 % 8941
KeRaiseIrqlToSynchLevel 1 2796 5 % 8941
KeRaiseIrqlToDpcLevel 1 2796 5 % 8941


----- Zoomed module ntkrnlpa.exe (Bucket size = 16 bytes, Rounding Down) --------
Percentage in the following table is based on the Total Hits for this Zoom Module

Time 14 hits, 25000 events per hit --------
Module Hits msec %Total Events/Sec
PoShutdownBugCheck 2 2796 13 % 17882
NtBuildNumber 2 2796 13 % 17882
KeSynchronizeExecution 2 2796 13 % 17882
LsaDeregisterLogonProcess 1 2796 6 % 8941
ProbeForRead 1 2796 6 % 8941
PsAssignImpersonationToken 1 2796 6 % 8941
Kei386EoiHelper 1 2796 6 % 8941
wcschr 1 2796 6 % 8941
vsnprintf 1 2796 6 % 8941
strupr 1 2796 6 % 8941
MmCommitSessionMappedView 1 2796 6 % 8941
KeRegisterBugCheckReasonCallback 1 2796 6 % 8941

================================= END OF RUN ==================================




Mcafee Service Enabled

 


----- Zoomed module win32k.sys (Bucket size = 16 bytes, Rounding Down) --------
Percentage in the following table is based on the Total Hits for this Zoom Module

Time 26 hits, 25000 events per hit --------
Module Hits msec %Total Events/Sec
XLATEOBJ_hGetColorTransform 3 10155 30 % 7385
EngSetLastError 2 10155 20 % 4923
EngSetPointerTag 1 10155 10 % 2461
STROBJ_vEnumStart 1 10155 10 % 2461
EngLockSurface 1 10155 10 % 2461
EngPaint 1 10155 10 % 2461
EngFreeUserMem 1 10155 10 % 2461


----- Zoomed module hal.dll (Bucket size = 16 bytes, Rounding Down) --------
Percentage in the following table is based on the Total Hits for this Zoom Module

Time 1007 hits, 25000 events per hit --------
Module Hits msec %Total Events/Sec
KeAcquireQueuedSpinLock 515 10155 49 % 1267848
KeReleaseQueuedSpinLock 467 10155 44 % 1149679
KeReleaseInStackQueuedSpinLock 22 10155 2 % 54160
KeAcquireInStackQueuedSpinLock 15 10155 1 % 36927
KeAcquireQueuedSpinLockRaiseToSynch 10 10155 0 % 24618
KeGetCurrentIrql 5 10155 0 % 12309
KfLowerIrql 5 10155 0 % 12309
READ_PORT_UCHAR 2 10155 0 % 4923
HalDisableSystemInterrupt 2 10155 0 % 4923
HalMakeBeep 1 10155 0 % 2461
HalFreeCommonBuffer 1 10155 0 % 2461
KfAcquireSpinLock 1 10155 0 % 2461


----- Zoomed module ntkrnlpa.exe (Bucket size = 16 bytes, Rounding Down) --------
Percentage in the following table is based on the Total Hits for this Zoom Module

Time 1571 hits, 25000 events per hit --------
Module Hits msec %Total Events/Sec
ObCreateObjectType 385 10155 24 % 947808
ObFindHandleForObject 374 10155 23 % 920728
MmTrimAllSystemPagableMemory 335 10155 21 % 824716
MmIsAddressValid 132 10155 8 % 324963
ObInsertObject 105 10155 6 % 258493
PoStartNextPowerIrp 82 10155 5 % 201870
NtFreeVirtualMemory 32 10155 2 % 78778
PoSetPowerState 20 10155 1 % 49236
LsaDeregisterLogonProcess 19 10155 1 % 46774
NtBuildNumber 16 10155 1 % 39389
wctomb 13 10155 0 % 32003
RtlTimeToElapsedTimeFields 6 10155 0 % 14771
KeTickCount 6 10155 0 % 14771
ObQueryNameString 4 10155 0 % 9847
KeSynchronizeExecution 4 10155 0 % 9847
Kei386EoiHelper 4 10155 0 % 9847
ZwYieldExecution 4 10155 0 % 9847
ProbeForRead 3 10155 0 % 7385
wcschr 3 10155 0 % 7385
MmIsDriverVerifying 3 10155 0 % 7385
IoCsqRemoveIrp 3 10155 0 % 7385
KeRegisterBugCheckReasonCallback 2 10155 0 % 4923
IoWMISetNotificationCallback 1 10155 0 % 2461
SeTokenIsWriteRestricted 1 10155 0 % 2461
PsDereferencePrimaryToken 1 10155 0 % 2461
NtSetInformationProcess 1 10155 0 % 2461
PoShutdownBugCheck 1 10155 0 % 2461
PoQueueShutdownWorkItem 1 10155 0 % 2461
local_unwind2 1 10155 0 % 2461
RtlIpv6AddressToStringW 1 10155 0 % 2461
RtlIpv4AddressToStringExA 1 10155 0 % 2461
RtlIpv6AddressToStringExA 1 10155 0 % 2461
MmMapLockedPagesSpecifyCache 1 10155 0 % 2461
KeQueryRuntimeThread 1 10155 0 % 2461
KeQueryPriorityThread 1 10155 0 % 2461
KeRundownQueue 1 10155 0 % 2461
KeInitializeApc 1 10155 0 % 2461
KeRemoveQueueDpc 1 10155 0 % 2461
FsRtlFastUnlockSingle 1 10155 0 % 2461

================================= END OF RUN ==================================



Appreciate if anyone can suggest what is the next step to find out why it happened.

Thanks,
TF
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community