Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
9221 Views 2 Replies Latest reply: Jun 27, 2008 12:16 PM by Jprader RSS
maxim0512 Newcomer 1 posts since
Oct 4, 2005
Currently Being Moderated

Mar 6, 2006 2:25 PM

RPCserv.exe at high CPU, Exchange drops connections

I've had a problem twice in the last few days.

System: Exchange 2000 SP3, VirusScan 8.0i (centrally managed through ePO 3.5), GroupShield 6.02.

The Exchange server suddenly starts freezing up all of its Outlook clients. Logging in to the server and checking task manager shows RPCserv.exe running at 90+% CPU. Event viewer contains a McAfee event indicating that VirusScan has just started. After RPCserv.exe calms down (about 10 minutes or so), the McAfee services (McInUse.exe, McScript.exe) start using heavy CPU for a few minutes. After a total of about 10-15 minutes, everything returns to normal.

Any ideas?
  • Code_Green Senior Member 53 posts since
    Jun 4, 2004
    Check you are running the latest patches on GroupShield.

    The following is a KB article from McAfee which may help:


    Solution ID: kb40834
    Title: RPCServ.exe generates high CPU usage (DisableAutoRev)


    Question or Problem:
    RPCServ.exe generates high CPU usage.
    RPCServ.exe generates high Memory/Load usage.

    RPCServ.exe generates high Paging File usage.

    Restarting GroupShield Services returns the load to normal usage for the next few days.


    Solution1: IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, see the following Microsoft Knowledge Base article:

    Create the following registry key and set the value accordingly.

    Click Start, Run, type Regedit and click OK.
    Navigate to: [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\McAfee GroupShield].
    In the right-pane, right-click and choose New, DWORD Value.
    Type DisableAutoRev and press ENTER.
    Change the value of this new entry to either 0 or 1 according to the behavior required below:

    0 (VSAPI stamp changes to reflect Engine, DAT and EXTRA.DAT version)
    1 (VSAPI stamp is not updated)

    Close the Registry Editor.


    See also:

    KB40837: Resubmitting items for scanning when using DisableAutoRev with McAfee GroupShield 6.0.1


    McAfee GroupShield 6.0.1 for Microsoft Exchange 2000
    McAfee GroupShield 6.0.2 for Microsoft Exchange 2000
    Microsoft Exchange 2000
    Microsoft Exchange 2003

    Cause of Problem:

    In previous versions of McAfee GroupShield, it was possible to disable the changing of the Virus Scanning API (VSAPI) stamp value via the user interface (AutoRevDat version). In McAfee GroupShield 6.0 this property was not available, therefore the product updated the stamp upon every time a new Engine, DAT, or EXTRA.DAT was used.

    The VSAPI stamp registry value is compared to the VSAPI message property upon accessing message. If there a discrepancy exists, the message will be re-scanned by the On-Access scanner.

    While this may be best for keeping all messages scanned with the latest Engine and DAT combinations, it also puts the highest load on the server because messages are re-scanned upon access after a DAT update. This issue is compounded by daily DAT updates provided by McAfee.

    With Service Pack 1, a new registry entry is created which allows an administrator more control of this behavior.

    Changes Affecting
    this Problem:
    Installed Patch 1.

    Last Modified:

    McAfee MANIAC
    Green not Red -
  • Newcomer 5 posts since
    Jun 23, 2008
    Currently Being Moderated
    2. Jun 27, 2008 12:16 PM (in response to Code_Green)
    RPCServ.exe issue resolved
    We saw high CPU utilization with RPCServ.exe. We resolved the issue by using the Default Config. file (rather than the config file we imported from another server) AND
    by using the fix in McAfee KB40834. We are running Groupshield 6.0.2 w/Patch1.

More Like This

  • Retrieving data ...

Bookmarked By (0)