0 Replies Latest reply on May 19, 2009 10:40 AM by meimeifung

    Excel has high %privileged Time (Kernel) when Mcafee Mcshield service is running

      Hi,
      My company is using VirusScan Enterprise 8.5.0i (Engine 5301.4018, DAT 5601.0000), and Excel VBA used to runs fast in Excel 2003 runs very slow in Excel 2007.

      I ran the perfmon on Windows XP and notice that it has very high "% Privileged Time" when the McShield service enabled. The process that takes up all the CPU is Excel itself instead of McShield.

      I ran the Kernrate with and without Mcafee enabled and here is the result for zooming in win32k, hal and ntkrnlpa. I noticed there are a lot of different function calls when Mcafee is turned on.

      Excel runs without Mcafee service enabled

       


      ----- Zoomed module win32k.sys (Bucket size = 16 bytes, Rounding Down) --------
      Percentage in the following table is based on the Total Hits for this Zoom Module

      Time 17 hits, 25000 events per hit --------
      Module Hits msec %Total Events/Sec
      EngSetLastError 5 2796 45 % 44706
      XLATEOBJ_hGetColorTransform 2 2796 18 % 17882
      EngSetPointerTag 1 2796 9 % 8941
      EngLockSurface 1 2796 9 % 8941
      EngDeleteSurface 1 2796 9 % 8941
      EngFreeUserMem 1 2796 9 % 8941


      ----- Zoomed module hal.dll (Bucket size = 16 bytes, Rounding Down) --------
      Percentage in the following table is based on the Total Hits for this Zoom Module

      Time 17 hits, 25000 events per hit --------
      Module Hits msec %Total Events/Sec
      KeAcquireInStackQueuedSpinLock 8 2796 40 % 71530
      KeReleaseQueuedSpinLock 6 2796 30 % 53648
      ExTryToAcquireFastMutex 1 2796 5 % 8941
      ExReleaseFastMutex 1 2796 5 % 8941
      KeGetCurrentIrql 1 2796 5 % 8941
      KfLowerIrql 1 2796 5 % 8941
      KeRaiseIrqlToSynchLevel 1 2796 5 % 8941
      KeRaiseIrqlToDpcLevel 1 2796 5 % 8941


      ----- Zoomed module ntkrnlpa.exe (Bucket size = 16 bytes, Rounding Down) --------
      Percentage in the following table is based on the Total Hits for this Zoom Module

      Time 14 hits, 25000 events per hit --------
      Module Hits msec %Total Events/Sec
      PoShutdownBugCheck 2 2796 13 % 17882
      NtBuildNumber 2 2796 13 % 17882
      KeSynchronizeExecution 2 2796 13 % 17882
      LsaDeregisterLogonProcess 1 2796 6 % 8941
      ProbeForRead 1 2796 6 % 8941
      PsAssignImpersonationToken 1 2796 6 % 8941
      Kei386EoiHelper 1 2796 6 % 8941
      wcschr 1 2796 6 % 8941
      vsnprintf 1 2796 6 % 8941
      strupr 1 2796 6 % 8941
      MmCommitSessionMappedView 1 2796 6 % 8941
      KeRegisterBugCheckReasonCallback 1 2796 6 % 8941

      ================================= END OF RUN ==================================




      Mcafee Service Enabled

       


      ----- Zoomed module win32k.sys (Bucket size = 16 bytes, Rounding Down) --------
      Percentage in the following table is based on the Total Hits for this Zoom Module

      Time 26 hits, 25000 events per hit --------
      Module Hits msec %Total Events/Sec
      XLATEOBJ_hGetColorTransform 3 10155 30 % 7385
      EngSetLastError 2 10155 20 % 4923
      EngSetPointerTag 1 10155 10 % 2461
      STROBJ_vEnumStart 1 10155 10 % 2461
      EngLockSurface 1 10155 10 % 2461
      EngPaint 1 10155 10 % 2461
      EngFreeUserMem 1 10155 10 % 2461


      ----- Zoomed module hal.dll (Bucket size = 16 bytes, Rounding Down) --------
      Percentage in the following table is based on the Total Hits for this Zoom Module

      Time 1007 hits, 25000 events per hit --------
      Module Hits msec %Total Events/Sec
      KeAcquireQueuedSpinLock 515 10155 49 % 1267848
      KeReleaseQueuedSpinLock 467 10155 44 % 1149679
      KeReleaseInStackQueuedSpinLock 22 10155 2 % 54160
      KeAcquireInStackQueuedSpinLock 15 10155 1 % 36927
      KeAcquireQueuedSpinLockRaiseToSynch 10 10155 0 % 24618
      KeGetCurrentIrql 5 10155 0 % 12309
      KfLowerIrql 5 10155 0 % 12309
      READ_PORT_UCHAR 2 10155 0 % 4923
      HalDisableSystemInterrupt 2 10155 0 % 4923
      HalMakeBeep 1 10155 0 % 2461
      HalFreeCommonBuffer 1 10155 0 % 2461
      KfAcquireSpinLock 1 10155 0 % 2461


      ----- Zoomed module ntkrnlpa.exe (Bucket size = 16 bytes, Rounding Down) --------
      Percentage in the following table is based on the Total Hits for this Zoom Module

      Time 1571 hits, 25000 events per hit --------
      Module Hits msec %Total Events/Sec
      ObCreateObjectType 385 10155 24 % 947808
      ObFindHandleForObject 374 10155 23 % 920728
      MmTrimAllSystemPagableMemory 335 10155 21 % 824716
      MmIsAddressValid 132 10155 8 % 324963
      ObInsertObject 105 10155 6 % 258493
      PoStartNextPowerIrp 82 10155 5 % 201870
      NtFreeVirtualMemory 32 10155 2 % 78778
      PoSetPowerState 20 10155 1 % 49236
      LsaDeregisterLogonProcess 19 10155 1 % 46774
      NtBuildNumber 16 10155 1 % 39389
      wctomb 13 10155 0 % 32003
      RtlTimeToElapsedTimeFields 6 10155 0 % 14771
      KeTickCount 6 10155 0 % 14771
      ObQueryNameString 4 10155 0 % 9847
      KeSynchronizeExecution 4 10155 0 % 9847
      Kei386EoiHelper 4 10155 0 % 9847
      ZwYieldExecution 4 10155 0 % 9847
      ProbeForRead 3 10155 0 % 7385
      wcschr 3 10155 0 % 7385
      MmIsDriverVerifying 3 10155 0 % 7385
      IoCsqRemoveIrp 3 10155 0 % 7385
      KeRegisterBugCheckReasonCallback 2 10155 0 % 4923
      IoWMISetNotificationCallback 1 10155 0 % 2461
      SeTokenIsWriteRestricted 1 10155 0 % 2461
      PsDereferencePrimaryToken 1 10155 0 % 2461
      NtSetInformationProcess 1 10155 0 % 2461
      PoShutdownBugCheck 1 10155 0 % 2461
      PoQueueShutdownWorkItem 1 10155 0 % 2461
      local_unwind2 1 10155 0 % 2461
      RtlIpv6AddressToStringW 1 10155 0 % 2461
      RtlIpv4AddressToStringExA 1 10155 0 % 2461
      RtlIpv6AddressToStringExA 1 10155 0 % 2461
      MmMapLockedPagesSpecifyCache 1 10155 0 % 2461
      KeQueryRuntimeThread 1 10155 0 % 2461
      KeQueryPriorityThread 1 10155 0 % 2461
      KeRundownQueue 1 10155 0 % 2461
      KeInitializeApc 1 10155 0 % 2461
      KeRemoveQueueDpc 1 10155 0 % 2461
      FsRtlFastUnlockSingle 1 10155 0 % 2461

      ================================= END OF RUN ==================================



      Appreciate if anyone can suggest what is the next step to find out why it happened.

      Thanks,
      TF