"

High CPU usage on domain controllers

Last review: Jun 06, 2013
https://kb.netwrix.com/1371
Copy Article URL Copied

After installation of Account Lockout Examiner(ALE) I can see CPU spikes on monitored domain controllers. If I stop ALE, these spikes are gone.


ALE tracks for lockout events and failed logon events from the Windows security event log of domain controllers. By default it uses WMI calls that may result in high CPU usage of domain controllers.


There are two options to fix the issue:

1. Switch method of communication with domain controllers. In this case ALE will stop querying domain controllers for new events in the log, but domain controllers will notify about new events themselves (WMI feature). This will reduce the number of WMI calls and as a result – reduce CPU usage.

In order to do this perform the following on the machine where ALE is installed:

  1. Run Registry Editor (regedit),
  2. Go to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS)
  3. Create a DWORD called UseWatcher with value to 1
  4. Restart the Netwrix Account Lockout Examiner service via Services.msc

User-added image

2. If the above does not help, disable usage of WMI to communicate with domain controllers. (A .Net-based mechanism will be used for it.)

In order to do this perform the following on the machine where ALE is installed:

  1. Run Registry Editor (regedit),
  2. Go to HKLMSoftware[Wow6432Node]NetWrixAccount Lockout Examiner (Wow6432Node only for x64 OS)
  3. Change the UseWMI value to 0
  4. Restart the Netwrix Account Lockout Examiner service via Services.msc

User-added image

Go Up