• UserNotPresentSession.etl is causing 40%+ CPU usage

    #2646071

    BUT

    C:\Windows\System32\SleepStudy\UserNotPresentSession.etl

    is NOT THERE!!

    I thought I had patched this problem long ago, with a startup .bat file that deleted .etl files from that folder.

    I can add and remove that startup program, and RESTART, with no effects now.

    Windows 10 22H2 is writing 3.8MB/sec to a file that Windows 10 says IS NOT THERE??


     

    • #2646078

      now, checking the Properties for the SleepStudy folder,
      I’m seeing

      ANONYMOUS LOGON
      -and-
      Account Unknown (etc.)

      Have I been hacked by an anonymous intruder?


    • #2646098

      You haven’t been hacked…

      I see the same accounts in Properties > Security for that .etl file.

      You’ll find them in other files as well.

       

      1 user thanked author for this post.
      • #2646109

        Many thanks for the prompt response.

        I probably should have tried these 2 tests separately,
        but I was getting frustrated and I tested both at the same time:

        (1) I power-cycled the entire system by disconnecting/reconnecting the AC power cable
        -and-
        (2) I changed “SleepStudy” to “SleepStudyOLD” and “ScreenOn” to “ScreenOnOLD”

        I re-booted and the overhead disappeared; but, at present I don’t know which test was responsible for the fix.

        At this point, a logical experiment would be to revert those folder names to test if the original folder names are somehow responsible for the overhead.

        • #2646110

          The fact that you say that the disk activity went away with shutting down and rebooting the computer suggests to me that what you saw was a system (PID 4) process that was actively handling the file in question, therefore the word “Normal” instead of “Background” in the column for I/O Priority. Disk activity that high can be something as innocuous as a disk defrag (if you have an HDD) or optimization (if you have an SSD).

          Since you’ve rebooted your machine as part of your experiment, Windows might have recreated the folders that you renamed (depending on your system settings), so go in there and take a look to see if they’re back and are right alongside the ones you renamed. You might not need to rename anything.

          On my system, I had to click through a special cautionary box about getting access to the SleepStudy folder to get permission to look at it for the first time, even logged in with an administrator account, so be careful handling some of the files and folders in here. That cautionary box usually only comes up for folders and files that are supposed to be specially protected operating system files and folders.

          1 user thanked author for this post.
          • #2646112

            Thanks again!

            I just remembered that I had not started that PC for several days,
            and the first STARTUP today took much longer than usual.

            .etl = Event Trace Log

            I can manually delete all .etl files in both folders,
            and they do not automatically re-appear after my 2 tests.

            What seems very bizarre to me is the high WRITE speed (~3.8MB/second)
            to a single .etl file — BUT the OS says that file does NOT exist
            when I do a DIR command inside each folder.

            That bizarre behavior suggests to me that Windows was
            writing to its NTFS file system buffers BUT
            NOT actually recording any data in that one .etl file.

            I don’t believe those 2 folders are “Hidden”;
            I tried the ATTRIB command, and Windows reported
            both had the “I” attribute enabled (“Index-able”).

            I’ll try a few more things tomorrow;
            that PC is shutdown right now.

    • #2646389

      This filename is definitely very close to THE PROBLEM:
      C:\Windows\System32\SleepStudy\UserNotPresentSession.etl

      Now that I know how and where to look,
      the same/similar CPU overhead is happening
      on our HP Z220 workstation, Intel Core i7-3770 CPU.

      Google UserNotPresentSession.etl
      finds about 1,130 results today

      BING UserNotPresentSession.etl
      finds about 124,000 results today !!

      The CPU overhead is boosting the clock to ~3.7 GHz
      (SpeedStep is obviously NOT activated).

      It would be nice if there were a simple Registry tweak
      to simply turn OFF event trace logging for event=UserNotPresentSession .

      Here’s one proposed solution:
      https://www.youtube.com/watch?v=q7ZqQKuhKos

      Instructions:

      1. Go to the path C:\Windows\System32\SleepStudy
      2. Right click on UserNotPresentSession.etl, choose Properties.
      3. Check on Read-only, press OK
      4. Back to C:\Windows\System32\, right click on folder SleepStudy and choose Properties.
      5. Go to Security tab, edit permission and remove SYSTEM permission.
      You should remove ADMINISTRATORS permission as well, just to make sure.
      6. Restart your PC.

      • #2646397

        FYI: I just now tried the latter “Instructions:” .
        They did NOT work.

    • #2646398

      I found these recommended steps;
      they did NOT work either:

      go to Start
      > Windows Administrative Tools
      > Task Scheduler
      > expand the tree
      > Task Scheduler Library
      > Microsoft
      > Windows
      > Power Efficiency Diagnostics
      > right-click on the “AnalyzeSystem” trigger
      > disable/delete

    • #2646681

      Partial SUCCESS!

       

      First, the good news:

      I’ve succeeded in stopping all of the intense WRITEs to:

      C:\Windows\System32\SleepStudy\UserNotPresentSession.etl

      The latter .etl file is not showing up now in Resource Monitor.

       

      If anyone needs the list of our TWEAKs to Windows 10 22H2, please REPLY here.

       

      I also downloaded and updated the device driver for the Highpoint SSD7103:

      that driver update sequence executed perfectly;  although, the SSD7103 is now a “legacy” product at the Highpoint website.

      The bad news is that the CPU overhead is still hovering around 22%.

      So, I’ve DISABLED SpeedStep in the motherboard BIOS:

      CPU clock is now fixed at 3.4GHz which is factory DEFAULT for Intel Core i7-3770.

      The above progress is satisfactory, for now:  the reduced wear on our SSD7103 is welcome because it is hosting C: / E: partitions (C: is 100GB, E: is 900GB).

    • #2646734

      That particular review is from 2021…

      There might be a driver update.

      I would suggest downloading and installing Sysinternals Process Explorer.

      Right-click on a high-CPU process and select Properties.

      Click on the Threads tab to see the state of each thread in the process.

      1 user thanked author for this post.
      • #2646909

        Yes, I’m familiar with Sysinternals Process Explorer.

        I’ll need to try it, perhaps on Monday if not sooner.

    • #2646737

      Another thing you can do is download Sysinternals free program Process Monitor, and let it run for a while. It has nice filtering features that will allow you to narrow down what was running at the time, as well as setting “watch” filters.

      https://technet.microsoft.com/en-us/sysinternals/bb896645

      Set up Process Monitor and let it run continuously. There is a logging feature. Turn it on by clicking on File > Backing Files…. There will be two options: Use virtual memory (which is the default), and Use file named:.

      Click on the Browse button (the one with 3 dots) and it will take you to the folder where Process Monitor is installed. Enter a file name. It will automatically be given an extension of .PML. Click Save.

      When Process Monitor is restarted, check that File > Capture Events is checked. It will log everything within the filter criteria that has been set up (default filters are fine for now).

      I would set it up to see what is writing to and reading UserNotPresentSession.etl

      Anyone with Process Monitor will be able to use it to open the .PML file and view it as if it were on their system.

       

      1 user thanked author for this post.
    • #2646750

      The ProcMon filter you would use is Path.

      The value would be C:\Windows\System32\SleepStudy\UserNotPresentSession.etl

       

      1 user thanked author for this post.
      • #2646910

        I’ve stopped the intense WRITEs to that .etl file.

        It is process “System” with PID=4 that is hogging the CPU.

        The overhead appears to be caused by a kernel thread.

    • #2646788

      I also downloaded and updated the device driver for the Highpoint SSD7103:

      I didn’t see any drivers for the 7103 on the Highpoint site…

      There is a note about SSD vendor drivers conflicting with Highpoint NVMe RAID solutions.

      https://highpoint-technologies-inc.helpjuice.com/nvme-general-questions/do-i-need-to-install-ssd-manufacturer-provided-drivers-when-using-highpoint-nvme-raid-solutions?from_search=141935363

       

       

      1 user thanked author for this post.
    • #2646830

      How old is the SSD?
      What does your SSD SMART status tell you about the remaining life?

      You may find the writes make no difference to its longevity.

      cheers, Paul

      1 user thanked author for this post.
    • #2646917

      I managed to completely disable Sleep Study and all the files it creates as follows:

      1st. Open Task Scheduler > Microsoft > Windows > Power Efficiency Diagnostics > AnalyzeSystem and disable & delete that task.

      2nd. Delete the contents of the SleepFolder and then remove all access to it.

        1- Open Windows Explorer and navigate to C:\Windows\System32\SleepStudy.

        2- Right-click the SleepStudy folder > Properties > Security tab > click the Advanced button.

        3- Click the Change option to the right of “Owners:” and set Administrators (or your user if it’s not an administrator) as the new owner, click the Replace owner on subcontainers and objects box, click OK twice to exit back to Explorer.

        4- Repeat step 2.

        5- Click the Disable inheritance button, select the Convert inherited permissions into explicit permissions on this object option, click OK twice to exit back to Explorer.

        6- Delete all the files and subfolders in the SleepStudy folder (i.e. the folder should now be empty.)

        7- Repeat step 2.

        8- Remove all the users in “Permission entries:“, click OK, answer “Yes” to the Do you want to continue? prompt, click OK to exit back to Explorer.

      The Sleep Study process is now completely disabled and you won’t get any error notices about it failing when starting Windows.

      1 user thanked author for this post.
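
A read-only way to check the state that the steps above change, and to see which SIDs sit behind the "ANONYMOUS LOGON" and "Account Unknown" entries asked about earlier in the thread. This is an added example, not code posted by any participant; the function names are hypothetical, and the folder path and task location are the ones quoted in the thread.

```powershell
# Added example: read-only audit of the Sleep Study folder and task.
# Run from an elevated PowerShell prompt. Nothing here modifies the system.
$folder   = 'C:\Windows\System32\SleepStudy'                    # path quoted in the thread
$taskPath = '\Microsoft\Windows\Power Efficiency Diagnostics\'  # task location quoted in the thread
$taskName = 'AnalyzeSystem'

function Get-SleepStudyTaskState {                # hypothetical helper name
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if ($null -eq $task) { return 'Missing (task deleted)' }
    return [string]$task.State                    # Ready, Disabled, Running, ...
}

function Get-SleepStudyAcl {                      # hypothetical helper name
    $acl = Get-Acl -LiteralPath $folder
    # Request raw SIDs so entries Explorer labels "Account Unknown" can be identified.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # No account name maps to this SID on this machine.
            $name = '<no name mapped to this SID>'
        }
        [pscustomobject]@{
            Sid       = $sid.Value                # S-1-5-7 is the well-known SID for ANONYMOUS LOGON
            Account   = $name
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
        }
    }
}

function Get-SleepStudyFiles {                    # hypothetical helper name
    try {
        Get-ChildItem -LiteralPath $folder -Recurse -Force -File -ErrorAction Stop |
            Select-Object FullName, Length, LastWriteTime
    } catch {
        # Expected once every permission entry has been removed from the folder.
        Write-Warning "Cannot list ${folder}: $($_.Exception.Message)"
    }
}

$acl = Get-Acl -LiteralPath $folder
[pscustomobject]@{
    TaskState           = Get-SleepStudyTaskState
    FolderOwner         = $acl.Owner
    InheritanceDisabled = $acl.AreAccessRulesProtected   # True after "Disable inheritance"
    AccessEntryCount    = @(Get-SleepStudyAcl).Count     # 0 after all entries are removed
} | Format-List

Get-SleepStudyAcl   | Format-Table -AutoSize
Get-SleepStudyFiles | Format-Table -AutoSize
```

Running it before and after a change shows whether the task, the owner, the inheritance flag or the permission entries actually changed.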
      • #2646920

        We’re both right over the target.

        Without doing all of those steps, I already performed a subset of those steps;  AND,

        the partial good news is that the intense WRITEs to that .etl file have HALTED.

        BUT, I’m still seeing >20% CPU overhead being generated by process “System”, PID=4 .

        The surviving theory now is that there is a conflict, deep down in the device drivers with our 4 x Samsung NVMe SSDs.  And, updating the SSD7103 device driver did not stop the CPU overhead being generated by that bug.

        Because the SSD7103 is now a “legacy” Highpoint product, there probably won’t be any newer drivers, going forward.

        • #2646944

          Just FYI, after completing the above steps, there are no longer any writes to the .etl files (because the system can no longer access the SleepStudy folder to create them) and my “System” process now shows 0%.

          Of course I don’t have any of those Samsung NVMe drives, mine are all Samsung SATA SSDs.

          Have you tried using Samsung Magician to check to see if there’s a firmware update available for them?

          BTW, I don’t really understand how the NVMe drivers (or any other drivers for that matter) would have an effect on what the Sleep Study process does.

          Sleep Study tells you how well the system slept and how much activity it experienced during that time.

           

          1 user thanked author for this post.
          • #2646957

            A firmware update for the Samsung M.2 NVMe drives would be an excellent experiment.

            However, after all these years of struggling with Windows, I’m quite burned out with the prospect of more trial-and-error.  I know that method works, but it’s very time-consuming.

            I just don’t have the patience any longer for more trials-and-errors.

            Also, Windows 10 22H2 is hosted by that SSD7103, so doing low-level changes may require re-installing that OS i.e. bigger headaches than I’m willing to tolerate, at this point.

            I REALLY DO APPRECIATE YOUR ATTENTION AND VALUABLE SUGGESTIONS.

            P.S.  repeating a CLUE I just happened to find at Amazon:

            A very relevant CLUE re: Highpoint SSD7103 as boot drive:

            https://www.amazon.com/High-Point-SSD7103-Bootable-Controller/dp/B07S8F1BGJ

            “Windows 10 cannot sleep or hibernate if you use this as a boot device”

             

            CONCLUSION / SUSPICION:

            As such, there appears to be a direct contingency between the SSD7103 and sleep/hibernate when the SSD7103 is used as a boot device.

             

          • #2647001

            Re: ” I don’t understand how the NVMe drivers (or any other drivers for that matter) would have an effect on what the Sleep Study process does.”

            I can only speculate:  your point is well taken.

            That claim was found at a User Review posted at Amazon.

            As such, I have no idea how reliable that claim might be.

            MANY THANKS again for all your help.

    • #2646989

      Oh, boy, I hope everyone still reading here gets a GOOD BELLY LAUGH from the following:

      I like to add supplemental cooling fans to workstations.

      To supplement the chassis cooling for our HP Z220 tower workstation, I recycled the cardboard backing from a desk top calendar.

      I was attaching this jury rig with electrical tape, but I noticed that the tape was coming loose.

      So, to fix that problem, I replaced the electrical tape with good ol’ fashioned DUCK TAPE!

      Great SEAL of approval there (pun intended).  Call me a QUACK, I won’t mind!!

      Now, however, the fans I mounted in that cardboard jury rig had to work harder, because the duck tape was sealing the seams much more tightly.

      You’ll never guess:  this new duck tape solution caused a Vantec USB 3.0 adapter to STOP working, even though it has been powered correctly via a chain of molex extension cables.

      And, it turned out that those extension cables had too many extensions.

      Consequently, the molex input cable was not supplying the Vantec USB 3.0 adapter with sufficient power, and 2 x SanDisk 256GB flash drives stopped showing up in Windows Explorer.

      I re-seated that Vantec adapter, and removed the unnecessary molex extension cables.

      I also attached my cardboard jury rig with smaller strips of electrical tape, to allow the internal chassis over-pressure to escape more easily and not over-burden any of the chassis fans.

      VOILA!  Not only did the Vantec adapter start working again.

      THE CPU OVERHEAD HAS VANISHED!

      Whew, what a CHAIN REACTION!

      I should go back to school and study nuclear physics.

      p.s.  I am available at any time to receive my 30 lashes with a wet noodle.


       

    • #2647135

      “You have additional fans that have to work harder when you tape up the box properly.”

      Why / how do they work harder?
      Do you have them installed backwards so they blow into the box instead of out, or vice versa?
      Do the fans have less capacity  are running slower than the internal fans, causing a reduction in airflow?

      cheers, Paul

    • #2647212

      > Why / how do they work harder?

      On that PC, there are more fans blowing IN than fans blowing OUT:

      this creates an over-pressure inside the chassis, which helps to keep dust out.

      But, that over-pressure creates more back-pressure that the intake fans must push against.

      >  Do you have them installed backwards so they blow into the box instead of out, or vice versa?

      The 2 fans I’ve added to my “jury-rig” left panel are both blowing IN.

      Both are very low speed fans, and one has a dust filter on the outside that is easy to vacuum.

      One blows IN cooler intake air directly onto the HDD cage.

      One blows IN near the bottom rear of the chassis, to feed cooler air to a Vantec twin slot fan mounted in PCI slot #7.  The latter internal “twin” fans blow upwards towards the RAID controller and other add-in cards.

      >  Do the fans have less capacity are running slower than the internal fans, causing a reduction in airflow?

      I’m not sure I fully understand this question.  See above.

      The 2 fans in my “jury-rig” left panel both spin at relatively slow speeds, just enough to create some over-pressure, and also to blow cooler air directly onto the HDD cage and to feed the Vantec twin slot fans with cooler intake air.

      Bottom Line:

      Our USB 3.0 adapter needs a Molex power feed, but the Molex extension cable I used was at the very end of a series that was too long.

      I now believe there was a voltage “droop” by the time DC current reached the USB 3.0 adapter.

      And, when I removed a redundant extension cable, the USB 3.0 adapter returned to normal operation.

      After fixing the original .etl problem, the CPU overhead that remained was evidently caused by a kernel task that was “polling” that USB 3.0 adapter, but that USB adapter was not getting enough input power to operate normally.

      Our USB 3.0 adapter does not get enough power from a standard PCIe 2.0 x1 expansion slot, hence the need for a Molex input power cable and connector.

      Hope this helps.

      • #2647460

        IME computers suck air in at the front and blow it out the rear.
        If you are pressurising the rear you may be upsetting the internal airflow and reducing cooling.

        cheers, Paul

        1 user thanked author for this post.
        • #2647509

          I agree that is one-half of “computer ventilation” basics 🙂

          Our Vantec twin fans mount in an available PCI slot:

          https://www.newegg.com/vantec-sp-fc70-bl-pci-slot-case-cooler/p/N82E16835888112

          The slow fan in the bottom rear end of our left side panel merely adds a small amount of colder air to the upwards flow of those twin fans.

          Not only do computers suck air in the front, and blow it out the rear; warm air rises naturally by operation of convection — like hot air balloons.

          The Vantec twin fans direct cooler air directly onto the RAID controller’s heatsink.

          The air that is warmed as it rises upwards naturally, then exhausts out the rear fan and the PSU’s internal fan.

          So, I would add to your general observation by saying that computers suck air in and blow it out the back;  computers should also suck air in near the bottom, preferably the front, and that warmed air should rise upwards to exhaust out the top and/or the rear exhaust fans and PSU’s internal fan when the PSU is located at the top/rear.

           

           

          • #2647520

            PCs don’t use convection cooling, it isn’t good enough. That’s why they have variable speed fans.

            cheers, Paul

            1 user thanked author for this post.
            • #2647525

              See the gas laws in physics:  PV/T is a constant (more or less).

              PV/T = Pressure x Volume / Temperature

              Thus, as air is heated, it expands, and that reduces its density.

              When a small volume of air becomes less dense than the air surrounding it, it rises, like a hot air balloon.

              Since this is a naturally occurring process, it makes sense to harness this natural buoyancy.

              More importantly, when all of the PCIe expansion slots are populated, we have found that our RAID controllers run cooler with one or more fans that blow cooler air directly onto the integrated heatsink on each RAID controller.

              Our favorite controller is the Highpoint RocketRAID 2720SGL, and all of them have been superb spanning a period of many years.

              Starting out, Highpoint’s documentation needed some work, especially their procedure for DISABLING INT13 in the controller bios; but, their hardware has been flawless for us.

               

    • #2647214

      This is the USB 3.0 adapter that we suspect was not getting enough input DC power via the Molex connector.

      Note this:  “Internal USB 3.0 (20-pin connector)”

      We added 2 x SanDisk 256GB flash drives using an adapter cable with 20-pin connector at one end, and a “Y” branch into 2 x USB 3.0 females, one for each flash drive.

      If anyone needs the details of the latter adapter cable, please advise.  It’s pretty simple:  20-pin connector at one end, branching to 2 x USB 3.0 female connectors at the other end.

      Here’s the manufacturer’s web page for that USB 3.0 adapter:

      4-Port Super Speed USB 3.0 PCIe Host Card w/ Internal 20-Pin Connector model UGT-PC345

      https://www.vantecusa.com/products_detail.php?p_id=125&p_name=+4-Port+Super+Speed+USB+3.0+PCIe+Host+Card+w%2F+Internal+20-Pin+Connector&pc_id=16&pc_name=USB&pt_id=4&pt_name=Add-on+Cards

    • #2647222

      Enlabs MB20P22U310IN 2 Port Internal USB 3.0 Motherboard 20-Pin Header to 2x USB 3.0 A 10-Inch Female Adapter Cable, USB 20pin to 2 x USB 3.0 Splitter Cable – Black

      https://www.newegg.com/black-en-lab-10-inch-25cm-usb-cable/p/181-01CY-00002
