
ZoneAlarm CPU Hogging and Bizarre Hook to Windows Backup Service

mjacobs2929 asked on
Software Firewalls, Vulnerabilities, Microsoft Legacy OS
Been pestering me for weeks. Finally attempted troubleshooting last night. After a wasted couple of hours with ZA support, thought I'd try the Experts.

This is the summary I posted to them:

Windows 8.1, i7 cpu, 12 Gb RAM
ZoneAlarm Pro version: 12.0.104.000
ZoneAlarm license key: xxx
Vsmon version: 12.0.104.000
Driver version: 12.0.102.000


After several system rebuilds (not associated with ZA) and multiple clean installs, ZoneAlarm - specifically vsmon.exe - continues to hog the CPU.

I have disabled logging. I have shut down all apps which could be attracting firewall attention. I have stopped all internet activity. I have attempted to force priority low. I have even tried to change the affinity to a specific processor (I have an i7, with 8 processors). I have deliberately opened apps with intensive activity (e.g. IP cameras).

NONE of these makes the slightest difference to the stable 12-14% cpu activity used by vsmon.

If I perform a clean install, disconnect from the internet and reboot, close down nearly all apps, open up the task manager, and just let the system sit there, I can watch vsmon build up its activity, over about 20 minutes till it reaches 12-14% and stabilises.

Using procexp, I even tried to identify and shut down ANY other activity using the cpu at all, to see if any were related to vsmon's greed. In the process, I may have found a clue.

I found the Windows backup service sdclt.exe churning away using a small amount of CPU power (~0.1-0.2%) and tried to shut it down. The message I got was interesting. It asked if I wanted to shut down ZATray.exe. At first I thought I must have right-clicked on the wrong item in the list, but however carefully I tried, any attempt to shut down sdclt.exe resulted in the same question.

So we know that ZATray is running the Windows backup service PERMANENTLY for whatever reason, on my machine. (It does not appear to be doing this on any other machine I have access to.)

So I'd like you to investigate why it might be doing that and how I can switch it off, even if only to test the consequences for the overall vsmon problem.

***************************
They deny even the possibility of a link to the backup service and suggested a selective startup (nothing except ZA and MS basics). Made zero difference and sdclt.exe still shows up as a child process of ZATray. As Process Explorer also reveals that Vsmon is performing a ludicrous amount of reading, writing and cpu cycling, I strongly suspect the root of the problem is at least linked to this bizarre hook where ZATray is spawning sdclt.

I have eliminated the possibility that the Windows file is infected (SFC /Scannow and clamwin both say everything is clean) and, no, I'm not running any other firewall (Windows firewall disabled), and I'm deliberately only using Windows Defender for real-time scanning/protection and clamwin for manual scanning. So no Avast, Malwarebytes or any other malware shields are implicated.

I'm open to suggestions
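
The parent/child relationship and the per-process read/write load described in the question can also be read from WMI, independently of Process Explorer. The script below is an added example and not part of the original post: the function name `Get-ParentChain` is hypothetical, the process names are the ones mentioned in the question, and the `Win32_Process` class it queries is standard Windows.

```powershell
# Added example (not from the original post).
# Walks the parent chain of every process with the given image name and
# reports cumulative I/O and CPU time for each link in the chain.
function Get-ParentChain {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'sdclt.exe'

    # One snapshot of all processes, indexed by PID, so the chain is consistent.
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[uint32]$p.ProcessId] = $p }

    foreach ($proc in ($all | Where-Object { $_.Name -eq $Name })) {
        $cur   = $proc
        $depth = 0
        while ($cur -and $depth -lt 32) {         # depth cap guards against loops
            [pscustomobject]@{
                Depth   = $depth                  # 0 = the process asked for
                Name    = $cur.Name
                ProcId  = $cur.ProcessId
                Started = $cur.CreationDate
                Path    = $cur.ExecutablePath     # may be empty without elevation
                ReadMB  = [math]::Round($cur.ReadTransferCount  / 1MB, 1)
                WriteMB = [math]::Round($cur.WriteTransferCount / 1MB, 1)
                # Kernel/user times are reported in 100-nanosecond units.
                CpuSec  = [math]::Round(($cur.KernelModeTime + $cur.UserModeTime) / 1e7, 1)
            }

            $parent = $byId[[uint32]$cur.ParentProcessId]
            if (-not $parent) { break }           # parent has already exited
            if ($parent.ProcessId -eq $cur.ProcessId) { break }   # PID 0 self-reference
            # ParentProcessId is never updated after the parent exits and PIDs
            # are reused, so a "parent" that started after its child is an
            # unrelated process and the chain ends here.
            if ($parent.CreationDate -gt $cur.CreationDate) { break }

            $cur = $parent
            $depth++
        }
    }
}

# Process names taken from the question.
Get-ParentChain -Name 'sdclt.exe' | Format-Table -AutoSize
Get-ParentChain -Name 'vsmon.exe' | Format-Table -AutoSize
```

Running it from an elevated prompt fills in the `Path` column for protected processes, which shows which on-disk image each link in the chain was started from.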