-
Title
InTrust agent server adcscm.nt_intel causing high CPU usage during backup. -
Description
Customer recently upgraded the Backup Exec Remote agent on a server to version 15. Whenever a backup job starts, the server's CPU spikes to 100%. The process causing the spike is adcscm.nt_intel.exe, which utilizes 92-98% of the CPU. Need to stop the process and disable the Quest InTrust service in order to get the CPU usage down to a respectable level.
Checking the Event Logs on the member server noted that the Security log was rolling over very quickly with a high volume of events, far more than an equivalent server. Also the single largest volume is the EventID 4674 'An operation was attempted on a privileged object'
Checking UltimateWIndowsSecurity.com https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4674 reveals that these events are classsified as noise. Microsoft admits: "These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred."
-
Cause
When the backup job runs, higher than average number of events are written to the Security log and the InTrust Agent expends more CPU cycles to keep up with the volume.
-
Resolution
Check under Local Security Policies and Set Audit: Audit the use of Backup and Restore privilege to Disabled. Enabling this policy setting can generate a large number of security events, which might cause servers to respond slowly and force the security log to record numerous events of little significance.
As per Microsoft's Technet article https://technet.microsoft.com/en-us/library/jj852206(v=ws.11).aspx
Please note: If you have an InTrust version prior to 11.3, any folder/registry paths referenced may contain a non-Quest branded path.