Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Huntress Agent
Environment: Windows
Summary: This document offers a starting place when investigating high CPU utilization and CPU spikes on endpoints running the Huntress Agent. It outlines common causes and considerations for these spikes, along with the information that can be gathered to aid the investigation.
- Common Causes
- A Note About Microsoft Defender Antivirus
- Information to Collect
- Expected Resource Utilization
Common Causes
When experiencing high CPU utilization related to the Huntress Agent and its related services, it is important to look at possible application interference and other third-party tool activity. Huntress recommends reviewing these first to ensure there is no conflict of resource usage before investigating further.
Windows Update/Rebooting
As a first step, Huntress recommends rebooting and ensuring your endpoint is patched and up to date with Windows Updates. This may solve performance issues with Huntress, third-party software, and/or Microsoft Defender Antivirus. This is especially important on machines with higher uptime, as conditions such as file locks or missing updates can directly impact the performance of the Huntress Agent and other security tools.
Third Party Antivirus or Security Tools
Potential conflicts and resource contention with other security software, such as antivirus, can lead to CPU spikes.
Huntress works natively with Microsoft Defender Antivirus. If you are using any other antivirus tools, ensure that all exclusions are in place per the Allowlisting Article.
ThreatLocker has been known to interfere with Huntress, as it does not always honor the allowlisting. It is critical that ThreatLocker is in learning mode before Huntress is installed; otherwise, installation is likely to fail.
Huntress Rio Service Stopped/Crashed
A stopped or crashed Rio service may be a factor in high CPU utilization. It is recommended to first address the Rio service and ensure it is running. If the service does not start after rebooting and restarting the services, please review and gather the information described in our Rio Troubleshooting guide and reach out to Support.
A Note About Microsoft Defender Antivirus
The Huntress Agent works with Microsoft Defender Antivirus to push settings, run scans and collect logs. While these two pieces of software integrate, you may sometimes notice Defender has unusually high resource utilization. The Antimalware Service Executable has been known to cause high CPU usage. Apply the necessary Windows Updates to ensure Microsoft Defender AV is up to date, then reboot the endpoint to see if the utilization decreases. If you continue to see issues, we recommend reaching out to Microsoft Support: Huntress Support does not have the visibility to troubleshoot and fix this, and it is considered a support limitation.
If you notice a spike with another application, there may be instances where allowlisting the software with Defender AV Exclusions can yield performance improvements. Proper exclusions are highly recommended to reduce interference and slowdowns.
Information to Collect
If you are still seeing high CPU utilization after checking the above, collect the following information to help our Support team investigate further.
Timestamps
When did the spikes occur?
This information is important for events with high CPU usage as we can see if it correlates to Huntress updates, surveys, or other process events. Providing timestamps on the latest 2-3 spikes is helpful so we have the most recent data. It is also important to include accurate time zones with each timestamp so we can reference the data correctly.
Is this happening when a specific action is being taken on the host?
If you notice the spike occurring at the same time as another action or event, please include this information when reaching out to Support.
Duration and Time Between Each Spike
Is it constant usage or just a temporary spike?
The duration and frequency of high CPU utilization can be useful for identifying potential correlations with Rio and Huntress Agent surveys.
Example: If there are regular spikes lasting around 7 minutes, you can reference this with the agent logs for surveys and other events. The screenshot below is an example of the HuntressAgent.log showing a processed survey with a duration of around 7 minutes. In some cases, we can tune the max CPU during agent survey gathering, which can potentially fix the issue.
CPU Usage Screenshots
How much utilization?
A screenshot of the CPU usage that shows how much of each resource the Huntress Agent is using is helpful during the investigation as different modules in Huntress have different expectations. Additionally, screenshots may also help to discover if other applications have high CPU utilization, which could indicate interference.
Baseline CPU/Virtual Machines
What is the baseline CPU usage?
Knowing the typical CPU usage of the endpoint can also assist in determining if the Huntress Agent is the primary contributor to CPU spikes or if it's adding on to existing resource constraints. Example: If an endpoint is using ~50% CPU regularly, running Huntress EDR could lead to additional performance issues.
If this is a virtual machine, it may be worth investigating the resources allotted to it. If it is too thinly provisioned, any program (including Huntress) can end up utilizing excessive resources, resulting in high CPU usage and performance issues. For example, the percentage of a device's CPU load may be 1-5% when running a survey, whereas a VM's CPU load may be 25%.
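One way to gather the timestamps, spike duration, per-process usage and baseline described above in a single pass, as an added example that is not Huntress tooling: the script samples the host total, every process whose name starts with Huntress, and MsMpEng (the process behind the Antimalware Service Executable), and writes rows stamped with the local UTC offset. The parameter names and output path are assumptions, and English performance counter names are assumed.

```powershell
# Added example, not part of the Huntress Agent or its documentation.
param(
    [int]$IntervalSeconds = 5,
    [int]$Samples = 120,                               # 120 x 5 s = 10 minutes of data
    [string]$OutFile = "$env:TEMP\huntress-cpu.csv"    # hypothetical output path
)

# Process counters report up to 100% per logical core; normalise to a 0-100 scale.
$cores = [Environment]::ProcessorCount
$paths = '\Processor(_Total)\% Processor Time', '\Process(*)\% Processor Time'

Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue |
    ForEach-Object {
        # ISO 8601 local time with UTC offset, so rows can be lined up with agent logs.
        $stamp = $_.Timestamp.ToString('yyyy-MM-ddTHH:mm:sszzz')
        foreach ($s in $_.CounterSamples) {
            $isHost    = $s.Path -like '*\processor(_total)\*'
            $isWatched = $s.InstanceName -like 'huntress*' -or $s.InstanceName -like 'msmpeng*'
            if (-not ($isHost -or $isWatched)) { continue }

            # Host total is already 0-100; per-process values need dividing by core count.
            $target = if ($isHost) { 'host_total' } else { $s.InstanceName }
            $value  = if ($isHost) { $s.CookedValue } else { $s.CookedValue / $cores }

            [pscustomobject]@{
                Timestamp  = $stamp
                Target     = $target
                CpuPercent = [math]::Round($value, 1)
            }
        }
    } |
    Export-Csv -Path $OutFile -Append -NoTypeInformation
```

Run it once while the endpoint is idle to capture the baseline and again across a spike; the host_total rows show whether Huntress is the main contributor or is adding to existing load.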
Expected Resource Utilization
The Huntress Agent was designed to use as few system resources as possible and still be effective. Below is the expected utilization for the Huntress services.
Huntress Agent (HuntressAgent.exe): This service is expected to consume 1-5% CPU resources but may increase to 5-10% when a survey is running. Most agents only send a few surveys a day and the time to complete the process is typically less than 5 minutes. By default, the Huntress Agent is limited to a maximum of 50% CPU usage, though it is unlikely to require the full amount.
Huntress Updates: This service regularly checks for updates throughout the day, which can lead to 5-10% CPU usage during the check. Up to 30% has been observed in some environments briefly, but it should only last a few minutes.
Huntress Rio (HuntressRio.exe): The Rio service is expected to consume 1-5% CPU resources but may increase to 5-10% when processing a survey.
CPU spikes due to agent surveys can be high on under-provisioned machines, but can also be unnoticeable if the machine's power greatly exceeds its average workload.
To reach out to support, please use the Contact Us options below or send an email to our help desk at support@huntress.io. Please include any additional information to help with further troubleshooting.