High cpu and ram usage

Started by tonino, March 03, 2017, 02:05:46 AM


tonino

Hello!

I'm new and not very familiar with ReHIPS!

But after installing ReHIPS, it seems that the rules never finished installing, consuming a lot of CPU and RAM!
In Task Manager, the "Pack of Rules of Rehips" process is showing hiding every time.

W10 x64 Pro
Webroot, HMP.A, VoodooShield

(I excluded ReHIPS in HMP.A)


fixer

What do you mean by "showing hiding every time"? RulesPack process starts, then crashes and gets restarted again? If it crashes, is there any crash dump or any other information that could help, maybe in Windows Event Log?

tonino

#2
No, it doesn't crash (I think)!

ReHIPS seems to finish installing rules!

But as I said, this process (Pack of Rules for Rehips) continues showing in Task Manager, but not always (e.g. when installing rules), showing and hiding. (That's why I think the rules never finished installing.)

I went into the logs (GUI), and it is not stopping registering: Program C:\Windows\System32\conhost.exe with PID .... terminated/allowed

And this system process is doing the same as the "pack of rules of rehips" process!

And I noticed all this only because of the high usage of CPU and RAM!

Umbra

Quote from: tonino on March 03, 2017, 02:05:46 AM
W10 x64 Pro
Webroot, HMP.A, VoodooShield

(I excluded ReHIPS in HMP.A)

Exclude ReHIPS in Webroot by allowing its processes (control process from the tray icon) and in VoodooShield too (if it didn't yet), then give us feedback.

Tarnak

Hope it is OK to post...But, I run VoodooShield and WSA, but not HMP.A.

I have not excluded ReHIPS, in either VS or WSA, and it seems I don't need to, on my system, as I don't have any CPU issue.

P.S. I wanted to post an image, but I can't.  When I go to path where it is, I get some popup, advising that I don't have permission, or something similar.  Obviously, ReHips has isolated from my being able to access. I was able to copy the image to my desktop, hoping to access it from there, but, I still can't get it attached, here. I must be doing something wrong.

Umbra

Quote from: Tarnak on March 03, 2017, 07:40:14 AM
Hope it is OK to post...But, I run VoodooShield and WSA, but not HMP.A.

I have not excluded ReHIPS, in either VS or WSA, and it seems I don't need to, on my system, as I don't have any CPU issue.

HMP.A often creates issues with ReHIPS, I often reported it.

Quote
P.S. I wanted to post an image, but I can't. When I go to path where it is, I get some popup, advising that I don't have permission, or something similar. Obviously, ReHips has isolated from my being able to access. I was able to copy the image to my desktop, hoping to access it from there, but, I still can't get it attached, here. I must be doing something wrong.

Yes, the desktop is especially monitored; you have to put your pics in a dedicated folder and allow the browser to access this folder.

ReHIPS security is very tight. Wait a bit, I will create a thread for this.

tonino

Quote from: umbrapolaris on March 03, 2017, 06:23:58 AM
Quote from: tonino on March 03, 2017, 02:05:46 AM
W10 x64 Pro
Webroot, HMP.A, VoodooShield

(I excluded ReHIPS in HMP.A)

Exclude ReHIPS in Webroot by allowing its processes (control process from the tray icon) and in VoodooShield too (if it didn't yet), then give us feedback.

Webroot was allowed by default (when ReHIPS was installed). In VS it was whitelisted.

May I ask you if this process (Pack of rules) is doing the same in your Task Manager (showing and hiding), along with the system process "conhost"?
Or after installing rules, this isn't showing in your Task Manager?

tonino

Quote from: fixer on March 03, 2017, 02:35:30 AM
What do you mean by "showing hiding every time"? RulesPack process starts, then crashes and gets restarted again? If it crashes, is there any crash dump or any other information that could help, maybe in Windows Event Log?

Fixer, do you have any idea about this issue?
Do you need a log file?

fixer

RulesPack32/64 (or RulesManager32/64) are automatically started by Service on several occasions: initial rules installation after ReHIPS was installed, user pressed Reinstall Rules button, new user logged in who doesn't have rules installed yet, some program was installed/uninstalled. If RulesPack exits unexpectedly (like crashes), it doesn't mark rules for that user as installed, so Service restarts it. That's why it may look like the process disappears and then appears again. RulesPack is a console application, so it's OK that it executes with the conhost process, which is responsible for console handling.
So the first question is: does it really crash and then get restarted? It doesn't always have its window visible, so you should either take a look at ReHIPS log (there will be many events like starting and terminating RulesPack) or look at some process manager like Process Hacker, Process Explorer or Windows Task Manager. If PID of RulesPack is changing, it means it died and was restarted.
If it really unexpectedly exits, most likely it crashes. In that case Windows Event Log in Applications should have events that RulesPack crashed along with some basic information like exception code, address, etc. In that case I'll need this info, maybe crashdump (which is much better).
If it really crashes, I'll be very grateful if you help us get to the root of this issue.

tonino

Hi fixer!
I understand!

I opened Event Viewer/Windows Logs/Application:
I saw that there was some information (several) about SPP (software protection): Successfully scheduled Software Protection service for re-start at 2117-02-07T08:59:05Z. Reason: RulesEngine.
and about Restart Manager: Starting session3-.....

Take into consideration that I'm not very qualified in this field!
So if you need the Event Properties in XML view of these 2 pieces of information, I can send you a PM!

I had a look for a crash dump, but found nothing!

Regards

crasher

Quote from: tonino on March 03, 2017, 05:16:29 PM
I opened Event Viewer/Windows Logs/Application:

ReHIPS has its own system event log. You can see the ReHIPS events log from ReHIPS Control Center: switch to Advanced mode on the main window, open the Log tab. If there are many repeated lines like:
Quote
Program C:\Program Files\ReCrypt\ReHIPS\HIPSService64.exe with PID 1360 executing program C:\Program Files\ReCrypt\ReHIPS\RulesPack64.exe with PID 148 - allowed (internal)
Program C:\Program Files\ReCrypt\ReHIPS\RulesPack64.exe with PID 148 terminated

then press the "Open system Event Log" button on the Log tab and search for information about RulesPack crashes close in time to the RulesPack starts from the ReHIPS Control Center Log.
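
The check fixer and crasher describe above (a RulesPack start followed by a termination, repeated with a changing PID) can be run over an exported ReHIPS log. This is an added example, not part of the thread and not ReHIPS's own tooling; the function name, the optional leading HH:MM:SS column, the threshold of three cycles and the sample lines are assumptions.

```python
import re

# Message formats copied from the log lines quoted in the thread. The optional
# leading HH:MM:SS column is an assumption about how the log is exported.
TS = r"^(?:(\d\d:\d\d:\d\d)\s+)?"
START = re.compile(TS + r"Program (.+?) with PID (\d+) executing program "
                        r"(.+?) with PID (\d+) - (.+)$")
END = re.compile(TS + r"Program (.+?) with PID (\d+) terminated$")

def find_restart_loop(lines, image="RulesPack", min_restarts=3):
    """Summarise start/terminate cycles of `image`; a new PID on every cycle
    means the process died and the Service started it again."""
    runs, open_by_pid = [], {}
    for raw in lines:
        line = raw.strip()
        m = START.match(line)
        if m and image.lower() in m.group(4).lower():
            run = {"pid": int(m.group(5)), "start": m.group(1),
                   "end": None, "exited": False}
            runs.append(run)
            open_by_pid[run["pid"]] = run  # tracked per PID so PID reuse is handled
            continue
        m = END.match(line)
        if m and image.lower() in m.group(2).lower():
            run = open_by_pid.pop(int(m.group(3)), None)
            if run:
                run["exited"], run["end"] = True, m.group(1)
    exited = [r for r in runs if r["exited"]]
    return {
        "restarts": len(exited),
        "pids": [r["pid"] for r in exited],
        "looping": len(exited) >= min_restarts,
        # Time span to look up in Windows Logs -> Application for crash events.
        "window": (exited[0]["start"], exited[-1]["end"]) if exited else None,
    }

# Constructed sample (not tonino's log): three RulesPack runs plus conhost noise.
SVC = r"C:\Program Files\ReCrypt\ReHIPS\HIPSService64.exe"
RP = r"C:\Program Files\ReCrypt\ReHIPS\RulesPack64.exe"
SAMPLE = [
    rf"21:02:33 Program {SVC} with PID 1360 executing program {RP} with PID 148 - allowed (internal)",
    r"21:02:34 Program C:\Windows\System32\conhost.exe with PID 2044 terminated",
    rf"21:02:39 Program {RP} with PID 148 terminated",
    rf"21:02:40 Program {SVC} with PID 1360 executing program {RP} with PID 5312 - allowed (internal)",
    rf"21:02:45 Program {RP} with PID 5312 terminated",
    rf"21:02:46 Program {SVC} with PID 1360 executing program {RP} with PID 6120 - allowed (internal)",
    rf"21:02:52 Program {RP} with PID 6120 terminated",
]

if __name__ == "__main__":
    print(find_restart_loop(SAMPLE))
```

A single start/terminate pair is a normal rules installation; only repeated cycles with new PIDs point to the crash-and-restart case, and the returned window is the span to search in the Windows Application log.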

tonino

Yes, I know about the log in the main GUI of ReHIPS, but I was asking in reference to what Fixer advised me:

If it really unexpectedly exits, most likely it crashes. In that case Windows Event Log in Applications should have events that RulesPack crashed along with some basic information like exception code, address, etc. In that case I'll need this info, maybe crashdump (which is much better).
If it really crashes, I'll be very grateful if you help us get to the root of this issue.

Anyway, I saw the logs. Is it possible that the Chrome application or some Chromium-based application crashes the rules installation?
Here is the log.

thanks in advance!

crasher

#12
Quote from: tonino on March 03, 2017, 11:33:17 PM
Yes, I know about the log in the main GUI of ReHIPS, but I was asking in reference to what Fixer advised me:

If it really unexpectedly exits, most likely it crashes. In that case Windows Event Log in Applications should have events that RulesPack crashed along with some basic information like exception code, address, etc. In that case I'll need this info, maybe crashdump (which is much better).
If it really crashes, I'll be very grateful if you help us get to the root of this issue.

Anyway, I saw the logs. Is it possible that the Chrome application or some Chromium-based application crashes the rules installation?

I do not think that Chromium is involved.
It seems there is a problem with RulesPack. Can you send me your Windows Event Log in Applications between 21:02:33 and 21:02:52?


aDVll

#13
Quote from: tonino on March 03, 2017, 11:33:17 PM
Yes, I know about the log in the main GUI of ReHIPS, but I was asking in reference to what Fixer advised me:

If it really unexpectedly exits, most likely it crashes. In that case Windows Event Log in Applications should have events that RulesPack crashed along with some basic information like exception code, address, etc. In that case I'll need this info, maybe crashdump (which is much better).
If it really crashes, I'll be very grateful if you help us get to the root of this issue.

Anyway, I saw the logs. Is it possible that the Chrome application or some Chromium-based application crashes the rules installation?
Here is the log.

Thanks in advance!

What you linked is the ReHIPS program log from the GUI. What is needed is to open Microsoft Windows Event Viewer (eventvwr.msc), expand Applications and Services Logs, right-click on ReCrypt, select Save All Events As, give it a name and click Save. Then share the file created here.

Also go to Event Viewer->Windows Logs->Application and get the logs from 21:02:33 to 21:02:52, or if you don't want to look, grab everything like I showed you above.

Dumps are usually located here
C:\Users\yourpcusername\AppData\Local\CrashDumps
or just here
C:\Windows
or
C:\Windows\Minidump

crasher

Quote from: aDVll on March 04, 2017, 12:38:46 AM
What is needed is to open Microsoft Windows Event Viewer (eventvwr.msc), expand Applications and Services Logs, right-click on ReCrypt, select Save All Events As, give it a name and click Save.

Now, rather, it requires the Windows Application log (Event Viewer->Windows Logs->Application). It may contain more info about the crash (if there was one).