Kaseya Community

RUNDLL32.EXE Issue on Windows 2008

  • We are experiencing an issue with our customers who now run Windows 2008. For each counter in a monitor set, a new instance of RUNDLL32.EXE is started and can be seen in Task Manager. Each instance never ends, until you remove the monitor set.

    We are not seeing this behaviour in Windows 2003 or previous.

    We have already seen a significant performance impact on one of our customers across 5 of their sites.

    Is anyone else seeing this? Is this expected behaviour?

    Legacy Forum Name: RUNDLL32.EXE Issue on Windows 2008,
    Legacy Posted By Username: kentgeorgeson
  • I have not seen this behavior.

    Just to be clear... are they running 2008 Server 32-bit or 64-bit?

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: lwolf
  • Both 32-bit and 64-bit versions of 2008 are showing the issue.

    Specifically 2008 Enterprise Server Edition Service Pack 1 Build 6001 and 2008 Enterprise Server x64 Edition Service Pack 1 Build 6001.

    When I remove the monitor sets from these agents, you can see in Task Manager each RUNDLL32.exe end.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: kentgeorgeson
  • I know the agent tends to "hide" processes it runs. I believe it's an encapsulation environment of some form, but perhaps in those OS's it runs it like a normal process, instead of a thread of the agent? It's a good question.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: boostmr2
  • We are also noticing this issue on all of our Windows 2008 Servers as well. The Kaseya Agent will spawn multiple instances of RUNDLL32 and over time will affect server performance. We noticed a RUNDLL32 instance is spawned for each monitor set but all our Windows 2003 Servers do not have this issue.

    Has anyone found a resolution to this yet?

    Thanks!

  • Same issue here.

  • Have you got service pack 2 installed? - I have the problem only on one machine at one customer site, Server 2008, Service Pack 1. The only machine with SP1 on it.

    Let me know if you have SP1 on the server and maybe we can write it off as an anomaly if SP2 fixes it.

  • Hi folks just tested there.

    SP2 but rundll32 still spawned with monitor sets (running 2008 Datacentre SP2)

    Although not sure I notice performance issues with it - also did a google on this before and seemed quite common for 2008 to have multiple rundll32 running...

  • You may need to un-install then re-install the Kaseya Agent after installing SP2 in order for the RUNDLL32 processes to go away.

    As for performance, if the Server is robust enough and not doing a lot, performance will not be affected too much, but in my case, the servers are very busy as it is and 15-25 RUNDLL32s, each taking 3-5MB of memory, etc. does cause problems in performance.

    I have a ticket open with Kaseya which they say has been escalated to a specialist. I will keep you all posted as to what they say.

  • Kaseya Support got back to me with this response:

    I talked with the monitor dev team and run RUNDLL32 are used by the monitor counters. However, monitor dev also told me that you have way too many counters running on your server. Best practice is to have about 10 counters running on your servers. I counted 50+ counters on machine XXXXX.

    Microsoft states this when setting up monitor server counters:

    Don't try to chart too many counters or counter instances at once. You'll make the display difficult to read and you'll use system resources—namely CPU time and memory—that may affect server responsiveness.

    My response to Kaseya Support:

    Thank you for your reply and research you have done in this matter so far.

    Unfortunately the issue is not resolved!

    You mentioned that we have 50+ counters on XXXXX.

    That server is running the same monitoring script as all our other Windows 2008 Servers XXXXX1, XXXXX2, XXXXX3, XXXXX4 and XXXXX5 but it has triple the amount of RUNDLL32s running.

    Also, we are using the default Kaseya monitoring script for Windows Server with one addition, that it emails us if it notices a warning or error in either the System or Application Event Log on all our Windows 2008 Servers. This would not account for 50+ monitors, since why does one server have 50+ and the others have only 10 when they are running the same monitoring script.

    Also, the XXXXX5 does not have any RUNDLL32s running and it has the same Kaseya script and is one of our Windows 2008 Servers. We even just installed the Basic Kaseya Server script on XXXXX and still the RUNDLL32s appear.

    Therefore from the results above, this is more than just a “you're running too many monitors” resolution.

    The only difference is that XXXXX is a VMWare Virtual Machine Host that is running 2-3 Virtual Machines. Could this maybe be the cause of the “extra monitors”, even though all our Windows 2003 Servers do not have the RUNDLL32 issue and some of them are Virtual Machine Hosts as well?

    END OF EMAIL.

    I will keep you all posted on their reply.

    Thanks! :-)

  • Request from Kaseya Support:

    - uninstall monitor sets from Server XXXXX.  wait 5-10 minutes.

    - open perfmon on Server XXXXX and verify all the counters have been removed.  if not delete them.

    - reboot the machine.

    - reapply monitor set.  wait 10-20 minutes.  verify if the run RUNDLL32.dll issue still persists.  update ticket with results and screen shots.

    My response to Kaseya Support:

    The Kaseya Agent was uninstalled from Server XXXXX.

    All RUNDLL32s were manually closed using Process Explorer.

    After logoff (since we cannot reboot Production Servers at this time) we re-installed the same Kaseya Agent after a 15min wait period.

    THETA-3B has around 40 RUNDLL32s running and issue still persists.

    Thanks!

    END OF EMAIL!

  • Email from Kaseya Support:

    Launching perfmon data collector is done by windows internally and we don't know if there is another way this can be done to avoid the said problems.

    Research has led us to believe these are some issues with how RunDLL32.exe executes these dlls and processes. (Google result shows) Since it's dictated by how MSFT launches these collectors, I am not sure there is anything we can do in the immediate future.

    My reply to them:

    Unfortunately this does not solve our problem.

    As is stated in this ticket, we have many 2008 Servers running the Kaseya agent with an average of 10 RUNDLL32s running, which is fine.

    The 1 server in question (XXXXX) has over 30 RUNDLL32s and this is where the issue is.

    Obviously something is wrong with the Kaseya Agent and not the RUNDLL32 process.

    From your response (and Google searches) it appears you also have no idea why your product is doing this.

    In light of this we will just need to remove the Kaseya client from this particular server and for the near future look for a different product for monitoring our 2008 Servers.

    Thanks for your time and have a great day!

    END OF REPORT!

    So unfortunately folks Kaseya has no resolution for this issue :-(

    [edited by: Alpha at 1:07 PM (GMT -7) on 6-24-2011]
  • @Alpha you running SNMP monitoring on these Windows 2008 machines?

  • @HardKnoX.

    Thanks for your interest.

    No we are not running SNMP on any of the 2008 Servers.

    To make sure I checked to make sure they were not turned on, and the SNMP Trap Service is offline and set to Manual mode.

  • Does this machine perform a LAN Watch? If so, you may want to turn off SNMP scanning to rule it out.
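
Added example, not part of any post in this thread and not Kaseya code: the posters count RUNDLL32.EXE instances by eye in Task Manager and Process Explorer, and this script does the same inventory with each instance attributed to its parent process, so it can be compared before and after a monitor set is removed. It assumes Windows PowerShell with `Get-WmiObject` available; the agent's process name is not given in the thread, so nothing is filtered on it.

```powershell
# Inventory rundll32.exe instances and attribute each one to its parent process.
# Get-WmiObject is used so the script also runs on PowerShell 2.0 (Server 2008 era).
$procs = Get-WmiObject -Class Win32_Process

# Index every process by PID so a rundll32 instance can be mapped to its parent.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$rows = foreach ($r in ($procs | Where-Object { $_.Name -ieq 'rundll32.exe' })) {
    $parent     = $byPid[[int]$r.ParentProcessId]
    $parentName = '(parent exited)'
    if ($parent) {
        $parentName = $parent.Name
        # PIDs are reused: a "parent" created after the child is a different process.
        if ($parent.CreationDate -and $r.CreationDate -and
            $parent.ConvertToDateTime($parent.CreationDate) -gt
            $r.ConvertToDateTime($r.CreationDate)) {
            $parentName = '(parent PID reused)'
        }
    }
    $started = $null
    if ($r.CreationDate) { $started = $r.ConvertToDateTime($r.CreationDate) }

    New-Object PSObject -Property @{
        ProcessId    = $r.ProcessId
        ParentPid    = $r.ParentProcessId
        ParentName   = $parentName
        WorkingSetMB = [math]::Round($r.WorkingSetSize / 1MB, 1)
        Started      = $started
        CommandLine  = $r.CommandLine   # shows which DLL and entry point was loaded
    }
}

# Summary: instance count and total working set per parent process.
$rows | Group-Object ParentName, ParentPid | ForEach-Object {
    New-Object PSObject -Property @{
        Parent  = $_.Name
        Count   = $_.Count
        TotalMB = ($_.Group | Measure-Object WorkingSetMB -Sum).Sum
    }
} | Sort-Object Count -Descending | Format-Table Parent, Count, TotalMB -AutoSize

# Detail: one line per instance, oldest first.
$rows | Sort-Object Started |
    Format-Table ProcessId, ParentName, WorkingSetMB, Started, CommandLine -AutoSize -Wrap
```

Run it from an elevated prompt, otherwise `CommandLine` can come back empty for processes owned by other accounts.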