
Troubleshooting a program that hogs your processor utilization

Issue: A Windows 10 PC with modern hardware is running far slower than normal (the fan runs constantly and CPU utilization is nearly maxed out). Since the PC is relatively new and has very few programs installed or running at any one time, the slowness was a surprise.

System Specification:

  • 8 GB RAM
  • 256 GB SSD
  • CPU: Intel Core i5-7600T @ 2.80 GHz

Troubleshooting Steps:

1. Checked Task Manager:

(Absolute Software causes CPU utilization to spike via WMI Provider Host)

2. Checked for operating system corruption with the System File Checker (sfc /scannow) in an elevated (Administrator) Command Prompt:

(Windows Resource Protection did not find any integrity violations)

3. Downloaded and launched Sysinternals Process Explorer to investigate the troublesome process/service further:

(Used Process Explorer to investigate the suspicious Absolute Software process further and determined its PID)

4. Launched Event Viewer to search for WMI-related errors:

(Applications and Services Logs > Microsoft > Windows > WMI-Activity logs revealed an Error (Event 5858) for Client Process ID 4476)

5. Exported the task list to a file (tasklist >> c:\Folder\tasklist_export.txt), then searched it for the client process ID in question:

(Using tasklist and cross-referencing the PID, we located the source of the error: CtHWiPrvService.exe)

6. We searched for the filename (above) but were initially unable to locate it:

(A search from the command prompt failed to locate the file)

7. We attempted to terminate the process with the more forceful taskkill. Results:

C:\>taskkill /PID 4476 /T /F
ERROR: The process with PID 4476 (child process of PID 796) could not be terminated.
Reason: Access is denied.

Investigating this further in Task Manager, the process with PID 4476 was listed as:

(The PID cross-referenced in Task Manager points to a service, cryptically named rpchdp)

8. Checking the details of rpchdp linked it back to CtHWiPrvService.exe, the executable identified in step 5. Right-clicking that service and selecting Open File Location produced the following error:

(Location is not available. C:\ProgramData\CTES\Components\HDP is not accessible. Access is denied.)

9. Having ascertained the location of the rogue process, we gained access to the hidden, restricted folder C:\ProgramData\CTES\Components\HDP:

(At least we were able to open the folder containing the Absolute Software files: C:\ProgramData\CTES\Components\HDP)

10. From the command prompt, we documented the contents of C:\ProgramData\CTES\Components\HDP:

04/13/2019  07:24 PM    <DIR>          .
04/13/2019  07:24 PM    <DIR>          ..
08/18/2018  12:51 AM            77,616 CtHWiPrvClient.dll
08/18/2018  12:51 AM            78,128 CtHWiPrvClient4.dll
08/18/2018  12:51 AM           559,920 CtHWiPrvService.exe
08/18/2018  12:51 AM           707,376 CtPrvHelper.dll
04/13/2019  07:01 PM    <DIR>          Outbox
06/13/2018  01:26 AM                93 policy_configuration.json
04/13/2019  07:24 PM    <DIR>          Temp
               5 File(s)      1,423,133 bytes
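Steps 4 through 8 above are a manual chain: WMI-Activity event, client PID, process name, hosting service, image path. The following PowerShell script is an added example (not part of the original post and not Absolute Software's code) that does the same correlation in one pass and adds the check a practitioner wants at this point: the Authenticode signer of the image, which distinguishes a vendor-signed agent from an unsigned or tampered binary. Assumptions, labelled in the comments: it must run from an elevated prompt (the Operational log needs it), and the Event 5858 message text contains "ClientProcessId = <n>", as in the screenshot in step 4. The function name Get-WmiClientFailure is this example's own.

```powershell
# Added example: correlate WMI-Activity Event 5858 with the owning process,
# the service hosting it, its image path and its Authenticode signer.
# Assumption: run elevated; the 5858 message carries "ClientProcessId = <n>".

function Get-WmiClientFailure {
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5858 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Take the client PID from the message text rather than from property
        # ordering, which differs between Windows builds.
        if (-not ($ev.Message -match 'ClientProcessId\s*=\s*(\d+)')) { continue }
        $clientPid = [int]$Matches[1]

        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $clientPid"
        $svcs = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $clientPid")

        $image  = if ($proc) { $proc.Name }            else { '<exited>' }
        $path   = if ($proc) { $proc.ExecutablePath }  else { $null }
        $parent = if ($proc) { $proc.ParentProcessId } else { $null }

        # Authenticode check. An access-denied error on the path is itself a
        # finding (step 8 hit exactly that), so it is reported as 'n/a'.
        $sigStatus = 'n/a'; $signer = $null
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig) {
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
        }

        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            ClientPid   = $clientPid
            Image       = $image
            Path        = $path
            ParentPid   = $parent
            Service     = ($svcs | ForEach-Object Name)      -join ','
            StartMode   = ($svcs | ForEach-Object StartMode) -join ','
            SigStatus   = $sigStatus
            Signer      = $signer
        }
    }
}

# Rank client PIDs by how often they fail: the noisiest one is the CPU-hog
# candidate that the post found by hand in Task Manager.
Get-WmiClientFailure -MaxEvents 200 |
    Group-Object -Property ClientPid |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $_.Group[0] | Add-Member -NotePropertyName Failures -NotePropertyValue $_.Count -PassThru
    } |
    Format-Table Failures, ClientPid, Image, Path, Service, StartMode, SigStatus, Signer -AutoSize
```

Read the Service and StartMode columns together with SigStatus: a Valid signature names the publisher in Signer, an Auto start mode explains why the process comes straight back after a reboot, and a PID that has exited since the event shows as `<exited>` rather than being silently dropped.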

11. Then we attempted to delete all files in the directory. It's rarely ever this easy, but it's always tempting to try:

C:\ProgramData\CTES\Components\HDP>del *.* /S /F /Q
C:\ProgramData\CTES\Components\HDP\CtHWiPrvClient.dll
Access is denied.
Deleted file - C:\ProgramData\CTES\Components\HDP\CtHWiPrvClient4.dll
C:\ProgramData\CTES\Components\HDP\CtHWiPrvService.exe
Access is denied.
Deleted file - C:\ProgramData\CTES\Components\HDP\CtPrvHelper.dll
Deleted file - C:\ProgramData\CTES\Components\HDP\policy_configuration.json

Here’s a visual of the reason why these files cannot be deleted:

(Cannot delete the malicious file, CtHWiPrvService.exe, because it is open in Absolute malware service “rpchdp”)

12. In services.msc, we set the rpchdp service to Disabled and attempted to stop it:

(Windows is unable to stop the rpchdp Absolute malware service from Services.msc)

13. Attempted, once again, to terminate the service via taskkill, this time filtering on the service name:

C:\ProgramData\CTES\Components\HDP>taskkill /F /FI "SERVICES eq rpchdp"

ERROR: The process with PID 4476 could not be terminated.

Reason: Access is denied.

14. Enabled the Safe Mode boot menu. From an elevated command prompt, run the following commands:

bcdedit /set {bootmgr} displaybootmenu yes

bcdedit /set {bootmgr} timeout 10

Then we rebooted to confirm that the boot menu appeared. It did, and we booted into Safe Mode successfully.

15. Once in safe mode:

(Thankfully, we were able to delete the Absolute malware service in safe mode)

16. We rebooted back into normal mode and thought we were in the clear. Then we realized there were more files in the other CTES subdirectories, so as an added precaution against this virus-like program we decided to delete the contents of C:\ProgramData\CTES\Components\SVC as well:

(Unfortunately, we were unable to delete all files)
(We then had to attempt to terminate this service manually)

17. In Services.msc, we were thankfully able to stop CtesHostSvc!

(The service was easily terminated in regular mode)

18. Once this second service was stopped, its files could be deleted. As an additional measure, we decided to delete the contents of the entire folder (C:\ProgramData\CTES):

(Unfortunately, one last rogue process/service remained running: CTES Manager, again from Absolute Software Corp.)
(While this service was active, its executable could not be deleted during our clean-up)

19. Thankfully, we were able to stop this service successfully in Services.msc:

(Once this service was stopped and disabled, we were able to delete the remaining files located in C:\ProgramData\CTES)

20. Now, as you can see, the folder is completely empty!

(Thankfully, this parasite of a program, which was hogging the system's CPU and causing overall instability, had been slain)

21. As a final measure, we also tightened the permissions on this folder:
– We first replaced the owner on all subcontainers and objects, then
– We replaced the permissions entirely

(See before and after, above)

22. The final blow was to delete the 3 services with sc from an elevated command prompt, as follows:

22A: sc delete "Ctes Manager"
22B: sc delete CtesHostSvc
22C: sc delete rpchdp

Phew! All traces of the Absolute Software program are finally gone!

CPU utilization is now far lower than before, the PC fan isn't running all the time, and overall system stability is solid.

We also rebooted one more time, for good measure.

Cross-checks after reboot:

1. Ensure the CTES directory is still empty:

C:\ProgramData\CTES>dir
 Volume in drive C is OS
 Volume Serial Number is ACAB-3DA5

 Directory of C:\ProgramData\CTES

04/13/2019  08:16 PM    <DIR>          .
04/13/2019  08:16 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  47,444,283,392 bytes free

C:\ProgramData\CTES>

✔ Success! (Directory is still empty)

2. Ensure CPU utilization is normal
✔ Success! (CPU utilization is hovering at an average of <15%, whereas before it was between 70-100%)

3. Ensure services are not present

✔ Success! (The 3 services are not listed in Services.msc)
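The removal in steps 11 through 22 and the three cross-checks above are one procedure: disable, stop and delete the services, take ownership of the folder and clear it, then verify services, files and CPU after a reboot. The script below is an added example (not from the original post and not Absolute Software's code) that performs that procedure from an elevated PowerShell prompt and reports whether the host is clean. The service names and the C:\ProgramData\CTES path are the ones the post reports; the function names Remove-StubbornService, Clear-AgentFolder and Test-AgentRemoved are this example's own. It assumes, as labelled in the comments, that the services can be stopped once their startup type is Disabled; where Stop-Service still fails with Access denied, boot into Safe Mode as in step 14 and run it again.

```powershell
# Added example: tear down the three services, clear the agent folder, then
# verify. Assumption: run elevated; services stop once set to Disabled
# (otherwise rerun from Safe Mode, as the post did in steps 14-15).

$ServiceNames = 'Ctes Manager', 'CtesHostSvc', 'rpchdp'
$Root         = 'C:\ProgramData\CTES'

function Remove-StubbornService {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Host "[skip] $n not present"; continue }

        # Disable first so the Service Control Manager cannot restart it while
        # we tear it down (step 12), then stop it (steps 17/19), then delete
        # the registration (step 22).
        Set-Service  -Name $n -StartupType Disabled
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        $svc.Refresh()
        if ($svc.Status -ne 'Stopped') {
            Write-Warning "$n did not stop (Access denied?). Reboot into Safe Mode and rerun."
            continue
        }
        & sc.exe delete $n | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "[ok]   $n deleted" }
        else { Write-Warning "sc delete $n failed with exit code $LASTEXITCODE" }
    }
}

function Clear-AgentFolder {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Step 21 with the built-in tools: take ownership recursively and grant
    # Administrators full control, otherwise the HDP subfolder stays
    # "Access is denied" and the delete fails as it did in step 11.
    & takeown.exe /F $Path /R /D Y | Out-Null
    & icacls.exe  $Path /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
    Get-ChildItem -LiteralPath $Path -Force -Recurse |
        Remove-Item -Recurse -Force -ErrorAction Continue
}

function Test-AgentRemoved {
    param([string[]]$ServiceNames, [string]$Root, [int]$CpuSamples = 5)
    $remainingSvc = @(Get-Service -ErrorAction SilentlyContinue |
                      Where-Object { $ServiceNames -contains $_.Name })
    $remainingFiles = @()
    if (Test-Path -LiteralPath $Root) {
        $remainingFiles = @(Get-ChildItem -LiteralPath $Root -Force -Recurse -File)
    }
    # Average % Processor Time over a few one-second samples; the post saw
    # 70-100 % before and under 15 % after.
    $cpu = (Get-Counter '\Processor(_Total)\% Processor Time' `
                -SampleInterval 1 -MaxSamples $CpuSamples).CounterSamples |
           Measure-Object -Property CookedValue -Average
    [pscustomobject]@{
        ServicesRemaining = $remainingSvc.Name
        FilesRemaining    = $remainingFiles.FullName
        AvgCpuPercent     = [math]::Round($cpu.Average, 1)
        Clean             = ($remainingSvc.Count -eq 0 -and $remainingFiles.Count -eq 0)
    }
}

Remove-StubbornService -Name $ServiceNames
Clear-AgentFolder      -Path $Root
Test-AgentRemoved      -ServiceNames $ServiceNames -Root $Root | Format-List
```

Run Test-AgentRemoved once more after the reboot in the cross-checks; Clean is true only when no service of those names is registered and no file is left under the folder. One caveat the post's checks do not cover: Absolute's agent (formerly Computrace) is a commercial endpoint product that on many OEM machines is reprovisioned by a firmware (BIOS/UEFI) persistence module, so if the services and C:\ProgramData\CTES return on a later boot, the file and service clean-up is not what needs fixing; the persistence option in firmware setup, or the enrolment with the Absolute account that activated it, is.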

If you've made it this far, thanks for reading! The patience required to resolve this problem is the same patience every member of the Concise Team brings to the job. It is described by one of our core values, a mish-mash of phrases that reads:

Don’t be a quitter (Tenacity) >> “Get to the 5th page of Google”

We hope you’ve enjoyed this journey of malware removal and IT support service.

By: Team Concise
