Troubleshooting a program that hogs your processor utilization
Saturday, April 13, 2019
Issue: A Windows 10 PC with modern hardware is running far slower than normal (the fan is constantly running, and CPU utilization is nearly maxed out). Since the PC is relatively new (and has very few programs installed or running at one time), this slowness was a surprise.
System Specification:
- 8 GB RAM
- 256 GB SSD
- CPU: Intel Core i5-7600T CPU @ 2.80 GHz
Troubleshooting Steps:
1. Checked Task Manager:

2. Checked for operating system corruption using the System File Checker in an Administrative (elevated) Command Prompt:

3. Downloaded and Launched SysInternals Process Explorer to investigate troublesome process/service further:

4. Launched Event Viewer to search for WMI-related errors:

5. Exported tasklist to a file (tasklist >> c:\Folder\tasklist_export.txt), then searched for the client process ID in question:

6. We searched for the filename (above), but were unable to locate it initially:

7. We attempted to terminate the process using a more forceful method, taskkill. Results:
C:\>taskkill /PID 4476 /T /F
ERROR: The process with PID 4476 (child process of PID 796) could not be terminated.
Reason: Access is denied.
Investigating this a bit further, in Task Manager, the process with PID 4476 was listed as:

8. Upon checking the details of rpchdp, the location of the malware was linked again back to CtHWiClientService. Right-clicking on that service and selecting Open File Location resulted in the following error:

9. Now that we have ascertained the location of the rogue process, we can gain access to the hidden, restricted folder: C:\ProgramData\CTES\Components\HDP

10. From command prompt, we documented the directory of C:\ProgramData\CTES\Components\
04/13/2019 07:24 PM <DIR> .
04/13/2019 07:24 PM <DIR> ..
08/18/2018 12:51 AM 77,616 CtHWiPrvClient.dll
08/18/2018 12:51 AM 78,128 CtHWiPrvClient4.dll
08/18/2018 12:51 AM 559,920 CtHWiPrvService.exe
08/18/2018 12:51 AM 707,376 CtPrvHelper.dll
04/13/2019 07:01 PM <DIR> Outbox
06/13/2018 01:26 AM 93 policy_configuration.json
04/13/2019 07:24 PM <DIR> Temp
5 File(s) 1,423,133 bytes
11. Then, we attempted to delete all files in the directory. It's rarely ever this easy, but it's always tempting to try:
C:\ProgramData\CTES\Components\HDP>del *.* /S /F /Q
C:\ProgramData\CTES\Components\HDP\CtHWiPrvClient.dll
Access is denied.
Deleted file - C:\ProgramData\CTES\Components\HDP\CtHWiPrvClient4.dll
C:\ProgramData\CTES\Components\HDP\CtHWiPrvService.exe
Access is denied.
Deleted file - C:\ProgramData\CTES\Components\HDP\CtPrvHelper.dll
Deleted file - C:\ProgramData\CTES\Components\HDP\policy_configuration.json
Here’s a visual of the reason why these files cannot be deleted:

12. In services.msc, we then set the rpchdp malware service to Disabled and attempted to stop the service:

13. Attempted, once again, to terminate the service via taskkill:
C:\ProgramData\CTES\Components\HDP>taskkill /F /FI "SERVICES eq rpchdp"
ERROR: The process with PID 4476 could not be terminated.
Reason: Access is denied.
14. Enabled safe mode boot menu, as follows:
From elevated command prompt, run the following commands:
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 10
Then, we rebooted to test that the safe mode boot menu appeared. It did, and we booted into Safe Mode successfully.
15. Once in safe mode:



17. In Services.msc, we were thankfully able to stop CtesHostSvc!

18. Once this second malware service was stopped, we were able to delete the associated files. As an additional security measure, we decided to delete the contents of the entire folder (C:\ProgramData\CTES):



20. Now, as you can see, the folder is completely empty!

21. As a final measure, we thought it would be a good idea to tweak the permissions on this folder, as well:
– We first replaced the owner on the subcontainers and objects, then
– We changed the permissions completely

22. The final death-blow to this malware was to delete the 3 services (as listed in Services.msc) from an elevated command prompt, as follows:



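The diagnosis and clean-up sequence above (PID to service to image path, then disable, stop, take ownership, fix permissions, delete, remove services), collected into one added PowerShell script. This is not the post's own tooling; the PID, folder and service names are the ones from the post (the post mentions a third service but does not name it, so add it to the list yourself), and the script must be run from an elevated session, ideally in Safe Mode as the post did.

```powershell
# Added example, not from the original post. Maps a CPU-hogging PID to the
# service(s) it hosts and its image path, shows the folder ACL that caused
# "Access is denied", and with -Remove applies the post's remediation order.
param(
    [int]$ProcessId = 4476,                               # PID from the post's Task Manager screenshot
    [string[]]$ServiceNames = @('rpchdp', 'CtesHostSvc'), # names from the post; add the third one here
    [string]$Folder = 'C:\ProgramData\CTES',              # folder from the post
    [switch]$Remove
)

# 1. Which service(s) live inside this PID, and which image started it?
$proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
$svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId"
"PID $ProcessId -> parent PID $($proc.ParentProcessId), image: $($proc.ExecutablePath)"
foreach ($s in $svcs) {
    "  hosts service '$($s.Name)' state=$($s.State) start=$($s.StartMode) path: $($s.PathName)"
}

# 2. Why 'del' failed: owner and access entries on the folder
if (Test-Path $Folder) {
    $acl = Get-Acl $Folder
    "Owner of ${Folder}: $($acl.Owner)"
    $acl.Access | ForEach-Object { "  $($_.AccessControlType) $($_.IdentityReference) $($_.FileSystemRights)" }
}

if (-not $Remove) { return }

# 3. Remediation in the post's order. Stop-Service may still fail outside Safe Mode,
#    exactly as taskkill did in the post; the error is shown and the script continues.
foreach ($name in $ServiceNames) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Set-Service -Name $name -StartupType Disabled
        Stop-Service -Name $name -Force -ErrorAction Continue
    }
}
takeown.exe /F $Folder /R /A /D Y | Out-Null                        # owner -> Administrators, recursively
icacls.exe $Folder /grant 'Administrators:(OI)(CI)F' /T | Out-Null  # full control, inherited by children
Remove-Item -Path "$Folder\*" -Recurse -Force -ErrorAction Continue # empty the folder, keep it (as the post did)
foreach ($name in $ServiceNames) { sc.exe delete $name }            # unregister the services
```

Run it once without -Remove to confirm the PID really maps to the services and folder you expect before letting it change anything.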
Phew! All traces of the Absolute Software malware are finally gone!
The CPU utilization is still far lower than it was before, the PC fan isn’t running all the time, and overall system stability is extremely solid.
We also rebooted an additional time, for added measure.
Cross-checks after reboot:
1. Ensure the malware directory is still empty:
C:\ProgramData\CTES>dir
Volume in drive C is OS
Volume Serial Number is ACAB-3DA5
Directory of C:\ProgramData\CTES
04/13/2019 08:16 PM <DIR> .
04/13/2019 08:16 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 47,444,283,392 bytes free
C:\ProgramData\CTES>
✔ Success! (Directory is still empty)
2. Ensure CPU utilization is normal
✔ Success! (CPU utilization is hovering at an average of <15%, whereas before it was between 70-100%)
3. Ensure services are not present
✔ Success! (The 3 services are not listed in Services.msc)
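The three post-reboot cross-checks above as an added PowerShell script that reports PASS/FAIL per check; it is not from the original post. Folder, service names and the 15% CPU figure are the post's; the extra fourth check (no process still running from the folder) is mine, and the counter name assumes an English-language Windows.

```powershell
# Added example, not from the original post: automate the post-reboot cross-checks.
param(
    [string]$Folder = 'C:\ProgramData\CTES',              # folder from the post
    [string[]]$ServiceNames = @('rpchdp', 'CtesHostSvc'), # names from the post; add the third one here
    [int]$CpuThresholdPercent = 15,                       # the post's "under 15%" figure
    [int]$SampleSeconds = 10                              # how long to average CPU usage
)

$results = [ordered]@{}

# 1. Folder should still exist but contain nothing (the post emptied it rather than removing it)
$items = if (Test-Path $Folder) { @(Get-ChildItem -Path $Folder -Force -Recurse) } else { @() }
$results['FolderEmpty'] = ($items.Count -eq 0)

# 2. Average total CPU over a short window should be under the threshold.
#    Counter names are localized; on a non-English Windows use the translated name.
$samples = Get-Counter -Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples $SampleSeconds
$avg = ($samples.CounterSamples | Measure-Object -Property CookedValue -Average).Average
$results['CpuBelowThreshold'] = ($avg -lt $CpuThresholdPercent)

# 3. None of the services should still be registered
$present = $ServiceNames | Where-Object { Get-Service -Name $_ -ErrorAction SilentlyContinue }
$results['ServicesGone'] = (@($present).Count -eq 0)

# 4. Extra check (not in the post): nothing should be executing from the folder any more
$leftover = Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -like "$Folder\*" }
$results['NoProcessFromFolder'] = (@($leftover).Count -eq 0)

foreach ($k in $results.Keys) {
    $mark = if ($results[$k]) { 'PASS' } else { 'FAIL' }
    "[$mark] $k"
}
"CPU average over $SampleSeconds s: {0:N1}%" -f $avg
```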
If you’ve made it this far, thanks for reading! It’s important to note that the patience required to resolve this problem is the same patience that each and every member of the Concise Team has. This is described by one of our core values, a mish-mash of phrases that reads:
Don’t be a quitter (Tenacity) >> “Get to the 5th page of Google”
We hope you’ve enjoyed this journey of malware removal and IT support service.
By: Team Concise