Windows Defender SenseNdr.exe causing Non-Paged Pool memory leak after Windows Server update KB5041578

Anonymous
2024-09-15T13:54:53+00:00

We're experiencing a significant Non-Paged Pool memory leak on our Windows Server 2019 domain controllers after installing the following updates:

  • KB5041578
  • Servicing Stack Update 10.0.17763.6174

Problem details:

  • The process SenseNdr.exe, part of Microsoft Defender for Endpoint, is causing a continuous increase in Non-Paged Pool memory usage.
  • This is affecting only Windows 2019 servers.
  • The memory leak is severe enough to impact server performance.

What we've tried:

  • Attempted to disable real-time protection via registry and group policy (unsuccessful).
  • Considered reinstalling Windows Defender (not possible due to management restrictions).
  • Investigated group policies and central management settings in Microsoft 365 Defender.

Questions:

  1. Has anyone else encountered this specific memory leak with SenseNdr.exe after these updates?
  2. Are there any known workarounds or fixes for this issue that don't involve completely disabling Microsoft Defender for Endpoint?
  3. If disabling components is necessary, what's the safest way to do this on domain controllers without compromising security?
  4. Has Microsoft acknowledged this as a bug in the recent updates?

Environment:

  • OS: Windows Server 2019
  • Hypervisor: VMware
  • Latest Update: KB5043050
  • Servicing Stack: 10.0.17763.6174
  • Centrally managed via Microsoft 365 Defender/Intune

Update 1:

The problem was initially resolved by removing Windows Defender ATP (offboarding). Subsequently, we reinstalled Windows Defender and reactivated Windows Defender ATP (onboarding). Unfortunately, this process did not permanently fix the issue, and we are still experiencing the memory leak.

Update 2:
The latest Windows update KB5044277 did not resolve this issue. Uninstalling Windows Defender ATP fixes the problem. However, this is not the solution. There are now multiple reports from other companies experiencing this issue.

SenseNdr.exe is slowly eating the memory - Microsoft Community Hub

Any insights or solutions would be greatly appreciated.

Windows for business | Windows Server | Performance | System performance

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

42 answers

  1. Anonymous
    2025-01-02T10:39:03+00:00

    I think that should be a question, whether we got it fixed or not.

    Yes and no.

    Two things happened.

    1)
    MS has changed configuration without any info to us. It's possible. See thread.

    2)

    We have got a PowerShell script checking the used size of pagefile.sys. As far as I know the script is a bit more complex, but an increasing size of pagefile.sys is a very good sign of problems. We have a warning at 50% and critical at 75%.

    Why no:

    Above points are in the end no proof. Our systems got stuck after 3 weeks, running full in a few hours. Because we restart our systems every 4 weeks, we don't know whether it is fixed or not. I have not read anything about a real solution from MS. First 2 proposed solutions by MS did not fix the problem. So I don't believe in any claims made by MS. Understandable.

    br

    Hans

    1 person found this answer helpful.
  2. Anonymous
    2024-11-25T14:00:24+00:00

    Hi Tomas,

    I have a script in place running every hour on all servers in my environment.

    Last high memory usage detection is from November 10th.

    Seems like a patch from this date has fixed the memory problems for me.

    I cannot tell you which patch is the one that fixed things but I do not have any problems anymore for sure.

    As the script does not have any impact in performance I'll keep it active just in case.

    Hope this information is helpful for you.

    1 person found this answer helpful.
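
The scheduled check described in the two answers above, as an added example that is not either poster's script. It samples pagefile usage against the 50% warning and 75% critical thresholds mentioned above, records the system-wide Non-Paged Pool size and SenseNdr.exe private memory, and appends each sample to a CSV; the function name and log path are assumptions.

```powershell
# Added example, not the posters' script. The 50/75 thresholds come from the answer above;
# the function name and log path are assumptions.
param(
    [int]$WarnPercent = 50,
    [int]$CritPercent = 75,
    [string]$LogPath  = 'C:\Temp\sensendr-memory.csv'   # hypothetical path
)

function Get-MemoryPressureSample {
    # Sum usage over all pagefiles; Win32_PageFileUsage reports sizes in MB.
    $allocMB = 0; $usedMB = 0
    foreach ($pf in (Get-CimInstance -ClassName Win32_PageFileUsage)) {
        $allocMB += $pf.AllocatedBaseSize
        $usedMB  += $pf.CurrentUsage
    }
    $pct = if ($allocMB -gt 0) { [math]::Round(100 * $usedMB / $allocMB, 1) } else { 0 }

    # System-wide Non-Paged Pool, in bytes.
    $mem = Get-CimInstance -ClassName Win32_PerfFormattedData_PerfOS_Memory

    # SenseNdr.exe is absent on offboarded hosts; record 0 instead of failing.
    $proc = Get-Process -Name 'SenseNdr' -ErrorAction SilentlyContinue | Select-Object -First 1

    [pscustomobject]@{
        Timestamp         = (Get-Date).ToString('s')
        PagefilePercent   = $pct
        PagefileUsedMB    = $usedMB
        NonPagedPoolMB    = [math]::Round($mem.PoolNonpagedBytes / 1MB, 1)
        SenseNdrPrivateMB = if ($proc) { [math]::Round($proc.PrivateMemorySize64 / 1MB, 1) } else { 0 }
        Status            = 'OK'
    }
}

$sample = Get-MemoryPressureSample
if ($sample.PagefilePercent -ge $CritPercent) { $sample.Status = 'CRITICAL' }
elseif ($sample.PagefilePercent -ge $WarnPercent) { $sample.Status = 'WARNING' }

# Append every sample so slow growth over several weeks shows up as a trend.
$dir = Split-Path -Path $LogPath -Parent
if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$sample | Export-Csv -Path $LogPath -Append -NoTypeInformation

$sample
# Exit code for the scheduler or monitoring agent: 0 = OK, 1 = WARNING, 2 = CRITICAL.
$codes = @{ OK = 0; WARNING = 1; CRITICAL = 2 }
exit $codes[$sample.Status]
```

Because the growth reported in this thread took weeks to become visible, the CSV history is what shows whether a given update changed the slope of the Non-Paged Pool curve.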
  3. Anonymous
    2024-11-11T09:14:14+00:00

    We've hit this issue; for context, we run a network-busy and data-dense Health Tech based system.

    We had one of our API servers fall over in the middle of the night due to SenseNDR using all the available memory.

    Windows Server 2019, 64 GB RAM, 16 cores, Build: 17763

    We run multiple REST API servers; they typically transfer at between 60-90Mbps.

    1 person found this answer helpful.
  4. Anonymous
    2024-11-11T08:32:56+00:00

    In case you restart the machine every 24h you will never recognize whether the issue is fixed. My machines had no problems for 3 to 5 weeks and then suddenly they exploded. I don't know which event triggers sensendr to explode, but for sure it is heavy traffic.

    br

    Hans

    1 person found this answer helpful.
  5. Anonymous
    2024-09-16T05:53:38+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Based on the description, I understand your question is related to KB5041578.

    I found three known issues about KB5041578, but it seems none of them mentioned Windows Defender SenseNdr.exe causing Non-Paged Pool memory leak:

    August 13, 2024—KB5041578 (OS Build 17763.6189) - Microsoft Support

    1. After installing the Windows update released on or after July 9, 2024, Windows Servers might affect Remote Desktop Connectivity across an organization. This issue might occur if legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. Resulting from this, remote desktop connections might be interrupted.

    This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT administrators can track this as a termination of the TSGateway service which becomes unresponsive with exception code 0xc0000005.

    This issue is addressed in KB5043050.

    2. After installing this security update, you might observe that some Windows Server 2019 devices experience system slowdowns, unresponsiveness, and high CPU usage particularly with Cryptographic Services.

    A limited number of organizations reported that the issue was observed when the device was running an Antivirus software which performs scans against the ‘%systemroot%\system32\catroot2’ folder for Windows updates, due to an error with catalog enumeration.

    Our investigations so far indicate that this issue is limited to some specific scenarios. If your IT environment is affected, you might observe that your devices:

    • Show increased CPU utilization
    • Experience increased disk latency/ disk utilization
    • Indicate degraded OS or application performance
    • Show that the CryptSVC service fails to start
    • May boot into a black screen
    • Experience slow to boot
    • Freeze or hang

    This issue is addressed in KB5043050.

    3. After installing this security update, you might face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device. Resulting from this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”

    The August 2024 Windows security update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.

    Please refer to the workaround mentioned in Windows release health site for this issue.

    Have a nice day. 

    Best Regards,

    Molly
