Microsoft.Tri.Sensor.exe consuming High CPU on DC

Question

Microsoft.Tri.Sensor.exe consuming High CPU on DC

kumar kaushal 176 Microsoft Employee

I would like to know as to what steps that we can implement/Follow to troubleshoot the issue with Microsoft.Tri.Sensor.exe consuming high CPU. I have already ran the sizing tool and increased the CPU /memory on the server but still i see the spike. I can understand that CPU consumption of the Microsoft.Tri.Sensor.exe depends on the traffic that is coming to the DC .

What else can do to fix the issue ?

2 answers

Your answer

Answer 1

Limitless Technology 39,926

Hello @kumar kaushal

Best practice is that the DC is blocked from RECEIVING any traffic from unknown internet sources. this is the root cause, if this is fixed all the rest will be fine. You can check the discussion on the Topic in the https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/atp-sensor-consume-most-server-cpu-60/m-p/306097

Hope this helps with your query!

---------
--If the reply is helpful, please Upvote and Accept as answer--

LeeM 41 Reputation points

2023-05-05T07:36:40.7966667+00:00
This is old, but it still comes up at the top of the google results.

The discussion you link doesn't mention networking except for the DC initiating outbound DNS queries to 8.8.8.8. Nor is there ever any actual solution to the OP's issue.

What is your source that the DC should be "blocked RECEIVING any traffic from unknown internet sources" as a solution to Trisensor consuming excessive resources? Of course the DC should not receive external traffic from a security point of view, but how does that pertain to this question and your response that "this is the root cause" without knowing anything about this OP's environment?

If it is the purported "root cause", how does it happen that on one of my DCs that trisensor is consuming 3 times the memory of any other process (including LSASS) on the server, when the DC is firewalled, network-segregated, and only accessible by internal domain clients on the LAN?

And how does that explain Trisensor consuming twice the memory on that DC compared to another one, when they have the identical spec, are on the same LAN, are in the same AD site, and the other DC is hosting all the FSMO roles and has twice the network utilisation of the "bad" DC?

I am so tired of uninformed "advice" and random irrelevant links sprayed around this forum (presumably to try and game some ranking system). At least if someone is so confident that they include a company name with their "advice", we know how much value their company services are probably worth.

Answer 2

Limitless Technology 39,926

Hello,

Best practice is that the DC is blocked from RECEIVING any traffic from unknown internet sources. this is the root cause, if this is fixed all the rest will be fine. You can check the discussion on the Topic in the https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/atp-sensor-consume-most-server-cpu-60/m-p/306097

Hope this helps with your query!

--If the reply is helpful, please Upvote and Accept as answer--

Share via

Microsoft.Tri.Sensor.exe consuming High CPU on DC

2 answers

Your answer