Skip to content

High CPU Usage and Performance Issues After Implementing NTFS Security

← Systems Manager
Revised: 04/19/2022
Version: 8.0 & Higher

Q - We recently implemented NTFS security on our Elliott folder. We noticed the Elliott performance became a lot slower after the NTFS security was applied. On the Elliott (PSQL) server, we noticed the "System" process (NT Kernel & System) CPU utilization rate became quite high.  Elliott user performance became very slow.  Can the NTFS security cause this to happen?

A - Based on our understanding, the following conditions combined together can cause this kind of performance problem:
  • NTFS Security is enabled with the Elliott folder.
  • Access-Based Enumeration (ABE) is enabled.
  • You may have many Elliott sub folders and the sub folders may contain a large number of files. For example, your reports folder may contain tens of thousands of files. 
This issue occurs because there are many access check requests when ABE enumerates a folder that contains many sub folders.  Before the NTFS security is enabled, everyone can access everything, so there's no need to check the folders and sub folders for permission.  Now that NTFS security is enabled, Windows is spending time pre-processing to figure out if a user has right to access a certain folder before displaying it and thus the high CPU and performance issue.  Also,  Windows is known for not being efficient in its handling of large folders with tens of thousands of files.

Solutions

We assume that it is necessary for you to enable NTFS security. Therefore, disabling NTFS security is not a viable solution.  You can resolve this issue with one (or both) of the following approaches:

Do Not Store Large Number of Spooled Reports in a Single Folder

In the early implementation of Elliott V8, the spooled reports are saved under the Reports folder by company and module.  Users do not have to archive the spooled reports because the spooled reports naming convention in Elliott V8 will not result in duplicate file names.  However, when a folder contains tens of thousands of files, Windows will not efficiently process that folder. Below is an example to demonstrate Windows inefficiency with folder with large number of files:


In this example, when you try to delete all the files (168,825 of them) from a folder. It will take more than 4 hours to do so.  Keep in mind that the deleting is from Windows Explorer.  So the in-efficiency is clear and it is from Windows.  To avoid this inefficiency, you should still archive to make sure that your spooled reports folder does not contain too many files.

Starting with Elliott V8.1, the spooled reports are saved under the Reports folder by company, module, year and month.  As a result, each folder will contain a lot less spooled reports. As a result, this is not an issue.

Disable Access-Based Enumeration (ABE)

When Access-Based Enumerication is disabled, Windows does not need to spend time to pre-process a folder and its sub folders to determine if any access is granted to this user. Therefore, to avoid this high CPU and performance problem -- ff you can't easily archive your spooled reports folders to smaller size -- then you can choose to disable ABE.

Disable ABE with Windows 2008 Server
To disable ABE on Windows 2008 server, you should first bring up Server Manager, then expand the "Roles" node and then expand the File Services node.  Highlight "Share and Storage Management."  Right click on the share where Elliott resides and choose "Properties."  In the Properties window, click on the "Advanced" button.  Then disable the "Access-Based Enumeration."  See sample screen below:







Disable ABE on Windows 2012 Server

To disable ABE on Windows 2012 server, you first should bring up Server Manager, then choose File and Storage Services.  Click on Shares, and right click on the share where your Elliott folder resides.  Choose "Properties."  In Properties window, choose "Settings" and disable "Access-Based Enumeration."  See sample screens below:








** NOTE: Be careful with implementing ABE. If you don't have CPU performance issues, then you should have ABE enabled, which it is by default. A potential side effect of disabling ABE is that your Elliott software may not work. If Elliott is not working, you may receive the following error message when attempting to start the program:

The application was unable to start correctly (0xc0000267)



If you investigate the user's Elliott network folder, under <ElliottRoot> users should be able to see many sub folders, such as DATA*, BIN*, REPORTS, LOG, etc. If the user can only see BIN* and LOG folders, this means the ABE disabling is overdone.

If you can't properly implement ABE -- i.e., striking a balance between allowing users to see the <ElliottRoot> sub folders vs. reducing heavy CPU usages -- then a quick and easy solution is to add NTFS "Read" access, in addition to "List Folder," to the <ElliottRoot> folder..

EMK





Feedback and Knowledge Base

(thinking…)