Summary:
I’ve been using Comodo Internet Security for years with Windows 7. When I recently did a clean install of Windows 10 Pro I naturally decided to also use CIS there. Big mistake.
All seemed to go fine for a bit, but then I noticed that my system fan was running loudly. Checking Task Manager I could see that for some reason the CPU Utilization was at 35% or so. Checking the processes I could see that explorer.exe was using up about 25% of my CPU — one entire core of my i5-2400.
To make a long story short, over the course of the last week I have tried to figure out the culprit for this terrible behavior. I have concluded that this only happens when free Comodo Firewall or free Comodo Internet Security is installed.
Uninstalling either and running with just the built-in Windows Firewall works fine.
Details:
The 25%+ explorer.exe CPU usage seems to happen after Comodo brings up an alert to let a program connect to the Internet. But that is just speculation on my part. All I know for sure is that eventually explorer.exe starts using 25% CPU forever.
Restarting explorer.exe via the Task Manager doesn’t help. Killing explorer.exe does return the CPU usage to normal, but as soon as I run explorer.exe again via Task Manager (even after waiting for hours), it shoots back up to 25%+ again and stays there (for hours until I kill it again). I have to reboot to get explorer.exe to behave again, but it soon starts using 25% of my CPU again if I have Comodo Firewall or CIS running on my system.
I’ve used Sysinternals’ Process Explorer to attempt to see what explorer.exe is doing with the CPU. The most active thread typically shows this on the stack when I check it:
```
ntdll.dll!ZwQuerySystemInformation+0x14
Explorer.EXE+0xe8e2
KERNEL32.DLL!BaseThreadInitThunk+0x22
ntdll.dll!RtlUserThreadStart+0x34
```
After I restart explorer.exe, its top thread’s stack also sometimes shows any of the following (not that peeking at the stack this way is necessarily meaningful):
```
USER32.dll!InvalidateRect+0x74
USER32.dll!SendMessageW+0x2a4
USER32.dll!SendMessageW+0xfb
guard64.dll!Exported+0x1d94f
ntdll.dll!ApiSetQueryApiSetPresence+0x274
ntdll.dll!ApiSetQueryApiSetPresence+0x109
ntdll.dll!LdrGetDllHandleEx+0x1f0
ntdll.dll!LdrGetDllHandleEx+0xc0
ntdll.dll!LdrGetDllHandle+0x1c
KERNELBASE.dll!GetModuleHandleExW+0x110
KERNELBASE.dll!GetModuleHandleExW+0x3a
explorer.exe+0xe89d
KERNEL32.DLL!BaseThreadInitThunk+0x22
ntdll.dll!RtlUserThreadStart+0x34

ntdll.dll!RtlQueryProcessHeapInformation+0x1092
ntdll.dll!bsearch+0x8c
ntdll.dll!RtlFindActivationContextSectionString+0x5f6
ntdll.dll!RtlFindActivationContextSectionString+0x2ff
ntdll.dll!RtlFindActivationContextSectionString+0xc5
ntdll.dll!RtlDosApplyFileIsolationRedirection_Ustr+0x523
ntdll.dll!RtlDosApplyFileIsolationRedirection_Ustr+0x302
ntdll.dll!ApiSetQueryApiSetPresence+0x372
ntdll.dll!ApiSetQueryApiSetPresence+0x109
ntdll.dll!LdrGetDllHandleEx+0x1f0
ntdll.dll!LdrGetDllHandleEx+0xc0
ntdll.dll!LdrGetDllHandle+0x1c
KERNELBASE.dll!GetModuleHandleExW+0x110
KERNELBASE.dll!GetModuleHandleExW+0x3a
explorer.exe+0xe89d
KERNEL32.DLL!BaseThreadInitThunk+0x22
ntdll.dll!RtlUserThreadStart+0x34

ntdll.dll!RtlAllocateHeap+0x5cc
explorer.exe+0xe827
KERNEL32.DLL!BaseThreadInitThunk+0x22
ntdll.dll!RtlUserThreadStart+0x34
```
Result:
I’ve given up on Comodo Firewall and Comodo Internet Security on Windows 10 for now. I’m running with just the standard Windows Firewall (and Binisoft’s Windows Firewall Control). Less control than with Comodo’s software but mostly gets the job done without using 25%+ of my CPU.
I’m a bit surprised no one else has reported this issue. Maybe my case is unique, but this happens on a clean install of Windows 10 Pro (well, plus a few non-security programs like Firefox, XYplorer, TCC/LE, etc.), and I’ve been able to reproduce it after uninstalling, using my system for almost a week without issue, and then trying Comodo Firewall again.
System/Configuration:
Windows 10 Pro version 1511 build 10586.589 64-bit
Intel Core i5-2400
8 GB RAM
Comodo Firewall free version
Product version: 8.4.0.5165
Auto-Sandbox: Disabled
HIPS: Disabled
VirusScope: Enabled
Traffic Filtering: Safe Mode
Set alert frequency level: Low
Create Rules for safe applications: Off
Filter loopback traffic: Off
Enable Cloud Lookup: Off
Trust applications signed by trusted vendors: Off
Trust files installed by trusted installers: Off