Edge goes high CPU when injected via user-mode

c++ / delphi package - dll injection and api hooking
choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

Edge goes high CPU when injected via user-mode

Post by choochy2003 »

I have an issue at the moment, on some Windows 10 Fall Creators Update machines, where after our DLL is injected into Microsoft Edge it uses a really high amount of CPU (between 80-100%). This happens via the user-mode injection when Edge is already started and we start our product. If Edge starts later and the kernel injection kicks in, it does not have a problem.

The strange thing is that this behaviour does not happen on all similar systems, and looking at ProcMon, Edge is in a loop accessing a set of registry keys. Where it normally accesses a few hundred registry values without our DLL injected, it is accessing the same 20 values millions of times a minute, which is where I think the CPU usage might be coming from.

The versions of our product that I can reproduce this issue with span back a number of MadCodeHook releases, so it's nothing new.

Just wondering if anyone else has seen a similar issue?
choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

Re: Edge goes high CPU when injected via user-mode

Post by choochy2003 »

It looks like it might not specifically have to do with just the injection itself. If I disable all the hooks inside the DLL, the issue also doesn't occur. However, it doesn't matter which API I hook; hooking any single API will cause this issue. So it's a combination of a user-mode injected DLL hooking any API.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge goes high CPU when injected via user-mode

Post by madshi »

I've never seen any issue like this. Which registry keys is it accessing again and again in a loop, and do you happen to have a thread callstack?

I suppose you've already tested with the latest madCodeHook builds (released late December 2017)?

Might make sense to double check with one of the demo projects compiled by me, just to make extra sure it's unrelated to your specific code and your linker/compiler settings etc:

http://madshi.net/PrintMonitor.zip