Slow startup of a Windows machine (edr module active)

I notice a slowness when opening a session on my machines (W11 / W2022).
With the EDR module installed and activated (regardless of the version), machines take approximately 3-5 minutes longer than normal to start up.
I noticed this on physical/virtual machines (esxi8) in an AD type domain.
After uninstalling the EDR module, while leaving the other modules (communication / AV) in place, everything is back to normal.
I don’t notice any other problems and the use of the machine is good after startup and I haven’t seen any blockages in the logs.
I am a new user and testing.

Hi @gslawi38770

Apologies for the inconvenience caused. We need Performance logs and CIS report logs in order to investigate the issue further.

Now, in the case of Performance/Slowness issues that you suspect are caused by XCS, Performance Logs are needed for us to investigate and find the root cause.

We also need a set of fresh cisreporttool logs after the Performance Logs have been collected.

It is important to remember, Performance Logs must be collected at the time the issue is occurring.

You don’t have to run the Performance Log tool for more than 10 minutes.

When the user is having Performance/Slowness issues, send this procedure to the endpoints and it will do the following:

  1. It will download and install the Windows ADK (Assessment and Deployment Toolkit).

  2. Sets the DisablePagingExecutive value to 1 in the registry.

  3. Puts the SlowIo2.bat in the Windows Performance Toolkit folder.

  4. Creates task scheduler to run a given script to collect and upload performance log.

  5. Restarts the system.

  6. Task scheduler runs the given script to collect and upload performance log to SFTP server to the given location in the script.

endpoint. The zip file has an instructions.txt file:

Performance Logs

Also, here’s a quick video on how to collect Performance Logs via the same tool:
Collecting Windows Performance Logs.mp4

Here is the download link for the cisreporttool in case the procedure happens to fail:
If you run the cisreporttool locally on the endpoint, an output file will be stored in the location where you run the tool from.
Please share the cisreporttool logs in the support ticket so we can further investigate. Typically you can quickly share it via OneDrive. Just be sure to remove any permissions on the shared link.
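
An added example, not part of the thread and not the vendor's procedure: a read-only PowerShell check an administrator can run after the collection procedure to see what steps 2 to 4 left on the endpoint. The default Windows Performance Toolkit path and locating the task by the string `SlowIo2` or that folder are assumptions, since the thread names neither the folder path nor the task.

```powershell
# Added example: read-only audit of what the log-collection procedure changes.
# Assumptions (not stated in the thread): the default Windows Performance Toolkit
# install path, and that the task's action mentions "SlowIo2" or that folder.

$mmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$wptDir = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\Windows Performance Toolkit'
$bat    = Join-Path $wptDir 'SlowIo2.bat'

# Step 2: DisablePagingExecutive = 1 keeps kernel-mode code and drivers resident in RAM.
$dpe = (Get-ItemProperty -Path $mmKey -Name DisablePagingExecutive `
        -ErrorAction SilentlyContinue).DisablePagingExecutive

# Step 3: hash the batch file so it can be compared with the copy in the vendor zip.
$batHash = if (Test-Path -LiteralPath $bat) {
    (Get-FileHash -LiteralPath $bat -Algorithm SHA256).Hash
} else { $null }

# Steps 4 and 6: find tasks whose command line references the script or the WPT folder.
$pattern = 'SlowIo2|' + [regex]::Escape($wptDir)
$tasks = @(foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Task    = $t.TaskPath + $t.TaskName
                State   = $t.State
                RunAs   = $t.Principal.UserId   # account the collection script runs under
                Command = $cmd.Trim()
            }
        }
    }
})

# Summary of residual changes; nothing is modified or removed.
[pscustomobject]@{
    DisablePagingExecutive = if ($null -eq $dpe) { 'not set' } else { $dpe }
    SlowIo2Present         = [bool]$batHash
    SlowIo2Sha256          = $batHash
    MatchingTasks          = $tasks.Count
} | Format-List

$tasks | Format-Table -AutoSize -Wrap
```

Running it once before and once after the procedure gives a record of what changed, which helps when deciding what to revert once the logs have been uploaded.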