ManagementAgentNT.exe consuming 100% CPU usage

  • Article ID: 118534
  • Rating:
  • 5 customers rated this article 2.6 out of 6
  • Updated: 24 May 2016


In Task Manager the 'ManagementAgentNT.exe' process was found to be consuming 100% CPU usage.

First seen in
Sophos Endpoint Security and Control 9.7


The cause in one case was specific to the module 'SUMAdapter.dll' being loaded by the ManagementAgentNT.exe process.  

See the 'Technical information' section below for more details on how you can establish which adapter might be responsible for the CPU usage on your computer.  

Note: The 'What To Do' section below only covers the specific case of the SUMAdapter.dll being responsible.

What To Do

Once you have concluded the problem is with the SUMAdapter.dll, perform the following steps:

  1. Stop the 'Sophos Agent' service.
  2. Delete the contents of the directory:
    • XP/2003: 
      C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SDDM\
    • Vista+
      C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SDDM\
  3. Start the 'Sophos Agent' service.
  4. In Enterprise Console, right click on the Sophos update manager and choose 'Comply with Configuration'.
  5. Check the CPU usage of the process in Task Manager.

Technical information

The 'Sophos Agent' service (ManagementAgentNT.exe) is part of the Remote Management System (RMS) application and is responsible for communicating with the Sophos applications on a managed endpoint. These applications include Sophos Anti-Virus, Sophos Client Firewall, Sophos Update Manager, etc.  Each of the managed applications provides an adapter DLL that is loaded into the ManagementAgentNT.exe process in order for RMS to manage the application.

Each of the managed application register their adapters by adding registry keys under:

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters\

In the example of Sophos update manager application, it creates the key: SDDM, within it is the DLLPath value which references the SUMAdapter.dll location on disk.  As the keys are created or removed, the adapter is loaded or unloaded from the Sophos Agent.  You can see the DLLs being loaded or unloaded by the ManagementAgentNT.exe process with a tool such as Process Explorer.

To establish which adapter maybe at fault, you can backup the above 'Adapters' registry key, and then delete the adapter keys one at a time until the CPU is returned to normal levels.  Add them back in one at a time to prove which adapter is causing the problem.  

Note: a problematic adapter may not be able to unload itself so it may be worth restarting the Sophos Agent service to be sure the adapter is not loaded after deleting the key.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent