Feb 05 2019 05:42 AM - last edited on Nov 30 2021 02:07 PM by Allen
One of my servers shows multiple SAMR queries in ATA (see attached screenshot).
It's happening at the beginning of each hour, as can be seen (3:13pm, 2:13pm, etc.).
Which process/network activity should I check in the server (if there is no scheduled task)?
Feb 05 2019 05:46 AM
A good start would be to capture a netmon 3.4 trace during the expected time of this traffic, as netmon is usually able to show you which process generated the traffic.
By any chance, is there any software installed on this machine by Lenovo?
Feb 05 2019 05:48 AM
Feb 05 2019 05:51 AM
So far I have mainly seen it come from Lenovo.
I think they have some kind of messaging app that does it.
But netmon should provide you with more clues.
Feb 19 2019 01:50 PM
I ran into similar activity recently. The SAMR queries were only being seen on servers in Azure, so that was a bit of a clue. Using Message Analyzer and adding the Process Name column from Global Properties quickly found which process was performing that activity.
The culprit was WaAppAgent.exe, which is the Azure VM agent.
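
Added example, not part of any post in this thread: once a capture has been exported with a process-name column, as the replies describe, a short script can pick out the process that contacts a domain controller at the same minute of every hour. The CSV layout, column names, IP addresses and process names are constructed for illustration, and the default port filter assumes the SAMR calls travel over SMB (TCP 445).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; the column names are an assumption, not the
# export format of Network Monitor or Message Analyzer.
SAMPLE_CSV = """\
timestamp,process,dst_ip,dst_port
2019-02-05 13:13:04,agent.exe,10.0.0.10,445
2019-02-05 13:13:05,agent.exe,10.0.0.10,445
2019-02-05 13:40:51,explorer.exe,10.0.0.10,445
2019-02-05 14:13:02,agent.exe,10.0.0.10,445
2019-02-05 14:27:30,backup.exe,10.0.0.20,445
2019-02-05 15:13:06,agent.exe,10.0.0.10,445
2019-02-05 15:13:07,svchost.exe,10.0.0.10,135
"""

def hourly_talkers(csv_text, dc_ips, ports=(445,), min_hours=3, tolerance_min=2):
    """Return {process: minute_of_hour} for processes that reach a DC on the
    given ports in at least min_hours distinct hours, at about the same minute."""
    seen = defaultdict(dict)  # process -> {hour bucket: minute of first hit}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dst_ip"] not in dc_ips or int(row["dst_port"]) not in ports:
            continue
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        hour = ts.replace(minute=0, second=0)
        seen[row["process"]].setdefault(hour, ts.minute)
    result = {}
    for proc, hours in seen.items():
        ref = hours[min(hours)]  # minute of the earliest hour seen
        # Circular distance so that minute 59 and minute 0 count as 1 apart.
        drift = [abs((m - ref + 30) % 60 - 30) for m in hours.values()]
        if len(hours) >= min_hours and max(drift) <= tolerance_min:
            result[proc] = ref
    return result

if __name__ == "__main__":
    for proc, minute in hourly_talkers(SAMPLE_CSV, {"10.0.0.10"}).items():
        print(f"{proc}: contacts the DC every hour at about :{minute:02d}")
```
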