cltRT.exe Continues to Run High CPU on Startup - NOT FIXED

Seeking a solution as Norton Security continues to run at high CPU for several minutes at startup, so this is definitely *not* solved on v.22.19.8.65.  The prior threads are below but are closed to new posts, so needed to start this thread to continue.

System:

Laptop running 64-bit Windows 7 Home Premium SP1.  Every day at or shortly after startup (or sometimes even later), my CPU spikes (50% or higher) with the Windows Task Manager reporting cltRT.exe is the culprit. It's easy to spot as the circular hourglass icon appears in the mouse pointer icon throughout the duration as others have reported.  The prior suggested "fix" for Windows 8 & 10 is NOT applicable to Windows 7, and so this problem has continued through multiple Norton updates.  My system is currently running Norton 22.19.8.65, but the problem began earlier this year with other recent version updates (perhaps around the time I noticed LifeLock in the title) and has continued to persist throughout with no change.  Neither this process nor the process tree can be killed in Task Manager, even when logged in as an admin.

Negative Impact:

This is causing significant additional CPU heat and system stress as my laptop's fan immediately kicks in at the highest and loudest speed during the entire episode (also causing additional battery drain) -- plus I'm concerned about what information is being sent back to Norton during this process.  It also delays launching programs, etc.  I've been using Norton AV/Security products for well over 15 years and am very frustrated that Norton has NOT found a suitable solution for this.  I kept hoping a new version would incorporate a fix, but contrary to some posts here, it has not.  Would greatly prefer not to have to switch security platforms.

Further Details:

For reference, the earlier detailed thread link is below:

https://community.norton.com/en/forums/dtrtexe-runs-high-cpu-startup

Note that the correct filename is indeed cltRT.exe found in the Norton Security program C:\Program Files (x86)\Norton Security\Engine and C:\Program Files (x86)\Norton Security\Engine32 subdirectories -- I have confirmed this is the actual name appearing in the Task Manager -- appears to be in the 32-bit program dir on a 64-bit system (this laptop was always a 64-bit Windows 7 platform).

The follow-up P.S. forum note marking one of the above posts as a solution is below, but it fails to take into account that the supposed solution does *not* address nor work in Windows 7 (as it apparently relies upon a feature native only to Windows 8 & 10):

https://community.norton.com/en/forums/dtrtexe-runs-high-cpu-startup-ps

Could someone please advise whether a fix will be made for this situation?  Norton tends to pride itself on using lower system resources, but it appears at some point they introduced a licensing verification module (CLTRT = "Consumer Licensing Technologies" from the file properties and I'm assuming RT means either "real-time" or "remote") for their own benefit that is definitely having a very negative impact on my and others' systems.

[Apologies for the lengthy post, but I figured the context would be helpful.  Just to kindly anticipate a likely reply, please, this laptop is not able to be upgraded to Windows 10, as the necessary drivers do not exist for it (or I would have done so already).  There are still many Windows 7 users because there is not an upgrade path, so we're stuck with it -- the laptop still works.]

Appreciate any and all help, thanks in advance.

[P.S. My apologies for the duplicate post here, it's my first time posting on the Norton forums.  I saw afterward that my first post went under the "Norton Internet Security | Norton 360 | Norton AntiVirus" product category and I'm thinking perhaps it should have gone here under "Norton Security | Norton Security with Backup" -- was wondering why I didn't see it in the forum list after I posted.  It's a bit confusing.]

Update:

Norton Support requested I provide another copy of the cltdynamic.dat file.  So as I did the last time, I tried disabling the NortonSecurity.exe Windows Service only to find that it was now grayed out and I could no longer disable said service.  This change apparently happened after Support claimed they found corrupt data during the last go round and said I needed to remove and reinstall Norton to fix this issue.

So something during the reinstall of Norton back in December with the latest version from Norton no longer allowed me to access the NortonSecurity.exe service.  So the only option found to retrieve the copy of the cltdynamic.dat file was now to restart the system in Safe Mode.

I uploaded the requested file for review.  A couple of days later I received another message requesting I download SymHelp tool and run it the next time the cltRT.exe process runs and upload that file for review. 

I reread the message, thinking wait a minute, we tried that before.  The SymHelp tool could not capture this problem because it would hang during these events hence the reason they then asked for the cltdynamic.dat file.  I responded back to support pointing this out and inquiring why they were now asking me to repeat a step they know will not collect the data.  It appears we're going in circles, just backwards this time.

Additionally, I point out that since I received the pop up that my subscription will be expiring, I haven't seen the cltRT.exe process run in the last couple of days.  In fact, that night that it should have run around midnight, it did not run until that pop up appeared around 2:00 AM.  I cleared the pop up and noticed it running in background for several more minutes.  I received another pop up the following day but again dismissed it and haven't seen the cltRT.exe process run since.  So even if I wanted to try running the SymHelp tool the process has not reappeared.

Now for another twist.  I tried to install the Critical Windows Update for Windows 7 on January 16, 2020.  They downloaded ok.  But during the install, I noticed it was taking forever.  After over an hour, it finally completed and said I need to reboot.  After the reboot and the updates finalizing, again seemingly taking longer than normal, my desktop was frozen. After another 30-40 minutes, I tried to reboot the system again.  This time when the desktop finally appeared I tried starting the task manager.  After several attempts, it finally appeared.  Looking through what all was running I noticed I now had a process called cltLH or something to that effect running and eating up the CPU at over 80% and the system was still for the most part non-responsive.

I left this running for over an hour and found my system getting very hot and I decided to remove these updates.  I reverted the system back to before I installed the updates.  All seemed ok after that.  I disabled Norton tamper protection and shut down real time protection and tried reinstalling windows updates again but with the same results. 

So I decided to uninstall NortonSecurity and deleted all remaining traces of it.  Cleaned up the system with Disk Cleanup and ran Defrag.  I then ran Windows Update again and lo and behold they all installed without a glitch.

In conclusion, it appears to me at least, that something in the latest version of Norton (22.19.9.63) not only changed the end user's ability to access the NortonSecurity.exe service in the Windows services control panel but also caused a problem with installing Windows updates. 

I have permanently removed Norton Security and will not be reinstalling it at this point due to these and other issues I've experienced with this program and looking for alternatives. 

Resp JJ

Point noted, but Norton already know this when it first loads during boot. The subscription status is clearly stated on the GUI.

But the product is programmed to timeout the subscription if it cannot 'phone home' at least once a week. You can check this if you have a computer you do not need to use for a week or so. Your product will stop working until it can connect to the Norton subscription servers to verify the subscription is still valid. That is the purpose of the license checking function and that is how the subscription time remaining gets updated in the GUI. 

 


 

Although bootlegging may be one part of the license check, it is mainly to ensure you have a current valid subscription for your product. 

Agree with everything you have stated. I was hoping to get a response from someone at Norton, but I guess they don't want to admit what they're doing.

 

The situation is the same running Win 10. I'm building a new machine (AMD 3800x with Win 10 Pro 1909) and have observed the same resource hogging behavior. A simple license check should take milliseconds. Even simulation software developed by Lockheed Martin takes a fraction of a second to do this. Obviously, the Norton process is doing much more and should be given a lower priority than it currently has.

 

Some insight into the cltRT.exe in isolation can be found here (hybrid-analysis):

https://www.hybrid-analysis.com/sample/4e8b83b330fa226704b4e31077190f9c23cd9be93da50e2645df830dd91f0cc3/5e04edf0b833333ee3264acf

 

As a US Dept of Defense contractor (DARPA), I need to keep an eye on data exfiltration. Some clarification from Norton is not an unreasonable demand. As for DRM, would anyone running Win 10 have any need or desire to bootleg Norton? After all, Win Defender has improved markedly over the past year.

 

Yeh, I'm also concerned about the viability of Norton (consumer). AnandTech recently put the company on its Death Watch for 2020. On the enterprise side, I guess we'll have to wait and see what Broadcom does. I suspect they may have purchased Symantec just to acquire the customer base.

 

Carlos Sangria,

The cltdynamic.dat file is a system file of Norton and is in use.  Hence the reason it can't be copied or opened from its current location.  You'd have to shut down Norton, either through Windows services or rebooting in safe mode.  I was originally able to shut it down by disabling its service but, since reinstalling Norton, the Norton services are now grayed out and no longer accessible to the user even through the admin account.  This only leaves booting into safe mode to access the cltdynamic.dat.

As for the cltRT.exe file process, from what I've been able to determine, it has something to do with some sort of Digital Rights Management (DRM) for Norton's programs (as are other software companies'). If you look at its properties under details, it states "Consumer Licensing Technologies".  If you search the net, you'll find additional info about it.   

When the cltRT.exe process runs, it's repeatedly opening new instances of itself every second during its duration. You can verify this by watching the PID next to the process in the task manager while it runs.  Hence why you can't lock on the file while it's running.  Whether this is normal behavior for this process or not, I cannot confirm.

It appears to also work in conjunction with the main system process NortonSecurity.exe.  So I'd suspect it's sending its telemetry data through that process back to Norton.  If you try to block it, I'd suspect you'd end up having to block Norton's main process and I'm sure you'll end up with a boatload of errors popping up.  Even if you find a way to block the cltRT.exe file, I'm sure in short order you'll end up with an error that the program cannot validate your license and would shut down in some form.

I'm not sure if folks running Windows 10 are experiencing similar issues as most of the complaints seem to be from Windows 7 and below users.  If Windows 10 users are not experiencing this issue, then the question becomes whether Norton will attempt a fix or wait out the affected users and later claim these are legacy operating systems and no longer supported. 

In conclusion, I can't blame Norton for trying to use this process to ensure people are not running bootlegged copies as was rampant for years.  However, in the meantime I would hope Norton will address this issue. 

Between these and other issues that have arisen with their programs of late and what I'm seeing on Symantec's side with Broadcom's acquisition, things are not looking too good and it appears to be losing customer base rather quickly on both sides of the house. 

Just my 2 cents worth...      

Yeah, same problem here. File "cltdynam.dat" is now at 575k. Here's my thoughts:

 

1) The file above remains open all the time so can't analyze it, even with a hex editor.

2) cltRT.exe runs once daily at intermittent times. Process can't be stopped. Also can't rename file.

3) This is NOT a license check. If it is, then Norton has the worst programmers in history.

4) It is likely telemetry SPYWARE - Read new terms and conditions.

 

@ Sunil_GA - How about giving a straight answer - Specifically what is this doing? I want to know before I go into my hacker tools to find out or block any egress using a hardware firewall.

 

 

Sunil_GA,

File uploaded.

Hi @JJ_,

Sorry that the issue is still not resolved for you. Can you please upload the "cltdynam.dat" file compressed in a folder and upload it under the Log file section of the comment? 

Update:  Well it's been a month now since I reinstalled NS.  Norton Engineering team had determined that there was uncleared data that needs to be fixed and would require reinstalling the product per the logs submitted. 

After the reinstall the cltRT.exe activity seemed to have been fixed.  However, over the last month this process activity has increased from every other couple of days and only running for 10 to 20 seconds to now running sometimes twice a day and lasting several minutes again with high CPU usage.

The last file the engineering team requested, prior to this determination, was cltdynam.dat (file size 560kb).  After the reinstall, the file size was around 50kb.  However, it has continued to increase in size with each run and now is at 431kb.  I've also noted several other files and folders that are modified with each run of the cltRT.exe process.

I've asked several times now what the cltRT process actual function is but have not received an answer to this question.

At this point I consider the issue still unresolved. 

 

Update:  The cltRT.exe process ran again on Dec 9 and Dec 11, noting it only ran for about 10-15 seconds during each instance then stopped.  Whether this would be considered normal behavior or not of this process is still in question.

 

Just a follow-up, I've been providing Norton support with logs and such trying to help get to the bottom of this issue.  At this point, I've removed and reinstalled NS after deleting all remaining folders/files in reference to NS on 12/5.

About 24 hrs after the reinstall the cltRT.exe process did start and run; however, it only ran briefly (about 30 seconds compared to the 2-3 minutes it used to).  I haven't seen it since.  I will continue to keep an eye on this and update if I see it again. 

Also, what was determined as to why you can't lock onto this file while it's running is because it's constantly opening and immediately terminating and reopening new instances of itself every second.  If you look at the picture I posted above from the resource manager, each instance has a different PID.  Hence why you can't open its properties, file location, create a dump file, etc. because it had already terminated.  
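The PID churn described in the posts above (a new cltRT.exe instance with a different PID roughly every second) can be logged instead of watched in Task Manager. The following is an added example, not part of any post in this thread and not Norton tooling; it uses Windows PowerShell's WMI process-start events, and the observation window, subscription label and output path are assumptions.

```powershell
# Added example: record every start of cltRT.exe for a fixed observation window.
# Run in an elevated Windows PowerShell prompt; Win32_ProcessStartTrace needs admin.
$Name     = 'cltRT.exe'                               # process name from the thread
$Minutes  = 10                                        # assumed observation window
$SourceId = 'cltRT-starts'                            # arbitrary subscription label
$OutFile  = Join-Path $env:TEMP 'cltRT-starts.csv'    # assumed output path

$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$Name'"
Register-WmiEvent -Query $query -SourceIdentifier $SourceId

$rows     = @()
$deadline = (Get-Date).AddMinutes($Minutes)
try {
    while ((Get-Date) -lt $deadline) {
        # Returns $null on timeout, so the deadline is re-checked every 5 seconds.
        $evt = Wait-Event -SourceIdentifier $SourceId -Timeout 5
        if (-not $evt) { continue }

        $new    = $evt.SourceEventArgs.NewEvent
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($new.ParentProcessID)"
        # The parent may already have exited, in which case no name is available.
        $parentName = '(exited)'
        if ($parent) { $parentName = $parent.Name }

        $rows += New-Object PSObject -Property @{
            Time       = $evt.TimeGenerated
            ProcessId  = $new.ProcessID
            ParentId   = $new.ParentProcessID
            ParentName = $parentName
        }
        # Dequeue the event, otherwise Wait-Event returns it again.
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    Unregister-Event -SourceIdentifier $SourceId
}

# Persist the raw timeline, then summarise starts and which process launched them.
$rows | Select-Object Time, ProcessId, ParentId, ParentName |
    Export-Csv -Path $OutFile -NoTypeInformation

$distinct = @($rows | Select-Object -ExpandProperty ProcessId -Unique).Count
"{0} starts, {1} distinct PIDs in {2} minutes" -f $rows.Count, $distinct, $Minutes
$rows | Group-Object ParentName | Select-Object Count, Name
```

The per-parent grouping shows which process is launching each instance, and the CSV gives a timestamped record that can be attached to a support case.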

Sunil_GA,

File uploaded as requested.

Sunil_GA,

Please see uploaded file per your request

From your list of what you say you can do with NortonSecurity.exe, the only thing that tamper protection would stop would be ending its process, or trying to change the file. Just viewing the file location is not a risk to the software. Try renaming the file. I just tried that and was denied access to the change, even after accepting the UAC prompt with my Admin password. The block that occurs then is NTP kicking in.

Have you actually tried ending the process with NTP enabled? This is what I get when I tried just now.

[Image: task manager end NS task 1.jpg]

And clicking End Process, this is what I get. NTP is protecting itself.

[Image: task manager end NS task 2.jpg]

I get the same results with both the System NS process, and the user NS process.

 

peterweb,

Just thinking If that were the case, wouldn't tamper protection also prevent accessing NortonSecurity.exe's process?   I can open its file location, properties, create a dump file, and even end its process from the task manager.     

That may be Norton Product Tamper Protection feature blocking access. If you can stop or manipulate a Norton process, so could any malware that might sneak by all your protections.

 

OK so the cltRT.exe process just ran moments ago.  While it was running I right-clicked the process and selected "Create Dump File".  I received a popup error with the following message:  "The operation could not be completed.  The operation is not valid for this process".  And yes, I'm logged in as administrator.  

Sunil_GA,

I will try again to select this process to Create the Dump File but I have not been successful in past attempts.  This process seems to run in some form of stealth (or is hanging the system and not allowing it to respond) as I cannot highlight the file nor right-click it to select its "properties" or select "open its location" in the Task Manager when it's running.  Any other processes running during the event I can select and right-click and open the properties or location, just not the cltRT.exe process.