I see that these commands are executed every minute:
splunk-powershell.exe
splunk-winprintmon.exe
splunk-regmon.exe
splunk-netmon.exe
splunk-admon.exe
splunk-MonitorNoHandle.exe
The first one actually runs twice per minute.
Is there a way to disable these? Are these some scripted inputs? I cannot locate them in the config.
I tried adding this, for example, to my config, but it did not seem to change anything:
[WinNetMon]
disabled = 1
[WinPrintMon]
disabled = 1
[WinRegMon]
disabled = 1
The answers posted here work, but not if you have Splunk_TA_windows installed. For us, we had a full CPU taken up by splunk-netmon.exe on our Exchange server, that wouldn't get disabled if you set "interval = -1" or "disabled = 1" in etc/system/local/inputs.conf.
So I ran "./splunk cmd btool inputs list --debug | select-string netmon" and saw that I actually had to modify C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf, and set the two stanzas there to "disabled = 1". That did the trick!
Thank you mmodestino. This seems to work:
[perfmon]
interval = -1
[powershell]
interval = -1
[powershell2]
interval = -1
[admon]
interval = -1
[WinRegMon]
interval = -1
[WinNetMon]
interval = -1
[MonitorNoHandle]
interval = -1
[WinPrintMon]
interval = -1
This answer has helped me too. As above I set all intervals to -1 in etc/system/local/inputs.conf. (Except WinEventLog because I monitor Windows Event Logs.)
I noticed that the file etc/system/default/inputs.conf on my Windows Universal Forwarder contains the following lines:
[admon]
interval=60
baseline=0
[MonitorNoHandle]
interval=60
[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[WinNetMon]
interval=60
[WinPrintMon]
interval=60
[WinRegMon]
interval=60
baseline=0
[perfmon]
interval=300
[powershell]
interval=60
[powershell2]
interval=60
6.5.2 fresh 32-bit Win10 install, no inputs enabled during install, no Windows TA, default stanzas enable the inputs, and Process Explorer says they spin up and die. You literally have to carve out its guts to get them to never run. Local disable doesn't seem to work. Will test again on disabling in local for 6.5.2; if it doesn't work, I'll submit an ER.
One workaround I've seen is setting interval to -1 so they only run once. Kind of meh as a solution, but I'm more comfortable with that than telling you to lobotomize your forwarder.
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinNetMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = n00b-noah-01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinPrintMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = n00b-noah-01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinRegMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = n00b-noah-01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [admon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = n00b-noah-01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
How do you submit an ER?
As a client, you can submit it through the support portal (P4 case severity).
Have you tried (in a command window open as administrator):
splunk btool inputs list --debug
That should tell you which file is enabling the inputs; perhaps there is another inputs.conf file enabling these inputs that you are not noticing...
I did, but I'm not sure I can identify the ones responsible for these programs.
The ones I suspected are the ones I tried to disable, see my original post, but to no avail.
$ cat /cygdrive/d/LogServer/foo.txt | grep '\['
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [MonitorNoHandle]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [SSL]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinEventLog]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf [WinEventLog://System]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinNetMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinPrintMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinRegMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [admon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [batch://C:\Program Files\SplunkUniversalForwarder\var\spool\splunk]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [batch://C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\...stash_new]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [blacklist:C:\Program Files\SplunkUniversalForwarder\etc\auth]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [default]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [fschange:C:\Program Files\SplunkUniversalForwarder\etc]
C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf [http]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf [monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [perfmon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [powershell]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [powershell2]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [script]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [script://C:\Program Files\SplunkUniversalForwarder\bin\scripts\splunk-wmi.path]
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf [splunktcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [tcp]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [udp]
Under:
[WinNetMon]
[WinPrintMon]
[WinRegMon]
Do you see the disabled = 1 ?
You're right, I don't see that! It ignored my input stanzas in:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf
for example:
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinNetMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = idmsrv01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinPrintMon]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = idmsrv01
index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
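To make the btool check above mechanical, here is an added example (not from this thread or from Splunk) that parses the output of `splunk btool inputs list --debug` and reports which inputs.conf file decides, for each Windows monitor stanza, whether it polls, is set to run once, or is disabled; the sample output and its hostname are constructed.

```python
# Stanzas behind the splunk-*.exe helper processes discussed in the thread
MONITOR_STANZAS = ("WinNetMon", "WinPrintMon", "WinRegMon", "admon",
                   "MonitorNoHandle", "powershell", "powershell2", "perfmon")

# Constructed sample in btool --debug layout (hostname is made up)
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinNetMon]
host = example-host
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinRegMon]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [powershell]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf interval = -1
"""

def parse_btool_debug(text):
    """Return {stanza: {"source": path, "settings": {key: (value, path)}}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The source path may contain spaces, so split on the first ".conf " boundary
        path, sep, body = line.partition(".conf ")
        path, body = (path + ".conf", body) if sep else (None, line)
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas[current] = {"source": path, "settings": {}}
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current]["settings"][key.strip()] = (value.strip(), path)
    return stanzas

def monitor_status(stanzas):
    """Map each monitor stanza present to (state, file that decided it)."""
    report = {}
    for name in MONITOR_STANZAS:
        if name not in stanzas:
            continue
        settings = stanzas[name]["settings"]
        disabled, dsrc = settings.get("disabled", ("0", None))
        interval, isrc = settings.get("interval", ("60", None))
        if disabled.lower() in ("1", "true"):
            report[name] = ("disabled", dsrc)
        elif interval == "-1":  # the thread's run-once workaround
            report[name] = ("run-once", isrc)
        else:
            report[name] = ("polling every %ss" % interval, isrc)
    return report
```

Feed it the real btool output saved to a file (as in the `cat ... | grep` step above) and any stanza that still reports "polling" names the file that needs a `disabled = 1` or `interval = -1` override.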
Oh OK, so something has put that into the system\default entries; the system\local entries could override it. I'm guessing this was an older forwarder installation that included the Windows TA?
Perhaps you could uninstall/reinstall the forwarder and just redeploy the Windows TA (or automatically if you're already sending it down from a deployment server).
Thanks. I will try the fresh reinstall idea, without adding any app at all.
An uninstall/reinstall seems to fix the issue!
Now, I added that TA app back and the issue still did not re-appear!!!
Very odd... Thank you all anyways 🙂
What's odd is that after performing an uninstall and then a fresh install, the problem is gone.
Add the Splunk_TA_windows app, restart the agent, and the problem appears (commands execute every minute).
Remove the Splunk_TA_windows app, restart the Splunk agent, and the issue still continues!! (commands continue to execute every minute)!!!
How are you installing Splunk TA windows? If you're just dropping in the file from the deployment server, removing the app and restarting should remove all related schedules/scripts.
I simply drop the TA folder into the /etc/apps folder. To uninstall I just remove that folder.
To remove the TA app, do I need to remove other things from other places besides the app's subfolder?
Thanks,
Mohamed.
No, that should work! As long as you restart the forwarder afterward.
In my latest experience the forwarder needed a lobotomy to get it to stop. Going to test with 6.5.2, which ships with the traditional inputs disabled, but they are present despite the Windows TA...
What version of the forwarder are you on? The newer versions don't install Windows monitors by default any more, IIRC. Checking...