Recently we were analyzing multiple slow terminalservers especcially when there are lots of users connected to them they where reacting slow, login took long or starting basic apps taking ages.
First identification was one svchost.exe was eating up one complete CPU core, that made me use Process Explore as it can identify what service is behind svchost.exe thats causing high CPU load.
Once identified “Windows Firewall” as the Service that caused the CPU load, googling around and looking in all the rules revealed thousands of firewall rules that where leftover and used by Apps and tied to a specific user.
There was a patch out for Server 2016 and 2019 but still you have to enable the cleanup manually and remove the old rules by hand. Enabling Automatic cleanup with Registry Key DeleteUserAppContainersOnLogoff:
Set-ItemProperty -Path HKLM: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy -Name DeleteUserAppContainersOnLogoff -Value 1 -Type DWord
#Cleanup old rules that are tied to a user
$ruleswithowner =Get-NetFirewallRule | ? Owner -like "S-1-5-*"
Write-Host "Removing $($ruleswithowner.count) FW Rules"
$ruleswithowner | remove-netfirewallrule
This pretty much instantly restored performance for our TS Users.