Troubleshooting High CPU Usage by a Windows Process
High CPU usage by a process.
Run PSTAT to determine whether user or kernel time is high for a process.
You may be able to narrow down the problem with this utility.
For a user-mode process (e.g. lsass.exe, winlogon.exe, spoolsv.exe):
1. Capture a performance log while the problem is happening. Objects: Processor, Process, and Thread.
2. Use userdump.exe to dump the process that is pegging the CPU. Look up the PID in Task Manager, then run Userdump.exe NNN, where NNN is the PID of the process.
For a kernel-mode process (e.g. SYSTEM), you may need to create a full memory dump.
Try the following for the System process:
1. Capture a performance log while the problem is happening.
2. Run PSTAT50.EXE for Windows 2K/XP and save the output: Pstat50 > log1.txt.
Perflog
Find out which thread or threads are pegging the CPU.
For each such thread, find the starting address.
The best way to do this is to plot all the counters for the specific thread. Change the log view to report format showing the maximum value. Save it as a TSV file and open it with WordPad. Look for the starting address in hex.
Try to match the starting address with a module listed in the PSTAT report.
Example:
From the performance log:
Thread #53 for System
Starting address: 0xBEED396E
From PSTAT:
VsapiNT.sys BEEEE000 0 0 0
TMFilter.sys BEEBF000 0 0 0
srv.sys BEE5D000 40640
PSTAT
=====
User Time Kernel Time Ws Faults Commit Pri Hnd Thd Pid Name
63164 3168474 File Cache
0:00:00.000 0:31:53.765 16 1 0 0 0 1 0 Idle Process
0:00:00.000 5:39:27.421 216 159818408 28 8 250 67 8 System
tid pri Ctx Swtch StrtAddr User Time Kernel Time State
264 9 950 BEE72352 0:00:00.000 0:00:00.062 Wait:EventPairLow
268 9 688 BEE72352 0:00:00.000 0:00:00.046 Wait:EventPairLow
2bc 9 1993973 BEED3BE4 0:00:00.000 0:33:47.765 Wait:Executive
2c0 9 1993020 BEED396E 0:00:00.000 0:33:46.875 Wait:Executive
2c4 9 1993365 BEED396E 0:00:00.000 0:33:50.796 Wait:Executive
2c8 8 1993157 BEED396E 0:00:00.000 0:33:47.656 Ready
2cc 9 1993354 BEED396E 0:00:00.000 0:33:53.359 Wait:Executive
2d0 9 1993185 BEED396E 0:00:00.000 0:33:44.468 Wait:Executive
2d4 9 1993971 BEED396E 0:00:00.000 0:33:46.875 Wait:Executive
2d8 9 1993036 BEED396E 0:00:00.000 0:33:47.328 Wait:Executive
2dc 9 1993013 BEED396E 0:00:00.000 0:33:46.359 Wait:Executive
2e0 9 1993046 BEED396E 0:00:00.000 0:33:41.703 Wait:Executive
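Notice the kernel time for these threads.
Search for the start address of these threads, “BEED396E”.
Look up the nearest module address in the PSTAT module list, that is, the highest one that does not exceed the thread's start address.
The problem is “TMFilter.sys”.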
afd.sys BF0AB000 8032 1568 95424 Fri Mar 22 20:00:44 2002
CNMPROT.SYS BF0D5000 1824 11328 0 Sun Apr 28 15:27:33 2002
VsapiNT.sys BEEEE000 0 0 0
TMFilter.sys BEEBF000 0 0 0
srv.sys BEE5D000 40640 7776 164416 Tue Apr 01 19:30:18 2003
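The manual lookup above can be scripted. The following is an added example, not part of the original post: it maps each thread start address to the driver with the highest load address at or below it and totals kernel time per driver. The function names are hypothetical, and it assumes the address really falls inside that driver's image, since module sizes are not checked.

```python
import re
from bisect import bisect_right
from collections import defaultdict

# Lines copied from the PSTAT excerpts on this page (a subset of the threads).
MODULES = """\
afd.sys BF0AB000 8032 1568 95424 Fri Mar 22 20:00:44 2002
CNMPROT.SYS BF0D5000 1824 11328 0 Sun Apr 28 15:27:33 2002
VsapiNT.sys BEEEE000 0 0 0
TMFilter.sys BEEBF000 0 0 0
srv.sys BEE5D000 40640 7776 164416 Tue Apr 01 19:30:18 2003
"""
THREADS = """\
264 9 950 BEE72352 0:00:00.000 0:00:00.062 Wait:EventPairLow
2bc 9 1993973 BEED3BE4 0:00:00.000 0:33:47.765 Wait:Executive
2c0 9 1993020 BEED396E 0:00:00.000 0:33:46.875 Wait:Executive
2c8 8 1993157 BEED396E 0:00:00.000 0:33:47.656 Ready
"""

def parse_modules(text):
    """Return [(load_address, name)] sorted by load address."""
    mods = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+([0-9A-Fa-f]{8})\b", line)
        if m:
            mods.append((int(m.group(2), 16), m.group(1)))
    return sorted(mods)

def owner(mods, addr):
    """Module with the highest load address <= addr; None if addr is below all."""
    i = bisect_right([base for base, _ in mods], addr)
    return mods[i - 1][1] if i else None

def to_seconds(hms):
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def kernel_time_by_module(mods, text):
    """Sum per-thread kernel time under the module owning each start address."""
    totals = defaultdict(float)
    for line in text.splitlines():
        f = line.split()  # tid, pri, ctx switches, start addr, user, kernel, state
        if len(f) == 7:
            totals[owner(mods, int(f[3], 16))] += to_seconds(f[5])
    return dict(totals)

if __name__ == "__main__":
    print(kernel_time_by_module(parse_modules(MODULES), THREADS))
```

A start address that resolves to None, or to a driver whose image is clearly too small to contain it, should be checked by hand against the full module list.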

