Channel: Sysinternals Forums

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: juan.alcocer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 31 July 2016 at 9:01pm

Originally posted by MagicAndre1981:

Originally posted by skratchi:

Hello
 
I have a fileserver Windows 2012 R2 and also this problem with System process PID 4. It's a VM on very new ESX hardware (vSphere 6), 4 CPUs and 8GB RAM.
 


You also have srv2.sys CPU usage. Try this hotfix:

High CPU usage and performance issues occur when access-based enumeration is enabled in Windows 8.1
https://support.microsoft.com/en-us/kb/2920591

We have a pretty similar configuration (Virtual Fileserver with Windows 2008 R2 SP1, Thin Clients storing/using RDS Profiles there). This started happening last week (July 24th), apparently after Windows update patches were applied on clients (not on servers).

Same behavior, System PID 4, main threads consuming CPU are "ntoskrnl.exe", "srv2.sys". We already went through an exhaustive investigation.

Hotfix 2920591 (https://support.microsoft.com/en-us/kb/2920591) was already applied; it is much better, but the problem persists.

I'm attaching the highCPUUsage.etl file hoping you can help us or give more insight.

Thank you very much
JAM

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: TooManyIssues
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 31 July 2016 at 9:04pm

UPDATE: downloaded network adapter drivers and System usage went back to regular 3-4%, but I am still having GPU crashes and now "Windows Modules Installer Worker" is taking up 35% CONSTANT CPU usage. Is there something else I need to update or disable?

PsTools : Ports PsPasswd Windows Sysinternals

Author: pinscomputer
Subject: Ports PsPasswd Windows Sysinternals
Posted: 01 August 2016 at 5:10am

From the Sysinternals admin reference:

Basic Connectivity

Unless you specify an IP address, name resolution needs to work. If DNS is not available, NetBIOS over TCP (NBT) might suffice, but it requires that 137 UDP, 137 TCP, 138 UDP, and 139 TCP be opened on the firewall of the target system.

Some of the utilities require that the administrative Admin$ share be available. This requires that file and print sharing be enabled (the Workstation service locally and the Server service on the target system), that the firewall not block the ports that are needed to support file and printer sharing, and also that “simple file sharing” be disabled.

Some of the utilities require that the Remote Registry service be running on the target system. (The table at the end of the chapter lists which ones require this feature.) Note that in the newer versions of Windows, this service is not configured for automatic start by default. It therefore needs to be manually started or configured for automatic start before some of these tools will work.

TABLE 6-4 PsTools System Requirements

Utility      Local: Requires administrative rights       Remote: Requires    Remote: Requires          Supports specification of
             locally                                     Admin$ share        RemoteRegistry service    multiple computer names
------------------------------------------------------------------------------------------------------------------------------------
PsExec       Depends on command and options              Yes                 No                        Yes
PsFile       Yes                                         No                  No                        No
PsGetSid     No                                          Yes                 No                        Yes
PsInfo       No                                          Yes                 Yes                       Yes
PsKill       Depends on target process                   Yes                 No                        No
PsList       No                                          Yes                 Yes                       No
PsLoggedOn   No                                          No                  Yes                       (Can scan network)
PsLogList    Depends on operation and target log         Yes                 Yes                       Yes
PsPasswd     Yes                                         No                  No                        Yes (for local accounts)
PsService    Depends on operation and specific services  No                  No                        No (but the find option can scan network)
PsShutdown   Yes                                         Yes                 No                        Yes
PsSuspend    Depends on target process                   Yes                 No                        No
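
The connectivity requirements quoted above can be checked before a PsTools command is run against a host. The following is an added example, not part of the original post or of the Sysinternals reference. It assumes Windows PowerShell 5.1, a hypothetical target name `fileserver01`, and TCP 445 (direct SMB, not listed on the page) as a file-sharing port.

```powershell
function Test-PsToolsPrereq {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # target host (hypothetical name or IP)
        [string]$Utility = 'PsExec'
    )
    # Remote-side requirements per utility, copied from Table 6-4 in the post.
    $table = @{
        PsExec     = @{ AdminShare = $true;  RemoteRegistry = $false }
        PsFile     = @{ AdminShare = $false; RemoteRegistry = $false }
        PsGetSid   = @{ AdminShare = $true;  RemoteRegistry = $false }
        PsInfo     = @{ AdminShare = $true;  RemoteRegistry = $true  }
        PsKill     = @{ AdminShare = $true;  RemoteRegistry = $false }
        PsList     = @{ AdminShare = $true;  RemoteRegistry = $true  }
        PsLoggedOn = @{ AdminShare = $false; RemoteRegistry = $true  }
        PsLogList  = @{ AdminShare = $true;  RemoteRegistry = $true  }
        PsPasswd   = @{ AdminShare = $false; RemoteRegistry = $false }
        PsService  = @{ AdminShare = $false; RemoteRegistry = $false }
        PsShutdown = @{ AdminShare = $true;  RemoteRegistry = $false }
        PsSuspend  = @{ AdminShare = $true;  RemoteRegistry = $false }
    }
    if (-not $table.ContainsKey($Utility)) { throw "Unknown utility '$Utility'" }
    $need = $table[$Utility]

    # Name resolution only matters when the target is not given as an IP address.
    $isIp = [bool]($ComputerName -as [ipaddress])
    $dns  = $isIp -or [bool](Resolve-DnsName -Name $ComputerName -DnsOnly -ErrorAction SilentlyContinue)

    # TCP reachability: 139 is the NBT session port named in the text; 445 is an
    # assumption added here (direct SMB). The UDP ports cannot be probed this way.
    $tcp = @{}
    foreach ($port in 139, 445) {
        $tcp[$port] = Test-NetConnection -ComputerName $ComputerName -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    $share = if ($need.AdminShare) { Test-Path -LiteralPath "\\$ComputerName\Admin`$" } else { 'n/a' }
    $reg = 'n/a'
    if ($need.RemoteRegistry) {
        # Get-Service -ComputerName exists in Windows PowerShell 5.1, not in PowerShell 7.
        $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction SilentlyContinue
        $reg = if ($svc) { "$($svc.Status) (start type: $($svc.StartType))" } else { 'not queryable' }
    }
    [pscustomobject]@{
        Target = $ComputerName; Utility = $Utility; NameResolves = $dns
        Tcp139 = $tcp[139]; Tcp445 = $tcp[445]; AdminShare = $share; RemoteRegistry = $reg
    }
}

Test-PsToolsPrereq -ComputerName 'fileserver01' -Utility 'PsInfo'
```

A Remote Registry result of "Stopped" with a manual or disabled start type matches the note in the quoted text that newer Windows versions do not start this service automatically.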
 
 

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: pinscomputer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 01 August 2016 at 5:15am

@toomanyissues,
Let windows module trusted worker (tiworker.exe) run until it completes. This may take a lot of time.
 
After tiworker completes, run another check for updates using the Windows check for updates tool.
 
What is giving you an indication that the GPU is crashing?
 

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: TooManyIssues
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 01 August 2016 at 5:31am

Hi! I solved the update issue by upgrading back up to Windows 10. Not a real solution, but the new version didn't get stuck updating, so no background processes running constantly... As far as the GPU crashes, that is still an issue. I know it's the GPU because only while gaming (games run by Steam, oddly enough; stand-alone games such as League of Legends run alright) my PC crashes spontaneously after about 10 minutes in-game, in the same way as an overheat. I ran MSI to check temps, and CPU temp is a constant 38C but GPU is going up to 70C while IDLING. I honestly don't think it's overheating because it doesn't feel too hot, and I've felt laptops get HOT. Fans running fine and drivers updated. Before, when I was on Windows 8, I even updated the BIOS, to no avail.

PsTools : PSEXEC @ The system cannot find the path specified

Author: Raghuram
Subject: PSEXEC @ The system cannot find the path specified
Posted: 01 August 2016 at 9:34am

Hi All

There was a space missing between 'ipconfig' and /all, and I missed the quotes for username and password.

Thank you 

Best
Raghu

PsTools : psexec -p accepts old password

Author: Raghuram
Subject: psexec -p accepts old password
Posted: 01 August 2016 at 9:41am

Hi All

I want to understand how psexec -p accepts the old password without error.

While running the command below with the old password or the new password, psexec executes without error:

    PsExec.exe \\remotemachine -s -u domain\username -p 'oldpassword' hostname 
or
    PsExec.exe \\remotemachine -s -u domain\username -p 'newpassword' hostname

On office domain I have changed the password 2 weeks ago and restarted the workstation more than once in these 2 weeks.

Regards
Raghuram 

BgInfo : Overlapping old and new

Author: Steffen
Subject: Overlapping old and new
Posted: 01 August 2016 at 9:42am

Hello!
I used Bginfo with a static background. Everything was fine.
Now I start Bginfo at startup: D:\BGInfo\Bginfo.exe cnf.bgi /silent /nolicprompt /timer:0
Now I have 2 overlapping backgrounds with info.
 
What is going on and how can I repair it?
 
Regards Steffen

BgInfo : Overlapping old and new

Author: Steffen
Subject: Overlapping old and new
Posted: 01 August 2016 at 10:16am

Ok, done.
Win7, ConfiBackground, change Background, turn back and restart Bginfo.
 
Regards Steffen

Miscellaneous Utilities : Contig64.exe does not work

Author: At1ant
Subject: Contig64.exe does not work
Posted: 01 August 2016 at 12:19pm

Contig64.exe does not defragment the file; Contig.exe works fine.
Tested on Windows 7 SP1 Russian with all updates.

Process Monitor : Crash while saving boot log

Author: jhw
Subject: Crash while saving boot log
Posted: 01 August 2016 at 1:59pm

I'm also seeing crashes when converting boot logs with Process Monitor v3.30 on Windows 7 x86, Windows 10.0.10586.0 x64, and Windows 10.0.14393.5 x64.

Miscellaneous Utilities : SDelete hangs at 100%

Author: StuartMW
Subject: SDelete hangs at 100%
Posted: 02 August 2016 at 2:42pm

Here's some objective test data comparing v1.61 and the newly released v2.0 of SDelete.

---

Timer 1 on: 19:45:02

SDelete -z E:

SDelete - Secure Delete v1.61
Copyright (C) 1999-2012 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
Free space cleaned on E:\
1 drives zapped

Timer 1 off: 19:46:28  Elapsed: 0:01:25.50

---

Timer 1 on: 19:46:28

SDelete64 -z E:

SDelete v2.0 - Secure file delete
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
Free space cleaned on E:\
1 drive cleaned.

Timer 1 off: 20:28:54  Elapsed: 0:42:25.89

---

So yes, the v2.0 version of SDelete doesn't "hang" (forever) at 100%; it just does something else for 28x the time of v1.61.

PS: E: is a flash drive (NTFS formatted) with 1.10GB of free space.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: pinscomputer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 August 2016 at 3:21pm

Originally posted by juan.alcocer:

 
Same behavior, System PID 4, main threads consuming CPU are "ntoskrnl.exe", "srv2.sys"
 
 
The underlying activity of this thread appears to be the Symantec AV product.
 
Have you checked for updates to the Symantec product?
 
Does this Symantec product also have a firewall function built-in?
 
 


Edited by pinscomputer - 10 hours 20 minutes ago at 3:56pm

Autoruns : 13.52 autoruns64.exe

Author: rseiler
Subject: 13.52 autoruns64.exe
Posted: 02 August 2016 at 3:56pm

Yes, Mark admitted as much himself in a recent "Defrag Tools" podcast.

Miscellaneous Utilities : whois doesn't know various TLDs

Author: pozmu
Subject: whois doesn't know various TLDs
Posted: 02 August 2016 at 4:03pm

I second this.
Maybe we should try to contact whois-servers.net instead?
Or maybe Sysinternals should switch to another API.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: juan.alcocer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 August 2016 at 4:08pm

Why do you believe it is the Symantec AV? We saw some load because of it but didn't believe it was the root cause.

We are not on the latest version but we do have other servers with no problems having the same configuration and version.

Engines
-------
Common Client:  12.12.0.15
LiveUpdate:  2.3.1.7
SymEvent:  12.9.6.12
Auto-Protect Kernel Driver:  14.6.3.35
Auto-Protect User Mode Interface:  14.6.3.37
Decomposer:  2.3.3.2
Power Eraser Engine:  5.1.0.5
Eraser:  115.2.1.18
SONAR Framework:  8.0.0.137
SONAR Engine:  10.1.0.96
Intrusion Protection Framework:  12.4.0.11
Intrusion Protection Engine:  15.0.6.11


Definitions
-----------
Virus & Spyware:  160802001 (8/2/2016 9:39 AM)
Portal List:  151111022 (8/2/2016 9:39 AM)
Whitelist:  160801003 (8/2/2016 9:39 AM)
Revocation List:  160801009 (8/2/2016 9:39 AM)
Reputation Settings:  150302005 (8/2/2016 9:39 AM)
Power Eraser:  151028036 (8/2/2016 9:39 AM)
SONAR:  160718001 (8/2/2016 9:39 AM)
Intrusion Protection:  160801011 (8/2/2016 9:39 AM)
SCD:  160609032 (8/2/2016 9:39 AM)
EFA Signatures:  160726002 (8/2/2016 9:39 AM)

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: juan.alcocer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 August 2016 at 7:32pm

Originally posted by pinscomputer:

Originally posted by juan.alcocer:

 
Same behavior, System PID 4, main threads consuming CPU are "ntoskrnl.exe", "srv2.sys"
 
 
The underlying activity of this thread appears to be the Symantec AV product.
 
Have you checked for updates to the Symantec product?
 
Does this Symantec product also have a firewall function built-in?
 
 

We disabled Symantec AV and traced the spike again.
Here is the new xperf dump.

We are currently analyzing it; if you can also find something, it would be greatly appreciated.
Regards,

Miscellaneous Utilities : sdelete does not delete file

Author: yong321
Subject: sdelete does not delete file
Posted: 02 August 2016 at 7:49pm

Another anomaly is when you delete a file with no filename extension. You can append a dot to make sdelete find the file.

C:\temp>touch myfile

C:\temp>sdelete myfile

SDelete v2.0 - Secure file delete
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.

Cleaning disk myfile:

Error opening disk myfile:
The system cannot find the file specified.


C:\temp>sdelete myfile.

SDelete v2.0 - Secure file delete
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
C:\temp\myfile...deleted.

Files deleted: 1

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: pinscomputer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 03 August 2016 at 12:25am

I have only taken a brief look at the new ETL file, so I will continue to analyze.
 
However, here's a thought based on the brief analysis...
 
You have provided 3 xperf ETL files.
After disabling Symantec, the common denominator is still srv2.sys and (in your system) the high disk I/O on disk 3 (for all 3 traces).
 
This still appears to be what MagicAndre originally proposed: Srv2.sys problems due to access-based enumeration.
 
Have you reviewed this hotfix (change to registry values):
 
 
 


Edited by pinscomputer - 1 hour 50 minutes ago at 12:26am