Author: gian.mini
Subject: System Process High Cpu windows 2003 server x64
Posted: 15 July 2013 at 10:11am
Hi. I have a Windows 2003 Server x64 that suddenly, last week, began to consume 100% CPU.
I've followed some topics on this and other forums to investigate the cause.
Running Process Explorer, I saw that it was the System process consuming about 50-70% of CPU. Looking at its properties, I discovered there were a lot of srv.sys+0x62010 threads consuming high CPU.
So I decided to run kernrate, being unable to understand the right meaning of that offset.
Kernrate gave me this output:
NTOSKRNL 45788 303249 59 % 9895374
NTFS 7697 303249 9 % 1663420
HAL 7140 303249 9 % 1543045
FLTMGR 5516 303249 7 % 1192078
E1G5132E 2324 303249 2 % 502246
SRV 1993 303249 2 % 430712
TCPIP 1859 303249 2 % 401753
PROCMON20 1191 303249 1 % 257390
KLIF 1014 303249 1 % 219138
WIN32K 744 303249 0 % 160787
NDIS 410 303249 0 % 88606
SYMMPI 267 303249 0 % 57702
VMMEMCTL 250 303249 0 % 54028
NETBT 148 303249 0 % 31984
DATASCRN 144 303249 0 % 31120
SCSIPORT 144 303249 0 % 31120
AFD 120 303249 0 % 25933
DMIO 99 303249 0 % 21395
KSECDD 67 303249 0 % 14479
So I did another kernrate run with the -z ntoskrnl flag, which gave me this result:
KeInsertQueueApc 2525 303249 5 % 545684
MmIsThisAnNtAsSystem 1734 303249 3 % 374739
ExpInterlockedPopEntrySList 1523 303249 3 % 329139
ExReleaseResourceLite 1392 303249 3 % 300829
IoGetPagingIoPriority 1383 303249 2 % 298884
RtlVirtualUnwind 1251 303249 2 % 270357
FsRtlLegalAnsiCharacterArray 1143 303249 2 % 247016
RtlAssert 1131 303249 2 % 244423
MmMapLockedPagesSpecifyCache 1124 303249 2 % 242910
FsRtlAreNamesEqual 989 303249 2 % 213735
CcPurgeCacheSection 907 303249 1 % 196014
ExAllocatePoolWithTag 876 303249 1 % 189314
ExFreePoolWithTag 867 303249 1 % 187369
wctomb 801 303249 1 % 173106
IoGetStackLimits 787 303249 1 % 170080
ExAcquireResourceExclusiveLite 685 303249 1 % 148037
ExAcquireSharedWaitForExclusive 653 303249 1 % 141121
ExpInterlockedPushEntrySList 643 303249 1 % 138960
FsRtlAddLargeMcbEntry 611 303249 1 % 132044
ExAcquireFastMutex 609 303249 1 % 131612
ExFreePool 605 303249 1 % 130748
MmTrimAllSystemPagableMemory 564 303249 1 % 121887
ZwUnloadKey 562 303249 1 % 121455
KeReleaseSemaphore 555 303249 1 % 119942
FsRtlInitializeFileLock 506 303249 1 % 109353
KeSetEvent 503 303249 1 % 108704
MmMapLockedPages 459 303249 0 % 99195
KeUpdateSystemTime 459 303249 0 % 99195
SeDeleteAccessState 452 303249 0 % 97682
I've also checked the registry and file activity with Process Monitor, but neither of the two gave me any significant result.
The system is protected with Kaspersky at the latest update; I've also tried deactivating it, but the result was the same.
I have not yet tried "msconfiging" the system, as this is the production and application file server.
So I would like some other suggestions about other techniques to investigate the cause of the problem, and to understand the meaning of srv.sys+srv.sys+0x62010 and of the detailed kernrate result for ntoskrnl.
Thank you in advance.
Gianfranco