Troubleshooting Windows System Process CPU Spike

In this blog post, we will look at a case of Windows system process CPU spike and the procedure to troubleshoot it.

In general, if the system process on your Windows system is having high CPU usage, you want to

  1. Determine the thread in the system process that taking up the CPU resource and Identify the driver or subsystem the thread is running for.
  2. Once you determine the source of the issue, you can formulate a fix. Depends on your situation, this could be disabling the offending component. Or if you are lucky, obtaining and applying an update from the vendor of the offending component.

Introduction:
My colleague recently recommended a customer to make a configuration change for a software we are supporting. After the change is made, the customer noticed a CPU spike from the System process. (It’s actually not related to the configuration change, but the customer started paying attention after the change and noticed the CPU spike). The only way to make sure it’s not related to the config change is to figure out what caused the CPU spike.

What is System Process
Mark’s blog post has a good explanation as well as some very helpful tips on how to troubleshoot System Process CPU Spike.

“The System process is special because it doesn’t host an executable image like other processes. It exists solely to host operating system threads for the memory manager, cache manager, and other subsystems, as well as device driver threads.  These threads execute entirely in kernel mode”

Confirming the CPU spike

A quick look at the Task manager confirms the problem. task-manager-showing-cpu-spike

Identify the thread in system process that is taking up CPU resource

Using process explorer, we can look at the threads running in the system process (In process explorer, right click on system process > properties > Threads tab). In my case, process explorer shows that there are a few threads taking up a few percents of CPU each.
process-explorer 

It also indicates the start address and it points to the srv2.sys driver. This is the Microsoft SMB 2.0 server driver.

Coming up with a solution
Now that I know the source of the problem, a search on high CPU problem related to srv2.sys quickly leads me to this knowledge base article (2732618) – High CPU usage on a file server that is running Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 with ABE enabled. The cause section of the article says “This issue occurs because there are many access check requests when ABE enumerates a folder that contains many subfolders.”

I confirm that the machine is running Windows 2008 R2. It’s a file server with at least one shared folder that has ABE enabled. And we are having CPU spike issue. The solution would be to install the hot fix in the knowledge base article.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s