Svchost.exe causing CPU usage to go up and down

    Question

  • Sorry if I have posted this in the wrong forum but I rarely ever post here.  However I have run into an issue that I am unable to find assistance on.  On all of our domain controllers (3) running Server 2008 x64 we see the CPU spiking up and down.  The CPU will start out next to nothing then jumps to 100% for a second, then returns to next to nothing for a second, then jumps to 100% for a second.... and so on.  Using Process Explorer we found out it is an svchost process that runs DHCP Client, TCP/IP NetBIOS Helper, and Windows Event Log services.  If we kill the process we can start all the services back up without any issues except for the Windows Event Log service.  As soon as we start the Windows Event Log service the CPU starts spiking up and down again.  There do not seem to be an unusual # of events being logged and we don't have any auditing turned on so I am not sure what is going on.  I was able to gather a procdump that I have posted below.  I will continue to investigate but was just wondering if someone could offer any insight?

     

    *******************************************************************************

    *                                                                             *

    *                        Exception Analysis                                   *

    *                                                                             *

    *******************************************************************************

    GetPageUrlData failed, server returned HTTP status 404

    URL requested: http://watson.microsoft.com/StageOne/svchost_exe/6_0_6001_18000/47919291/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1

    FAULTING_IP:

    +70de990

    00000000`00000000 ??              ???

    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)

    ExceptionAddress: 0000000000000000

       ExceptionCode: 80000003 (Break instruction exception)

      ExceptionFlags: 00000000

    NumberParameters: 0

    FAULTING_THREAD:  00000000000003d8

    DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

    PROCESS_NAME:  svchost.exe

    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

    MOD_LIST: <ANALYSIS/>

    NTGLOBALFLAG:  0

    APPLICATION_VERIFIER_FLAGS:  0

    PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT

    BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

    LAST_CONTROL_TRANSFER:  from 000000007740616a to 0000000077636eda

    STACK_TEXT: 

    00000000`0010f2f8 00000000`7740616a : 00000000`00000010 00000000`0010f150 00000000`00000000 0000990d`354adee0 : ntdll!ZwReadFile+0xa

    00000000`0010f300 000007fe`ff30fc9a : 00000000`0010f3c0 00000000`00246f28 00000000`0010f430 00000000`0010f3f8 : kernel32!ReadFile+0x8a

    00000000`0010f390 000007fe`ff30fa3b : 00000000`00246f28 00000000`00000000 00000000`00000000 00000000`00000000 : advapi32!ScGetPipeInput+0x3a

    00000000`0010f3e0 000007fe`ff30e00d : 00000000`0000003c 00000000`00000000 00000000`00000000 00000000`000004d3 : advapi32!ScDispatcherLoop+0x9a

    00000000`0010f4e0 00000000`ffa81dca : 00000000`00245310 00000000`00000000 00000000`00000024 00000000`00000000 : advapi32!StartServiceCtrlDispatcherW+0x176

    00000000`0010f780 00000000`ffa824b2 : 00000000`00000000 00000000`ffa85490 01ce990d`38280236 00000000`0d72c90f : svchost!wmain+0x110

    00000000`0010f7b0 00000000`7740b22d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : svchost!ScCreateWellKnownSids+0x301

    00000000`0010f7f0 00000000`77616861 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd

    00000000`0010f820 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

     

    STACK_COMMAND:  ~0s; .ecxr ; kb

    FOLLOWUP_IP:

    svchost!wmain+110

    00000000`ffa81dca 33c9            xor     ecx,ecx

    SYMBOL_STACK_INDEX:  5

    SYMBOL_NAME:  svchost!wmain+110

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: svchost

    IMAGE_NAME:  svchost.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  47919291

    FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_svchost.exe!wmain

    BUCKET_ID:  X64_APPLICATION_FAULT_STATUS_BREAKPOINT_svchost!wmain+110

    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/svchost_exe/6_0_6001_18000/47919291/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1

    Followup: MachineOwner

    ---------

    Thursday, August 15, 2013 2:43 PM

All replies

  • Hi,

     

    SVCHOST.EXE is a generic host process for services. There can be multiple SVCHOST.EXE running on a system and each SVCHOST.EXE can also hold multiple services.

     

    The first step is to identify the Process ID (PID) of the SVCHOST.EXE that is pegging the CPU.  This can be done through Task Manager->Processes tab. If the PID column is not present, you can add it by selecting View->Select Columns and check the PID checkbox.  Once the PID is identified, the next step is to determine which services are running under the PID. From a Command Prompt, type:

     

    TASKLIST.EXE /SVC

     

    TASKLIST.EXE will list all the processes and PID’s running on the system. Look for the PID in question and check the Services column. This will give you a list of Services to start investigating.

     

    For more troubleshooting information, please also refer to the following Microsoft TechNet blogs:

     

    PRF: High CPU (Individual Process)

    http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-individual-process.aspx

     

    PRF: High CPU (SVCHOST.EXE)

    http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-svchost-exe.aspx

     

    Regards,


    Arthur Li

    TechNet Community Support

    Friday, August 16, 2013 6:21 AM
  • Hi,

    Thank you for your reply but I don't think you have fully read my post.  I was able to figure out exactly what was causing the particular svchost.exe process to run high.  It is the event log service that is causing that process to spike up and down.

    • Proposed as answer by BunnyOlesen Saturday, June 14, 2014 10:12 PM
    Monday, August 19, 2013 6:34 PM
  • I have the exact same problem described on this thread.  The only difference being that I have 6 DCs in my environment and only the 2 DCs that have FSMO roles split between the two are experiencing the same CPU up/down spikes.  I have noticed that the up/down spikes have started at the beginning of the month which led me to believe it was one of the MS Security patches (since I installed them at this time).  However, even after the removal of all the MS Security patches installed at that time, I'm still getting the same CPU spike.  Please help!  


    Thursday, September 12, 2013 10:10 PM
  • I finally figured out my issue... The event log was being overloaded by Windows Security Audits from a new firewall that was brought online without my knowledge.   This firewall had an LDAP feature turned on to resolve IP to hostnames.  If you come across CPU spikes described in this thread, make sure you (or someone else) didn't add any sw/hw that points to your DC.  

    • Marked as answer by TonyIMG Tuesday, October 08, 2013 12:01 PM
    Tuesday, September 17, 2013 11:35 PM
  • Thank you for your response.  We actually did replace our firewall not too long ago - traded out a Cisco for a Palo Alto.  I'll have to go back and see if the dates correlate.  What did you see in particular in your event log that led you to this?  I am not seeing anything that necessarily stands out in ours.
    Thursday, October 03, 2013 9:11 PM
  • It was the same issue for us.  Our Palo Alto firewalls monitor the server security logs.  It was originally set to poll every 2 seconds.  We increased that timer.  It still spikes the CPU when it does that but it is much less frequent.
    Tuesday, October 08, 2013 12:00 PM
  • Our FW that was causing the issue was a Palo Alto device as well.  I first noticed a real noticeable lag in internet speed.  I originally thought it was the FW but after a reboot of the DNS server, Internet access was re-established.  I then noticed a considerable system lag on the DC and that's when I realized the CPU usage was very unusual.  I discovered the process causing the slowness but it wasn't until a few days later I realized the PAN FW was the culprit.  

    Tuesday, October 08, 2013 6:44 PM
  • Out of curiosity, since yours is a Palo Alto as well, what in particular did you do to resolve the issue?  Polling of the security logs is something that we want so we turned down the frequency.  It would be nice if it would stop spiking the CPU completely but I am not sure if that is possible with that feature.

    Wednesday, October 09, 2013 11:42 AM
  • The PA unit was a demo that had LDAP enabled.  We were going to disable LDAP but decided to just shut down the unit instead. 
    Tuesday, October 15, 2013 5:32 PM
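
One way to check whether a device is flooding a DC's Security log, as discussed in this thread. This is an added example, not from any of the posts: it maps the busy svchost.exe PID to its services, then tallies recent Security events by event ID and by source. The PID value, the 10-minute window and the focus on event ID 4624 (successful logon) are assumptions.

```powershell
# Added example; run from an elevated Windows PowerShell prompt on the DC.
# $busyPid and $minutes are placeholders/assumptions, not values from the thread.
$busyPid = 1234      # PID of the busy svchost.exe (from Task Manager or Process Explorer)
$minutes = 10        # look-back window for the Security log

# 1. Services hosted in that svchost.exe (same information as TASKLIST.EXE /SVC).
Get-WmiObject Win32_Service -Filter "ProcessId = $busyPid" |
    Select-Object Name, DisplayName, State

# 2. Volume of recent Security events, broken down by event ID.
$filter = @{ LogName = 'Security'; StartTime = (Get-Date).AddMinutes(-$minutes) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
'{0} Security events in the last {1} minutes' -f $events.Count, $minutes
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 3. Assumption: the noise is successful logons (event ID 4624). Tally them by
#    source address and account to find the device that keeps connecting.
$rows = foreach ($e in ($events | Where-Object { $_.Id -eq 4624 })) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    New-Object PSObject -Property @{
        Source  = $data['IpAddress']
        Account = $data['TargetUserName']
    }
}
$rows | Group-Object Source, Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

If step 2 shows a different event ID dominating, change the ID in step 3 and read the fields that event carries instead.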