Random CPU Spikes in System process

By soumyasch
in Microsoft (Windows)

 Share

Recommended Posts

Proficient

soumyasch

Posted
Posted

For the last few days, I have been having random CPU spikes. The "System" process, about once every 1.5 to 2 minutes, takes up one entire core for about 10 seconds. Because it is the System process, I am suspecting it to be a driver (the most recent driver upgrades were installing Nvidia 195.62 laptop drivers (WHQL) and Realtek R239 HD Audio drivers, but I cannot lay the blame on an upgrade as I didn't notice exactly when the spiking started). I have ruled out other possible factors including malware and rootkits.

Process Explorer narrows it down to a thread that starts at Ntkrnlpa.exe!KeInsertQueueDpc+0x275, but because the System process is a protected process, it can't access any more information, including the thread stack. There are several other threads that start at the same address but do not spike.

How can I get more information about exactly what is causing the spikes or what function starts at KeInsertQueueDpc+0x275 or what execution stack it followed to cause the spikes? Any help in getting to the root of the problem is greatly appreciated.

Link to comment
https://www.neowin.net/forum/topic/859048-random-cpu-spikes-in-system-process/
Share on other sites
Proficient

soumyasch

Posted
  • Author
Posted

Thanks for your suggestion. I have already used kernRates (using the symbols with Process Explorer wasn't helpful, as all it showed was that it was a thread from the threadpool, it couldn't show anything else as the System process is protected in Win7).

I have two installations of Win7 on the same system (one Pro, the other Ultimate). The spiking occurs only in Pro. I ran the same workload (same running processes plus uTorrent and FDM with same config downloading the same file) in both environments for one hour, with kernrates running. Comparing the results showed that Ntfs.sys generated about 10% of the events in Pro, whereas it was ~0% in Ult. I have no idea whats triggering this behavior in Ntfs.sys in Pro. Re-running the profiler without the downloaders running also gives the same result. The other modules have caused more or less similar percentage of events.

There isn't any disc thrashing occurring when there are CPU spikes (if it is of interest, regular filesystem tasks barely results in any CPU usage). So, it looks like the NTFS driver is repeatedly trying to do something but getting stuck in a loop without doing anything noticeable.

Will try profiling again with xperf and let you know the results.

Proficient

soumyasch

Posted
  • Author
Posted

But saw something else. Coinciding with the CPU spikes, interrupts also go up and file activity occurs.

In the graph, the green line is the CPU usage for interrupts, the red one for the CPU utilization of first core and blue for the CPU utilization of the second core. And the bars indicate file activity. At the CPU spikes, all events are occurring.

Looking into the CPU usage around the time of the spikes, sure enough the System process is spiking and except the kernel, the Ntfs.sys driver shows the most usage. The values are similar to the one traced by kernrates.

post-113245-1261841455_thumb.png

post-113245-1261841633_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Looking into the details of file activity, there are three events the System process participated in. The huge towers for the file IO events occurred for the Create event.

The total time the System process spent for Creating files is close to five seconds, which is about the same duration the CPU spikes last, and generated about 250,000 IO Request Packets, which explains the spikes in file IO.

post-113245-1261842452_thumb.png

post-113245-1261842466_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Each of those 260,000 events are created by Thread with Id 48 of the System process, which is confirmed to the same thread that spikes by using Process Explorer to look into the threads' activity of the System process during the spike.

Each of those events look same:

  Quote
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\etc\lmhosts

Flags: synchronous_io_nonalert Option24 normal shareRead shareWrite

Result: Object Name not found. (0xc0000034)

So it looks like its trying to create (or read?) the lmhosts file and failing. Sure the file isn't present in %windir%\System32\drivers\etc\; I do not use WINS. But why the hell is it trying to do the same for more than 250,000 times, when it has already failed once? And why is it doing this over and over again? I will try and create a dummy lmhosts file and see what happens, but that looks like a band-aid, not a solution.

post-113245-1261843143_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Deleting and re-creating lmhosts fixed the problem, but it resurfaced on next restart. Dammit, I want a resolution. Don't ****ing care what the problem is anymore. I am taking a heavy hammer and disabling NetBIOS over TCP with brute force. No more NetBIOS, no more LanMan name resolution!

Proficient

MagicAndre1981

Posted
Posted

Ok, because you now know the cause, contact the MS support and tell them what you found out.

you can code a small program which creates the empty file. Now run the program with task scheduler at every startup. So you have a workaround until MS fixed it.

Neowinian

FallenDeku

Posted
Posted

If anyone reading this topic has the same problem (I did), I've found a solution which appears to fix the problem for good

Open the properties box for a network adapter, any will do

Click TCP/IPv4 and then Properties

Jump to the WINS tab

De-select "Enable LMHOSTS lookup"

When you OK out of it the setting is applied to all network adapters

Hope this helps someone, spent most of my afternoon trying to find out what was going on

  • 2 years later...
Neowinian

JoeyX

Posted
Posted
  On 01/01/2010 at 09:35, FallenDeku said:

If anyone reading this topic has the same problem (I did), I've found a solution which appears to fix the problem for good

Open the properties box for a network adapter, any will do

Click TCP/IPv4 and then Properties

Jump to the WINS tab

De-select "Enable LMHOSTS lookup"

When you OK out of it the setting is applied to all network adapters

Hope this helps someone, spent most of my afternoon trying to find out what was going on

It works! Thanks.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • BBC threatens Perplexity with legal action over content scraping

      By zikalify · Posted

      BBC threatens Perplexity with legal action over content scraping by Paul Hill Image via Depositphotos.com The UK’s public broadcaster, BBC, has written a letter to Perplexity, the AI search startup, asking it to stop scraping articles from its websites, delete existing copies of content, and propose some sort of financial compensation if it would like to carry on scraping data. If the demands are not met, BBC may seek an injunction against the startup citing alleged misuse of its intellectual property. BBC is probably responding in this way because it has seen other news organizations cement deals with firms like OpenAI and Mistral. The income stream allows news organizations to raise more funds and also cover the costs of the extra load on their servers caused by AI scraping. For anybody not familiar with Perplexity, it’s a bit like ChatGPT but has a much stronger emphasis on searching the web to find information. You can ask it anything you want to know about and it very quickly searches online and constructs a specific response to your question based on what it has found. The company offers many of its features for free, but does have Perplexity Pro, which costs money. Essentially, Perplexity is making money from publishers by using their content to improve its own product, but not paying them all. Perplexity's defense and existing publisher programs In a statement to the Financial Times, Perplexity labeled the BBC’s claims as "manipulative and opportunistic". The startup accused the broadcaster of having “a fundamental misunderstanding of technology, the internet and intellectual property law.” This is not the first time Perplexity has had a run-in with the media. Forbes and Wired accused it of plagiarizing content from their websites and The New York Times sent the company a cease and desist notice to stop using its content for AI purposes. To assuage publishers, Perplexity has set up a revenue sharing program, which includes TIME, Fortune, Der Spiegel, and others. According to Digiday, the revenue share was up to 25%. It’s not clear if BBC has tried engaging through this avenue or if it wants to try to squeeze the startup for a bigger slice. The escalating battle over AI and intellectual property Even if you only keep up with AI developments in passing, you’ll likely have seen that AI models need to be trained on vast amounts of data, much of which is copyrighted. There is an ongoing debate about whether these companies should be allowed to train on this data, or first seek out permission from the copyright holders. The move from the BBC could spur other publishers on to try and get themselves a better deal from Perplexity. Alternatively, Perplexity could remove BBC content from its platform and stop pulling information from there. It could probably find most of the information elsewhere, but if Perplexity tried to pull this too much it would eventually end up pretty useless with not a lot of content. Overall, this is just one of many ongoing legal issues surrounding AI, but once a conclusion has been reached, it could set a precedent about how AI companies should go about getting content from publishers. Source: FT via Reuters
    • Steam overlay's FPS counter gets major upgrade to show CPU and VRAM usage, temps, and more

      By dustojnikhummer · Posted

      No, it's in fact not always there. You have to enable the FPS overlay first, either in Steam general settings or in the.... Steam Overlay... which is Shift+Tab. And what is that? A keyboard shortcut
    • Steam overlay's FPS counter gets major upgrade to show CPU and VRAM usage, temps, and more

      By dustojnikhummer · Posted

      Mangohud hasn't been built into anything but the Steam Deck until now, you had to set it up yourself.
    • Is the Start menu in Windows actually useful? Do we even need it?

      By Jdoe25 · Posted

      M$ Start Menu and its Oddities: What Do They Know? Do They Know Things?? Let's Find Out! Short answer is "you actually want Open-Shell or any of its paid alternatives".
    • Microsoft is removing legacy drivers from Windows Update

      By Jdoe25 · Posted

      Windoze 11 delivering whatever drivers to me in a recent laptop (2024) made me disable the ability to receive drivers altoghether. I was repeatedly losing the ability to have a lighted keyboard, because I'd install the most recent driver from the manufacturer, and Windoze would immediately "replace it" or "complement it" with a whatever "Component download" of its own. Wasted me a couple of days troubleshooting that crap. Windoze 11 wasting my time since like forever.

  • Recent Achievements

    • One Month Later
      KynanSEIT earned a badge
      One Month Later
    • One Month Later
      gowtham07 earned a badge
      One Month Later
    • Collaborator
      lethalman went up a rank
      Collaborator
    • Week One Done
      Wayne Robinson earned a badge
      Week One Done
    • One Month Later
      Karan Khanna earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      679
    2. 2
      ATLien_0
      274
    3. 3
      Michael Scrip
      220
    4. 4
      +FloatingFatMan
      171
    5. 5
      Steven P.
      160
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!