Random CPU Spikes in System process

By soumyasch
in Microsoft (Windows)

 Share

Recommended Posts

Proficient

soumyasch

Posted
Posted

For the last few days, I have been having random CPU spikes. The "System" process, about once every 1.5 to 2 minutes, takes up one entire core for about 10 seconds. Because it is the System process, I am suspecting it to be a driver (the most recent driver upgrades were installing Nvidia 195.62 laptop drivers (WHQL) and Realtek R239 HD Audio drivers, but I cannot lay the blame on an upgrade as I didn't notice exactly when the spiking started). I have ruled out other possible factors including malware and rootkits.

Process Explorer narrows it down to a thread that starts at Ntkrnlpa.exe!KeInsertQueueDpc+0x275, but because the System process is a protected process, it can't access any more information, including the thread stack. There are several other threads that start at the same address but do not spike.

How can I get more information about exactly what is causing the spikes or what function starts at KeInsertQueueDpc+0x275 or what execution stack it followed to cause the spikes? Any help in getting to the root of the problem is greatly appreciated.

Link to comment
https://www.neowin.net/forum/topic/859048-random-cpu-spikes-in-system-process/
Share on other sites
Proficient

soumyasch

Posted
  • Author
Posted

Thanks for your suggestion. I have already used kernRates (using the symbols with Process Explorer wasn't helpful, as all it showed was that it was a thread from the threadpool, it couldn't show anything else as the System process is protected in Win7).

I have two installations of Win7 on the same system (one Pro, the other Ultimate). The spiking occurs only in Pro. I ran the same workload (same running processes plus uTorrent and FDM with same config downloading the same file) in both environments for one hour, with kernrates running. Comparing the results showed that Ntfs.sys generated about 10% of the events in Pro, whereas it was ~0% in Ult. I have no idea whats triggering this behavior in Ntfs.sys in Pro. Re-running the profiler without the downloaders running also gives the same result. The other modules have caused more or less similar percentage of events.

There isn't any disc thrashing occurring when there are CPU spikes (if it is of interest, regular filesystem tasks barely results in any CPU usage). So, it looks like the NTFS driver is repeatedly trying to do something but getting stuck in a loop without doing anything noticeable.

Will try profiling again with xperf and let you know the results.

Proficient

soumyasch

Posted
  • Author
Posted

But saw something else. Coinciding with the CPU spikes, interrupts also go up and file activity occurs.

In the graph, the green line is the CPU usage for interrupts, the red one for the CPU utilization of first core and blue for the CPU utilization of the second core. And the bars indicate file activity. At the CPU spikes, all events are occurring.

Looking into the CPU usage around the time of the spikes, sure enough the System process is spiking and except the kernel, the Ntfs.sys driver shows the most usage. The values are similar to the one traced by kernrates.

post-113245-1261841455_thumb.png

post-113245-1261841633_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Looking into the details of file activity, there are three events the System process participated in. The huge towers for the file IO events occurred for the Create event.

The total time the System process spent for Creating files is close to five seconds, which is about the same duration the CPU spikes last, and generated about 250,000 IO Request Packets, which explains the spikes in file IO.

post-113245-1261842452_thumb.png

post-113245-1261842466_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Each of those 260,000 events are created by Thread with Id 48 of the System process, which is confirmed to the same thread that spikes by using Process Explorer to look into the threads' activity of the System process during the spike.

Each of those events look same:

  Quote
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\etc\lmhosts

Flags: synchronous_io_nonalert Option24 normal shareRead shareWrite

Result: Object Name not found. (0xc0000034)

So it looks like its trying to create (or read?) the lmhosts file and failing. Sure the file isn't present in %windir%\System32\drivers\etc\; I do not use WINS. But why the hell is it trying to do the same for more than 250,000 times, when it has already failed once? And why is it doing this over and over again? I will try and create a dummy lmhosts file and see what happens, but that looks like a band-aid, not a solution.

post-113245-1261843143_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Deleting and re-creating lmhosts fixed the problem, but it resurfaced on next restart. Dammit, I want a resolution. Don't ****ing care what the problem is anymore. I am taking a heavy hammer and disabling NetBIOS over TCP with brute force. No more NetBIOS, no more LanMan name resolution!

Proficient

MagicAndre1981

Posted
Posted

Ok, because you now know the cause, contact the MS support and tell them what you found out.

you can code a small program which creates the empty file. Now run the program with task scheduler at every startup. So you have a workaround until MS fixed it.

Neowinian

FallenDeku

Posted
Posted

If anyone reading this topic has the same problem (I did), I've found a solution which appears to fix the problem for good

Open the properties box for a network adapter, any will do

Click TCP/IPv4 and then Properties

Jump to the WINS tab

De-select "Enable LMHOSTS lookup"

When you OK out of it the setting is applied to all network adapters

Hope this helps someone, spent most of my afternoon trying to find out what was going on

  • 2 years later...
Neowinian

JoeyX

Posted
Posted
  On 01/01/2010 at 09:35, FallenDeku said:

If anyone reading this topic has the same problem (I did), I've found a solution which appears to fix the problem for good

Open the properties box for a network adapter, any will do

Click TCP/IPv4 and then Properties

Jump to the WINS tab

De-select "Enable LMHOSTS lookup"

When you OK out of it the setting is applied to all network adapters

Hope this helps someone, spent most of my afternoon trying to find out what was going on

It works! Thanks.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Here are some of the ways you can use Safari's new look on Apple iOS 26

      By SkyDX · Posted

      It's a Developer Beta 1 not even a Public or User Beta, I doubt any of the design is 100% finalized yet.
    • Windows 11 finally gets a small, but long-requested Windows 10 taskbar feature

      By eric79XXL · Posted

      Was going to comment the same thing. It's SO annoying to have to go back to settings every time I install something new or some apps like discord update and the icon is hidden again.
    • XRECODE3 1.167

      By Copernic · Posted

      XRECODE3 1.167 by Razvan Serea xrecode3 is a converter and audio-grabber which allows you to convert from mp3, mp2, wma, aiff, amr, ogg, flac, ape, cue, ac3, wv, mpc, mid, cue ,tta, tak, wav, wav(rf64), dts, m4a, m4b, mp4, ra, rm, aac, avi, mpg, vob, mkv, mka, flv, swf, mov, ofr, wmv, divx, m4v, spx, 3gp, 3g2, m2v, m4v, ts, m2ts, adts, shn, tak, xm, mod, s3m, it, mtm, umx, mlp to m4a, alac, ape, flac, mp3, mp4 (using NeroAAC), ogg, raw, wav, wav(rf64), wma, WavPack, mpc, mp2, Speex, ofr, ac3, aiff, tak, snd and Shorten formats. Command Line parameters are supported. XRECODE3 features: Works on XP, Vista, Windows 7, Windows 8, 10 32/64 bit versions and under Wine. Parallel conversion by utilizing power of multi-core CPUs. Support of embedded CUE sheets (for FLAC, WavPack, APE and TAK files). Support of mp4, mka chapters (can split mp4, mka by chapters to any supported format). Built-in Metadata editor with Cover Art support. Has support for LossyWav. Supports portable mode. Merge input files to one large audio file and create CUE sheet. Converting to many formats at once using "Multiple" output mode. Grabbing of multi-channel Audio CDs to the desired format at once. Informative and resizable UI suited even for netbooks. Extracting audio from flv, avi, mov etc. video files (multiple audio streams are supported). Can export/import Metadata to/from external file. Support for 24/32bit audio files. Multilanguage support. Currently program is available in Dutch, English, French, Japanese, Korean, Polish, Russian, Hungarian, Italian, Spanish, Spanish Traditional, Swedish, Brazilian Portuguese, German, Finnish, Bulgarian, Czech, Danish and Chinese (simplified) languages. What's new in XRECODE3: Native 64bit support. Added support for DSD/DST and DFF formats (including handling of SACD ISOs). Added option to extract audio without transcoding. Added option to encode several files to one multi-channel file. Added option to split file into individual track-per-channel for all available output formats. Added option to merge files per folder. Output and Metadata settings are now output format specific. Enhanced Metadata settings. Added support for multiple Cover pictures in Metadata editor. Added 32bit int/float output for formats which support them (e.g. WAV). Added dithering option in Output Settings. Added option to use EBUR128 in Normalize. Added option to Album Mode Normalize. Added option to configure Matrices under Output Settings. Added more output file pattern elements. Tabbed UI. CUE files are now displayed more nicely. Enhanced Shell Extension. XRECODE3 1.167 changelog: Added option to handle YEAR and DATE tags (under Settings/Metadata/Advanced). Updated to the latest qaac (2.85). Download: XRECODE3 v1.167 (64-bit) | Portable | ~30.0 MB (Shareware) Download: XRECODE3 v1.167 (32-bit) | Portable Link: XRECODE3 Homepage | XRECODE3 Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Hasleo Disk Clone 5.2.2.1

      By Copernic · Posted

      Hasleo Disk Clone 5.2.2.1 by Razvan Serea Hasleo Disk Clone is a free and all-in-one disk cloning software for Windows 11/10/8/7/Vista and Windows Server that can help you migrate Windows OS to another disk, clone one disk to another disk or clone one partition to another location quickly and efficiently. Completely Free Windows Migration and Disk/Partition Cloning Software Migrate Windows from one disk to another without reinstalling Windows, apps. Clone one disk to another and makes the data on 2 disks are exactly the same. Clone a partition to another location without losing any data. Easily adjust the size and location of the destination partition. Convert MBR to GPT or convert GPT to MBR by cloning. Creation of Windows PE emergency disk. Extremely fast cloning speed and multi-language support. Supported OS: Windows Vista/Server 2008 or later, fully compatible with GPT and UEFI. Note: Hasleo Disk Clone 5.2.2.1 changelog is not yet available. Download: Hasleo Disk Clone 5.2.2.1 | 28.8 MB (Freeware) Link: Hasleo Disk Clone Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Some AMD Ryzen users can get free Windows performance boost with this simple system tweak

      By duhk · Posted

      Shouldn't using "High Performance" mode prevent c-states from initializing? Maybe AMD hasn't built a proper power plan for their x3d processors like they used to for their ryzen chips.

  • Recent Achievements

    • First Post
      Johnny Mrkvička earned a badge
      First Post
    • Week One Done
      viraltui earned a badge
      Week One Done
    • One Month Later
      serfegyed earned a badge
      One Month Later
    • Dedicated
      firey earned a badge
      Dedicated
    • Dedicated
      fettermanj earned a badge
      Dedicated

  • Popular Contributors

    1. 1
      +primortal
      634
    2. 2
      ATLien_0
      229
    3. 3
      Michael Scrip
      218
    4. 4
      Xenon
      149
    5. 5
      Steven P.
      140
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!