Random CPU Spikes in System process

By soumyasch
in Microsoft (Windows)

 Share

Recommended Posts

Proficient

soumyasch

Posted
Posted

For the last few days, I have been having random CPU spikes. The "System" process, about once every 1.5 to 2 minutes, takes up one entire core for about 10 seconds. Because it is the System process, I am suspecting it to be a driver (the most recent driver upgrades were installing Nvidia 195.62 laptop drivers (WHQL) and Realtek R239 HD Audio drivers, but I cannot lay the blame on an upgrade as I didn't notice exactly when the spiking started). I have ruled out other possible factors including malware and rootkits.

Process Explorer narrows it down to a thread that starts at Ntkrnlpa.exe!KeInsertQueueDpc+0x275, but because the System process is a protected process, it can't access any more information, including the thread stack. There are several other threads that start at the same address but do not spike.

How can I get more information about exactly what is causing the spikes or what function starts at KeInsertQueueDpc+0x275 or what execution stack it followed to cause the spikes? Any help in getting to the root of the problem is greatly appreciated.

Link to comment
https://www.neowin.net/forum/topic/859048-random-cpu-spikes-in-system-process/
Share on other sites
Proficient

soumyasch

Posted
  • Author
Posted

Thanks for your suggestion. I have already used kernRates (using the symbols with Process Explorer wasn't helpful, as all it showed was that it was a thread from the threadpool, it couldn't show anything else as the System process is protected in Win7).

I have two installations of Win7 on the same system (one Pro, the other Ultimate). The spiking occurs only in Pro. I ran the same workload (same running processes plus uTorrent and FDM with same config downloading the same file) in both environments for one hour, with kernrates running. Comparing the results showed that Ntfs.sys generated about 10% of the events in Pro, whereas it was ~0% in Ult. I have no idea whats triggering this behavior in Ntfs.sys in Pro. Re-running the profiler without the downloaders running also gives the same result. The other modules have caused more or less similar percentage of events.

There isn't any disc thrashing occurring when there are CPU spikes (if it is of interest, regular filesystem tasks barely results in any CPU usage). So, it looks like the NTFS driver is repeatedly trying to do something but getting stuck in a loop without doing anything noticeable.

Will try profiling again with xperf and let you know the results.

Proficient

soumyasch

Posted
  • Author
Posted

But saw something else. Coinciding with the CPU spikes, interrupts also go up and file activity occurs.

In the graph, the green line is the CPU usage for interrupts, the red one for the CPU utilization of first core and blue for the CPU utilization of the second core. And the bars indicate file activity. At the CPU spikes, all events are occurring.

Looking into the CPU usage around the time of the spikes, sure enough the System process is spiking and except the kernel, the Ntfs.sys driver shows the most usage. The values are similar to the one traced by kernrates.

post-113245-1261841455_thumb.png

post-113245-1261841633_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Looking into the details of file activity, there are three events the System process participated in. The huge towers for the file IO events occurred for the Create event.

The total time the System process spent for Creating files is close to five seconds, which is about the same duration the CPU spikes last, and generated about 250,000 IO Request Packets, which explains the spikes in file IO.

post-113245-1261842452_thumb.png

post-113245-1261842466_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Each of those 260,000 events are created by Thread with Id 48 of the System process, which is confirmed to the same thread that spikes by using Process Explorer to look into the threads' activity of the System process during the spike.

Each of those events look same:

  Quote
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\etc\lmhosts

Flags: synchronous_io_nonalert Option24 normal shareRead shareWrite

Result: Object Name not found. (0xc0000034)

So it looks like its trying to create (or read?) the lmhosts file and failing. Sure the file isn't present in %windir%\System32\drivers\etc\; I do not use WINS. But why the hell is it trying to do the same for more than 250,000 times, when it has already failed once? And why is it doing this over and over again? I will try and create a dummy lmhosts file and see what happens, but that looks like a band-aid, not a solution.

post-113245-1261843143_thumb.png

Proficient

soumyasch

Posted
  • Author
Posted

Deleting and re-creating lmhosts fixed the problem, but it resurfaced on next restart. Dammit, I want a resolution. Don't ****ing care what the problem is anymore. I am taking a heavy hammer and disabling NetBIOS over TCP with brute force. No more NetBIOS, no more LanMan name resolution!

Proficient

MagicAndre1981

Posted
Posted

Ok, because you now know the cause, contact the MS support and tell them what you found out.

you can code a small program which creates the empty file. Now run the program with task scheduler at every startup. So you have a workaround until MS fixed it.

Neowinian

FallenDeku

Posted
Posted

If anyone reading this topic has the same problem (I did), I've found a solution which appears to fix the problem for good

Open the properties box for a network adapter, any will do

Click TCP/IPv4 and then Properties

Jump to the WINS tab

De-select "Enable LMHOSTS lookup"

When you OK out of it the setting is applied to all network adapters

Hope this helps someone, spent most of my afternoon trying to find out what was going on

  • 2 years later...
Neowinian

JoeyX

Posted
Posted
  On 01/01/2010 at 09:35, FallenDeku said:

If anyone reading this topic has the same problem (I did), I've found a solution which appears to fix the problem for good

Open the properties box for a network adapter, any will do

Click TCP/IPv4 and then Properties

Jump to the WINS tab

De-select "Enable LMHOSTS lookup"

When you OK out of it the setting is applied to all network adapters

Hope this helps someone, spent most of my afternoon trying to find out what was going on

It works! Thanks.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft: Edge performs better than Google Chrome on Windows in ad blocking and more

      By monterxz · Posted

      But only for Google ads are the main source of revenue. Otherwise, why would mobile Edge have a built-in AdBlock?
    • Microsoft: Edge performs better than Google Chrome on Windows in ad blocking and more

      By Big John Studd · Posted

      That makes no sense. Of course the average user knows that Edge exists, because it's built into Windows as standard. Hence the normie joke about it just being a downloader for Chrome. People use Chrome because Google have spent the past 15+ years aggressively ramming it down people's throats through massive advertising campaigns, both on their own services and beyond. It's become just the standard internet browser and the average person doesn't care enough about the minutiae of browser differences to switch. Mozilla and Firefox simply cannot compete with Google and Microsoft when it comes to getting Firefox's name out there. They don't have a platform like Google's network of websites or Windows to constantly push adoption. The idea that people pick a browser based on milliseconds of page loading time that's imperceptible outside of a benchmark is nonsense.
    • Microsoft Weekly: useful PowerToys modules, Microsoft Store updates, and video gen in Bing

      By TarasBuria · Posted

      Microsoft Weekly: useful PowerToys modules, Microsoft Store updates, and video gen in Bing by Taras Buria This week's news recap is here, bringing you the latest stories from the Microsoft world, including useful PowerToys modules, fresh Windows 11 preview builds, AI video generation in Bing, Office updates, gaming news, and more. Quick links: Windows 10 and 11 Windows Insider Program Updates are available Gaming news Great deals to check Windows 11 and Windows 10 Here, we talk about everything happening around Microsoft's latest operating system in the Stable channel and preview builds: new features, removed features, controversies, bugs, interesting findings, and more. And, of course, you may find a word or two about older versions. This week's Windows 11 section kicks off with some stats. StatCounter published its monthly report, showing that Windows 11 slowed its climb a little bit in May 2025. On the gaming side, however, things are much better, with Windows 11 occupying the majority of PCs on Steam. Now, here are some Windows updates you might have missed. Windows 11 versions 23H2 and 22H2 received KB5062170, a small emergency patch that resolved errors when installing recent updates. The patch is available only through the Microsoft Update Catalog, and the company recommends installing it only if your system experiences the 0xc0000098 code when installing the May 2025 security update. Finally, Microsoft released a new Defender update for Windows 11 and 10 installations, fresh recovery updates, and a script for recovering the inetpub folder, which showed up unannounced on systems in April. As Windows 10 is getting closer to the end of support, more companies are urging users to switch. AMD, Dell, and ASUS all urge users to prepare for the "mandatory Windows 11 upgrade," while other companies shamelessly poach Windows 10 users, luring them to Linux. To finish this week's Windows section, here is an ancient CD-burning app that made a surprising 64-bit comeback and now works on modern operating systems, including Windows 11. Windows Insider Program Here is what Microsoft released for Windows Insiders this week: Builds Canary Channel Build 27871 This week's Canary build introduced Start menu improvements (more Phone Link features), small taskbar tweaks, and a long list of various fixes to improve different parts of the operating system. Dev Channel Build 26200.5622 (KB5058512) This build brought new Click to Do features, a dedicated Settings section for Quick Machine recovery, improved Windows Widgets, a new spec card for the Settings app, and a few fixes here and there. Build 26200.5622 also contains a new "Your Device Info" card on the Settings Home page, which makes it easier to find your computer's specs with fewer clicks. Beta Channel Build 26120.4230 (KB5058506) This one is almost identical to build 26200.5622 from the Dev Channel. Release Preview Channel Nothing in the Release Preview Channel this week Besides new builds, Microsoft announced a new update for the Windows Photos app, which is now available to Windows Insiders in all channels. The update introduces AI-powered light controls (Relight), which let you place and control up to three light sources on your photo, and AI-powered search with natural language support. Updates are available This section covers software, firmware, and other notable updates (released and coming soon) from Microsoft and third parties, delivering new features, security fixes, improvements, patches, and more. Microsoft announced a batch of new features for the Microsoft Store. The app is getting an improved Home page with personalized recommendations based on your recent activities, region, and deals. Search now considers additional information when ranking apps in the results, and a Copilot button lets you ask AI about a certain app. Microsoft also brags about significant performance improvements under the hood. This week, we had plenty of various Office updates. Microsoft 365, for one, is getting significant changes to its update channels beginning July 2025. Rollback support will be expanded to two months, the Semi-Annual Enterprise Channel (Preview) is being deprecated, and the Semi-Annual Enterprise Channel will be supported for eight months instead of the current 14. Microsoft also announced the general availability of the new Message Trace in the Exchange Admin Center in Exchange Online, some big updates for the new Outlook for Windows in the June 2025 update, and acknowledged a few issues with Outlook after a recent Calendar feature upgrade. Teams is also getting a "major" change for third-party app settings, and Word is getting SharePoint eSignature support. Bing received a surprising update this week. OpenAI's Sora video generator is now available for free in Bing Video Creator. Now, you do not have to pay for an OpenAI subscription to generate short videos using AI. Way to boost Bing stats, Microsoft! PowerToys Run, a useful and convenient launcher for Windows 10 and 11, recently received three new third-party modules that let you test your internet speed, download videos from hundreds of websites, and check out word definitions, usage, synonyms, and more. Microsoft announced some long-requested changes for Microsoft Edge, but only for those living in the EEA region. Windows will no longer annoy you with setting Edge as your default browser, and Windows Widgets will respect your default browser. Also, Microsoft will let you uninstall the Microsoft Store app, and Windows Search will be able to use other search providers. Speaking of browsers, Microsoft published a blog post that explained why Edge is a faster and smarter alternative to Chrome. If you are picking between the two, the article might help you make the choice (Google has an answer to that with its own article explaining that Chrome is now faster than ever). Also, the company released Edge 138 in the Beta Channel, bringing some important changes and new features, such as a new (sort of new) media control center, AI-powered history search, and more. Here are other updates and releases you may find interesting: Microsoft expanded LinkedIn's CEO role to manage Office apps. Microsoft announced the general availability of two new reasoning AI agents: Research and Analyst. Microsoft and Crowdstrike announced a partnership on threat actor naming. Microsoft will invest $400 million in Switzerland to bolster cloud and AI infrastructure. The annual Build conference is moving away from Seattle. Here are the latest drivers and firmware updates released this week: Intel 32.0.101.6876 non-WHQL with support for four new games and a single fix for intermittent display artifacts. Nvidia 576.66 Hotfix with patches for FC 25 crashes, video bugs in browsers, and more. In addition to that, Nvidia released a new version of the Nvidia App, which introduced a light theme (and automatic theme switching), support for more games, and some bug fixes. AMD Software Pro Edition 25 Q2 with support for Windows Server 2025, new Ryzen processors, and a few fixes. AMD Radeon Software 25.6.1 with the RX 9060 XT support and FSR 4 support for more games. On the gaming side Learn about upcoming game releases, Xbox rumors, new hardware, software updates, freebies, deals, discounts, and more. Hello Games continues relentlessly improving No Man's Sky. The game's latest update, "Beacon," was announced this week. It offers space explorers overhauled settlements, player overseer duties, and much more. The update is now available on all supported platforms, including Nintendo Switch 2. The Witcher 4 from CD Projekt RED might be a few years away. Still, at the State of Unreal 2025 keynote, the developers revealed a tech demo showcasing the capabilities of Unreal Engine 5 on the base PlayStation 5, which managed to pull it off at a solid 60 FPS. Nvidia announced new games that are now available in the GeForce NOW cloud streaming service (you have to own them to play them). The latest drop is a massive one: 25 new games, including FBC: Firebreak, Dune: Awakening, 7 Days to Die, DREADZONE, and more. Game Pass is also getting new games, and the first drop in June is also a pretty big one. You will soon get access to Kingdom: Two Crowns, EA Sports FC 25, FBC: Firebreak, Crash Bandicoot 4: It's About Time, The Alters, and more. Some games are leaving the service, so check out the full list here. Xbox Games Showcase 2025 is happening today. With the show kicking off in just a few hours, check out our recap of what to expect at the show and how to watch it. On the hardware side, we have a new Xbox Storage Expansion Card from Seagate. At a whopping $429.99 price tag, the new card offers an immense amount of space for your games, doubling that of the previously biggest expansion card. Now, you can get an Xbox Storage Expansion Card with 4TB. By the way, it costs as much as the 1TB Xbox Series S. Deals and freebies If you are looking for some new games at lower prices, check out this week's Weekend PC Game Deals, which covers multiple specials and discounts, including some freebies, such as Deathloop from the Epic Games Store. Other gaming news includes the following: Ubisoft is skipping its Forward game showcase for the first time since 2020. Valve released a new beta version of Steam for Linux to address sluggish update installations. Elden Ring Nighteign received its first update with reduced difficulty for solo runs. The Expanse TV show is getting a narrative-driven sci-fi action RPG. Black Myth: Wukong is coming to Xbox in August. Atomic Heart is getting a sequel and an MMO RPG spin-off. Great deals to check Every week, we cover many deals on different hardware and software. The following discounts are still available, so check them out. You might find something you want or need. Crucial X10 8TB Portable SSD - $439.99 | 44% off Apple 2025 MacBook Air 13-inch Laptop with M4 chip - $849 | 15% off 4TB WD_BLACK SN7100 PCIe Gen4 Solid-State Drive - $249.99 | 16% off SAMSUNG Q-Series Soundbar HW-Q900F - $997.99 | 29% off KEF Q Concerto Meta Three-Way Bookshelf Speaker - $1,199.99 | 14% off This link will take you to other issues of the Microsoft Weekly series. You can also support Neowin by registering a free member account or subscribing for extra member benefits, along with an ad-free tier option.
    • Microsoft: Edge performs better than Google Chrome on Windows in ad blocking and more

      By olympus1 · Posted

      No, they aren't because they don't do with that online advertising, they sell with that "spots" in their store. Apple is not an online advertising company. The business model of Microsoft ads is exactly the same with Google ads. They both are ad companies which do online advertising and make though their sites user profiling. Just because Microsoft never managed to be as successful as Google in that business that doesn't mean they are not exactly what Google is. An online advertising company. Both Google, Microsoft and Amazon are online advertising companies. Apple isn't.
    • Taskbar Buddy

      By theefool · Posted

      I'm lost without clippy.

  • Recent Achievements

    • Week One Done
      LunaFerret earned a badge
      Week One Done
    • Week One Done
      Ricky Chan earned a badge
      Week One Done
    • Week One Done
      maimutza earned a badge
      Week One Done
    • Week One Done
      abortretryfail earned a badge
      Week One Done
    • First Post
      Mr bot earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      483
    2. 2
      +FloatingFatMan
      262
    3. 3
      snowy owl
      240
    4. 4
      ATLien_0
      227
    5. 5
      Edouard
      185
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!