What do I do if CPU utilization is high on a Windows instance? -

This topic describes how to resolve a high-CPU-utilization issue in a Windows instance.

Problem description

CPU utilization is high on a Windows instance.

Possible cause

The Windows instance may experience high CPU utilization due to one of the following reasons:

The instance is infected by viruses or attacked by trojans.
Third-party antivirus software runs on the instance.
An exception occurs in an application or a driver, or an application has a high I/O usage or a high interrupt rate.

Solution

Step 1: Identify the issue

You can use various Microsoft tools to capture full memory dumps and identify high-CPU-utilization issues. These tools include Task Manager, Resource Monitor, Performance Monitor, Process Explorer, Xperf (available in Windows Server 2008 and later), and Kernrate (available in Windows Server 2003). In scenarios with high traffic, you can use Wireshark to capture network packets for a period of time and analyze traffic patterns.

Note

For an instance that runs Windows Server 2008 or later, use the built-in Resource Monitor to monitor CPU load.

Connect to the Windows instance.
For more information, see Connection methods.
In the lower part of the desktop, click the Start icon and select Run.
In the Run dialog box, enter perfmon -res and click OK.
In the Resource Monitor window, check for processes that cause high CPU utilization.
Find the IDs and names of the processes that cause high CPU utilization.
In the Task Manager window, find the location of each process that contributes to high CPU utilization based on the process ID, and check whether the process is abnormal.
1. In the top navigation bar of the Task Manager window, choose Vie > Select column.
2. In the Select columns dialog box, select PID and click OK.
3. On the Processes tab of the Task Manager window, click PID to sort processes, and then find the processes that cause high CPU utilization. Right-click the name of a process and select Open file location to check whether the process is a malicious process.

Step 2: Analyze and resolve the issue

Determine whether the processes that cause high CPU utilization are normal, and perform operations to resolve the issue. The following table describes the operations that you need to perform based on whether the process is normal or abnormal.

Possible cause

Operation

Normal processes

Services that are frequently accessed and Windows in-box services, such as update services, may cause high network traffic or high CPU load.

Note

For a Windows Server 2008 or Windows Server 2012 instance, we recommend that you configure at least 2 GB of memory.
On a Windows Server 2012 instance that has one vCPU and 1 GB of memory, the Windows Update service automatically checks for, downloads, and installs new Windows updates, which results in sudden spikes in CPU utilization. This is a normal scenario.

Check in the background whether Windows Update operations are performed.
We recommend that you install antivirus software on the instance to perform a virus scan. If antivirus software is installed on the instance, check whether the antivirus software runs in the background when the instance experiences high CPU utilization. If possible, upgrade the antivirus software to the latest version, or uninstall the antivirus software.
Check whether applications that are hosted on the instance involve large numbers of disk read/write operations, initiate large numbers of network requests, or generate compute-intensive workloads. Upgrade to an instance type that has more vCPUs or memory to resolve the resource bottleneck. For more information, see the "Change instance types" section of Overview of instance configuration changes.
If the current instance type provides high configurations, an instance type upgrade may not resolve the issue of high CPU utilization and higher configurations may not have architecture benefits. In this case, move applications to other instances to free up resources on the Windows instance, and optimize applications.
For example, you can migrate databases to ApsaraDB RDS instances. To optimize applications, you can modify the application configurations, such as the number of connections, cache settings, web settings, and the parameters used to call databases.

Abnormal processes

High CPU utilization may be caused by viruses or trojans. Malicious third-party applications may exploit svchost.exe or tcpsvcs.exe in the operating system to disguise themselves and consume excessive CPU resources. You must check for and terminate abnormal processes.

Note

If you cannot determine whether a process is a virus or a trojan, we recommend that you search the process name on the Internet. Before you terminate abnormal processes, we recommend that you create snapshots for the instance to back up instance data.

Use a commercial version of antivirus software or the free scan tool Microsoft Safety Scanner to scan for and remove viruses in safe mode.
Run Windows Update to install the latest Microsoft security patches.
Use MSConfig to disable all drivers except Windows in-box drivers. For more information, see How to perform a clean boot in Windows.
A server or a website is overloaded by a large number of access requests when the server or the website suffers a DDoS attack or HTTP flood attack. You can log on to the Security Center console to check anti-DDoS thresholds and to check whether HTTP flood protection is enabled. If no attacks hit the thresholds, Security Center does not perform traffic scrubbing. Contact Alibaba Cloud technical support to scrub traffic.

More information

This section describes some Windows in-box tools.

Task Manager

Task Manager allows you to view the lists of applications and processes and identify applications that cause high CPU utilization.
When you check CPU utilization on the Performance tab, right-click the CPU graph and choose Change graph to > Logical processors.
When the CPU utilization of a process spikes to nearly 100% and the CPU utilization of other processes has insignificant change, a network I/O issue may occur.

Resource Monitor

Resource Monitor allows you to visually check CPU utilization and search for processes based on handles and modules.

Process Explorer

Process Explorer is part of the Microsoft Sysinternals suite. You can configure symbols to check thread call stacks of applications and identify potential anomalous drivers. You can download Process Explorer from Process Explorer.
The following figure shows the Process Explorer window.

Performance Monitor

Performance Monitor allows you to collect performance counters for various components. Multiple counters are used to monitor the consumption of CPU resources. Click the Start icon and select Run. In the Run dialog box, enter perfmon to start Performance Monitor.
Take note of the following critical performance counters: \Processor(_Total)\% Processor Time: The value of this performance counter is the sum of the \Processor(*)\% User Time and \Processor(*)\% Privileged Time counter values.
- \Processor(_Total)\% Processor Time
- \Processor(*)\% User Time
- \Processor(*)\% Privileged Time
\Processor(*)\% Privileged Time: This performance counter indicates the percentage of time that applications spend in executing system calls in kernel (or privileged) mode, such as drivers, I/O request packets (IRPs), and context switching. If the value of the \Processor(*)\% Privileged Time performance counter of the operating system exceeds 30% as shown in the following figure, the instance spends a significant amount of time in processing I/O requests.
If the value of % Privileged Time is large, check the % DPC Time, % Interrupt Time, and Context Switches/sec performance counters.
- Large % DPC Time and % Interrupt Time values indicate that unknown devices perform a large number of operations or experience an issue that significantly diminishes performance. For more information, see the following document:
  - Choose Your Own Adventure: High Deferred Procedure Calls (DPCs) or High Interrupts
- A large Context Switches/sec value indicates that a large number of threads are in the Ready state. To resolve the issue, reduce the number of threads.
If the % DPC Time and % Interrupt Time values are large, use Microsoft Xperf to further analyze the issue. For information about Microsoft Xperf, see the following document:
- Windows IT Pro Magazine: Examining xPerf
If the Context Switches/sec value is large, see the following documents:
- The Case of the 2 Million Context Switches
- Mark Russinovich's The Case of the System Process CPU Spikes
\Processor(*)\% User Time: This performance counter indicates the percentage of time that the processor spends in running code in user mode. The performance counter can help you identify the applications or functions on which the processor spends a significant amount of time.
The following figure shows a large % User Time value.