This topic describes how to resolve a high-CPU-utilization issue in a Windows instance.
Problem description
CPU utilization is high on a Windows instance.
Possible cause
The Windows instance may experience high CPU utilization due to one of the following reasons:
The instance is infected by viruses or attacked by trojans.
Third-party antivirus software runs on the instance.
An exception occurs in an application or a driver, or an application has a high I/O usage or a high interrupt rate.
Solution
Step 1: Identify the issue
You can use various Microsoft tools to capture full memory dumps and identify high-CPU-utilization issues. These tools include Task Manager, Resource Monitor, Performance Monitor, Process Explorer, Xperf (available in Windows Server 2008 and later), and Kernrate (available in Windows Server 2003). In scenarios with high traffic, you can use Wireshark to capture network packets for a period of time and analyze traffic patterns.
For an instance that runs Windows Server 2008 or later, use the built-in Resource Monitor to monitor CPU load.
Connect to the Windows instance.
For more information, see Connection methods.
In the lower part of the desktop, click the Start icon and select Run.
In the Run dialog box, enter perfmon -res and click OK.
In the Resource Monitor window, check for processes that cause high CPU utilization.
Find the IDs and names of the processes that cause high CPU utilization.
In the Task Manager window, find the location of each process that contributes to high CPU utilization based on the process ID, and check whether the process is abnormal.
In the top navigation bar of the Task Manager window, choose View > Select columns.
In the Select columns dialog box, select PID and click OK.
On the Processes tab of the Task Manager window, click PID to sort processes, and then find the processes that cause high CPU utilization. Right-click the name of a process and select Open file location to check whether the process is a malicious process.
Step 2: Analyze and resolve the issue
Determine whether the processes that cause high CPU utilization are normal, and perform operations to resolve the issue. The following table describes the operations that you need to perform based on whether the process is normal or abnormal.
Possible cause | Operation |
Normal processes | Services that are frequently accessed and Windows in-box services, such as update services, may cause high network traffic or high CPU load. |
Abnormal processes | High CPU utilization may be caused by viruses or trojans. Malicious third-party applications may exploit svchost.exe or tcpsvcs.exe in the operating system to disguise themselves and consume excessive CPU resources. You must check for and terminate abnormal processes. Note: If you cannot determine whether a process is a virus or a trojan, we recommend that you search the process name on the Internet. Before you terminate abnormal processes, we recommend that you create snapshots for the instance to back up instance data. |
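The manual checks in Step 1 and the svchost.exe and tcpsvcs.exe check in the table can also be scripted. The following PowerShell is an added example, not part of the original topic: it ranks processes by CPU used over a short window and reports each PID, image path, and signature status. The sampling window, the number of processes reported, and the list of expected system directories are assumptions made for illustration.

```powershell
# Added example, not from the original page. Requires Windows PowerShell 3.0 or later;
# run elevated so that the paths of service processes can be read.
$windowSeconds = 5    # assumption: sampling window chosen for illustration
$topCount      = 5    # assumption: how many processes to report

# First snapshot: cumulative CPU seconds per PID.
$before = @{}
$start  = Get-Date
Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
Start-Sleep -Seconds $windowSeconds
$elapsed = ((Get-Date) - $start).TotalSeconds

$cores = [Environment]::ProcessorCount
# Assumption: directories where the genuine svchost.exe and tcpsvcs.exe images are expected.
$systemDirs = @('System32', 'SysWOW64') | ForEach-Object { Join-Path $env:SystemRoot $_ }

Get-Process |
    Where-Object { $_.Id -ne 0 -and $null -ne $_.CPU -and $null -ne $before[$_.Id] } |
    ForEach-Object {
        # CPU seconds used in the window, as a percentage of all logical processors.
        $used = $_.CPU - $before[$_.Id]
        [pscustomobject]@{
            ProcessId  = $_.Id
            Name       = $_.ProcessName
            CpuPercent = [math]::Round(100 * $used / ($elapsed * $cores), 1)
            Path       = $_.Path
        }
    } |
    Sort-Object CpuPercent -Descending |
    Select-Object -First $topCount |
    ForEach-Object {
        $signature = 'PathUnavailable'
        $review    = $false
        if ($_.Path) {
            # Catalog-signed system files can report NotSigned on older Windows versions.
            $signature = (Get-AuthenticodeSignature -FilePath $_.Path).Status
            # A process using one of these names from another directory deserves a closer look.
            if ($_.Name -in 'svchost', 'tcpsvcs') {
                $review = (Split-Path $_.Path -Parent) -notin $systemDirs
            }
        }
        $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $signature -PassThru |
             Add-Member -NotePropertyName ReviewLocation -NotePropertyValue $review -PassThru
    } |
    Format-Table -AutoSize -Wrap
```

A True value in ReviewLocation or a Signature other than Valid is a prompt for the manual inspection described above, not a verdict on the process.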
More information
This section describes some Windows in-box tools.
Task Manager
Task Manager allows you to view the lists of applications and processes and identify applications that cause high CPU utilization.
When you check CPU utilization on the Performance tab, right-click the CPU graph and choose Change graph to > Logical processors.
When the CPU utilization of one process spikes to nearly 100% while the CPU utilization of other processes barely changes, a network I/O issue may be occurring.
Resource Monitor
Resource Monitor allows you to visually check CPU utilization and search for processes based on handles and modules.
Process Explorer
Process Explorer is part of the Microsoft Sysinternals suite. You can configure symbols to check thread call stacks of applications and identify potential anomalous drivers. You can download Process Explorer from the Process Explorer page.
The following figure shows the Process Explorer window.
Performance Monitor
Performance Monitor allows you to collect performance counters for various components. Multiple counters are used to monitor the consumption of CPU resources. Click the Start icon and select Run. In the Run dialog box, enter perfmon to start Performance Monitor.
Take note of the following critical performance counters:
\Processor(_Total)\% Processor Time: The value of this performance counter is the sum of the \Processor(*)\% User Time and \Processor(*)\% Privileged Time counter values.
\Processor(*)\% Privileged Time: This performance counter indicates the percentage of time that applications spend in executing system calls in kernel (or privileged) mode, such as drivers, I/O request packets (IRPs), and context switching. If the value of the \Processor(*)\% Privileged Time performance counter of the operating system exceeds 30% as shown in the following figure, the instance spends a significant amount of time in processing I/O requests.
If the value of % Privileged Time is large, check the % DPC Time, % Interrupt Time, and Context Switches/sec performance counters.
Large % DPC Time and % Interrupt Time values indicate that unknown devices perform a large number of operations or experience an issue that significantly diminishes performance. For more information, see the following document:
A large Context Switches/sec value indicates that a large number of threads are in the Ready state. To resolve the issue, reduce the number of threads.
If the % DPC Time and % Interrupt Time values are large, use Microsoft Xperf to further analyze the issue. For information about Microsoft Xperf, see the following document:
If the Context Switches/sec value is large, see the following documents:
\Processor(*)\% User Time: This performance counter indicates the percentage of time that the processor spends in running code in user mode. The performance counter can help you identify the applications or functions on which the processor spends a significant amount of time. The following figure shows a large % User Time value.
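The counters above can be sampled from PowerShell and checked in the same order. The following is an added example, not part of the original topic: it averages the counters over a short run and applies the 30% Privileged Time check. The sample count and the use of the _Total and \System instances are assumptions made for illustration.

```powershell
# Added example, not from the original page. Requires Windows PowerShell 3.0 or later.
# Counter paths are the English names; on a localized Windows installation they differ.
$counterPaths = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\% User Time',
    '\Processor(_Total)\% Privileged Time',
    '\Processor(_Total)\% DPC Time',
    '\Processor(_Total)\% Interrupt Time',
    '\System\Context Switches/sec'
)
$privilegedLimit = 30   # from the page: above 30% means heavy I/O request processing
$sampleCount     = 10   # assumption: ten one-second samples, chosen for illustration

$samples = Get-Counter -Counter $counterPaths -SampleInterval 1 -MaxSamples $sampleCount

# Average every counter over the run. Sample paths look like
# \\host\processor(_total)\% privileged time, so key on the last path segment.
$average = @{}
$samples | ForEach-Object { $_.CounterSamples } | Group-Object Path | ForEach-Object {
    $name = ($_.Name -split '\\')[-1]
    $mean = ($_.Group | Measure-Object CookedValue -Average).Average
    $average[$name] = [math]::Round($mean, 1)
}

$average.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

if ($average['% privileged time'] -gt $privilegedLimit) {
    # Kernel-mode time is high: show the three counters the page says to check next.
    'Privileged time is above the limit. Review these next:'
    '% dpc time', '% interrupt time', 'context switches/sec' | ForEach-Object {
        '  {0} = {1}' -f $_, $average[$_]
    }
} else {
    # Kernel-mode time is within the limit: report the user-mode share instead.
    'Privileged time is within the limit. User-mode time: {0}' -f $average['% user time']
}
```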