Today I came across a virtual machine (VM) with a CPU usage of 100%. After I logged onto the box, Task Manager informed me the culprit was the ‘svchost.exe’ process.
Unfortunately, if you look in Task Manager you will see many instances of svchost.exe, so we have to drill down a little further to understand exactly which thread within this process is causing the high CPU usage. The VM is running Microsoft Server 2008 R2.
Here we see Task Manager’s ‘Process’ view; svchost.exe is running at 97% CPU usage.
If we right-click on the process and select ‘Go to service(s)’, Task Manager will jump to the ‘Services’ tab and highlight the services with threads running under this instance of svchost.exe.
We now have a list of possible culprits; however, at this point we don’t know which of the various services is causing the high CPU usage. We could right-click on each service one at a time and stop it to see if this affects the CPU usage, but this is a poor way of identifying the rogue service.
At this point I decided to use the great Sysinternals tool ‘Process Explorer’. I found the svchost.exe process with high CPU usage and opened the properties for it. I then selected the ‘Threads’ tab and found that the service ‘wuauserv’ was using 92.31% of the CPU for this svchost.exe process.
Clicking on the ‘Module’ button opens a new window providing details for the selected thread.
We now have what looks to be our culprit – I clicked on the ‘Suspend’ button to pause the thread, gave the system a few seconds then clicked to resume the thread again.
We can see the point where I suspended the thread: CPU usage drops dramatically. When I resume the thread, CPU usage immediately returns to 100% utilisation.
At this point I could have terminated the thread, rebooted the server or taken some other form of remediation to resolve the high CPU usage.
The VM actually required a number of Windows updates to be installed so I went ahead with those – as this particular VM isn’t critical I decided I would reboot it after installing updates. Interestingly, once the updates had installed (but before the reboot), the thread CPU usage dropped to essentially zero and CPU usage as a whole returned to less than 10%.
It looks like for whatever reason the ‘Windows Update Agent’ module went a bit crazy but then corrected itself once the updates had installed.
Sysinternals provide a great set of tools to help quickly troubleshoot issues like this – newer versions of Task Manager are adding more of the ‘Process Explorer’ functionality but I still turn to Mark Russinovich’s tools on a regular basis. There are many ways of troubleshooting issues like this and I have chosen to present one such method today – of course other tools are available, as are command line options.
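The first steps of the drill-down above can also be done from the command line. The following PowerShell is an added example, not part of the original post; it assumes an elevated PowerShell 2.0 or later session on the server, and the five-second sampling window and variable names are illustrative choices.

```powershell
# Added example (not from the original post). Assumes an elevated session.
$sampleSeconds = 5   # assumed sampling window; lengthen it on a noisy host

# Snapshot cumulative CPU seconds for every svchost.exe instance.
$before = @{}
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    ForEach-Object { $before[$_.Id] = $_.CPU }

Start-Sleep -Seconds $sampleSeconds

# Second snapshot: the instance with the largest delta is the one burning CPU now.
$busiest = Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $before.ContainsKey($_.Id) } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Id         = $_.Id
            CpuSeconds = [math]::Round($_.CPU - $before[$_.Id], 2)
            Process    = $_
        }
    } |
    Sort-Object CpuSeconds -Descending |
    Select-Object -First 1

if (-not $busiest) {
    Write-Warning 'No svchost.exe instance could be sampled.'
    return
}
"svchost.exe PID $($busiest.Id) used $($busiest.CpuSeconds) CPU seconds in $sampleSeconds s"

# Services hosted in that instance (what 'Go to service(s)' shows in Task Manager).
Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($busiest.Id)" |
    Select-Object Name, DisplayName, State

# Threads with the most accumulated CPU time; match the Id values against the
# TID column on Process Explorer's 'Threads' tab to find the owning service.
$busiest.Process.Threads |
    Sort-Object TotalProcessorTime -Descending |
    Select-Object -First 5 -Property Id, TotalProcessorTime, ThreadState
```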