100% CPU usage in System process thread

[Joshua D. Curry]

I run a Windows 2000 Server standard w/ the latest system packs and
hotfix KB889081 (http://support.microsoft.com/?kbid=889081) installed
(which didn't solve my problem!). My system continuously runs at (or
near, if not at) 100% in the System process (not the System Idle
process). This has only been going on for about three weeks or so
(apparently after applying hotfixes which came out on Feb 11, 2005 and
after, there was an error when installing KB886906 which occurred daily
(automatic updates) until I installed the update manually on March 8,
2005). However, I can't prove this for sure because I didn't start
actively monitoring the CPU thread (with an event tracker) last week.

I've searched all over the web for information about this problem, but I
can't find anything. I've tried everything that I can think of,
including the special hotfix listed above (KB889081 - 100% terminal
services problem - which didn't work). Can anyone help? I have no idea
what to do next.

Is there any other information that would be helpful to you in looking
at the problem? Just post about it and I'll get you the information.

I tried to attach the full cpu thread information from pstat but I can't
get a post with an attachment to stick on the newsgroup. However, in
general after only 32 mins of uptime the System process has used about
10 total minutes of CPU in various threads and it just goes up and up
from there. Here's an excerpt:

Pstat version 0.3: memory: 785904 kb uptime: 0 0:32:54.312

PageFile: \??\H:\pagefile.sys
Current Size: 524288 kb Total Used: 53816 kb Peak Used 53848 kb

Memory: 785904K Avail: 299032K TotalWs: 612464K InRam Kernel: 2256K
P:45676K
Commit: 616516K/ 520004K Limit:1263992K Peak: 630440K Pool N:11464K
P:45852K

User Time Kernel Time Ws Faults Commit Pri Hnd Thd Pid Name
62592 325686 File
Cache
0:00:00.000 0:00:47.343 16 1 0 0 0 1 0 Idle
Process
0:00:00.000 0:09:03.765 212 4816 24 8 261 48 8 System
0:00:38.625 0:00:34.375 7708 184210 15464 8 982 30 1876
WinMgmt.exe

No other processes had kernal times in the mins range.

pid: 8 pri: 8 Hnd: 261 Pf: 4816 Ws: 212K System
tid pri Ctx Swtch StrtAddr User Time Kernel Time State
4 0 671751 80545880 0:00:00.000 0:00:04.765 Ready
c 13 1 804168C4 0:00:00.000 0:00:00.000 Wait:EventPairLow
10 13 2139 804168C4 0:00:00.000 0:00:00.015 Wait:EventPairLow
14 13 2956 804168C4 0:00:00.000 0:00:00.156 Wait:EventPairLow
18 13 328 804168C4 0:00:00.000 0:00:00.015 Wait:EventPairLow
1c 13 139 804168C4 0:00:00.000 0:00:00.000 Wait:EventPairLow
20 13 4661 804168C4 0:00:00.000 0:00:00.250 Wait:EventPairLow
24 13 4307 804168C4 0:00:00.000 0:00:00.187 Wait:EventPairLow
28 13 12256 804168C4 0:00:00.000 0:00:00.546 Wait:EventPairLow
2c 13 1588 804168C4 0:00:00.000 0:00:00.015 Wait:EventPairLow
30 13 10349 804168C4 0:00:00.000 0:00:00.625 Wait:EventPairLow
34 12 29004 804168C4 0:00:00.000 0:00:00.109 Wait:EventPairLow
38 12 8922571 804168C4 0:00:00.000 0:00:30.109 Wait:EventPairLow
3c 12 9086202 804168C4 0:00:00.000 0:00:33.000 Wait:EventPairLow
40 15 1949 804168C4 0:00:00.000 0:00:00.015 Wait:EventPairLow
44 14 1974 804931BE 0:00:00.000 0:00:00.000 Wait:Executive
48 18 118 80438394 0:00:00.000 0:00:00.031 Wait:VirtualMemory
4c 17 4186 804CAB72 0:00:00.000 0:00:00.000 Wait:FreePage
50 16 29006 8046272E 0:00:00.000 0:00:00.000 Wait:Executive
54 23 1989630 80462826 0:00:00.000 0:00:03.718 Wait:Executive
58 16 1 8041BCD0 0:00:00.000 0:00:00.000 Wait:EventPairLow
5c 17 1 8041BCD0 0:00:00.000 0:00:00.000 Wait:EventPairLow
60 8 36004873 BFFE58C8 0:00:00.000 0:07:48.718 Ready
64 17 1480 8043BFD4 0:00:00.000 0:00:00.015 Wait:VirtualMemory
68 8 1 BFFA0FC0 0:00:00.000 0:00:00.000 Wait:Executive
6c 8 19 BFEA894A 0:00:00.000 0:00:00.015 Wait:EventPairLow
70 9 657 F20902E0 0:00:00.000 0:00:00.000 Wait:Executive
74 8 1 BFDC0538 0:00:00.000 0:00:00.000 Wait:EventPairLow
78 8 1 BFDC0538 0:00:00.000 0:00:00.000 Wait:EventPairLow
7c 8 1 BFDC0538 0:00:00.000 0:00:00.000 Wait:EventPairLow
80 8 33 BFDAD366 0:00:00.000 0:00:00.000 Wait:Executive
8c 8 2 F20B9553 0:00:00.000 0:00:00.000 Wait:Executive
90 8 1 F20B96FD 0:00:00.000 0:00:00.000 Wait:Executive
94 8 1 F2518D8E 0:00:00.000 0:00:00.000 Wait:Executive
9c 8 23 BF35C6C0 0:00:00.000 0:00:00.000 Wait:EventPairLow
a4 8 435 BF3420F6 0:00:00.000 0:00:00.046 Wait:Executive
ac 9 1078 804FF168 0:00:00.000 0:00:00.000 Wait:LpcReceive
1ac 8 1 BE955E18 0:00:00.000 0:00:00.000 Wait:EventPairLow
1b0 8 12 BE955E18 0:00:00.000 0:00:00.000 Wait:EventPairLow
1b4 8 5 BE955E18 0:00:00.000 0:00:00.000 Wait:EventPairLow
1b8 8 33 BE93FE0A 0:00:00.000 0:00:00.000 Wait:Executive
1bc 8 166661 BE92CC6A 0:00:00.000 0:00:00.312 Wait:Executive
2ac 9 19 BE726D78 0:00:00.000 0:00:00.000 Wait:EventPairLow
2b4 9 182 BE726D78 0:00:00.000 0:00:00.031 Wait:EventPairLow
28c 9 105 BE726D78 0:00:00.000 0:00:00.000 Wait:EventPairLow
220 9 27 BE726D78 0:00:00.000 0:00:00.000 Wait:EventPairLow
e5c 8 1 BF35C6CE 0:00:00.000 0:00:00.000 Wait:EventPairLow
e4c 8 1 BF35C6CE 0:00:00.000 0:00:00.000 Wait:EventPairLow

System report

OS Name Microsoft Windows 2000 Server
Version 5.0.2195 Service Pack 4 Build 2195
OS Manufacturer Microsoft Corporation
System Manufacturer Gateway
System Model Gateway 6400
Processor x86 Family 6 Model 8 Stepping 10 GenuineIntel ~933 Mhz
BIOS Version AMIBIOS (C)1999 American Megatrends Inc., Version 07.00.01

You can download the full pstat text file and a system nfo file from:
http://fun.fsuwap.org/joshdcurry/cpu_problem.zip

 

[Joshua D. Curry]

I ran an adware scan on Saturday afternoon and didn't find anything.
Spybot, adware, a squared, etc. I also scanned for viruses, again, using
Norton Corp. and the latest McAfee stinger as suggested in some
responses in win2000.general (see my post there too if you like).
However, there was no effect. Can anyone help? I'll be happy to post any
other information you need.

Here are some updated pstat results (and zip file updated, see below). I
still don't know what to do about this problem... help?

Pstat version 0.3: memory: 785904 kb uptime: 0 17:18:21.393

PageFile: \??\H:\pagefile.sys
Current Size: 524288 kb Total Used: 364820 kb Peak Used 386368 kb

Memory: 785904K Avail: 377812K TotalWs: 425184K InRam Kernel: 2188K
P:67388K
Commit: 702404K/ 551996K Limit:1263992K Peak: 794848K Pool N:24612K
P:82448K


User Time Kernel Time Ws Faults Commit Pri Hnd Thd Pid Name
142740 36286777 File
Cache
0:00:00.000 0:48:31.078 16 1 0 0 0 1 0 Idle
Process
0:00:00.000 3:47:22.421 84 64076 24 8 242 48 8 System
0:03:59.109 1:19:50.515 1660 1031 1220 8 84 5 1724
cygrunsrv.exe
0:01:45.906 0:11:24.093 6680 70309 12356 8 332 43 1048
rtvscan.exe

The rest are under 5 mins, with most below 30sec.

pid: 8 pri: 8 Hnd: 242 Pf: 64076 Ws: 84K System
tid pri Ctx Swtch StrtAddr User Time Kernel Time State
4 0 4622842 80545880 0:00:00.000 0:00:17.500 Ready
c 13 97617 804168C4 0:00:00.000 0:00:09.281 Wait:EventPairLow
10 13 203270 804168C4 0:00:00.000 0:00:16.968 Wait:EventPairLow
14 14 77734 804168C4 0:00:00.000 0:00:06.546 Wait:EventPairLow
18 13 307171 804168C4 0:00:00.000 0:00:25.671 Wait:EventPairLow
1c 13 179992 804168C4 0:00:00.000 0:00:17.421 Wait:EventPairLow
20 14 162776 804168C4 0:00:00.000 0:00:12.578 Wait:EventPairLow
24 13 343407 804168C4 0:00:00.000 0:00:29.750 Wait:EventPairLow
28 14 289057 804168C4 0:00:00.000 0:00:23.125 Wait:EventPairLow
2c 14 263991 804168C4 0:00:00.000 0:00:23.656 Wait:EventPairLow
30 13 135150 804168C4 0:00:00.000 0:00:11.796 Wait:EventPairLow
34 12 100659282 804168C4 0:00:00.000 0:06:07.703 Wait:EventPairLow
38 12 105302963 804168C4 0:00:00.000 0:05:58.171 Wait:EventPairLow
3c 12 112736751 804168C4 0:00:00.000 0:06:52.515 Wait:EventPairLow
40 15 43195 804168C4 0:00:00.000 0:00:00.343 Wait:EventPairLow
44 14 62303 804931BE 0:00:00.000 0:00:00.000 Wait:Executive
48 18 178564 80438394 0:00:00.000 0:00:13.796 Wait:VirtualMemory
4c 17 62920 804CAB72 0:00:00.000 0:00:02.234 Wait:FreePage
50 16 1011423 8046272E 0:00:00.000 0:00:01.203 Wait:Executive
54 23 74723907 80462826 0:00:00.000 0:02:19.484 Wait:Executive
58 16 1 8041BCD0 0:00:00.000 0:00:00.000 Wait:EventPairLow
5c 17 2 8041BCD0 0:00:00.000 0:00:00.000 Wait:EventPairLow
60 8 858909843 BFFE58C8 0:00:00.000 3:14:38.406 Ready
64 17 33533 8043BFD4 0:00:00.000 0:00:00.937 Wait:VirtualMemory
68 8 1 BFFA0FC0 0:00:00.000 0:00:00.000 Wait:Executive
6c 8 19 BFEA894A 0:00:00.000 0:00:00.015 Wait:EventPairLow
70 9 657 F20902E0 0:00:00.000 0:00:00.000 Wait:Executive
74 8 1 BFDC0538 0:00:00.000 0:00:00.000 Wait:EventPairLow
78 8 1 BFDC0538 0:00:00.000 0:00:00.000 Wait:EventPairLow
7c 8 1 BFDC0538 0:00:00.000 0:00:00.000 Wait:EventPairLow
80 8 1038 BFDAD366 0:00:00.000 0:00:00.000 Wait:Executive
8c 8 2 F20B9553 0:00:00.000 0:00:00.000 Wait:Executive
90 8 1 F20B96FD 0:00:00.000 0:00:00.000 Wait:Executive
94 8 1 F2518D8E 0:00:00.000 0:00:00.000 Wait:Executive
9c 9 372 BF35C6C0 0:00:00.000 0:00:00.000 Wait:EventPairLow
a4 8 13350 BF3420F6 0:00:00.000 0:00:00.437 Wait:Executive
ac 9 28396 804FF168 0:00:00.000 0:00:00.218 Wait:LpcReceive
1ac 8 1 BE955E18 0:00:00.000 0:00:00.000 Wait:EventPairLow
1b0 8 540 BE955E18 0:00:00.000 0:00:00.015 Wait:EventPairLow
1b4 8 5 BE955E18 0:00:00.000 0:00:00.000 Wait:EventPairLow
1b8 8 1038 BE93FE0A 0:00:00.000 0:00:00.000 Wait:Executive
1bc 8 5104741 BE92CC6A 0:00:00.000 0:00:21.031 Wait:Executive
2ac 9 2316 BE726D78 0:00:00.000 0:00:00.062 Wait:EventPairLow
2b4 9 6625 BE726D78 0:00:00.000 0:00:00.343 Wait:EventPairLow
123c 9 2896 BE726D78 0:00:00.000 0:00:00.078 Wait:EventPairLow
11d0 9 30 BE726D78 0:00:00.000 0:00:00.000 Wait:EventPairLow
1258 8 3 BF35C6CE 0:00:00.000 0:00:00.000 Wait:EventPairLow
119c 8 12 BF35C6CE 0:00:00.000 0:00:00.000 Wait:EventPairLow

pid:6bc pri: 8 Hnd: 84 Pf: 1031 Ws: 1660K cygrunsrv.exe
tid pri Ctx Swtch StrtAddr User Time Kernel Time State
6b8 9 7372 7C57B70C 0:00:00.031 0:00:00.125 Wait:Executive
708 8 40 7C57B700 0:00:00.000 0:00:00.031 Wait:Executive
70c 8 55 7C57B700 0:00:00.000 0:00:00.015 Wait:UserRequest
554 8 4 7C57B700 0:00:00.000 0:00:00.000 Wait:Executive
10ec 8 419416026 77F9E5B9 0:03:59.062 1:19:49.203 Ready

I've also updated the zip file at
http://fun.fsuwap.org/joshdcurry/cpu_problem.zip. The recent results are
called pstat_sat_afternoon.txt.