gabolinche

100% CPU Usage in Windows 2000, System Process

I have an IBM ThinkPad PIII running Windows 2000 Professional. A couple of days ago it turned extremely slow. I opened the Task Manager and it shows a 100% CPU Usage, mostly (99%) by the System process.

I broke down the System process using the performance monitor, pviewer and pstat and I came up with two device drivers. There are two threads that are intermittently using 100% of the CPU (about 2 minutes for one thread, then it goes down and the other one goes up for another 2 minutes, and so on). The two threads point to rasacd.sys and cwcwdm.sys...

But now I'm stuck. What should I do in order to avoid this problem? I haven't installed any new hardware so I don't see why this suddenly started happening...

Thanks for your help.
CrazyOne

Here is what I am thinking. These drivers may have gotten corrupted and need to be replaced. I would suggest backing up these two files to a folder within the WINNT folder. Then do an expand.

Expand -r CDDriveLetter:\i386\rasacd.sy_ C:\Windows\system32\drivers
Expand -r CDDriveLetter:\i386\cwcwdm.sy_ C:\Windows\system32\drivers

Actually before you do that do this

Start > Run sfc /scannow

if that doesn't help
then copy the files from C:\Windows\system32\dllcache to where the files reside now.
If the OS doesn't allow you to overwrite these files then...

Inuse.exe: File-In-Use Replace Utility
http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp

How to Replace In-Use Files at Windows Restart
http://support.microsoft.com/default.aspx?scid=KB;en-us;181345
Actually the cwcwdm.sys is in the i386\Drivers.cab file. If you end up doing what I suggested in my first post then disregard the Expand command on this file and just open the cab file and pull out the cwcwdm.sys file.
ASKER CERTIFIED SOLUTION
sunray_2003

This solution is only available to members.
Yeah it might be the case Sunray but gabolinche did identify the System process as the original culprit. I would guess 90% of the time that when the System process is the culprit it is a driver or in this case two drivers are the cause of the problem. gabolinche is one of the few questioners here at EE that I have seen who knew to use the pviewer and pstat utilities to break down the System process to determine what drivers are involved.

The rasacd.sys is RAS Automatic Connection Driver
and cwcwdm.sys is Crystal ISA WDM Driver

I suppose it is possible that Spyware is hitting these drivers. I am more inclined if something other than corrupted drivers is involved to lean towards a virus.

Online Scanners

 Norton Web Services  
Go to this page and click on Scan for Viruses
http://security.symantec.com/ssc/vc_about.asp?j=1&langid=us&venid=sym&plfid=22&pkj=REODSKVYRMHCGVRVRMN

It needs to download a few files so as to activate the scan so you may see a message like this.

"The Scan for Viruses uses an ActiveX program to scan your computer. The download is approximately 1.5MB and can take about 10 minutes over a 28.8 modem.

The scan can take more than 20 minutes depending on the speed of your computer and the number of files that you have. Please do not browse away from this page unless you intend to abort the scan.
 
Downloading Scan for Viruses controls. Please wait...
 
During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.
 
Note: Scan for Viruses does not scan compressed files"
======================
 Trend Micro HouseCall        
www.housecall.antivirus.com
"Trend Micro's free online virus scanner
In order to better serve our customers, we ask HouseCall users to register before scanning their computer.  By registering, you will receive virus alerts from our team of Virus Doctors. You will be able to unsubscribe when you receive your first email. You can also scan without registering"
http://housecall.antivirus.com/housecall/start_corp.asp
======================

PC Pitstop Virus Scan
Our free Web-based virus scan uses Panda Software's award-winning technology and virus list. We're checking against the "wildlist," the roughly 200 viruses that are most prevalent in the world in a given month
http://www.pcpitstop.com/antivirus/default.asp
K K

How old is your computer? If it's old, did you open it and clean all the DUST away from the CPU head? Take a look inside your PC. I've had the same problems and after a lot of work, I opened the case and found the CPU filled with DUST which affected the FAN speed and made the system run at 100%
gabolinche

ASKER

Thanks CrazyOne,

I replaced the files with the original ones from the Windows 2000 CD but that didn't work... :(

The computer is about 2 years old and when I boot up in the command prompt safe mode it seems to work just fine, so I'm going to rule out the old, dust-filled computer problem.

Now I'm going for the virus problem. But you have to understand that the 100% cpu usage is making the computer completely unusable (it takes 20 minutes just to boot up to Windows 2000) so surfing the web to a virus-checking website or installing an antivirus is out of the question (it would take too darn long).

I tried booting from the Norton Antivirus 2000 CD but it doesn't recognize NTFS drives so it's useless. I booted in the command prompt safe mode and I'm running Norton from the command line. I hope something comes up...
Here see if this utility is any help. It shows what files are being used by what process

Note when you open the program go to the menu View and make sure there is a check mark next to View DLL's if there isn't then click on it.

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Some other process may be using it besides the System process
Oh and see if you can disable these drivers by booting to the Recovery Console and running these commands.

DISABLE rasacd
DISABLE cwcwdm

https://www.experts-exchange.com/questions/20776549/100-CPU-Usage-in-Windows-2000-System-Process.html
To start the Recovery Console, use any of the following methods:
Start your computer with the Windows 2000 Setup floppy disks, or with the Windows 2000 CD-ROM. At the "Welcome to Setup" screen, press F10, or press R to repair, and then C to start the Recovery Console.

....

DISABLE
disable servicename

The disable command disables a Windows 2000 system service or driver.

where servicename specifies the name of the service or driver to be disabled. Use the listsvc command to display all eligible services or drivers to disable. The disable command prints the old start type of the service before resetting it to SERVICE_DISABLED. Because of this, you should record the old start type, in case it is necessary to re-enable the service.

The start_type values that the disable command displays are:
SERVICE_DISABLED
SERVICE_BOOT_START
SERVICE_SYSTEM_START
SERVICE_AUTO_START
SERVICE_DEMAND_START
SOLUTION
This solution is only available to members.
Norton came up with nothing :(
But I had to use the old virus definitions that come in the CD...

I did a system repair with the Windows 2000 CD but didn't work...

I disabled the services just as you suggested but the problem persists! Darn, this thing has got me guessing too long now... I'm tempted to just reinstall Windows 2000 but the computer is not mine so I can't just delete all files.

I'm booting up (VERY slowly) and I will have to navigate to a virus-checking webpage and see what I can find. It's going to take forever but what the hell... I can't think of anything else...
I think you may have a piece of hardware running amuck

strip the machine down to just a mouse, keyboard, video adapter, one hard drive, and/or disable all on board devices not needed to run the OS.

If the problem isn't present any more then you know that one or more of the items removed is causing the problem.
Or you might think about doing a Parallel Installation to see if a fresh installation has the same issue.

HOW TO: Perform a Parallel Installation of Windows 2000
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;266465
I forgot to ask but does this happen in safe mode?
Oops never mind I see you already answered that.
Another thing to look at is disabling what is running at startup

Back up these registry keys and then delete all the items you see in the panel on the right

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Some other registry settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

or you can install one of these to view and disable startup items

MSCONFIG for Win 2000
http://www.insideproject.com/showguide.cfm?guideid=31
http://www.insideproject.com/downloads/msconfig2k/msconfig.zip

StartupCop
http://web.zdnet.com/pcmag/pctech/content/18/08/ut1808.007.html

StartStop
http://www.tfi-technology.com/downloads.htm

AutoRuns
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns

Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
and
StartupMonitor
http://www.mlin.net/StartupMonitor.shtml
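
Added example, not part of the original thread: a Python script that reads a regedit export of the startup keys listed above and returns each string value with its command, so the backup can be reviewed before anything is deleted and compared with a later export. The sample export and its paths are constructed, and the function names are this example's own.

```python
import re
# Autostart keys listed in the post above, lower-cased for comparison.
_CV = r"\software\microsoft\windows\currentversion"
RUN_KEYS = (
    "hkey_current_user" + _CV + r"\run",
    "hkey_local_machine" + _CV + r"\run",
    "hkey_local_machine" + _CV + r"\runservices",
    "hkey_local_machine" + _CV + r"\runonceex",
)
# "name"="string data"; backslash and double quote are backslash-escaped.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Constructed sample export (paths are made up), not data from the thread.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"tfswctrl"="C:\\Example\\tfswctrl.exe"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"NotAutostart"="ignored"
'''

def load_reg_text(raw):
    """Decode export bytes: REGEDIT4 is ANSI, Version 5.00 is UTF-16 LE with BOM."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", "replace")

def _is_run_key(key):
    k = key.lower()
    # RunOnceEx keeps its entries in subkeys, so accept subkeys too.
    return any(k == r or k.startswith(r + "\\") for r in RUN_KEYS)

def startup_entries(reg_text):
    """Return (key, value name, command) for each string value under a Run key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and _is_run_key(key):
            m = _VALUE.match(line)
            if m:
                entries.append((key,) + tuple(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))
    return entries

def new_entries(before_text, after_text):
    """Entries present in the later export but not in the backup."""
    before = set(startup_entries(before_text))
    return [e for e in startup_entries(after_text) if e not in before]
```

Binary and DWORD values are skipped on purpose, since startup commands in these keys are stored as strings.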
I don't know if it's relevant for you but I also had this 100% problem, I tried everything to get it down and ... no luck.

Then one day I decided to remove my old Adaptec SCSI card that I did not use anymore, after that everything was fine again.

Might have been a corrupted driver to that card, or the card itself.
try running the repair of win2k. often this will solve the problem without deleting any user installed files.
Finally it worked... I don't know exactly what did the trick.
I booted up in safe mode with network enabled, uninstalled all programs that were not indispensable, ran all of the trojan removers and spy-ware detectors that you people recommended and it finally booted up normally...

Probably must've been one of those programs I uninstalled or a spyware that was removed by the programs... Can't nail it in one specific reason because I did everything at once...

Thanks!
similar thing happened to me, over a few hours the system process crept up to 99% of cpu time, and the pc became impossibly slow, requiring a full restart to recover, repeat every 3 hours or so

solution in the end was to unplug the usb scanner - problem completely solved!!
I am going through the same problem now.  The Win2K kernel time is high (on the performance graph in the task manager).  Why would this happen even if no applications are open?  Any help is appreciated.
gabolinche can now probably answer this eh?
Bhagyesh Trivedi
I'm having the same problem with XP however I can't seem to be able to use pstat or performance monitor to identify which system process is using the CPU. pstat just seems to give the kernel time for normal processes not drivers. Am I missing something?
I have not heard of the pviewer and pstat command. I seem to have the same problem with the system task using all of the CPU. Would you mind explaining how to use these 2 commands?
use process explorer instead. it gives the same info. just search for process explorer
btw. The source of my problem turned out to be the IRDA adapter... even though nothing is connected to it. I discovered this by disabling the IRDA driver in the system manager
I've been having the same problem in XP. I've disabled all non essential programs, and that helped a little (System process went down from 90-99% to 60%). I looked in the device manager and noticed that I have two 1394 Network Adapters (no idea what they are) that were disabled. I uninstalled them and the system process went down to 0%, with the occasional spike to 1%.

Blackwood
watch viruses and spyware PROTECT your PC especially from internet attackers
I also had the same System Process at 99% problem and it turned out to be related to the USB controllers on the Asus A7N266-VM. I used Process Explorer, double clicked on the System Process and found the USB controllers to be the ones using all the CPU power.
In device manager I disabled all USB controllers and the CPU was free again. Idle process back to 97~99 as it is supposed to be.
Unfortunately I didn’t get the time to find out if it was a driver problem or a hardware problem (customer's system and they were in a hurry to leave once the CPU was normal again).
Moral is that this problem could very well be related to faulty hardware or hardware drivers and device manager (to disable hardware devices) might be a very good starting point to bring down the CPU load.
I had the same problem and have found the problem to be a failing hard drive.  I performed a scan disk which identified the bad sectors and moved the corrupt files allowing the system process to function properly.

Hopefully this helps for you.

Ace
I came across this issue today on a workstation running Win2k SP4.  The problem turned out to be related to a print job that was stuck in the queue.  I viewed printer status and deleted the job and the system process immediately went back to normal.  The printer was an Epson C62 and the job was of the format outbind://
I have unfortunately seen this problem on several of the NEW IBM T41s we have gotten at my company. We have done everything from reimaging to sending to IBM for them to put on a different image than the one it shipped with.  (That machine came back with new system board!!!)  I have no experience with the Process Manager program, but will use it in the future - how handy to have a tool to break down the processes more.  

Playing around with one of the affected laptops tonight points to a problem with one of the startup items.  I disabled about half of the startup items using msconfig and restarted.  Problem was gone.  Started adding back in the services and when I got to "tfswctrl", it went back to CPU at 100% usage and completely frozen.  That service is DLA and after multiple restarts without it in the startup I cannot reproduce the errors.  It looks like there is a new version of DLA that doesn't play nice. Will post again if it pops back up.  Thanks for all the great suggestions!