Solved

100% CPU Usage in Windows 2000, System Process

Posted on 2003-10-23
34
75,260 Views
Last Modified: 2011-08-18
I have an IBM ThinkPad PIII running Windows 2000 Professional. A couple of days ago it turned extremely slow. I opened the Task Manager and it shows a 100% CPU Usage, mostly (99%) by the System process.

I broke down the System process using the performance monitor, pviewer and pstat and I came up with two device drivers. There are two threads that are intermittently using 100% of the CPU (about 2 minutes for one thread, then it goes down and the other one goes up for another 2 minutes, and so on). The two threads point to rasacd.sys and cwcwdm.sys...

But now I'm stuck. What should I do in order to avoid this problem? I haven't installed any new hardware so I don't see why this suddenly started happening...

Thanks for your help.
0
Comment
Question by:gabolinche
34 Comments
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Here is what I am thinking. These drivers may have gotten corrupted and need to be replaced. I would suggest backing up these two files to a folder within the WINNT folder. Then do an expand.

Expand -r CDDriveLetter:\i386\rasacd.sy_ C:\Windows\system32\drivers
Expand -r CDDriveLetter:\i386\cwcwdm.sy_ C:\Windows\system32\drivers

0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Actually before you do that do this

Start > Run sfc /scannow

if that doesn't help
then copy the files from C:\Windows\system32\dllcache to where the files reside now.
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
If the OS doesn't allow to over write this files then...

Inuse.exe: File-In-Use Replace Utility
http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp

How to Replace In-Use Files at Windows Restart
http://support.microsoft.com/default.aspx?scid=KB;en-us;181345
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Actually the cwcwdm.sys is in the i386\Drivers.cab file if end up doing what I suggested in my first post then disregard the Expand command on this file and just open the cab file and pull out the cwcwdm.sys file.
0
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 300 total points
Comment Utility
I generally assume that cpu 100 % to be spyware issue .May be I am wrong

But just in case ..

Check  my comments in this thread

http://oldlook.experts-exchange.com/Operating_Systems/WinXP/Q_20773970.html

Sunray
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Yeah it might be the case Sunray but gabolinche did identify the System process as the original culprit. I would guess 90% of the time that when the System process is the culprit it is a driver or in this case two drivers are the cause of the problem. gabolinche is one of the few questioner here at EE that I have seen who knew to use the pviewer and pstat utilities to break down the System process to determine what drivers are involved.

The rasacd.sys is RAS Automatic Connection Driver
and cwcwdm.sys is Crystal ISA WDM Driver

I suppose it is possible that Spyware is hitting these drivers. I am more inclined if something other than corrupted drivers is involved to lean towards a virus.

Online Scanners

 Norton Web Services  
Go to this page and click on Scan for Viruses
http://security.symantec.com/ssc/vc_about.asp?j=1&langid=us&venid=sym&plfid=22&pkj=REODSKVYRMHCGVRVRMN

It needs to download a few file so as to activate the scan so you may see a message like this.

"The Scan for Viruses uses an ActiveX program to scan your computer. The download is approximately 1.5MB and can take about 10 minutes over a 28.8 modem.

The scan can take more than 20 minutes depending on the speed of your computer and the number of files that you have. Please do not browse away from this page unless you intend to abort the scan.
 
Downloading Scan for Viruses controls. Please wait...
 
During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.
 
Note: Scan for Viruses does not scan compressed files"
======================
 Trend Micro HouseCall        
www.housecall.antivirus.com
"Trend Micro's free online virus scanner
In order to better serve our customers, we ask HouseCall users to register before scanning their computer.  By registering, you will receive virus alerts from our team of Virus Doctors. You will be able to unsubscribe when you receive your first email. You can also scan without registering"
http://housecall.antivirus.com/housecall/start_corp.asp
======================

PC Pitstop Virus Scan
Our free Web-based virus scan uses Panda Software's award-winning technology and virus list. We're checking against the "wildlist," the roughly 200 viruses that are most prevalent in the world in a given month
http://www.pcpitstop.com/antivirus/default.asp
0
 
LVL 1

Expert Comment

by:cadnologist
Comment Utility
How old is your computer? If it's old did you open it and cleaned all the DUST away from the CPU head? Take a look inside your PC. i've had the same problems and after alot of work, i opened the case and found the CPU filled with DUST which effected the FAN speed and made the system run at 100%
0
 

Author Comment

by:gabolinche
Comment Utility
Thanks CrazyOne,

I replaced the files with the original ones from the Windows 2000 CD but that didn't work... :(

The computer is about 2 years old and when I boot up in the command prompt safe mode it seems to work just fine, so I'm going to rule out the old, dust-filled computer problem.

Now I'm going for the virus problem. But you have to understand that the 100% cpu usage is making the computer completely unusable (it takes 20 minutes just to boot up to Windows 2000) so surfing the web to a virus-checking website or installing an antivirus is out of the question (it would take too darn long).

I tried booting from the Norton Antivirus 2000 CD but it doesn't recognize NTFS drives so it's useless. I booted in the command prompt safe mode and I'm running Norton from the command line. I hope something comes up...
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Here see if this utility is any help. It shows what files are being use by what proccess

Note when you open the program go to the menu View and make sure there is a check mark next to View DLL's if there isn't then click on it.

Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Some other proccess may be using it besides the the System proccess
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Oh and see if you can disable these drivers by booting to the Recovery Console and running these commands.

DISABLE rasacd
DISABLE cwcwdm

http://www.experts-exchange.com/Applications/Q_20776549.html
To start the Recovery Console, use any of the following methods:
Start your computer with the Windows 2000 Setup floppy disks, or with the Windows 2000 CD-ROM. At the "Welcome to Setup" screen, press F10, or press R to repair, and then C to start the Recovery Console.

....

DISABLE
disable servicename

The disable command disables a Windows 2000 system service or driver.

where servicename specifies the name of the service or driver to be disabled. Use the listsvc command to display all eligible services or drivers to disable. The disable command prints the old start type of the service before resetting it to SERVICE_DISABLED. Because of this, you should record the old start type, in case it is necessary to re-enable the service.

The start_type values that the disable command displays are:
SERVICE_DISABLED
SERVICE_BOOT_START
SERVICE_SYSTEM_START
SERVICE_AUTO_START
SERVICE_DEMAND_START
0
 
LVL 44

Assisted Solution

by:CrazyOne
CrazyOne earned 200 total points
Comment Utility
If you can disable them then you should be able to use the online scanners and run the Spyware detector programs that Sunray posted.
0
 

Author Comment

by:gabolinche
Comment Utility
Norton came up with nothing :(
But I had to use the old virus definitions that come in the CD...

I did a system repair with the Windows 2000 CD but didn't work...

I disabled the services just as you suggested but the problem persists! Darn, this thing has got me guessing too long now... I'm tempted to just reinstall Windows 2000 but the computer is not mine so I can't just delete all files.

I'm booting up (VERY slowly) and I will have to navigate to a virus-checking webpage and see what I can find. It's going to take forever but what the hell... I can't think of anything else...
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
I think you may have a piece of hardware running amuck

strip the machine down to just a mouse, keyboard, video adapter, one hard drive, and/or disable all on board devices not needed to run the OS.

If the problem isn't present any more then you know that one or more of the items removed is causing the problem.
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Or you might think about doing Parallel Installation to see if a fresh installation has the same issue.

HOW TO: Perform a Parallel Installation of Windows 2000
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;266465
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
I forgot to ask but does this happen in safe mode?
0
 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Oops never mind I see you already answered that.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 44

Expert Comment

by:CrazyOne
Comment Utility
Another thing to look at is what is disabling what is running at startup

Backup these registry keys and the delete all the items you see in panel on the right

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Some other registry settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

or in can install one of these to view and disable startup items

MSCONFIG for Win 2000
http://www.insideproject.com/showguide.cfm?guideid=31
http://www.insideproject.com/downloads/msconfig2k/msconfig.zip

StartupCop
http://web.zdnet.com/pcmag/pctech/content/18/08/ut1808.007.html

StartStop
http://www.tfi-technology.com/downloads.htm

AutoRuns
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns

Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
and
StartupMonitor
http://www.mlin.net/StartupMonitor.shtml
0
 
LVL 8

Expert Comment

by:SNilsson
Comment Utility
I dont know if it's relevant for you but I also had this 100% problem, I tryed everything to get it down and ... no luck.

Then one day I desided to remove my old Adaptec SCSI card that I did not use anymore, after that everything was fine again.

Might have been a corrupted driver to that card, or the card itself.
0
 
LVL 9

Expert Comment

by:bhagyesht
Comment Utility
try running the repair of win2k. often this will solve the problem without deleting any user installed files.
0
 

Author Comment

by:gabolinche
Comment Utility
Finally it worked... I don't know exactly what did the trick.
I booted up in safe mode with network enabled, uninstalled all programs that were not indispensable, ran all of the trojan removers and spy-ware detectors that you people recommended and it finally booted up normally...

Probably must've been one of those programs I uninstalled or a spyware that was removed by the programs... Can't nail it in one specific reason because I did everything at once...

Thanks!
0
 

Expert Comment

by:shoishoi
Comment Utility
similar thing happened to me, over a few hours the system process crept up to 99% of cpu time, and the pc became impossibly slow, requiring a full restart to recover, repeat every 3 hours or so

solution in the end was to unplug the usb scanner - problem completely solved!!
0
 

Expert Comment

by:NagiNat
Comment Utility
I am going through the same problem now.  The Win2K kermel time is high (on the performance graph in the task manager).  Why would this happen even if no applications are open?  Any help is appreciated.
0
 
LVL 9

Expert Comment

by:bhagyesht
Comment Utility
gabolinche can now probably answer this eh?
Bhagyesh Trivedi
0
 

Expert Comment

by:djsq
Comment Utility
I'm having the same problem with XP however I can't seem to be able to use pstat or performance monitor to identify which system process is using the CPU. pstat just seems to give the kernal time for normal processes not drivers. Am I missing something?
0
 

Expert Comment

by:jeh3404
Comment Utility
I have not heard of the pviewer and pstat command. I seem to have the same problem with the system task using all of the CPU. Would you mind explaining how to use these 2 commands?
0
 

Expert Comment

by:djsq
Comment Utility
use process explorer instead. it gives the same info. just search for process explorer
0
 

Expert Comment

by:djsq
Comment Utility
btw. The source of my problem turned out to be the IRDA adapter... even though nothing is connected to it. I discovered this by disabling the IRDA driver in the system manager
0
 
LVL 1

Expert Comment

by:Dingus
Comment Utility
I've been having the same problem in XP. I've disabled all non essential programs, and that helped a little (System process went down from 90-99% to 60%). I looked in the device manager and noticed that I have two 1394 Network Adapters (no idea what they are) that were disabled. I uninstalled them and the system process went down to 0%, with the occasional spike to 1%.

Blackwood
0
 
LVL 1

Expert Comment

by:school1282
Comment Utility
watch viruses and spyware PROTECT your PC especially from internet attackers
0
 

Expert Comment

by:FlexyDemon
Comment Utility
I also had the same System Process at 99% problem and it turned out to be related to the USB controllers on the Asus A7N266-VM. I used Process Explorer, double clicked on the System Process and found the USB controllers to be the ones using all the CPU power.
In device manager I disabled all USB controllers and the CPU was free again. Idle process back to 97~99 as it is supposed to be.
Unfortunately I didn’t get the time to find out if it was a driver problem or a hardware problem (customers system and they were in a hurry to leave once the CPU was normal again).
Moral is that this problem could very well be related to faulty hardware or hardware drivers and device manager (to disable hardware devices) might be a very good starting point to bring down the CPU load.
0
 

Expert Comment

by:ace95
Comment Utility
I had the same problem and have found the problem to be a failing hard drive.  I performed a scan disk which identified the bad sectors and moved the corrupt files allowing the system process to function properly.

Hopefully this helps for you.

Ace
0
 

Expert Comment

by:sknick
Comment Utility
I came across this issue today on a workstation running Win2k SP4.  The problem turned out to be related to a print job that was stuck in the queue.  I viewed printer status and deleted the job and the system process immediately went back to normal.  The printer was an Epson C62 and the job was of the format outbind://
0
 

Expert Comment

by:Cammie83
Comment Utility
I have unfortunately seen this problem on several of the NEW IBM T41s we have gotten at my company. We have done everything from reimaging to sending to IBM for them to put on a different image than the one it shipped with.  (That machine came back with new system board!!!)  I have no expereince with the Process Manager program, but will use it in the future - how handy to have a tool to break down the processes more.  

Playing around with one of the affected laptops tonight points to a problem with one of the startup items.  I disabled about half of the startup items using msconfig and restarted.  Problem was gone.  Started adding back in the services and when I got to "tfswctrl", it went back to CPU at 100% usage and completely frozen.  That service is DLA and after multiple restarts without it in the startup I cannot reproduce the errors.  It looks like there is a new version of DLA that doesn't play nice. Will post again if it pops back up.  Thanks for all the great suggestions!
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
merging MP3 audio files 10 87
Citrix Elite issue 10 70
simple redial program 3 84
software license audit 6 41
In our personal lives, we have well-designed consumer apps to delight us and make even the most complex transactions simple. Many enterprise applications, however, are a bit behind the times. For an enterprise app to be successful in today's tech wo…
The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
The viewer will learn common shortcuts with easy ways to remember them. The viewer will then learn where to find all of the keyboard shortcuts, how to create/change them, and how to speed up their workflow.
Using Adobe Premiere Pro, the viewer will learn how to set up a sequence with proper settings, importing pictures, rendering, and exporting the finished product.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now