d_melnyk
High CPU usage by "System" process

Hi Folks:

   I have a Windows XP pro system (SP2) which seems to have 86% plus CPU usage by the "System" process at all times - even with no other programs running. Under Task manager another "System" entry seems to pop up and then disappear about every couple of seconds. There also seems to be constant network activity of a few packets about every couple of seconds.

I have run antivirus programs and anti-adware programs to no avail ... (Norman anti-virus has been running constantly, and Spybot S&D (resident), and I also tried Ad-Aware).

Any thoughts on what is going on or how to find the "pest" that may have infected this system would be greatly appreciated.

Best regards, Dave Melnyk
maramom

Hi Dave,
Try ewido: http://www.ewido.net/en/
SOLUTION
trueluck3

ASKER

Mike:

   Thanks for the input ... I am not using "Norton" but "Norman Data Defense" - I know that symantec's Norton product causes all kinds of grief. I'll try ditching other anti-spyware items etc.

Dave
Have you tried Ewido?

If the problem isn't malware, it may be drivers competing for interrupt requests. Check your system event log to see if there are any errors.
Get Process Explorer from Sysinternals and you can look more closely at the System process. This will show which threads are using up the CPU.
SOLUTION
I got process explorer and checked things out - seems that ACPI.SYS is the item that is eating about 50% of the CPU usage - not sure what this means...

regards, Dave Melnyk
Just another quick note -- it seems that the DPCs (deferred procedure calls) are also using a lot of CPU time, 30 to 50% at times.

 Also checked the system event log - it seems that there have been some errors detected by the driver on hard disk 1 - is this a sign that the drive is failing, and could this be the cause of the high CPU usage?

Regards,... Dave Melnyk
SOLUTION
Your 2nd hard drive (1) could be failing. That's probably where you should start. Do diagnostics on the drive, and back up the data. If the system is trying to read from the drive and having trouble accessing it, it can lock up and spike the cpu.
If you want to simply disconnect the drive temporarily to see if there's a change in cpu usage, try it.
You can get diagnostics for your drive from the manufacturer, or use the Ultimate Boot CD: http://www.ultimatebootcd.com/
Although hard drive warnings can cause concern, there can be other reasons, such as faulty ide/sata cables or cables and power connections not firmly attached, and even ide/sata channel faults on the motherboard. Or it can just be a matter of using chkdsk to fix errors. This may not be the problem, but, it's important to rule out a problem with the hard drive with the diagnostics.
I agree a faulty driver can do this, try running sfc /scannow from the run box
Hi guys:

    I ran sfc /scannow - it turned up nothing. I downloaded and ran Ewido - it found a few tracking cookies but other than that, nothing major. I disabled hard disk 1 - it is in a drive tray - and the problem still seems to exist with high CPU usage in the "System" item. By the way, the "analysis" portion of Ewido shows 2 "System" processes running - one with a PID (not sure what that is) of 0 and another with a PID of 4. I am about to try checking all cables etc. to see if this is an issue.

Regards, Dave Melnyk
nobus
you can disconnect or disable devices to test from a hard point of view.
For the soft side, disable programs at startup :
in the run box, type msconfig + enter
in the startup tab, click disable all
in the services tab, click hide MS services, then click disable all.
Now reboot and test
Now that the hard disk is disabled, are there any errors in the event logs?
This might be because of the "firewall".

Check the firewall settings in Start->Settings->Control Panel. Disable the firewall settings and check the CPU utilization.
Hi Guys:

   I disabled all items in startup with msconfig - no difference - also disabled hard disk 1 and still no difference. Also changed out the IDE cable to a known good cable - still the same problem. Haven't had a chance to check event logs regarding drive errors with hard disk 1 disabled but will try later. For the moment I am reinstalling XP on another drive in the same system - so far it seems to be operating normally - CPU usage just sitting there is 98% for System Idle and only about 1% for the "System" entry.

I'll put the old drive back in later (the joy of drive trays) and check the logs.

Regards, Dave
This sounds like a bug to me. Ewido catches what spybot may miss, but it sounds like you need a heavy-duty virus scan. Try one (or more) of the online scans.

Corrupted drivers can create problems with interrupt requests, so updating all drivers (from Manufacturer) may be your fix. Try the scans, first.
you can also run sfc /Scannow from the run box - may help too
An update for all those helping out ...

   I am now scanning with bit defender web scan - but looks like it will take over 13 hours to finish! (174,000 plus files to scan...).
I had downloaded and installed AWSPS (Atelier Web Security Port Scanner) as I had noticed that I had constant network activity on the system. It indicates that the local machine (IP 192.168.0.2) has a connection established with my router at 192.168.0.1:5678. The local address "port" number is incrementing approximately every second to two seconds ... Not sure how to interpret this, but it certainly looks suspicious, as if something is trying to get in or out. I set the router to block port 5678 to all traffic, but the incrementing of the port number continues - occasionally the "connection" with the 5678 port on 192.168.0.1 is lost, but it is quickly re-established and the local address continues to increment through the ports (TCP connection according to AWSPS). If anyone has any info on what this may mean or how to interpret this info I could really use the help.

Best regards, Dave Melnyk
Sounds like you may have a rootkit.
Get this http://skads.org/special/rkfiles.zip
Unzip it to a folder, then reboot into safe mode and run the batch file it contains. It takes a little while, so be patient. When finished it will display a text file of the hidden files that are running. Ignore the defrag entry if it's there. NOT ALL THE ENTRIES WILL BE BUGS. Post the contents here first so we can verify what they are.
SOLUTION
Hi Guys:
   here are the results:

C:\rootkit
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\system32\Stamin32.Tlb: +]FileSpec2WWW
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

I know that the Stamin32.tlb file is legit - it is part of the Stamina toolkit that I use for development (unless something has corrupted the file - not sure what the "+]FileSpec2WWW" means).

regards, Dave Melnyk
ASKER CERTIFIED SOLUTION
Peregian:

   Downloaded IceSword and ran it ... the 192.168.0.2:5678 entry lists "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" as the path name. There are a number of other items with the same path name - checked the PID for that item and killed it in Task Manager - seems to have gotten rid of the constant network activity, but CPU usage is still 100%. Not sure what this means ...

Dave
Do you have a HP printer? They install a java package that uses that port.
Peregian:

   No HP printer.

Dave
Can you reboot so all processes are running and open icesword at the port page then go to dump--current list and post contents
Here is the dump from IceSword:

Port:

Protocol  Local Address           Foreign Address         State               PID       PathName
TCP       192.168.0.2 : 1259      192.168.0.1 : 5678      ESTABLISHED         948       C:\WINDOWS\System32\SVCHOST.EXE
TCP       192.168.0.2 : 1252      192.168.0.143 : 139     TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4454      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4450      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4446      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4455      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4447      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4451      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4448      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4452      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4449      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4453      TIME_WAIT           0         ----
TCP       0.0.0.0 : 2868          0.0.0.0 : 0             LISTENING           760       C:\Norman\BIN\Njeeves.exe
TCP       127.0.0.1 : 1032        0.0.0.0 : 0             LISTENING           1752      C:\WINDOWS\System32\alg.exe
TCP       0.0.0.0 : 445           0.0.0.0 : 0             LISTENING           4         NT OS Kernel
TCP       0.0.0.0 : 135           0.0.0.0 : 0             LISTENING           884       C:\WINDOWS\System32\SVCHOST.EXE
TCP       0.0.0.0 : 2869          0.0.0.0 : 0             LISTENING           1236      C:\WINDOWS\System32\SVCHOST.EXE
TCP       192.168.0.2 : 139       0.0.0.0 : 0             LISTENING           4         NT OS Kernel
UDP       192.168.0.2 : 137       * : *                                       4         NT OS Kernel
UDP       0.0.0.0 : 1124          * : *                                       1040      C:\WINDOWS\System32\SVCHOST.EXE
UDP       0.0.0.0 : 500           * : *                                       648       C:\WINDOWS\System32\LSASS.EXE
UDP       0.0.0.0 : 1125          * : *                                       1040      C:\WINDOWS\System32\SVCHOST.EXE
UDP       192.168.0.2 : 138       * : *                                       4         NT OS Kernel
UDP       192.168.0.2 : 123       * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
UDP       127.0.0.1 : 123         * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
UDP       192.168.0.2 : 1900      * : *                                       1236      C:\WINDOWS\System32\SVCHOST.EXE
UDP       127.0.0.1 : 1900        * : *                                       1236      C:\WINDOWS\System32\SVCHOST.EXE
UDP       0.0.0.0 : 4500          * : *                                       648       C:\WINDOWS\System32\LSASS.EXE
UDP       0.0.0.0 : 445           * : *                                       4         NT OS Kernel
UDP       127.0.0.1 : 1040        * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
RAW       ---                     ---                     ---                 4         NT OS Kernel
RAW       ---                     ---                     ---                 4         NT OS Kernel
RAW       ---                     ---                     ---                 648       C:\WINDOWS\System32\LSASS.EXE

I also checked with tasklist - i.e. Tasklist /v /fi "PID EQ 948"

and got the following:

Image Name   PID  Session Name  Session#  Mem Usage  Status   User Name            CPU Time  Window Title
SVCHOST.EXE  948  Console       0         16,184 K   Running  NT AUTHORITY\SYSTEM  0:00:09   N/A

Not terribly meaningful.

Regards, Dave
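The socket table above can be triaged mechanically rather than by eye. The Python script below is an added example for this thread, not a tool from any of the posts: it parses the IceSword port dump copied from the post above (abridged: the RAW rows and the duplicate loopback UDP rows are dropped) and answers the three questions the thread is circling: is anything ESTABLISHED to a peer outside the LAN, what does each svchost PID actually serve, and is the churn on port 2869 inbound or outbound. The PORT_NAMES table and the inbound/outbound heuristic (a TIME_WAIT row whose local port is also a LISTENING port was an inbound connection) are my assumptions, not something the posts state.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Copied from the IceSword dump posted above (abridged). Columns:
# proto, local addr : port, foreign addr : port, state (TCP only), PID, path.
ICESWORD_DUMP = r"""
TCP       192.168.0.2 : 1259      192.168.0.1 : 5678      ESTABLISHED         948       C:\WINDOWS\System32\SVCHOST.EXE
TCP       192.168.0.2 : 1252      192.168.0.143 : 139     TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4454      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4450      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4446      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4455      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4447      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4451      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4448      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4452      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4449      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4453      TIME_WAIT           0         ----
TCP       0.0.0.0 : 2868          0.0.0.0 : 0             LISTENING           760       C:\Norman\BIN\Njeeves.exe
TCP       127.0.0.1 : 1032        0.0.0.0 : 0             LISTENING           1752      C:\WINDOWS\System32\alg.exe
TCP       0.0.0.0 : 445           0.0.0.0 : 0             LISTENING           4         NT OS Kernel
TCP       0.0.0.0 : 135           0.0.0.0 : 0             LISTENING           884       C:\WINDOWS\System32\SVCHOST.EXE
TCP       0.0.0.0 : 2869          0.0.0.0 : 0             LISTENING           1236      C:\WINDOWS\System32\SVCHOST.EXE
TCP       192.168.0.2 : 139       0.0.0.0 : 0             LISTENING           4         NT OS Kernel
UDP       192.168.0.2 : 137       * : *                                       4         NT OS Kernel
UDP       0.0.0.0 : 500           * : *                                       648       C:\WINDOWS\System32\LSASS.EXE
UDP       192.168.0.2 : 123       * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
UDP       192.168.0.2 : 1900      * : *                                       1236      C:\WINDOWS\System32\SVCHOST.EXE
UDP       0.0.0.0 : 4500          * : *                                       648       C:\WINDOWS\System32\LSASS.EXE
"""

# Assumed IANA service names for the ports in the dump. 2869 (icslap) is the
# port the Windows UPnP Device Host listens on; 1900 is SSDP discovery.
PORT_NAMES = {123: "ntp", 135: "msrpc", 137: "netbios-ns", 139: "netbios-ssn",
              445: "microsoft-ds", 500: "isakmp", 1900: "ssdp",
              2869: "icslap/upnp", 4500: "ipsec-nat-t"}


@dataclass
class Sock:
    proto: str
    local_host: str
    local_port: str      # kept as str: UDP foreign side is "*"
    foreign_host: str
    foreign_port: str
    state: str           # "" for UDP rows
    pid: int
    path: str


def parse_dump(text):
    """Tokenise the whitespace-separated table; UDP rows lack the state column."""
    socks = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or t[0] not in ("TCP", "UDP"):
            continue
        proto, lh, lp, fh, fp = t[0], t[1], t[3], t[4], t[6]
        if proto == "TCP":
            state, pid, path = t[7], int(t[8]), " ".join(t[9:])
        else:
            state, pid, path = "", int(t[7]), " ".join(t[8:])
        socks.append(Sock(proto, lh, lp, fh, fp, state, pid, path))
    return socks


def is_local(host):
    """Wildcard, loopback, link-local or RFC 1918: not an off-LAN peer."""
    if host in ("*", "0.0.0.0"):
        return True
    ip = ipaddress.ip_address(host)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def external_established(socks):
    """ESTABLISHED TCP sessions to a peer outside the LAN: the beaconing
    signature to look for first when 'constant network activity' is reported."""
    return [s for s in socks if s.proto == "TCP" and s.state == "ESTABLISHED"
            and not is_local(s.foreign_host)]


def listeners_by_pid(socks):
    """PID -> sorted (proto, port, name) of sockets it has bound, so an unknown
    svchost instance can be judged by the services it is actually hosting."""
    out = {}
    for s in socks:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        port = int(s.local_port)
        out.setdefault(s.pid, set()).add((s.proto, port, PORT_NAMES.get(port, "?")))
    return {pid: sorted(v) for pid, v in out.items()}


def inbound_churn(socks):
    """(local port, peer) -> number of TIME_WAIT rows where the local port is one
    we LISTEN on. Many rows from one peer with consecutive source ports means the
    peer keeps connecting to us; it is not this host calling out."""
    listening = {int(s.local_port) for s in socks
                 if s.proto == "TCP" and s.state == "LISTENING"}
    return Counter((int(s.local_port), s.foreign_host) for s in socks
                   if s.proto == "TCP" and s.state == "TIME_WAIT"
                   and int(s.local_port) in listening)


def triage(text):
    socks = parse_dump(text)
    return {"external": [(s.foreign_host, s.foreign_port, s.pid)
                         for s in external_established(socks)],
            "listeners": listeners_by_pid(socks),
            "churn": dict(inbound_churn(socks))}


if __name__ == "__main__":
    for key, value in triage(ICESWORD_DUMP).items():
        print(key, value)
```

On this dump the script finds no ESTABLISHED session to a non-LAN address, PID 1236 bound to 1900/udp and 2869/tcp (the UPnP pair), and ten TIME_WAIT rows on local port 2869 all from 192.168.0.1, i.e. the router repeatedly connecting in to the UPnP service rather than the PC calling out. On a live XP host the same columns (minus the path) come from `netstat -ano`, and `tasklist /svc /fi "PID eq 948"` lists which services that svchost instance hosts, which the `tasklist /v` output above does not show.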
That looks clean no external connections and the 5678 port is connecting to the gateway, I wonder if it could be universal plug and play if the port keeps incrementing. I think we'll have to go back to faulty driver. I've got to go out and do a couple of jobs so I'll be back in a few hours.
Hi folks:

   I'm beginning to think the problem is hardware - I just did a clean load of Windows XP on a new drive in this system as a test and the problem has occurred again. Given that I seem to have constant network activity, I think it may be a bad NIC (or one that is about to fail). I am going to replace it with another one and see if the problem resolves itself.

Did you install updated drivers?
Have you also tried windows updates. I have seen it once and windows updates fixed it.
hi folks:

   Just an update.... it appears it was motherboard hardware starting to fail. Couldn't upgrade memory on the system without it going nuts - failing to boot, rebooting etc. Changed out power supply, all cards, memory and even the processor - but the weirdness remained - in the end, new motherboard and processor and memory - the $600.00 fix!

Thanks to all who offered advice - I will award split points to those that hung in there trying to help solve this - also some great diagnostic programs and links .. thanks again

Dave Melnyk