Win2k3 server running high system process

We have a Win2k3 SP2 file server that is running high on its System process. We experienced some dfsr.exe-related issues which appeared to clear up after restarting the DFS service; however, the CPU is still running high and Task Manager reports that the System process is fluctuating between 20 and 70 percent. What's the best way to troubleshoot this issue?
FREDARCE Asked:

Justin Owens (ITIL Problem Manager) Commented:
Sysinternals has a few very good tools... I would recommend looking at Process Monitor and Process Explorer.

DrUltima
FREDARCE (Author) Commented:
I've installed Process Explorer and it nicely breaks down all the subcomponents of the System process, but the numbers don't add up. Total CPU on the System process is about 55%, and there is one subprocess that uses about 10%, and occasionally another process will flash 3 or 4%.
Justin Owens (ITIL Problem Manager) Commented:
Make sure you have gone to

File... Show processes from all users....
FREDARCE (Author) Commented:
That option is only available in Task Manager. I am using Process Explorer, which doesn't have that option, although it appears to show all the processes.
Justin Owens (ITIL Problem Manager) Commented:
Process Monitor will give you a real-time readout of what your CPU is actually processing. It should yield information about errors in process which might be causing a mis-reporting. I would suggest starting that capture and seeing if you can determine a point of failure from there.

DrUltima

FREDARCE (Author) Commented:
I have installed KrView / Kernrate and it shows that intelppm.sys has the most hits in terms of percentage, but I'm still not so convinced on what's really happening?


Results for Kernel Mode:
-----------------------------

OutputResults: KernelModuleCount = 115
Percentage in the following table is based on the Total Hits for the Kernel

Time   106231 hits, 25000 events per hit --------
 Module                                Hits   msec  %Total  Events/Sec
intelppm                              46443     177328    43 %     6547612
ntoskrnl                              26945     177328    25 %     3798751
klif                                  15014     177328    14 %     2116698
hal                                    9795     177328     9 %     1380915
Ntfs                                   5831     177328     5 %      822064
fltMgr                                  667     177328     0 %       94034
tcpip                                   350     177328     0 %       49343
sis                                     229     177328     0 %       32284
win32k                                  198     177328     0 %       27914
NDIS                                    188     177328     0 %       26504
b57xp32                                 181     177328     0 %       25517
srv                                     164     177328     0 %       23120
cpqteam                                  71     177328     0 %       10009
storport                                 30     177328     0 %        4229
netbt                                    25     177328     0 %        3524
RDPDD                                    20     177328     0 %        2819
KSecDD                                   14     177328     0 %        1973
USBPORT                                  13     177328     0 %        1832
HpCISSs2                                 13     177328     0 %        1832
RDPWD                                     7     177328     0 %         986
ipsec                                     7     177328     0 %         986
Npfs                                      6     177328     0 %         845
afd                                       4     177328     0 %         563
usbehci                                   3     177328     0 %         422
USBSTOR                                   2     177328     0 %         281
rdbss                                     2     177328     0 %         281
usbuhci                                   2     177328     0 %         281
usbhub                                    1     177328     0 %         140
msiscsi                                   1     177328     0 %         140
termdd                                    1     177328     0 %         140
CLASSPNP                                  1     177328     0 %         140
PartMgr                                   1     177328     0 %         140
volsnap                                   1     177328     0 %         140
ftdisk                                    1     177328     0 %         140

================================= END OF RUN ==================================
============================== NORMAL END OF RUN ==============================
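
An added example, not part of the original thread: a small Python parser for the Kernrate kernel-mode table pasted above. It recomputes each row's %Total and Events/Sec from its hit count and lists the modules holding at least 5% of the samples. The function names and the 5% threshold are assumptions made for this illustration.

```python
import re

# Excerpt of the Kernrate kernel-mode table quoted in the post above.
SAMPLE = """\
Time   106231 hits, 25000 events per hit --------
 Module                                Hits   msec  %Total  Events/Sec
intelppm                              46443     177328    43 %     6547612
ntoskrnl                              26945     177328    25 %     3798751
klif                                  15014     177328    14 %     2116698
hal                                    9795     177328     9 %     1380915
Ntfs                                   5831     177328     5 %      822064
fltMgr                                  667     177328     0 %       94034
"""
HEADER = re.compile(r"^Time\s+(\d+) hits, (\d+) events per hit")
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+) %\s+(\d+)\s*$")


def parse_kernrate(text):
    """Return (total_hits, events_per_hit, rows) for one module table."""
    total = per_hit = None
    rows = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            total, per_hit = int(m[1]), int(m[2])
        elif m := ROW.match(line):
            hits, msec, pct, rate = map(int, m.groups()[1:])
            rows.append({"module": m[1], "hits": hits, "msec": msec,
                         "pct": pct, "events_per_sec": rate})
    if total is None:
        raise ValueError("no 'Time ... hits' header line found")
    return total, per_hit, rows


def inconsistent_rows(total, per_hit, rows):
    """Modules whose %Total or Events/Sec do not follow from their hits."""
    bad = []
    for r in rows:
        pct = r["hits"] * 100 // total                  # table truncates
        rate = r["hits"] * per_hit * 1000 // r["msec"]  # msec -> per second
        if (pct, rate) != (r["pct"], r["events_per_sec"]):
            bad.append(r["module"])
    return bad


def top_modules(total, rows, min_pct=5.0):
    """(module, share) pairs holding at least min_pct of all hits, largest first."""
    shares = [(r["module"], round(r["hits"] * 100 / total, 1)) for r in rows]
    return [s for s in sorted(shares, key=lambda s: -s[1]) if s[1] >= min_pct]
```

Run against the full table from the post, `top_modules` returns the same five modules, since every remaining row is under 1% of the hits.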
FREDARCE (Author) Commented:
Actually, the System process is no longer running high. KB941838 has fixed the issue.

Thanks
FREDARCE (Author) Commented:
I ultimately found the solution, but the recommendation to use Sysinternals was the key.