ntdll.dll!EtwTraceMessageVa+0x130 on Windows Server 2008 R2: high CPU usage

Hello Experts,

We have one Windows Server 2008 R2 server which is under monitoring. Every time, we get an alert that CPU usage is high for this server. I have checked the server and found that the Event Log service is taking high CPU (svchost.exe).

I have used Process Explorer to get the information. Below is the stack for the above service.

 ntoskrnl.exe!SeAccessCheckWithHint+0xb4a
ntoskrnl.exe!IoGetRequestorProcess+0x250
ntoskrnl.exe!ExfTryToWakePushLock+0x899
ntoskrnl.exe!KeStackAttachProcess+0x117f
ntoskrnl.exe!ObReferenceObjectByPointerWithTag+0x23b
wevtsvc.dll+0x7984
wevtsvc.dll+0x79f8
wevtsvc.dll+0xf231
wevtsvc.dll+0x22154
wevtsvc.dll!SvchostPushServiceGlobals+0x10eae
wevtsvc.dll+0x228fc
wevtsvc.dll+0x2271e
wevtsvc.dll+0x22f50
wevtsvc.dll+0x22ee0
wevtsvc.dll+0x22aaa
wevtsvc.dll!SvchostPushServiceGlobals+0xd9ed
wevtsvc.dll!SvchostPushServiceGlobals+0xd834
RPCRT4.dll!I_RpcGetBuffer+0x265
RPCRT4.dll!Ndr64AsyncServerCallAll+0x11ae
RPCRT4.dll!NdrServerCallAll+0x40
RPCRT4.dll!NdrServerCall2+0x1ba4
RPCRT4.dll!NdrServerCall2+0x1d06
RPCRT4.dll!NdrServerCall2+0x23f9
RPCRT4.dll!NdrServerCall2+0x209d
RPCRT4.dll!NdrDllCanUnloadNow+0x52f
RPCRT4.dll!NdrDllCanUnloadNow+0xe5
ntdll.dll!TpSetTimer+0x3eb
ntdll.dll!EtwTraceMessageVa+0x46f
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x21


What does this indicate? How will I find out which application/file is causing this?

I think I have explained the problem clearly. Please let me know if any other information is needed.

Thanks,

_Prashant_
Prashant Girennavar asked:

David (President) commented:
There is a Detail column. That says what is going on, how many bytes, etc. Your image is not showing that. Also, the Path column tells you the registry entry, which you also did not expand.

So look at those two columns, along with the Operation column, and see the registry entry or entries. Open them up with regedit, or at least look at the path (assuming it is registry I/O; can't tell without full details).

But you are so close to getting the information you need to see what process is screwing up. If you want to do it brute-force, start killing non-vital services while watching, and hopefully the messages will stop right after killing a service; then you have the offending program.
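Before reading Procmon columns by hand, it helps to know which svchost.exe instance actually hosts the Event Log service and which other processes are talking to it. The script below is an added example written for this thread, not code from the original posters or from Sysinternals. It assumes you run it as an administrator on the 2008 R2 box (PowerShell 2.0 era, so it uses Get-WmiObject rather than the CIM cmdlets); all function names are mine. It resolves the EventLog service PID, lists processes that have the event log client library wevtapi.dll loaded (the usual sign of a program that queries event logs through the modern API), and then samples CPU for the service host and those candidates so a client that polls the log in a loop stands out next to the service.

```powershell
# Added example (not from the original thread). Run elevated on the affected
# server. Narrows down which process is keeping the Event Log service busy.

# 1. Which svchost.exe instance hosts the EventLog service? (tasklist /svc
#    shows the same thing interactively.)
function Get-EventLogServicePid {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'"
    if (-not $svc) { throw "EventLog service not found" }
    return [int]$svc.ProcessId
}

# 2. Candidate clients: processes with the event log client library loaded.
#    advapi32.dll is loaded by nearly everything, so wevtapi.dll is the
#    useful filter; legacy readers that only use ReadEventLog are missed here.
function Get-EventLogClientCandidates {
    param([int]$ServicePid)
    $result = @()
    foreach ($p in Get-Process) {
        if ($p.Id -eq $ServicePid -or $p.Id -eq $PID) { continue }
        try {
            $mods = $p.Modules | ForEach-Object { $_.ModuleName }
        } catch {
            continue   # protected or other-bitness processes refuse module enumeration
        }
        if ($mods -contains 'wevtapi.dll') {
            $result += New-Object PSObject -Property @{
                Name = $p.ProcessName; PID = $p.Id; Path = $p.Path
            }
        }
    }
    return $result
}

# 3. Sample CPU over a short window from TotalProcessorTime deltas, normalised
#    to the core count so the figure matches what Task Manager reports.
function Measure-CandidateCpu {
    param([int[]]$Pids, [int]$Seconds = 10)
    $cores  = [int]$env:NUMBER_OF_PROCESSORS
    $before = @{}
    foreach ($id in $Pids) {
        try { $before[$id] = (Get-Process -Id $id -ErrorAction Stop).TotalProcessorTime } catch { }
    }
    Start-Sleep -Seconds $Seconds
    foreach ($id in $before.Keys) {
        try { $p = Get-Process -Id $id -ErrorAction Stop } catch { continue }
        $delta = ($p.TotalProcessorTime - $before[$id]).TotalSeconds
        New-Object PSObject -Property @{
            PID    = $id
            Name   = $p.ProcessName
            CpuPct = [math]::Round(100 * $delta / $Seconds / $cores, 1)
        }
    }
}

$svcPid = Get-EventLogServicePid
"EventLog service is hosted by svchost.exe PID $svcPid (co-hosted services share this CPU figure)"
$cands = @(Get-EventLogClientCandidates -ServicePid $svcPid)
if ($cands.Count -eq 0) {
    # Nothing loads wevtapi.dll: fall back to sampling every process.
    $pids = Get-Process | ForEach-Object { $_.Id }
} else {
    $cands | Format-Table Name, PID, Path -AutoSize
    $pids = @($svcPid) + ($cands | ForEach-Object { $_.PID })
}
Measure-CandidateCpu -Pids $pids -Seconds 10 |
    Sort-Object CpuPct -Descending | Select-Object -First 10 |
    Format-Table PID, Name, CpuPct -AutoSize
```

The CPU figure for the service PID covers every service sharing that svchost.exe group on 2008 R2, so read it as an upper bound. A monitoring agent that re-reads the log continuously should show steady CPU of its own in the same window; once you have a suspect PID, Procmon filtered to that PID confirms the pattern.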
David (President) commented:
You've probably got a poorly written program keeping the event logger busy by doing something in a loop. Go to the Microsoft Sysinternals site and look for Filemon. This utility will let you select a program and see which files it is reading/writing.

With such a utility you should be able to figure out which program is the culprit. Hopefully it wasn't written by a staffer or some commercial software you bought, rather than Microsoft.

(Note you can also ask Filemon to let you know when a program interacts with the DLL, as it isn't limited to data files.)
Prashant Girennavar (author) commented:
I think Filemon is not available for download from the Sysinternals site. It has been combined with Process Monitor.

Now I am using Process Monitor to find out the program which is taking high CPU, but I am unable to find which program from this tool.

Can you please tell me the procedure to find out the program which is taking this high CPU usage?

I just have a stack of the Event Log service from the Process Monitor tool. (I have posted the stack above in my question.)

Thanks,

_Prashant_
David (President) commented:
Process Monitor won't give you the files and specific read/write information. Darn, I used to even have a copy of the source code to Filemon somewhere.

Are you sure Filemon isn't there anymore? I think I loaded it on a server at the office only a few months ago.
Prashant Girennavar (author) commented:
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

I tried searching for that, but no luck. In the above link, they say it has been integrated into Process Explorer.

Please let me know how to proceed.

 Thanks,

 _Prashant_
Prashant Girennavar (author) commented:
I have installed Process Monitor. I found svchost.exe regularly accessing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers. I am not sure what this is all about.

Below is the screenshot.

[Screenshot: CPU High Usage]
Thanks,

_Prashant_
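The WINEVT\Publishers key is where the Event Log service keeps provider metadata (message file paths and the like), so seeing svchost.exe hit it repeatedly is consistent with the stack in the question: the service thread is inside an RPC server call (the NdrServerCall2 / Ndr64AsyncServerCallAll frames) answering a client's log query, and the registry reads are the service's own work, not the caller's. Procmon's Process column therefore names the busy subsystem, and the next question is who is sending all those requests. The script below is an added example for this thread, not code from the posters or from Sysinternals. It shows how to summarise a Procmon capture without clicking through the GUI: the capture commands use Procmon's own command-line switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) and are left as comments, and the embedded CSV is constructed sample data in Procmon's default export column layout so the script runs offline; the process and publisher names in it are placeholders, not from the page.

```powershell
# Added example (not from the original thread). Summarise a Process Monitor
# capture: which process issues registry operations under WINEVT\Publishers
# and which publisher subkeys are hit most.

# Unattended capture with Procmon's command-line switches (run elevated):
#   procmon.exe /AcceptEula /Quiet /Minimized /BackingFile C:\temp\cap.pml
#   Start-Sleep -Seconds 30
#   procmon.exe /Terminate
#   procmon.exe /OpenLog C:\temp\cap.pml /SaveAs C:\temp\cap.csv
# then replace the sample below with:  $events = Import-Csv C:\temp\cap.csv

# CONSTRUCTED sample in Procmon's default CSV export layout. "agent.exe" and
# the {publisher-guid-*} subkeys are placeholders, not data from the thread.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0001","svchost.exe","880","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{publisher-guid-A}","SUCCESS","Desired Access: Read"
"10:01:00.0002","svchost.exe","880","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{publisher-guid-A}\MessageFileName","SUCCESS","Type: REG_EXPAND_SZ"
"10:01:00.0003","svchost.exe","880","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{publisher-guid-A}","SUCCESS",""
"10:01:00.0010","agent.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{publisher-guid-A}","SUCCESS","Desired Access: Read"
"10:01:00.0011","agent.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{publisher-guid-A}\MessageFileName","SUCCESS","Type: REG_EXPAND_SZ"
"10:01:00.0020","svchost.exe","880","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{publisher-guid-B}","SUCCESS","Desired Access: Read"
"10:01:00.0030","explorer.exe","2200","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD"
'@

function Get-RegistryHotspots {
    param(
        [Parameter(Mandatory=$true)] [object[]]$Events,   # rows from Import-Csv / ConvertFrom-Csv
        [string]$PathFilter = '\WINEVT\Publishers\'
    )
    # Keep only registry operations under the key of interest; file, network
    # and process events in the same capture are ignored.
    $hits = @($Events | Where-Object {
        $_.Operation -like 'Reg*' -and $_.Path -like "*$PathFilter*"
    })
    # Per process: who is doing the registry work (Procmon attributes it to the
    # process executing the call, so the Event Log service shows up as svchost.exe).
    $byProcess = $hits | Group-Object 'Process Name', PID | Sort-Object Count -Descending |
        ForEach-Object { New-Object PSObject -Property @{ Process = $_.Name; RegOps = $_.Count } }
    # Per publisher: collapse value reads under the same subkey so one provider
    # being re-resolved over and over becomes visible.
    $byPublisher = $hits | ForEach-Object {
        if ($_.Path -match '(?i)\\WINEVT\\Publishers\\([^\\]+)') { $matches[1] } else { '(root)' }
    } | Group-Object | Sort-Object Count -Descending |
        ForEach-Object { New-Object PSObject -Property @{ Publisher = $_.Name; RegOps = $_.Count } }
    New-Object PSObject -Property @{ Total = $hits.Count; ByProcess = $byProcess; ByPublisher = $byPublisher }
}

$events = $sampleCsv | ConvertFrom-Csv
$report = Get-RegistryHotspots -Events $events
"$($report.Total) registry operations under WINEVT\Publishers"
$report.ByProcess   | Format-Table Process, RegOps -AutoSize
$report.ByPublisher | Format-Table Publisher, RegOps -AutoSize
```

On the sample this reports 6 operations: 4 from svchost.exe (PID 880) and 2 from agent.exe (PID 4120), 5 of them under {publisher-guid-A}. On a real capture, a non-svchost process appearing in the per-process table with wevtapi.dll-style publisher lookups of its own is a strong lead; if only svchost.exe appears, the caller is talking purely over RPC and has to be identified from the client side (which process is burning CPU alongside the service, or, as it turned out in this thread, a monitoring agent re-reading the logs).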
Prashant Girennavar (author) commented:
Can someone help me find out the program which is using the Event Log service heavily?

I know we have determined the cause: it is the Event Log service which is taking a high amount of CPU, but I am unable to determine what program is using it extensively.

Your help is much appreciated.

Thanks,

_Prashant_
Prashant Girennavar (author) commented:
The culprit was the Operations Agent from HP. OPCLE.exe was trying to read the event logs over and over.

We have applied the hotfix for OPCLE; now the issue is resolved.

Thanks for helping!

Regards,

_Prashant_
David (President) commented:
Glad to help.
Prashant Girennavar (author) commented:
This is due to HP Operations agent.