Windows 8.1 System process high CPU usage due to ntoskrnl.exe!KeRegisterBugCheckReasonCallback thread

0

On a Lenovo Yoga 2 Pro laptop, 8GB RAM, Intel Core i7, running Windows 8.1 I'm seeing the following. In situations of high system load (high CPU/memory usage), the System process starts using high CPU in addition to the CPU already used by other processes. This has been happening for at least a year.

Examples of the situations when this happens:

  • Many Google Chrome tabs open with the Developer Tools open for some of them
  • A Virtualbox virtual machine with 2-3GB RAM doing some heavy lifting on top of the usual browsers, background apps
  • A Java application using 1GB of RAM, 3GB of virtual memory using 100% of one CPU core on top of the usual browsers, background apps

The irony of the situation is that when the system is already under heavy load, the System process using more CPU causes even more of a slowdown.

Using Process Explorer I've been able to pinpoint the thread within System that uses high CPU to be ntoskrnl.exe!KeRegisterBugCheckReasonCallback. This is a function that should be called by drivers when a BSOD is happening (see this question). However in my case no BSOD happens.

The issue occurs even with no USB devices attached, so none of those can be the cause.

I've done a WPA trace when the issue occurred as explained in this question, screenshot below. This doesn't tell me much more than resources are used within ntoskrnl.exe with the nearest driver in the trail being fltmgr.sys. That doesn't help me a lot because it's not a specific driver that I can uninstall or upgrade.

Any pointers to further debug this are welcome!

Process Explorer for the System process while the issue is happening:

ntoskrnl.exe!KeRegisterBugCheckReasonCallback thread within System process

Process Explorer showing System CPU history

WPA trace:

WPA trace

WPA trace digging down

AronVanAmmers

Posted 2017-05-26T15:46:51.440

Reputation: 181

Question was closed 2017-05-29T19:08:43.177

1

You need to load debug symbols; I've explained this in my answer. Without symbols you see no function names.

– magicandre1981 – 2017-05-27T08:07:48.247

because you use Chrome, it could be the ntoskrnl.exe!MiZeroWorkerPages issue, here turning off HW acceleration in Chrome options can fix it. – magicandre1981 – 2017-05-27T08:08:51.020

1

"[...] KeRegisterBugCheckReasonCallback. This is a function that should be called by drivers when a BSOD is happening" This isn't correct. That function is called by drivers (and other kernel mode code) in case a BSOD happens. If a BSOD happens then the BSOD mechanism (KeBugCheck and its friends) will call each registered "callback" routine so that the driver(s) that registered them can add their private info to the dump file. It's still a problem in that nobody should be calling that over and over again. Drivers typically call it when they are loaded, i.e. once per boot. – Jamie Hanrahan – 2017-05-28T03:19:08.457

But...because you do not have symbols for Process Explorer either, any routine name at all in the threads display is a red herring! A proper thread function display would be e.g. ntoskrnl.exe!ExpWorkerThread, without an offset (the stuff after the + sign, like "+0x80C", is the offset). Nobody is going to create a thread and specify a start address of e.g. ExpWorkerThread+0x80C! It will always be a symbol with no offset at all. If you don't have symbols you can trust the module name but not the routine name. – Jamie Hanrahan – 2017-05-29T02:54:19.327
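As an added illustration of the point made in the comment above (this is not code from the question, from Process Explorer or from WPA), here is a small Python parser for thread start-address strings of the form `module!Routine+0xOFFSET` as the thread list displays them. It flags any entry that carries an offset, or has no routine name at all, as "module name only", since without symbols only the module part can be trusted, and it lists the modules that still need symbols loaded. The sample strings and their offsets are constructed for the example and are not taken from the question's screenshots.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Process Explorer / WPA render a thread's start address as one of
#   module!Routine            (symbols resolved exactly)
#   module!Routine+0xOFFSET   (address is OFFSET bytes past the nearest known symbol)
#   module+0xOFFSET           (no symbol at all, only the module is known)
_START_ADDR_RE = re.compile(
    r"^(?P<module>[^!+\s]+)"
    r"(?:!(?P<routine>[^+\s]+))?"
    r"(?:\+0x(?P<offset>[0-9A-Fa-f]+))?$"
)


@dataclass(frozen=True)
class ThreadStart:
    module: str
    routine: Optional[str]  # None when the display had no "!Routine" part
    offset: Optional[int]   # None when the display had no "+0x..." part

    @property
    def routine_name_is_reliable(self) -> bool:
        # A thread is created with a real routine address, never "Routine+0x80C".
        # An offset means the resolver only found the nearest *known* symbol below
        # the address, so the routine name is a guess; only the module is trustworthy.
        return self.routine is not None and self.offset is None


def parse_thread_start(text: str) -> ThreadStart:
    """Parse one start-address display string; raises ValueError on anything else."""
    m = _START_ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a module[!Routine][+0xOFFSET] string: {text!r}")
    off = m.group("offset")
    return ThreadStart(
        module=m.group("module"),
        routine=m.group("routine"),
        offset=int(off, 16) if off is not None else None,
    )


def triage(start_addresses: Iterable[str]) -> Dict[str, str]:
    """Map each display string to a verdict on how far it can be trusted."""
    verdicts: Dict[str, str] = {}
    for text in start_addresses:
        ts = parse_thread_start(text)
        if ts.routine_name_is_reliable:
            verdicts[text] = f"routine name reliable: {ts.module}!{ts.routine}"
        else:
            verdicts[text] = (
                f"module name only: {ts.module} "
                "(load symbols before trusting any routine name)"
            )
    return verdicts


def modules_needing_symbols(start_addresses: Iterable[str]) -> List[str]:
    """Modules whose threads could not be resolved to an exact symbol."""
    mods = set()
    for text in start_addresses:
        ts = parse_thread_start(text)
        if not ts.routine_name_is_reliable:
            mods.add(ts.module)
    return sorted(mods)


# Constructed sample display strings (offsets invented for illustration; the
# question's screenshots are not reproduced here).
SAMPLE_THREADS = [
    "ntoskrnl.exe!KeRegisterBugCheckReasonCallback+0x4F3",
    "ntoskrnl.exe!ExpWorkerThread",
    "fltmgr.sys+0x1A20",
]

if __name__ == "__main__":
    for text, verdict in triage(SAMPLE_THREADS).items():
        print(f"{text:55} -> {verdict}")
    print("modules to symbolize:", modules_needing_symbols(SAMPLE_THREADS))
```

The practical use is to paste the start-address column from the thread list into `SAMPLE_THREADS`: anything reported as "module name only" tells you which driver or kernel image to symbolize before drawing conclusions from the routine name.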

@magicandre1981 thanks, I had missed that critical part of your post. After several tries the symbols in WPA loaded and I was able to pin down the issue to an old driver from a software package I had already uninstalled. Have confirmed duplicate. Anyone searching for ntoskrnl.exe!KeRegisterBugCheckReasonCallback should find it by this question. – AronVanAmmers – 2017-05-29T19:07:53.350

Also thanks @JamieHanrahan for your note, I learned something new! – AronVanAmmers – 2017-05-29T19:08:32.813

Please share the ETL (compressed as 7z via OneDrive share link), I want to take a look at it on my own and add the result to my answer in the duplicate. – magicandre1981 – 2017-05-30T15:24:24.997

@magicandre1981 I would but don't have the ETL anymore :(. Deleted it when solved. And now I can't reproduce it anymore. Sorry! – AronVanAmmers – 2017-05-31T16:12:54.890

ok, if you see it again, capture a new trace and share it. – magicandre1981 – 2017-05-31T16:43:24.403

No answers