Windows 10 System (ntoskrnl.exe) using CPU when machine has been idle for a while

I noticed that my laptop's CPU starts getting used (maybe 15% usage?) and the CPU fan turns on, generally in the evening when my laptop has been idle for 5 minutes or so. The process using the CPU was System which doesn't tell me a lot so I decided to leave Process Explorer running and monitoring threads for System. It started using CPU again and this is what I found:

The thread eating the CPU after a few minutes of idle had the start address ntoskrnl.exe!RtlAvlRemoveNode+0x7ba0. So it seems pretty core to the system. Does anyone know what might be causing this and/or how I could further diagnose it? I don't like my CPU fan spinning up like this and I would like to stop the system doing this.

I even disabled all scheduled tasks that are triggered on idle (finding them with PowerShell Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" } | Select-Object TaskName, TaskPath, Triggers | Where-Object { $_.Triggers -match "MSFT_TaskIdleTrigger" }) and it still happens.

Jez

Posted 2018-10-10T18:44:50.630

Reputation: 2 612

Does this happen when booting in Safe mode? If it doesn't, you might use Autoruns to disable startup task in bunches until you find the problem one.

– harrymc – 2018-10-22T08:34:47.900

It's the NT kernel using the CPU; I doubt it's any startup task. – Jez – 2018-10-22T10:36:19.027

Try booting in Safe mode for the test. System can be many things. – harrymc – 2018-10-22T10:44:55.410

I dont think you caught all 'idle tasks" with that query. For example the infamous "RunFullMemoryDiagnostic" doesn't show. You can use the Windows Performance Toolkit to trace what it's doing. See https://superuser.com/questions/527401/troubleshoot-high-cpu-usage-by-the-system-process/1164299#1164299 for great examples by magicandre1981

– HoD – 2018-10-22T11:03:23.873

Although this doesn't address the underlying issue, if the CPU Fan spinning up is an issue, have you considered getting a fanless PC? – Stese – 2018-10-25T09:33:33.363

Jez - Try stopping and disabling the superfetch service from services.msc as mentioned in the directions in the Disable From Services section on that post. Afterwards to be thorough, reboot the machine and then check to see if you still have this problem. Additionally, from that same services.msc tool, stop and disable the Windows Search named service and then reboot, test, etc. To undo, simple enable those back from services.msc and then reboot, test, etc. Let me know if any of this help when you can.

– Pimp Juice IT – 2018-10-25T16:24:01.733

Jez, just wanted to know, did you manage to solve the problem? If so, which application was responsible for the cpu time drain? PS. And thanks for applying the bounty, glad you found my answer helpful. – Albin – 2018-10-26T18:40:55.050

The CPU usage hasn't happened for a week now. Next time it does I will try to figure out what was causing it with WPT. – Jez – 2018-10-26T20:43:38.273

Answers

The thread's start address mentions RtlAvlRemoveNode. This is a function called through the ntoskrnl.exe. Rtl stands for Run-Time Library so (most likely and without get further into it) it gets called through a native application (which would be, for example, the autochk program). If you want to know more about the background there's a lot of information on this site. However it's only the start address, it's not necessary this function that causes the CPU time usage. Press the "stack" button to see the full call stack or use 3rd party tools like ProcessThreadsView.

You have two basic options:

The trail and error approach: You disable applications for example through the Task Scheduler / Safe mode etc. hoping to disable the right application. (Applications could be the screensaver, defrag, search index, etc. most likely but not necessarly something that is triggered by the PC being idle)
The analytical approach: You run further analysis to pinpoint the problem for example by further analysing the thread in question or using "Windows Performance Toolkit" to further identify the application that causes the CPU usage

Since the analytical approach has quite a lot of overhead - knowledge wise - I would suggest the trail and error approach. Although it's just educated guessing it's most likely you are not the only one having the problem, so trying out most common solutions should be a good approach.

If you don't get anywhere by trail and error you will have to switch to a more analytical approach. As HoD suggested in his comment, Windows Performance Toolkit is a good next step here. Once you have more information or run into specific trouble you can further specify you're question so we'll be able to help you.

There is also the chance this behaviour is caused by something like malware, bugs, problematic updates etc. please take that into account, especially if you use the trail and error method.

Albin

Posted 2018-10-10T18:44:50.630

Reputation: 3 983

The subsystems being called that I can identify in your calls stack are :

MMCSS - mmcss.sys
DirectX 12 - dxgmms2.sys

One can see other low-level utility function calls, but we don't know who their callers are, so they do not add much information. The high-level subsystems clearly indicated here are MMCSS and DirectX 12:

Multimedia Class Scheduler service (MMCSS) : Enables multimedia applications prioritized access to CPU resources.
DirectX 12 : Windows software that works directly with your video and audio hardware.

It is therefore clear that what is taking your CPU is an application that has a graphical component. This GUI component might or might not be responsible for the CPU charge, but the important conclusion here is that the application in question does have a GUI.

A graphical application is never started by the Task Scheduler, so this is not the direction to go. You need to find a graphical application that is triggered by an idle condition.

The most obvious candidate is a screen-saver. I would suggest to turn it off as a test :

Right-click the desktop and choose Personalize > Lock screen > Screen saver settings, set (None) as the Screen saver and click OK.
You could instead in Control Panel > Power Option > Change plan settings, set "Turn off the display" to at least have a blank screen.

If that does not help, you will need to find another installed graphical application that does something different on idle.

harrymc

Posted 2018-10-10T18:44:50.630

Reputation: 306 093

Thanks, how do you come to the conclusion that "RtlSetOwnerSecurityDescriptor" uses a lot of CPU time? Maybe I overlooked s.th. but I can not see any indications for that?! – Albin – 2018-10-24T19:39:43.427

@Albin: As I said, I didn't, the poster did. I suggest we clean up our above comments before a moderator gets annoyed. – harrymc – 2018-10-24T20:18:24.737

Let us continue this discussion in chat.

– Albin – 2018-10-24T20:23:20.747

It's not a call stack; it's a dozen separate threads. The only one using significant CPU is the top one, in RtlAvlRemoveNode. The mmcss thread doesn't seem to be responsible for much CPU at all. – dave – 2018-10-24T23:08:32.740

The fact that the start address is RtlAvlRemoveNode + something does not necessarily mean we're executing in RtlAvlRemoveNode. That might just be the closest symbol available to ProcessExplorer. We could guess if we knew something but alas the screen image was too small. Is a wider image possible, capturing all of the +0x.... part? (An RTL AVL routine seems an unlikely thread-start) – dave – 2018-10-25T00:02:33.503

@dave thanks, "exactly" my point! :) You might want to put you're comment into instead of here though, I think there's a better chance to get a reply from the OP. – Albin – 2018-10-25T06:31:26.607

@dave: Low-level utility calls are not very useful for analysis, but the high-level subsystems clearly indicated are MMCSS and DirectX 12, both graphical in nature. It's clear that graphics are some part of the indicated program, and on this rests my answer. The rest is less important. – harrymc – 2018-10-25T08:16:32.710

@Albin: I have clarified my answer and taken out the parts that are debatable, but that were not really useful in any case. But my argument still stands. – harrymc – 2018-10-25T08:35:45.587

@harrymc what argument? you just stated an opinion, you haven't provided any reasons for you're conclusion (why "RtlSetOwnerSecurityDescriptor" uses a lot of CPU time). More important, you suggested not to continue this discussion here, which is a good point so I opened a chat. Would be nice if you could you're answers there. ;) PS. as Dave points out correctly the OP does not post any call stack (at least not in the current version of his question), but that's just semantic, and not important for me, so I didn't mention it before. – Albin – 2018-10-25T10:11:53.173

@harrymc PS. don't get me wrong, I appreciate all you're answers very much (they helped me quite a few times). I still would like to know you're reasons because I come to a different conclusion in this case. – Albin – 2018-10-25T10:19:03.843

@Albin: I think we had a magnificent misunderstanding and I hope the answer now is unequivocal. I didn't really understand why you were insisting on an unimportant detail. My fault for not wording it more exactly. Don't hesitate to insist when my answer is badly written, so long as the final result is a good answer, which I hope it is now thanks for your help. Your having a different opinion is the very attitude that enriches SU. – harrymc – 2018-10-25T10:37:22.883

@harrymc Sure thing. Actually there are a few points (eg. there's still no reason to choose your selected thread as the cause). But I would suggest we do that in the chat?! – Albin – 2018-10-25T11:37:39.890

@Albin: Thanks, but I prefer letting this post have a rest. With the information at hand, I can't do better. – harrymc – 2018-10-25T11:41:29.400

@harrymc Thanks, but if you offer to discuss you're answer it would be nice if you would stand by it. But in the end it's you're choice. It just would be nice, if you could correct the two errors in you're answer, so other users don't get confused. After all, you have a lot of reputation, and a lot of people trust you're answer. And thanks for all you're work so far! : ) – Albin – 2018-10-26T18:38:45.820

It's just the Windows 10 maintenance tasks that start up after the system has been idle for a while.

David Marshall

Posted 2018-10-10T18:44:50.630

Reputation: 6 698

2Erm, which tasks? How can I tell? How can I stop them from running? – Jez – 2018-10-10T19:53:34.230

See the Security and Maintence section on the old Control Panel (you have to search for it with Cortana). It will start up things like disk defrag, update cleanup etc. You would have to search through the Task Scheduler to disable what you don't want. https://docs.microsoft.com/en-gb/windows/desktop/TaskSchd/task-maintenence

– David Marshall – 2018-10-10T20:59:28.497

I disabled them and the problem still happens. – Jez – 2018-10-19T11:04:01.117