ntoskrnl.exe!_misaligned_access eats a lot of CPU when idle

5

3

Please advise what might be causing the unnecessary cpu use described below.

Symptoms:

  • When the computer is left idle, a system process starts to eat about 30% of the CPU. If any key is pressed or the mouse moved, this stops in a second. This is annoying, since this is a rather thin notebook, and the cooling is not designed for sustained high CPU usage and gets loud.
  • Does not happen when on battery.
  • Does not seem to be related to antivirus or indexing reladted stuff, since they have their easily distinguishable processes.

What I found so far:

  • The process is System, the PID is always 4, the description is NT Kernel and System.

  • When examining this process with Process Hacker (right click/properties, then Threads tab), it turns out, that there is a thread in it called ntoskrnl.exe!_misaligned_access+0x3f0 which is responsible for all of this unnecessary CPU usage. The same can be found with other process explorer applications. The address in the process' name changes every reboot, but stays the same between them.

    • Actually, there are mutliple threads with these properties, but always the same does use the CPU (same PID).

    • Right click and inspect gives this stack for this thread

      0, ntoskrnl.exe!KeIsAttachedProcess+0x92e

      1, ntoskrnl.exe!KeWaitForMultipleObjects+0x140f

      2, ntoskrnl.exe!KeWaitForMultipleObjects+0xcb9

      3, ntoskrnl.exe!_misaligned_access+0x5fd

      4, ntoskrnl.exe!RtlGetCompressionWorkSpaceSize+0x1f0

      5, ntoskrnl.exe!KeSynchronizeExecution+0x59d6

  • There is a Handles tab in the same process' properties window. There is this row, which might be connected the thread above, since the handle is the same as the address in the misbehaving thread:

    • Type: SymbolicLink, Name: \GLOBAL??\USB#VID_8087&PID_8000#5&47f868&0&1#{f18a0e88-c30c-11d0-8815-00a0c906bed8}, Handle: 0x3f0

  • Looked up the device (VID 8087 and PID 8000) in device manager, and it is Intel Generic USB Hub

  • I have no further idea what to look for.

Environment details:

  • Dell E7440, with some of Dell's tons of software installed. I know, that the problem might be that some component/driver is missing, but I still do not want to install all of the possible listed stuff. Device manager does not show any devices with no drivers.
  • Windows 8.1 Enterprise 64 bit, not hacked, with all possible updates. Installed about a month ago from official iso, not much crap is installed on it, no errors or BSODs since then.
  • No antivirus, besides windows' built in Security Essentials.

Alex Biro

Posted 2015-05-25T09:40:22.920

Reputation: 153

no, this is definitely something else. use xperf to trace the CPU usage: http://pastebin.com/pgE11HRD

– magicandre1981 – 2015-05-25T15:31:04.737

Thank you for the reply. Do I have any means to schedule this? Since for the first 3-5 minutes, only normal idling would be recorded, the interesting stuff would come after that. – Alex Biro – 2015-05-25T15:41:17.120

Never mind, I'll try to create a batch file and get back when I was able to catch something. – Alex Biro – 2015-05-25T16:03:41.473

simply start it. I limit the file size to 1GB so that it includes the last 2 minutes of activity. So when you notice the issue again, wait a bit and stop the trace. – magicandre1981 – 2015-05-26T04:12:55.367

does it work? Were you able to capture the CPU usage into a trace? – magicandre1981 – 2015-05-26T17:26:19.823

thanks for the followup, and yes, finally. Now that I have the tool to track it, misaligned access misbehaved much less frequently, I have no idea why. Anyway, here's the trace https://www.dropbox.com/s/lkgju3hfvq6p7l2/HighCPUUsage_20150527_0610.zip?dl=0 (90 megs zipped). From this, it seems, that yet it might be related to msmpeng.exe antimalware thingy, since they don't occur separately, but I don't really know how to use the Performance Analyzer. I'll leave the pc idle for some time to let the antimalware service do it's regular checks and do a trace after it seems finished.

– Alex Biro – 2015-05-27T04:32:42.800

At the end of this trace, there's clearly only the System process with PID #4 which generates considerable CPU usage https://www.dropbox.com/s/p9gtv3obizq2sfi/HighCPUUsage_20150527_0730.zip?dl=0 Can you suggest what to look for in the trace and where?

– Alex Biro – 2015-05-27T06:40:43.683

I posted an answer. – magicandre1981 – 2015-05-27T17:39:31.210

Answers

4

The CPU usage is by design. It comes from the function ntoskrnl.exe!RtlScrubMemory / ntoskrnl.exe!RtlpGenericRandomPatternWorker / ntoskrnl.exe!RtlpTestMemoryRandomUp.

enter image description here

This function write random patterns to the RAM to test the RAM for errors. Windows does this during the Idle Maintenance task to optimize Windows (cleanup of WinSxS, optimizing .net files with ngen)

Run the Task Scheduler, go to Microsoft -> Windows -> Task Scheduler, select Idle Maintenance,

enter image description here

do a right click and select disable.

enter image description here

magicandre1981

Posted 2015-05-25T09:40:22.920

Reputation: 86 560

Still I am not sure whether it is wise to disable all of those feature you mentioned carried out by this task, they might be actually useful, and also I noticed that the antimalware service is started by this. So I'll do some further googling about disabling only the memory scrubbing feature, and also will try to schedule the task to run 1-2 times a day only. I tried starting it manually, and the memory scrubbing feature did not kick in when the computer was not idle, and also, there was not other noticeable performance degradation while it was running. – Alex Biro – 2015-05-28T19:45:46.677

Just a followup: the service has to be disabled after a reboot (luckily that happens pretty rarely), because the tasks get enabled during a boot. Also, the other scheduled task called "Regular Maintenance" also triggers this feature, so it has to be disabled too. Sometimes I leave them running for a while so that If these tasks trigger some actually useful processes, these processes can do their jobs too. – Alex Biro – 2015-07-06T14:25:17.897

2

Unfortunately I didn't have this setting in Task scheduler so I didn't have anything to disable. (I'm on Windows 10 b1607)

But what actually helped is adding a DWORD value MaintenanceDisabled with value 1 to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance

After this my idle CPU usage stopped being high.

You can see more details here: https://www.tenforums.com/tutorials/40119-enable-disable-automatic-maintenance-windows-10-a.html

Renesis

Posted 2015-05-25T09:40:22.920

Reputation: 161

Asked: 2015-05-25T09:40:22.920

Viewed: 11 824 times

Active: 2017-10-09T09:15:25.797