对“系统”进程的 CPU 使用率高进行故障排除

Question

我注意到从一段时间以来我的系统冻结了，这可能是由系统进程引起的高 CPU 使用率引起的。

我运行的所有应用程序都是 Skype、TeamSpeak 和 Chrome，所以它绝对不应该占用那么多 CPU。

您可以在下面的屏幕截图中看到问题本身和正在运行的进程：

有时 CPU 使用率达到 90%，但平均使用率约为 40-65%。

我的电脑参数：

• Windows 8（客户预览版）
• 英特尔酷睿 i3 - 2350M
• 8 GB 内存

我很感激任何帮助尝试！问候。

- 更新 -

由于下面的用户发布了一个很好的答案，我注意到系统中Arthurx.sys消耗最多 CPU 的进程被称为，简单的谷歌告诉它是一个 TPLink 驱动程序（一个 wifi 适配器，我已经买了 2 周前！）驱动程序已从 Windows MSDN 安装，但也尝试从附带的 CD 安装驱动程序，但没有帮助。从系统开始，它只使用大约 5% 的 CPU，但在工作 2-4 小时后，它逐渐增长并达到 CPU 使用率的 40-60%。

设备名称： TPLink WN722N

Answer 1

介绍

High CPU usage by the "System" process can often be caused by a hardware driver issue (bug, old version, incompatility etc).

The System process loads (or hosts) multiple hardware drivers from different vendors that require higher level of memory access. This is why diagnosing the specific culprit can require a bit of detective work as described below.

Diagnosing the issue

To diagnose the CPU usage issues, you should use Event Tracing for Windows (ETW) to capture CPU Sampling data / Profile.

To capture the data, install the Windows Performance Toolkit, which is part of the Windows SDK.

The Windows 10 WPT can be used on Windows 8/Server 2012, Windows 8.1/Server 2012R2 and Windows 10/Server 2016. If you still use Windows 7, use the SDK/WPT with Build 15086.

^{(all other entries can be unselected)}

Now run WPRUI.exe, select First Level, under Resource select CPU usage and click on start.

Now capture 1 minute of the CPU usage. After 1 minute, click on Save.

Now analyze the generated ETL file with the Windows Performance Analyzer by dragging and dropping the CPU Usage (sampled) graph to the analysis pane and ordering the columns like you see in the picture:

Inside WPA, load the debug symbols and expand Stack of the SYSTEM process. In this demo, the CPU usage comes from the nVIDIA driver.

In the following demo, the CPU usage comes from the Realtek NIC driver:

When you see calls like ntoskrnl.exe!ViKeTrimWorkerThreadRoutine, ntoskrnl.exe!MmVerifierTrimMemory, ntoskrnl.exe!VerifierKeLeaveCriticalRegion, this means you have Driver Verifier enabled. This also hurts performance a lot and causes high SYSTEM usage. Disable Driver Verifier and reboot.

In this demo, the driver iai2ce.sys (Intel Serial IO GPIO Controller driver) causes it:

In this example, the CPU usage comes from the file rtsuvc.sys which seems to be the Realtek UVC webcam Driver

This demo shows that Bitdefender driver ignis.sys

In the following example, the CPU usage is casued by the broadcom network driver bcmwl664.sys

When you see ntoskrnl.exe!MiZeroWorkerPages as cause, it is trickier. This means the function of the kernel which zeros the memory before it can be used again causes the high CPU usage:

There is no real way to detect which process causes it, but I know that Chrome can cause it if you have hardware acceleration enabled in Chrome. So if you see this and use Chrome, turn hardware acceleration in Chrome off.

When you see those ntoskrnl.exe!RtlpGenericRandomPatternWorker, ntoskrnl.exe!RtlpTestMemoryRandomUp calls

the CPU usage comes from the Kernel to test memory for issues (memtest). This usage is triggered via the idle maintenance task of Windows 8.1/10. You can use Task Scheduler to disable the idle task.

In Windows 10, the task is called RunFullMemoryDiagnostics under Microsoft > Windows > MemoryDiagnostic > RunFullMemoryDiagnostic.

In this case, the CPU usage seems to come from the Data Deduplication Feature (dedup.sys!DdpPostCreate) of Windows Server:

In this demo, the CPU usage is caused by the WIFI card driver athrx.sys

Search for a driver update if you see this.

In the following demo, a citrix driver is involved:

So contact your IT for how to solve Citrix issues.

In this demo, the function usbhub.sys!UsbhPortRecycle causes the CPU usage:

Changing USB2.0 ports to 1.1 speed or connecting USB drives to other USB 2.0 ports helped for some users.

In this case, a small amount of SYSTEM usage comes from the Acronis driver tdrpm251.sys:

In this demo, the CPU usage ntoskrnl.exe!KeAcquireSpinLockRaiseToDpc and ntoskrnl.exe!KeReleaseSpinLock.

so a driver is using SpinLocks very heavily. Disable some devices/drivers until you see one which causes it.

In this case, the CPU usage is caused by the driver L1C62x64.sys

This is the qualcomm atheros AR8171/8175 PCI-E gigabit Ethernet driver. So update the driver if you see it in the stack.

Here, the CPU usage comes from scanning the host file (netbt.sys!DelayedScanLmHostFile)

make sure your hosts file is not too large to avoid this usage.

In this case, the CPU usage comes from SRTSP64.SYS from symantec.

Update your used symantec product to the latest version.

Here, the CPU usage comes from the AMD GPU driver (atikmdag.sys)

if you see this, go to AMD site and get the latest driver for your AMD card.

Here, the drivers TMXPFlt.sys and VsapiNt.sys cause the high CPU usage.

From what I see, those files are part of Trend Micro AV suite. Update the tool or remove it.

In this example, the CPU usage comes from the function ntoskrnl.exe!MmGetPageFileInformation

This function gets information about the pagefile.

Routine Description: This routine returns information about the currently active paging files.

Disable the pagefile, reboot and enable it again and see if this fixes it. Also, removing Intel services (e.g Intel Content Protection HECI Service) seems to fixed it for a user.

Here, you can see that the driver Netwtw04.sys (Intel Wifi driver) calls the function flushCompleteAllPendingFlushRequests and this causes a high CPU usage.

Because the debug symbols get loaded the Windows inbox driver is used. Only here we can get debug symbols to see the callstack with the function name flushCompleteAllPendingFlushRequests.

Here, you should install the latest driver from Intel to fix it.

The most complicated case of SYSTEM usage is ACPI.sys usage in the callstack:

Line #, DPC/ISR, Module, Stack, Count, Process, Weight (in view) (ms), TimeStamp (s), % Weight
6, , ,   |    |- ACPI.sys!ACPIWorkerThread, 40246, , 39.992,941063, , 4,13
7, , ,   |    |    ACPI.sys!RestartCtxtPassive, 40246, , 39.992,941063, , 4,13
8, , ,   |    |    ACPI.sys!InsertReadyQueue, 40246, , 39.992,941063, , 4,13
9, , ,   |    |    ACPI.sys!RunContext, 40246, , 39.992,941063, , 4,13
10, , ,   |    |    ntoskrnl.exe!KeReleaseSpinLock, 40246, , 39.992,941063, , 4,13
11, , ,   |    |    ntoskrnl.exe!KiDpcInterrupt, 40246, , 39.992,941063, , 4,13
12, , ,   |    |    ntoskrnl.exe!KiDispatchInterruptContinue, 40246, , 39.992,941063, , 4,13
13, , ,   |    |    ntoskrnl.exe!KxRetireDpcList, 40246, , 39.992,941063, , 4,13
14, , ,   |    |    ntoskrnl.exe!KiRetireDpcList, 40246, , 39.992,941063, , 4,13
15, , ,   |    |    |- ntoskrnl.exe!KiExecuteAllDpcs, 40198, , 39.945,173325, , 4,13
16, , ,   |    |    |    |- ACPI.sys!ACPIInterruptDispatchEventDpc, 27565, , 27.408,930428, , 2,83
17, , ,   |    |    |    |    |- ACPI.sys!ACPIGpeEnableDisableEvents, 24525, , 24.384,921620, , 2,52
18, , ,   |    |    |    |    |    ACPI.sys!ACPIWriteGpeEnableRegister, 24525, , 24.384,921620, , 2,52
19, , ,   |    |    |    |    |    |- hal.dll!HalpAcpiPmRegisterWrite, 24421, , 24.281,015516, , 2,51
20, , ,   |    |    |    |    |    |    |- hal.dll!HalpAcpiPmRegisterWritePort, 24166, , 24.027,316013, , 2,48

this is extremely difficult to debug. In a sysinternals topic, I listed some advice:

• make sure the CPU doesn't overheat because of dust in the CPU fan
• update or re-flash the (same) BIOS/UEFI
• load default BIOS/UEFI settings
• make sure the battery is not damaged, remove the battery from the notebook or disable the battery in device manager.
• change jumper on HDD caddy if you have replaced the DVD/Blue-Ray Drive with a Caddy to install an SSD next to your old HDD

• disable some devices as advised by this user
• if you use an Intel chipset, try to install Intel Rapid storage Technology (RST) to replace the standard AHCI driver from Windows. This also seems to helped.
• the user Shayna figured out, that using Process Hacker (started as admin) to suspend the threads of the ACPI.sys issues "fixes" the issue for him. So try his workaround if all other steps don't fix it for you.

In the following demo, the Intel HD driver igdkmd64.sys in version .4574 for the Intel HD 630 causes the issue:

The solution is to update to driver with version of at least .4590.

In the following case, the CPU usage of the SYSTEM process is caused by the driver stdriverx64.sys

This seems to be an audio streaming driver. So update this software/driver if you see this in WPA.

If you see a driver called risdxc64.sys in callstack of SYSTEM that causes the high CPU usage, update the Ricoh PCIe SDXC/MMC Host Controller driver or disable the SD card reader in device manager if no driver update fixes it.

This SD card reader seems to be built-in to many Lenovo devices.

The user @stevemidgley showed a new issue of higher CPU usage with Wdf01000.sys!FxSystemWorkItem::_WorkItemThunk

Here you can see a driver UDE.sys causing it.

In symbol hub

I can see it belongs to Modem driver and PNP data of the trace shows Fibocom L850-GL (LTE Modem) as possible device:

And the solution is to disable the modem and USB composite device in device manager.

用户@fajar提供了以下案例：

这里cpu使用量很小，但是如果你把view改成DPC/ISR使用量

您可以看到 avgNetHub.sys 驱动程序导致大量 DPC 使用

该名称表明该驱动程序是 AVG 防病毒软件的一部分。因此，如果您在跟踪中看到这一点，请更新软件或将其删除。

Answer 2

这可能是由错误的驱动程序或系统加载的其他模块引起的。要查看系统进程内部，您可以使用Process Explorer 之类的工具。

下载并运行它，然后选择系统进程，右键单击并选择属性：

切换到 Threads 选项卡（忽略提到符号的对话框）：

这将显示哪个文件使用了过多的 CPU 使用率，然后您可以尝试诊断它。

然而，正如其他人在评论中所说的那样，您确实需要尽快远离预览版！

Answer 3

关于加载调试符号以添加到magicandre1981\'s 优秀答案的注释：如果在 Windows 性能分析器中加载符号工作正常，则在勾选“跟踪”>“加载符号”后，您应该会在顶部看到一个进度条，并显示“正在加载符号”，旁边显示文件名它需要几分钟才能完成。您还应该在诊断控制台中看到许多如下所示的行：

\n\n

SYMSRV:  File: Accessibility.ni.pdb\n\nSYMSRV:  Notifies the client application that a proxy has been detected.\nSYMSRV:  Connecting to the Server: http://msdl.microsoft.com/download/symbols.\nSYMSRV:  Successfully connected to the Server.\nSYMSRV:  Sending the information request to the server.\nSYMSRV:  Successfully sent the information request to the server.\nSYMSRV:  Waiting for the server to respond to a request.\nSYMSRV:  Successfully received a response from the server.\nSYMSRV:  Closing the connection to the Server.\nSYMSRV:  Successfully closed the connection to the Server.\nSYMSRV:  Get File Path: /download/symbols/Accessibility.ni.pdb/7B46178957827CDAB7EE4C86EDEE1DAE1/Accessibility.ni.pdb\n

\n\n

如果您没有看到其中任何一个，则加载调试符号可能不起作用，并且您将无法正确解释您的跟踪。

\n\n

就我而言，最初加载调试符号不起作用。我按照以下说明修复了它：

\n\n

\n

\n

1. 确定您使用的是 x86 还是 x64 版本的 Windows Performance Toolkit。

   \n\n

   这在 x86 版本的 Windows 上很容易。在 x64 版本上，您可以在任务管理器中检查 *32 标记。如果\xe2\x80\x99 不存在，那么您\xe2\x80\x99 正在运行x64 版本。

   \n\n

   请注意，无论架构如何，WPT 始终安装到 Program Files (x86)。

\n

2. dbghelp.dll将和文件从正确的调试器目录复制symsrv.dll到 Windows Performance Toolkit 目录。在我的系统上，相关目录是：

   \n\n

   C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64和\n C:\\Program Files (x86)\\Windows Kits\\10\\Windows Performance Toolkit

\n

3. 重新启动 Windows 性能分析器，以便选择正确版本的 dbghelp.dll。

\n

\n

\n