
System process at 100%


GLT101
Dec 8, 2005, 10:51:02 AM
Hi All,

Sorry for the long post, but I have been working
on this problem for many days now.

I have a Windows 2000 Prof PC (P4 2.45GHz, 512MB RAM)
which is part of a windows 2003 domain. The PC
has the following problem:

On boot the PC is fine. I can log into the domain
OK. After about 5-8 minutes, the System process starts
to increase CPU usage reaching 100% in a few seconds.
The process continues like this until it has used
about 10 minutes of CPU time. It then decays away
slowly, until eventually reaching normal (0% most
of the time).

Here's the weird part: this happens only the first
time I boot the machine each day. On subsequent
restarts, the PC behaves fine.


First off, I regard myself as no slouch when it comes
to malware. So I am pretty sure this is not
virus/worm/adware. I have run full scans on this PC
with Symantec AV Corporate Ed. 10.0, Pest Patrol 4.4,
and HijackThis. None of these revealed any nasties.
There are no connections to external systems open. I
have even analysed the network traffic using ethereal
to be sure that there is nothing on the wire that
shouldn't be there.

So, now I have used the sysinternals ProcessExplorer
(V. nice!) as recommended here. It reveals that when
the system process is in this busy state, the value
of DPCs (deferred procedure calls) is also very high (~50).
Secondly, there are about 10 threads within the system
process that all have the same start address: 0x16b4c.
Using debugger symbols tells me that these are all
ExpWorkerThreads. The stack for each of these looks
like this:

ntoskrnl.exe!KiSwapThread+0xc5
ntoskrnl.exe!KeRemoveQueue+0x195
ntoskrnl.exe!ExpWorkerThread+0x73
ntoskrnl.exe!PspSystemThreadStartup+0x54
ntoskrnl.exe!KiThreadStartup+0x16


I have four questions:

1) What is the meaning of the high DPCs value - is it
significant or just another indication that the system
is busy?

2) Is there a way to see what driver is associated with
these "worker threads" to give a hint as to the source
of the problem?

4) Could this be the MS04-011 race condition given here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;841382
If so, how can I obtain the fix?

3) Does anyone have any other suggestions as to what else to try?

Thanks for listening.
Geoff

Mak
Dec 8, 2005, 8:21:35 PM
Hi Geoff,

1) http://www.sysinternals.com/Information/AdvancedDPCs.html
2) try RATT: http://www.microsoft.com/whdc/DevTools/tools/RATT.mspx
3) <snip> "Here's the weird part: this happens only the first time I boot
the machine each day. On subsequent restarts, the PC behaves fine."

and "with Symantec AV Corporate Ed. 10.0" - try booting with SAV disabled
(Gold release of SAV 10 is pretty buggy), it's up to ver 10.0.2 now:
http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005062413405248?OpenDocument&ExpandSection=3%2C1
4) have no idea, guess you could try uninstalling KB835732. To get the
patch, call MS support.

Good luck.


"GLT101" <GLT...@discussions.microsoft.com> wrote in message
news:DAB2BD64-F7E0-468C...@microsoft.com...
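The first question in the thread (is a high DPC figure significant, or just another sign of a busy box?) can be answered by sampling the kernel's DPC and interrupt time next to the System process's own CPU time: if most of the System process's CPU is accounted for by DPC time, the work is being done in driver DPC routines, which is what the Process Explorer link above explains. The script below is an added example, not code from the thread or from Sysinternals. It assumes PowerShell 3.0 or later for Get-Counter and [pscustomobject]; the Windows 2000 machine in the thread exposes the same counter names through Performance Monitor instead. The one-minute window and the 20% threshold are assumptions, not values from the thread.

```powershell
# Added example, not from the thread: sample kernel DPC/interrupt time next to the
# System process's own CPU time to see whether the load is driver DPC work.
# Assumes PowerShell 3.0 or later (Get-Counter, [pscustomobject]). Window length
# and threshold are assumptions, not values from the thread.

$counters = @(
    '\Processor(_Total)\% DPC Time',
    '\Processor(_Total)\% Interrupt Time',
    '\Process(System)\% Processor Time'
)
$windowSeconds = 60   # assumption: one-minute sampling window
$dpcThreshold  = 20   # assumption: sustained % DPC Time worth investigating

$sets = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $windowSeconds

$rows = foreach ($set in $sets) {
    $v = @{}
    foreach ($cs in $set.CounterSamples) {
        # Get-Counter returns lower-cased full paths; keep only the counter name.
        # Hashtable keys are case-insensitive, so '% dpc time' matches '% DPC Time'.
        $v[($cs.Path -split '\\')[-1]] = [math]::Round($cs.CookedValue, 1)
    }
    [pscustomobject]@{
        Time      = $set.Timestamp.ToString('HH:mm:ss')
        DpcPct    = $v['% DPC Time']
        IntPct    = $v['% Interrupt Time']
        # Process counters are summed over all logical CPUs, so this can exceed 100.
        SystemPct = $v['% Processor Time']
    }
}

$rows | Format-Table -AutoSize

$busy = @($rows | Where-Object { $_.DpcPct -ge $dpcThreshold })
if ($busy.Count -gt ($windowSeconds / 2)) {
    $msg = 'DPC time was at or above {0}% in {1} of {2} samples: the CPU is being spent ' +
           'in driver DPC routines rather than in ordinary thread work, which points at a ' +
           'kernel-mode driver. The next step is per-driver attribution (Process Explorer ' +
           'thread stacks, or a DPC/ISR trace).'
    Write-Warning ($msg -f $dpcThreshold, $busy.Count, $windowSeconds)
}
```

Run it while the System process is in its busy phase. DPC time that stays near zero while the System process is busy means the cost is in ordinary kernel threads (the ExpWorkerThreads seen in the stacks), whereas DPC time tracking the System process's CPU means the worker threads are being fed by a driver's deferred procedure calls, and the driver, not the threads, is the thing to identify.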

GLT101
Dec 12, 2005, 12:16:05 PM
Hi Mak and all,

Thanks for the response. I upgraded our company
n/w to the latest patch of Symantec Anti-virus: 10.0.1007.
No change, the problem is still there this morning.

I tried using RATTV3.exe. It runs, but the reporting tool
cwsa crashes with the error: "The procedure entry point
IsWow64Process could not be located in the dynamic
link library kernel32.dll". So I still can't see which driver
is responsible for the DPCs.

New questions
1) How can I fix the cwsa error?
2) Anyone know how to analyze the RATTV3 .etl file without cwsa?

Modified outstanding question:


4) Could this be the MS04-011 race condition given here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;841382

How can I tell if it is?

Cheers,
Geoff

Mak
Dec 12, 2005, 9:46:41 PM
Hi,

RATTV3 won't work (at least cwsa, AFAIK) on Win2k (missed that in your
original post). Try analysing data on WinXP / W2k3. Read help.
Latest SAV is 10.0.2 as from late November. I still recommend stopping SAV
completely on that machine for a test. (you may also want to remove all USB
devices (the usual suspect) / update chipset drivers).

"GLT101" <GLT...@discussions.microsoft.com> wrote in message
news:0F04AF3D-E28E-4EE7...@microsoft.com...

GLT101
Dec 14, 2005, 9:59:02 AM
Hi Mak,

I finally nailed it. It is the USB driver usbehci.sys. Disabling that
immediately stopped the thrashing.

Thanks for the help.

For the search engines:
The Microsoft USB driver for Enhanced USB controller on ASUSTek P4PE
mother board under Windows 2000 Professional causes a race condition.
To stop the problem I disabled the USB controller "Intel(r) 82801DB/DBM USB
Enhanced Host Controller" in the Device Manager.

Cheers,
Geoff
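The fix above rests on knowing which Device Manager entry is served by usbehci.sys. The script below is an added example, not code from the thread: it maps each USB host controller to the driver service and .sys file the PnP manager loads for it, so the controller can be tied to its driver before anything is disabled. It assumes Windows 8 / Server 2012 or later (the PnpDevice module with Get-PnpDeviceProperty and the DEVPKEY_Device_Service key); on the Windows 2000 host in the thread the same information is read from the driver details in Device Manager. The controller names and paths in the output are whatever the host reports, not values from the thread.

```powershell
# Added example, not from the thread: map each USB host controller to the kernel
# driver service and .sys file behind it. Assumes Windows 8 / Server 2012 or later
# for Get-PnpDeviceProperty; CIM classes Win32_USBController and Win32_SystemDriver
# are standard.

$controllers   = Get-CimInstance -ClassName Win32_USBController
$systemDrivers = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($ctl in $controllers) {
    # DEVPKEY_Device_Service is the service name the PnP manager loads for the device
    $service = (Get-PnpDeviceProperty -InstanceId $ctl.PNPDeviceID `
                    -KeyName 'DEVPKEY_Device_Service').Data
    $drv = $systemDrivers | Where-Object { $_.Name -eq $service } | Select-Object -First 1

    $driverFile = '(not found)'
    $state      = '(unknown)'
    if ($drv) {
        # PathName is the on-disk driver image, e.g. ...\drivers\usbehci.sys
        $driverFile = Split-Path -Leaf $drv.PathName
        $state      = $drv.State
    }

    [pscustomobject]@{
        Controller = $ctl.Name
        InstanceId = $ctl.PNPDeviceID
        Service    = $service
        DriverFile = $driverFile
        State      = $state
    }
}

$report | Format-Table -AutoSize

# To take the same step the poster took (disable one controller), run as an
# administrator with the InstanceId from the table above:
#   Disable-PnpDevice -InstanceId '<instance id from table>' -Confirm:$false
# Enable-PnpDevice reverses it once an updated driver or chipset package is in place.
```

Disabling the controller removes the symptom but also any USB 2.0 high-speed ports behind it, so the table is worth keeping as a record of what was turned off and why; re-run it after a driver or chipset update to confirm the service backing the controller has changed before re-enabling the device.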

Mak
Dec 16, 2005, 1:02:26 AM
Hi, you are welcome and thanks for feedback.

"GLT101" <GLT...@discussions.microsoft.com> wrote in message
news:2EDD4BAD-3968-4DC3...@microsoft.com...
