CPU pegged at 100%

Discussion in 'Windows 7 Help and Support' started by Don Key, Jun 11, 2011.

  1. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    System performance is abysmal.

    "Resource and Performance Monitor" says:
    [TABLE="class: block"]
    [TR]
    Component Status Utilization Details[/TR]
    [TR="class: b2"]
    [TD]CPU[/TD]
    [TD]

    Busy[/TD]
    [TD]100 %[/TD]
    [TD]High CPU load. Investigate Top Processes.
    [/TD]
    [/TR]
    [/TABLE]

    Resource Monitor says:

    Image PID Description Status Threads CPU Average CPU
    System Interrupts - Deferred Procedure Calls and Interrupt Svce... Running - 63 52.80%
    System 4 NT Kernel & System Running 106 26 28.33%


    the various other images are <1% except firefox, at 11%

    Seems like the OS is just spinning on the CPU. This is typical, right at startup.

    What can I do to get this thing out of the mud?

    -Don
     
  2. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    First step might be to open Task Manager and click the all users button. Go to the Processes Tab and then the view option. Use the Select Columns option to add the column for PID and Image Path. From your post, possibly the 106 and 63 are PIDs and show what process is hosting the high usage, but you will probably need to know what inside that process is actually causing the problem. For now, if you look for a PID in Task Manager, which ones are 106 and 26 and the 63 number? If you have not done so, in Performance Monitor, under the System folder there are System Diagnostics and System Performance options. If you right click on one of those and select Start, it will make a report for the Reports Section you can open and read. Some versions of Win 7 seem to be limited in this capability. But it does show CPU usage by different processes and breaks down what is running inside the process, but not the CPU time for the different threads. Now you have two ways to go, one is trial and error method where you use msconfig.exe to not allow certain programs to start up and see if you can find the one responsible, or you can use an advanced version of Task Manager to see if you can pin it down. If you feel it is necessary, there is an advanced version of msconfig.exe called AutoRuns at the site below. If you decide to try the software, check SysInternals and look for Process Explorer. There are instructional videos on the system and the latest "Case of the Unexplained" video for 2011 uses such an example as its first case. If you need help with the software, let us know. Otherwise, maybe you will find the problem in the Startup area of Msconfig.exe after gaining information from Task Manager or Performance Monitor.
     
  3. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    Thanks for your response. I drafted a reply yesterday, but it seems to have gone into the ether.

    Here it is in brief:

    The original post data was a copy/paste from "Resource Manager" - the column alignments didn't hold so it was hard to interpret. Here is a snapshot from this morning transposed:

    Image System Interrupts
    PID -
    Description Deferred Procedure Calls and Interrupt Service Routines
    Status Running
    Threads -
    CPU 58
    Average CPU 54.36

    Image System
    PID 4
    Description NT Kernel & System
    Status Running
    Threads 102
    CPU 32
    Average CPU 28.37

    Between the two, the kernel and system interrupts are using an average of about 83% of the cpu.
    With further research after your response, I saw a mention that sometimes a process that is very active but never gets the cpu just shows up under interrupts.

    I also saw an HD Audio process and BCSSYNC listed as hogs - the latter because of housing an infection. I had them both; killed both, rebooted, and CPU usage was around 2-3%! That lasted a while and then it jumped up again. I also saw the McAfee realtime scanner as a hog; killed it, and was back to 2-3%. This morning with all those changes still in place I'm back to 100%.

    Any suggestions for next steps? I'm going to boot in safe mode and run malwarebytes. I have a feeling the BCSSYNC was/is the culprit, and even though the process does not show active and there is no image for it, the virus is loading from the boot track or someplace...?

    Thanks again for the pointers.

    Don
     
  4. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    If the net is correct, BCSSync is an Office 2010 component. That being the case, what do you mean by "housing an infection"?

    If you do have some type of infection, it may have a watcher component that will replace the problem after you find and delete it. Depends on how sophisticated it is.

    Office has seen some problems itself where some component has caused problems under certain conditions. Perhaps do a web search for Office 2010 and high cpu usage or bcssync. I saw one where someone had an online calendar causing a problem. Check for any updates for Office 2010, and while you do that, do you show any recent updated from Windows Update for it?

    No matter what is causing the problem, you still need to find it to stop it, or download an update that might stop it. When you have 15 threads running in a process, you have to pin it down to the one that is causing the problem. The software I was recommending may be required to complete your process, if you want to go that direction.
     
  5. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    Yes, BCSSync is an Office 2010 component that synchronizes local files with versions stored online in Sharepoint 2010. Apparently there is a virus that implants itself in the BCSSync image and causes lots of thrashing and high CPU usage. Removing BCSSync.exe stopped the issue temporarily, but as you suggest, evidently the critter has another place from which to launch itself. The BCSSync image can be replace with a "clean" one but the malware needs to be found.

    I booted this am and had low cpu usage for awhile; I happened to leave the computer with performance monitor running. While I was gone, nobody else logged in, cpu usage jumped to 70%. I found that the Mcafee realtime monitoring image had restarted. I killed it and went back to 2% again. I'm rerunning deinstall of mcafee, which evidently failed yesterday.

    I've tried repeatedly to boot w7 in safe mode, but the f8 key does not seem to be recognized. Any suggestions how to force boot in safe mode? Maybe just pull the plug and then let it prompt on restart? I'd rather do it "right" but that is the only means I can think of if f keys don't work.
     
  6. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    I don't remember if you said your system was a laptop, but some systems designate whether the F function will be used or the alternate function. Perhaps you may need to go into a setup routine and set the F keys to use that function.

    Otherwise, normally tapping the F8 key continuously during boot after the initial phase will allow for the Safe Mode option. Different systems may have alternate methods to get into safe mode.

    What do you show on the Startup tab in Msconfig.exe?

    There seems to be another poster possibly having problems with SharePoint in relation to a Grooveex.dll causing side by side (SxS) errors.
     
    #6 Saltgrass, Jun 13, 2011
    Last edited: Jun 13, 2011
  7. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    Well, I've moved on from bcssync being the culprit. Now I find that no matter what I disable, deinstall, or remove from startup, the behavior:

    1. Does not change when processes are killed
    2. Is not there after booting - cpu usage is 1-2% unless apps starting, and then settles in at <10%. This is true for hours.
    3. Occurs immediately upon resuming from idle. Usage shoots from 2 to 100%. Every time. I've left taskmgr running and have traces to confirm
    I used msiconfig to boot in safe mode, ran malwarebytes and found nothing. The malwarebytes people have looked at a bunch of logs I provided and concluded its not malware. I'm going to gather trace info on DPC-interrupt later when I can let the system go idle and resume.
     
  8. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    So Windows Performance Analyzer indicates that halmacpi.dll is chattering, with 72% of the weight the NT Kernel is using:

    [TABLE]
    [TR]
    [TD]Process[/TD]
    [TD]Module[/TD]
    [TD]Function[/TD]
    [TD]Weight[/TD]
    [TD]% Weight[/TD]
    [TD]Count[/TD]
    [TD]TimeStamp [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD]halmacpi.dll[/TD]
    [TD]Unknown[/TD]
    [TD]25133.408323[/TD]
    [TD]72.26[/TD]
    [TD]25133[/TD]
    [TD]
    [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD][/TD]
    [TD][/TD]
    [TD]1.002285[/TD]
    [TD]0.00[/TD]
    [TD]1[/TD]
    [TD]389.150088773 [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD][/TD]
    [TD][/TD]
    [TD]1.002284[/TD]
    [TD]0.00[/TD]
    [TD]1[/TD]
    [TD]390.198070089 [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD][/TD]
    [TD][/TD]
    [TD]1.002284[/TD]
    [TD]0.00[/TD]
    [TD]1[/TD]
    [TD]391.586045014 [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD][/TD]
    [TD][/TD]
    [TD]1.001818[/TD]
    [TD]0.00[/TD]
    [TD]1[/TD]
    [TD]364.459533247 [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD][/TD]
    [TD][/TD]
    [TD]1.001818[/TD]
    [TD]0.00[/TD]
    [TD]1[/TD]
    [TD]367.570476948 [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD][/TD]
    [TD][/TD]
    [TD]1.001818[/TD]
    [TD]0.00[/TD]
    [TD]1[/TD]
    [TD]369.402444117 [/TD]
    [/TR]
    [TR]
    [TD][/TD]
    [TD][/TD]
    [TD][/TD]
    [TD]1.001818[/TD]
    [TD]0.00[/TD]
    [TD]1[/TD]
    [TD]369.560441042 [/TD]
    [/TR]
    [/TABLE]
    looking at scan from before and after idle/wakeup cycle, this is the profound difference.

    I am contemplating downloading a new version of that dll - any thoughts?
     
  9. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    I do not seem to show that .dll on my system, but I may have missed it.

    If you can find it on yours, what folder is it in? If you right click it, what does it say about who wrote it and other details.
     
  10. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    It is the "Hardware Abstraction Layer" dll - part of the OS written by Microsoft. It is in the system32 directory. It's been around for years, blamed in various rashes of blue-screens and instances where mouse and keyboard are frozen after wakeup from idle. Modify date of 11/20/2010, but the create date on my computer is 5/17/11. It and two other dlls starting with 'HAL" all have same dates. I think a microsoft "update" was installed 5/17 that introduced this POS. Rather than try to find a later one, I'll disable timeout and wait for MS to realize it and fix it.
     
  11. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    I do show the file on my 32 bit Win 7 system, but neither of the x64 versions. The acpi part would mean it is related to sleep or resuming from sleep which would make sense. But if it is a legitimate Microsoft signed file, then it is probably not directly responsible for your situation.

    I will check my 32 bit install to see if I can find anything related to the file.
     
  12. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    Since it might be related to ACPI, possibly you could run the powercfg -energy utlity from an Administrative Command Prompt. Shut down everything you can so the utility can complete with the fewest messages possible. Watch where it puts the report and copy it to the Desktop to open.

    Look for any warnings or errors, or something that might look it is causing a problem. You will see USB messages, so do not worry so much about them.

    While you are in the Administrative Command Prompt, you migh also run the sfc /scannow utility to see if it finds anything.
     
  13. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    Thanks!

    I disabled sleep mode and left the system on overnight. HALMACPI.dll is only using 1.59%. CPU usage is low; idle process ranges 90-99%.


    The powerconfig trace showed all the USB warnings and disabling of sleep mode, plus the below regarding firefox.
    Suggests to me firefox is being a bit of a hog by grabbing the cpu frequently, but at overall tolerable levels, correct?

    I might try letting it go bad again and rerunning this to see what changes.

    Thanks again. I am learning about all sorts of fun diagnostic tools I hope not to have to ever use again!


    Platform Timer Resolution:Outstanding Timer Request

    A program or service has requested a timer resolution smaller than the platform maximum timer resolution.
    [TABLE]
    [TR]
    [TD]Requested Period[/TD]
    [TD]10000[/TD]
    [/TR]
    [TR]
    [TD]Requesting Process ID[/TD]
    [TD]1648[/TD]
    [/TR]
    [TR]
    [TD]Requesting Process Path[/TD]
    [TD]\Device\HarddiskVolume3\Program Files\Mozilla Firefox\plugin-container.exe[/TD]
    [/TR]
    [/TABLE]



    Power Policy:802.11 Radio Power Policy is Maximum Performance (Plugged In)
    The current power policy for 802.11-compatible wireless network adapters is not configured to use low-power modes.




    CPU Utilization:Individual process with significant processor utilization.

    This process is responsible for a significant portion of the total processor utilization recorded during the trace.
    [TABLE]
    [TR]
    [TD]Process Name[/TD]
    [TD]firefox.exe[/TD]
    [/TR]
    [TR]
    [TD]PID[/TD]
    [TD]3264[/TD]
    [/TR]
    [TR]
    [TD]Average Utilization (%)[/TD]
    [TD]14.40[/TD]
    [/TR]
    [TR]
    [TD]Module [/TD]
    [TD]Average Module Utilization (%) [/TD]
    [/TR]
    [TR]
    [TD]\Device\HarddiskVolume3\Program Files\Mozilla Firefox\xul.dll[/TD]
    [TD]11.03[/TD]
    [/TR]
    [TR]
    [TD]\Device\HarddiskVolume3\Program Files\Mozilla Firefox\mozcrt19.dll[/TD]
    [TD]1.28[/TD]
    [/TR]
    [TR]
    [TD]\SystemRoot\System32\win32k.sys[/TD]
    [TD]0.53[/TD]
    [/TR]
    [/TABLE]



    .
     
  14. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    With the many threads I found blaming HALACPI for blue screens and freezeups, while I can accept your statement that it is probably not directly responsible, I have to think that it may be "fragile" in that it does not deal successfully with every possible peripheral. When the system comes back from sleep, it is supposed to "summon the troops" with a bugle call and fails to do it successfully. While that could be because a peripheral has a hardware defect or device driver issue and fails to respond correctly, this dll ends up babbling rather than handling the problem. Incidentally, a few weeks ago (probably 5/17, but I didn't record the first observation so can't prove it) I started having trouble if my wife did not choose "switch user" when she left the system (she has never done that, and it was not an issue). If it went into sleep while she was still logged in, then when I tried to log in it went black screen and froze. I suspect that was another manifestation of this dll crapping out. I asked her to be sure to select "switch user" and that worked - to a point. I could log in, but the cpu issue was there, which I took a while to associate with sleep. I did not add or change any hardware in this timeframe. I can't say a driver was not upgraded with automatic updates - I guess I could check dates - but HALACPI was updated 5/17.

    sfc found no issues, btw.
     
  15. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    I was hoping the powercfg would show a device as you suspect, but I do not see anything. The other day some had some problems with his system not shutting down correctly and it turned out to be the laptop battery.

    Since the Hal.dll or halmacpi.dll or halacpi.dll are system processes, I cannot see any threads inside those, so right now I do not see a way to pin it down farther. I was wondering if the m in the halmacpi.dll was referencing memory, but I have no indication of such so far.

    The logging off situation might be clues to something, but I will have to research that. I wonder if creating a new user to test would show anything? Possibly using an administrative account to access a standard account, over a period of time, might cause some confusion for the system. Some of those diagnostic utilities will divide out processes by user.

    I suppose all I might suggest for now would be to load Process Monitor and see if it shows activity by and what that activity might be doing. I am checking mine now for activity by hal.dll to see what shows up.
     
  16. Don Key

    Don Key New Member

    Joined:
    Jun 11, 2011
    Messages:
    18
    Likes Received:
    0
    As long as I don't let it sleep, there is no issue. HALMACPI is quiet, response is fine. So I really can't do any monitoring for strange activity in the "good" state and my PC is near-unusable in the "bad" state. I don't particularly like not having the "sleep" function available, but will live with that workaround. maybe someday when I'm bored I'll try unplugging various USB devices and see if the problem is present.
     

Share This Page

Loading...