Windows 7 CPU pegged at 100%

Don Key

New Member
Joined
Jun 11, 2011
System performance is abysmal.

"Resource and Performance Monitor" says:
CPU

Busy
100 %High CPU load. Investigate Top Processes.

Component Status Utilization Details

Resource Monitor says:

Image PID Description Status Threads CPU Average CPU
System Interrupts - Deferred Procedure Calls and Interrupt Svce... Running - 63 52.80%
System 4 NT Kernel & System Running 106 26 28.33%


the various other images are <1% except firefox, at 11%

Seems like the OS is just spinning on the CPU. This is typical, right at startup.

What can I do to get this thing out of the mud?

-Don
 
First step might be to open Task Manager and click the all users button. Go to the Processes Tab and then the view option. Use the Select Columns option to add the column for PID and Image Path. From your post, possibly the 106 and 63 are PIDs and show what process is hosting the high usage, but you will probably need to know what inside that process is actually causing the problem. For now, if you look for a PID in Task Manager, which ones are 106 and 26 and the 63 number? If you have not done so, in Performance Monitor, under the System folder there are System Diagnostics and System Performance options. If you right click on one of those and select Start, it will make a report for the Reports Section you can open and read. Some versions of Win 7 seem to be limited in this capability. But it does show CPU usage by different processes and breaks down what is running inside the process, but not the CPU time for the different threads. Now you have two ways to go, one is trial and error method where you use msconfig.exe to not allow certain programs to start up and see if you can find the one responsible, or you can use an advanced version of Task Manager to see if you can pin it down. If you feel it is necessary, there is an advanced version of msconfig.exe called AutoRuns at the site below. If you decide to try the software, check SysInternals and look for Process Explorer. There are instructional videos on the system and the latest "Case of the Unexplained" video for 2011 uses such an example as its first case. If you need help with the software, let us know. Otherwise, maybe you will find the problem in the Startup area of Msconfig.exe after gaining information from Task Manager or Performance Monitor.
 
Thanks for your response. I drafted a reply yesterday, but it seems to have gone into the ether.

Here it is in brief:

The original post data was a copy/paste from "Resource Manager" - the column alignments didn't hold so it was hard to interpret. Here is a snapshot from this morning transposed:

Image System Interrupts
PID -
Description Deferred Procedure Calls and Interrupt Service Routines
Status Running
Threads -
CPU 58
Average CPU 54.36

Image System
PID 4
Description NT Kernel & System
Status Running
Threads 102
CPU 32
Average CPU 28.37

Between the two, the kernel and system interrupts are using an average of about 83% of the cpu.
With further research after your response, I saw a mention that sometimes a process that is very active but never gets the cpu just shows up under interrupts.

I also saw an HD Audio process and BCSSYNC listed as hogs - the latter because of housing an infection. I had them both; killed both, rebooted, and CPU usage was around 2-3%! That lasted a while and then it jumped up again. I also saw the McAfee realtime scanner as a hog; killed it, and was back to 2-3%. This morning with all those changes still in place I'm back to 100%.

Any suggestions for next steps? I'm going to boot in safe mode and run malwarebytes. I have a feeling the BCSSYNC was/is the culprit, and even though the process does not show active and there is no image for it, the virus is loading from the boot track or someplace...?

Thanks again for the pointers.

Don
 
If the net is correct, BCSSync is an Office 2010 component. That being the case, what do you mean by "housing an infection"?

If you do have some type of infection, it may have a watcher component that will replace the problem after you find and delete it. Depends on how sophisticated it is.

Office has seen some problems itself where some component has caused problems under certain conditions. Perhaps do a web search for Office 2010 and high cpu usage or bcssync. I saw one where someone had an online calendar causing a problem. Check for any updates for Office 2010, and while you do that, do you show any recent updated from Windows Update for it?

No matter what is causing the problem, you still need to find it to stop it, or download an update that might stop it. When you have 15 threads running in a process, you have to pin it down to the one that is causing the problem. The software I was recommending may be required to complete your process, if you want to go that direction.
 
Yes, BCSSync is an Office 2010 component that synchronizes local files with versions stored online in Sharepoint 2010. Apparently there is a virus that implants itself in the BCSSync image and causes lots of thrashing and high CPU usage. Removing BCSSync.exe stopped the issue temporarily, but as you suggest, evidently the critter has another place from which to launch itself. The BCSSync image can be replace with a "clean" one but the malware needs to be found.

I booted this am and had low cpu usage for awhile; I happened to leave the computer with performance monitor running. While I was gone, nobody else logged in, cpu usage jumped to 70%. I found that the Mcafee realtime monitoring image had restarted. I killed it and went back to 2% again. I'm rerunning deinstall of mcafee, which evidently failed yesterday.

I've tried repeatedly to boot w7 in safe mode, but the f8 key does not seem to be recognized. Any suggestions how to force boot in safe mode? Maybe just pull the plug and then let it prompt on restart? I'd rather do it "right" but that is the only means I can think of if f keys don't work.
 
I don't remember if you said your system was a laptop, but some systems designate whether the F function will be used or the alternate function. Perhaps you may need to go into a setup routine and set the F keys to use that function.

Otherwise, normally tapping the F8 key continuously during boot after the initial phase will allow for the Safe Mode option. Different systems may have alternate methods to get into safe mode.

What do you show on the Startup tab in Msconfig.exe?

There seems to be another poster possibly having problems with SharePoint in relation to a Grooveex.dll causing side by side (SxS) errors.
 
Last edited:
Well, I've moved on from bcssync being the culprit. Now I find that no matter what I disable, deinstall, or remove from startup, the behavior:

  1. Does not change when processes are killed
  2. Is not there after booting - cpu usage is 1-2% unless apps starting, and then settles in at <10%. This is true for hours.
  3. Occurs immediately upon resuming from idle. Usage shoots from 2 to 100%. Every time. I've left taskmgr running and have traces to confirm
I used msiconfig to boot in safe mode, ran malwarebytes and found nothing. The malwarebytes people have looked at a bunch of logs I provided and concluded its not malware. I'm going to gather trace info on DPC-interrupt later when I can let the system go idle and resume.
 
So Windows Performance Analyzer indicates that halmacpi.dll is chattering, with 72% of the weight the NT Kernel is using:

ProcessModuleFunctionWeight% WeightCountTimeStamp
halmacpi.dllUnknown25133.40832372.2625133
1.0022850.001389.150088773
1.0022840.001390.198070089
1.0022840.001391.586045014
1.0018180.001364.459533247
1.0018180.001367.570476948
1.0018180.001369.402444117
1.0018180.001369.560441042
looking at scan from before and after idle/wakeup cycle, this is the profound difference.

I am contemplating downloading a new version of that dll - any thoughts?
 
I do not seem to show that .dll on my system, but I may have missed it.

If you can find it on yours, what folder is it in? If you right click it, what does it say about who wrote it and other details.
 
It is the "Hardware Abstraction Layer" dll - part of the OS written by Microsoft. It is in the system32 directory. It's been around for years, blamed in various rashes of blue-screens and instances where mouse and keyboard are frozen after wakeup from idle. Modify date of 11/20/2010, but the create date on my computer is 5/17/11. It and two other dlls starting with 'HAL" all have same dates. I think a microsoft "update" was installed 5/17 that introduced this POS. Rather than try to find a later one, I'll disable timeout and wait for MS to realize it and fix it.
 
I do show the file on my 32 bit Win 7 system, but neither of the x64 versions. The acpi part would mean it is related to sleep or resuming from sleep which would make sense. But if it is a legitimate Microsoft signed file, then it is probably not directly responsible for your situation.

I will check my 32 bit install to see if I can find anything related to the file.
 
Since it might be related to ACPI, possibly you could run the powercfg -energy utlity from an Administrative Command Prompt. Shut down everything you can so the utility can complete with the fewest messages possible. Watch where it puts the report and copy it to the Desktop to open.

Look for any warnings or errors, or something that might look it is causing a problem. You will see USB messages, so do not worry so much about them.

While you are in the Administrative Command Prompt, you migh also run the sfc /scannow utility to see if it finds anything.
 
Thanks!

I disabled sleep mode and left the system on overnight. HALMACPI.dll is only using 1.59%. CPU usage is low; idle process ranges 90-99%.


The powerconfig trace showed all the USB warnings and disabling of sleep mode, plus the below regarding firefox.
Suggests to me firefox is being a bit of a hog by grabbing the cpu frequently, but at overall tolerable levels, correct?

I might try letting it go bad again and rerunning this to see what changes.

Thanks again. I am learning about all sorts of fun diagnostic tools I hope not to have to ever use again!


Platform Timer Resolution:Outstanding Timer Request

A program or service has requested a timer resolution smaller than the platform maximum timer resolution.
Requested Period10000
Requesting Process ID1648
Requesting Process Path\Device\HarddiskVolume3\Program Files\Mozilla Firefox\plugin-container.exe



Power Policy:802.11 Radio Power Policy is Maximum Performance (Plugged In)
The current power policy for 802.11-compatible wireless network adapters is not configured to use low-power modes.




CPU Utilization:Individual process with significant processor utilization.

This process is responsible for a significant portion of the total processor utilization recorded during the trace.
Process Namefirefox.exe
PID3264
Average Utilization (%)14.40
Module Average Module Utilization (%)
\Device\HarddiskVolume3\Program Files\Mozilla Firefox\xul.dll11.03
\Device\HarddiskVolume3\Program Files\Mozilla Firefox\mozcrt19.dll1.28
\SystemRoot\System32\win32k.sys0.53



.
 
With the many threads I found blaming HALACPI for blue screens and freezeups, while I can accept your statement that it is probably not directly responsible, I have to think that it may be "fragile" in that it does not deal successfully with every possible peripheral. When the system comes back from sleep, it is supposed to "summon the troops" with a bugle call and fails to do it successfully. While that could be because a peripheral has a hardware defect or device driver issue and fails to respond correctly, this dll ends up babbling rather than handling the problem. Incidentally, a few weeks ago (probably 5/17, but I didn't record the first observation so can't prove it) I started having trouble if my wife did not choose "switch user" when she left the system (she has never done that, and it was not an issue). If it went into sleep while she was still logged in, then when I tried to log in it went black screen and froze. I suspect that was another manifestation of this dll crapping out. I asked her to be sure to select "switch user" and that worked - to a point. I could log in, but the cpu issue was there, which I took a while to associate with sleep. I did not add or change any hardware in this timeframe. I can't say a driver was not upgraded with automatic updates - I guess I could check dates - but HALACPI was updated 5/17.

sfc found no issues, btw.
 
I was hoping the powercfg would show a device as you suspect, but I do not see anything. The other day some had some problems with his system not shutting down correctly and it turned out to be the laptop battery.

Since the Hal.dll or halmacpi.dll or halacpi.dll are system processes, I cannot see any threads inside those, so right now I do not see a way to pin it down farther. I was wondering if the m in the halmacpi.dll was referencing memory, but I have no indication of such so far.

The logging off situation might be clues to something, but I will have to research that. I wonder if creating a new user to test would show anything? Possibly using an administrative account to access a standard account, over a period of time, might cause some confusion for the system. Some of those diagnostic utilities will divide out processes by user.

I suppose all I might suggest for now would be to load Process Monitor and see if it shows activity by and what that activity might be doing. I am checking mine now for activity by hal.dll to see what shows up.
 
As long as I don't let it sleep, there is no issue. HALMACPI is quiet, response is fine. So I really can't do any monitoring for strange activity in the "good" state and my PC is near-unusable in the "bad" state. I don't particularly like not having the "sleep" function available, but will live with that workaround. maybe someday when I'm bored I'll try unplugging various USB devices and see if the problem is present.
 
Back
Top Bottom