Re: System process at 100%

Hi Mak and all,

Thanks for the response. I upgraded our company
n/w to the latest patch of Symantec Anti-virus: 10.0.1007.
No change, the problem is still there this morning.

I tried using RATTV3.exe. It runs, but the reporting tool
cwsa crashes with the error: "The procedure entry point
IsWow64Process could not be located in the dynamic
link library kernel32.dll". So I still can't see which driver
is responsible for the DPCs.

New questions
1) How can I fix the cwsa error?
2) Anyone know how to analyze the RATTV3 .etl file without cwsa?

Modified outstanding question:
4) Could this be the MS04-011 race condition given here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;841382
How can I tell if it is?

Cheers,
Geoff

"Mak" wrote:

> Hi Geoff,
>
> 1) http://www.sysinternals.com/Information/AdvancedDPCs.html
> 2) try RATT: http://www.microsoft.com/whdc/DevTools/tools/RATT.mspx
> 3) <snip> "Here's the weird part: this happens only the first time I boot
> the machine each day. On subsequent restarts, the PC behaves fine."
> and "with Symantec AV Corporate Ed. 10.0" - try booting with SAV disabled
> (Gold release of SAV 10 is pretty buggy), it's up to ver 10.0.2 now:
> http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005062413405248?OpenDocument&ExpandSection=3%2C1
> 4) have no idea, guess you could try uninstalling KB835732. To get the
> patch, call MS support.
>
> Good luck.
>
>
> "GLT101" <GLT101@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:DAB2BD64-F7E0-468C-BD25-882DAA7849FE@xxxxxxxxxxxxxxxx
> > Hi All,
> >
> > Sorry for the long post, but I have been working
> > on this problem for many days now.
> >
> > I have a Windows 2000 Prof PC (P4 2.45GHz, 512MB RAM)
> > which is part of a windows 2003 domain. The PC
> > has the following problem:
> >
> > On boot the PC is fine. I can log into the domain
> > OK. After about 5-8 minutes, the System process starts
> > to increase CPU usage reaching 100% in a few seconds.
> > The process continues like this until it has used
> > about 10 minutes of CPU time. It then decays away
> > slowly, until eventually reaching normal (0% most
> > of the time).
> >
> > Here's the weird part: this happens only the first
> > time I boot the machine each day. On subsequent
> > restarts, the PC behaves fine.
> >
> >
> > First off, I regard myself as no slouch when it comes
> > to malware. So I am pretty sure this is not
> > virus/worm/adware. I have run full scans on this PC
> > with Symantec AV Corporate Ed. 10.0, Pest Patrol 4.4,
> > and HijackThis. None of these revealed any nasties.
> > There are no connections to external systems open. I
> > have even analysed the network traffic using ethereal
> > to be sure that there is nothing on the wire that
> > shouldn't be there.
> >
> > So, now I have used the sysinternals ProcessExplorer
> > (V. nice!) as recommended here. It reveals that when
> > the system process is in this busy state, the value
> > of DPCs (deferred procedure calls) is also very high (~50).
> > Secondly, there are about 10 threads within the system
> > process that all have the same start address: 0x16b4c.
> > Using debugger symbols tells me that these are all
> > ExpWorkerThreads. The stack for each of these looks
> > like this:
> >
> > ntoskrnl.exe!KiSwapThread+0xc5
> > ntoskrnl.exe!KeRemoveQueue+0x195
> > ntoskrnl.exe!ExpWorkerThread+0x73
> > ntoskrnl.exe!PspSystemThreadStartup+0x54
> > ntoskrnl.exe!KiThreadStartup+0x16
> >
> >
> > I have four questions:
> >
> > 1) What is the meaning of the high DPCs value - is it
> > significant or just another indication that the system
> > is busy?
> >
> > 2) Is there a way to see what driver is associated with
> > these "worker threads" to give a hint as to the source
> > of the problem?
> >
> > 4) Could this be the MS04-011 race condition given here:
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;841382
> > If so, how can I obtain the fix?
> >
> > 3) Anyone any other suggestions as to what else to try?
> >
> > Thanks for listening.
> > Geoff
>
>
>