Troubleshoot and resolve high CPU utilization on a Windows instance - Simple Application Server

This topic describes how to troubleshoot and resolve high CPU utilization on a Windows instance.

Problem description

The CPU utilization of a Windows instance is considered high when it is 80% or higher.

Possible causes

High CPU utilization may be caused by the following:

The instance is infected by a virus or a trojan.
Third-party antivirus software is running on the instance.
An application or driver on the instance is abnormal, or an application has high I/O usage or a high interrupt rate.

Solutions

Step 1: Locate the problem

On a Windows instance, you can use tools such as Task Manager and Resource Monitor to locate the cause of high CPU utilization. This topic uses Resource Monitor on a Windows Server 2022 operating system as an example.

This topic explains how to use Resource Monitor on a Windows Server 2022 system to identify the cause of high CPU utilization.

Use a VNC connection to connect to the Simple Application Server. For more information, see Connect to a server for rescue (console).
At the bottom of the desktop, click the Search button, enter Resource Monitor, and then click OK.
In the Resource Monitor window, check for processes that cause high CPU utilization.
Record the process IDs (PIDs) and names of the processes.
Open the Task Manager window, click the Details tab, and then find the processes based on the recorded names and PIDs. Right-click each process name, select Open file location, and then check whether the process is a malicious program.

Step 2: Analyze and resolve the issue

Determine whether the process that causes high CPU utilization is a normal process or an abnormal process, and then follow the corresponding steps to resolve the issue.

Possible cause

Operation

Normal process

In general, frequent business access or Windows services such as the update service may consume high network traffic and CPU resources.

Note

For Windows Server 2008 or Windows Server 2012 instances, configure at least 2 GiB of memory.
When you use an instance with 1 vCPU and 1 GiB of memory that runs Windows Server 2012, the Windows Update service automatically runs updates, which causes a sudden increase in CPU utilization. This is normal.

Check whether Windows Update is running in the background.
Install antivirus software on the server to scan for viruses. If antivirus software is already installed, check whether it is running a scan in the background when CPU utilization is high. If possible, upgrade the antivirus software to the latest version or remove it.
Check whether applications on the server have many disk access or network access behaviors, or high computing requirements. Try to upgrade the instance type to one with more cores or memory to resolve the resource bottleneck. For more information, see Upgrade configurations.
If your server already has a high configuration, upgrading it further may not be effective. A higher server configuration is not always better for the architecture. In this case, try to separate applications by hosting different applications on different servers and optimize the related programs.
For example, use ApsaraDB RDS to host your database. This reduces the resource consumption of the server and the number of internal calls. For program optimization, you can make adjustments based on your configuration. Specific operations include adjusting the number of connections, cache configurations, and various parameters for web and database calls.

Abnormal process

Abnormally high CPU utilization may be caused by malicious viruses or trojans. Sometimes, third-party malicious programs may disguise themselves as svchost.exe or Tcpsvcs.exe, which are operating system processes, and cause high CPU usage. You must manually find and kill the abnormal processes.

Note

If you cannot determine whether a process is a virus or a trojan, search for the process name on the internet to confirm. Before you delete the process, create a snapshot to back up your data. For more information, see Create a snapshot.

Run Windows Update to install the latest Microsoft security patches.
Use MSConfig to disable all non-Microsoft services and drivers, and then check whether the issue persists. For more information, see How to perform a clean boot in Windows.
If your server or site is under a DDoS attack or an HTTP flood attack, many access requests are generated in a short period. You can log on to the Security Center console to check whether the threshold for DDoS protection is properly configured and whether HTTP flood protection is enabled. If the attack does not trigger the threshold and Security Center does not perform traffic scrubbing, contact after-sales support to enable traffic scrubbing.

Common tools

The following section describes the tools used to locate the cause of high CPU utilization in Windows.

Task Manager

Task Manager displays a list of running applications, which helps you identify applications with high CPU usage. The following figure shows the Task Manager page.

When you check the CPU utilization on the Performance tab, right-click the CPU utilization graph and select Change graph to > Logical processors.

The following figure shows the utilization of two logical CPUs.

If the CPU utilization of a single process spikes to nearly 100% while the CPU utilization of other processes does not change much, the cause may be network I/O processing.

Resource Monitor

Resource Monitor provides a graphical view of CPU utilization. You can also search for corresponding processes by handle and module.

Process Explorer

Process Explorer is a Microsoft Sysinternals tool. By configuring the correct symbols, you can check the call stacks of an application's threads to locate potentially problematic drivers. To download the Process Explorer tool, see Process Explorer.

The following figure shows the Process Explorer tool page.

Performance Monitor

Performance Monitor is a Microsoft tool for collecting performance counters from various components. To analyze system CPU resource consumption, you can check several counters.

The following three core parameters are related to performance:

\Processor(_Total)\% Processor Time: The percentage of time that the processor executes a non-idle thread. \Processor(_Total)\% Processor Time = \Processor(*)\% User Time + \Processor(*)\% Privileged Time.
\Processor(*)\% User Time: Indicates the time consumed by the processor to execute program code. This counter helps you determine which application or function call consumes more time.
\Processor(*)\% Privileged Time: The time that an application spends executing system calls in the kernel, such as calls for drivers, I/O request packets (IRPs), and context switches. If the operating system spends more than 30% of its time in Privileged Time, the instance is performing operations related to high I/O throughput.
When % Privileged Time is high, you need to further check % DPC Time, % Interrupt Time, and Context Switches/sec.
- High % DPC Time and % Interrupt Time values indicate that an unknown device is performing many operations or has poor performance.
- A high Context Switch value indicates that the kernel is frequently switching between processes or threads. For more information, see The Case of the 2 Million Context Switches and Mark Russinovich's The Case of the System Process CPU Spikes.
  A high Context Switches/sec value indicates that many threads are in the Ready state. You need to reduce the number of threads to resolve the issue.