
WinXPSP2 High CPU Usage from services.exe


DigitalNomad


Hi All,

Hoping someone can shed some light on this as I've been battling with it for a week now and run out of things to try from the usual avenues of google etc.

I have a machine that after logging onto a domain, services.exe consumes 99% of the CPU. Now this only happens when network is connected. If I remove the network cable it doesn't occur.

UPDATE: I've just noticed that even if left at the login screen without logging in, it happens. It seems if the network cable is plugged in it will happen, logged on to the domain or not.

I can't see anything suspicious in the HijackThis log and I've run various virus scanners and spyware scanners with no results, so I'm not thinking it is a virus but maybe a conflict somewhere. Now it's a co-worker's machine so I don't know if they installed something and it happened or it just started happening. They seem to think it just started happening.

After fiddling with various things I thought I had it licked, however after leaving the machine sitting idle for 15 minutes I went back to it and it's back again.

In process explorer when I bring up the properties for services.exe and view the threads, one with the start address of "kernal32.dllCreatethread+0x22" is the thread hogging all the CPU. Now if I click on the suspend button the cpu usage returns to normal but hogs the CPU again if I resume it. Obviously if I kill the thread the problem goes away.

Here is the thread stack:

ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d

ntkrnlpa.exe!PsLookupThreadByThreadId+0x4abc

ntkrnlpa.exe!KiDeliverApc+0xb3

ntkrnlpa.exe!ZwYieldExecution+0x196c

ntkrnlpa.exe!ZwYieldExecution+0x1900

hal.dll!HalClearSoftwareInterrupt+0x34a

hal.dll!HalRequestSoftwareInterrupt+0x30

ntkrnlpa.exe!NtDuplicateObject+0x101d

ntkrnlpa.exe!ObOpenObjectByName+0xeb

ntkrnlpa.exe!LsaDeregisterLogonProcess+0xc811

ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14

ntdll.dll!KiFastSystemCallRet

ADVAPI32.dll!RegDeleteKeyW+0x64

umpnpmgr.dll+0x19b58

umpnpmgr.dll+0x19b41

umpnpmgr.dll+0x19e93

umpnpmgr.dll!ServiceEntry+0x5908

umpnpmgr.dll!ServiceEntry+0x640f

RPCRT4.dll!CheckVerificationTrailer+0x70

RPCRT4.dll!NdrStubCall2+0x215

RPCRT4.dll!NdrServerCall2+0x19

RPCRT4.dll!NdrGetTypeFlags+0x1c9

RPCRT4.dll!NdrGetTypeFlags+0x12e

RPCRT4.dll!NdrGetTypeFlags+0x5a

RPCRT4.dll!NdrConformantArrayFree+0x42e

RPCRT4.dll!NdrConformantArrayFree+0x28b

RPCRT4.dll!I_RpcBCacheFree+0x14c

RPCRT4.dll!I_RpcBCacheFree+0x5e3

RPCRT4.dll!I_RpcBCacheFree+0x405

RPCRT4.dll!I_RpcBCacheFree+0x5cb

kernel32.dll!GetModuleFileNameA+0x1ba

If anyone can provide any info, it would be greatly appreciated.

Cheers

DN



I've tracked it to a file, ccmsetup.exe, which I believe is Client Configuration Manager. Every time this file is it causes the CPU usage issue. Have tried uninstalling to no avail. As a test I deleted this file, which worked for a while, then somehow it was back. You'll notice in the log that msiexec.exe is called, which I think is re-installing ccmsetup.exe.

Don't know if that helps.

I have the pml file but it's 253MB. Any idea how I shrink it?

Thanks for your time


Thanks for the replies guys. :)

Magic:

I did try that, but the file was still way too large. I'm surprised that it is so big for about a minute's worth of gathering data. I can save it as a CSV, though I don't know what the readability of it will be?

Submix8c:

Thanks for the link. I had already looked at that. Like I mentioned, I've been scouring the net for answers for the past week or so. All our machines run the configuration manager but none of the others behave like this, nor do they have ccmsetup.exe actually running continually like this machine.


It seems services.exe is failing to delete or read the following registry key, over, and over, and over,.... you get the picture:

Date & Time: 11/19/2009 12:14:57 PM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000\LogConf
TID: 348
Duration: 0.0000229
Desired Access: Delete

Date & Time: 11/19/2009 12:14:57 PM
Event Class: Registry
Operation: RegDeleteKey
Result: CANNOT DELETE
Path: HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000
TID: 348
Duration: 0.0000056

Seems like you might want to look at the permissions of the registry keys under \*SMS_MOUSE\ on that machine, as there are literally thousands of these events and this is the only place where the process gets "stuck". Given that the stack is similar to the one you posted above, this is the likely culprit.

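The pattern described in the post above, one failing registry operation repeated thousands of times, can be pulled out of a large Process Monitor capture by counting failed registry operations per key. This is an added example, not code from the thread; it assumes the capture was saved as CSV with Procmon's default columns, and the sample rows, the PID and the list of ignored result codes are constructed for illustration.

```python
import csv
from collections import Counter

# Result codes treated as routine noise (an assumption of this example).
BENIGN = {"SUCCESS", "NAME NOT FOUND", "NO MORE ENTRIES", "BUFFER OVERFLOW", "REPARSE"}

def failure_hotspots(lines, process=None, min_count=3):
    """Count repeated failing registry operations in a Procmon CSV export.

    `lines` is any iterable of CSV text lines (an open file works, so a
    multi-hundred-MB export is streamed rather than loaded into memory).
    Returns [(count, process, operation, result, path)], most repeated first.
    """
    counts = Counter()
    for row in csv.DictReader(lines):
        if process and row["Process Name"].lower() != process.lower():
            continue
        if not row["Operation"].startswith("Reg"):
            continue  # registry events only
        result = row["Result"].strip().upper()
        if result in BENIGN:
            continue
        counts[(row["Process Name"], row["Operation"], result, row["Path"])] += 1
    return [(n, *key) for key, n in counts.most_common() if n >= min_count]

# Constructed sample modelled on the two events quoted in the thread.
KEY = r"HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000"
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"'

def sample_lines():
    rows = [HEADER]
    for _ in range(4):  # the real trace had thousands of these pairs
        rows.append(f'"12:14:57 PM","services.exe","680","RegOpenKey",'
                    f'"{KEY}\\LogConf","ACCESS DENIED","Desired Access: Delete"')
        rows.append(f'"12:14:57 PM","services.exe","680","RegDeleteKey",'
                    f'"{KEY}","CANNOT DELETE",""')
    rows.append(f'"12:14:57 PM","services.exe","680","RegQueryValue",'
                f'"{KEY}\\Service","SUCCESS",""')
    rows.append('"12:14:58 PM","explorer.exe","1500","RegOpenKey",'
                '"HKCU\\Software\\Example","NAME NOT FOUND",""')
    return rows

if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig")
    for n, proc, op, result, path in failure_hotspots(sample_lines(), "services.exe"):
        print(f"{n:6d}  {proc}  {op:<14} {result:<14} {path}")
```

A key that shows up here with a count in the thousands is the place to check ACLs and ownership, as suggested in the post.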

Thanks for that, cuberit. Really appreciate you taking the time to help out. I'll look into that. I believe that SMS mouse has something to do with the remote mouse function but I'll dig a little further and see what I can find.

Thanks to others that have also taken the time to post. :thumbup
