How can I troubleshoot high Kernel time?
Solution 1:
The definitive tool for finding out exactly what is using kernel time is kernrate.exe. It comes with the Windows SDK/WDK, Visual Studio, etc.
Also Xperf can do the same kernel polling/tracing as well... and is probably a lot easier to use. Kernrate was kind of a beast.
Solution 2:
This is probably easier than you think. If you have consistent, high system usage, Process Explorer provides a Threads tab that you can use for the System process (process id: 4). The offending module and function should be displayed.
If you need a formal tool for collecting the empirical data to analyze the issue, you may use the Windows Performance Recorder/Windows Performance Analyzer, part of the Windows Performance Toolkit.
https://blogs.technet.com/b/yongrhee/archive/2012/11/23/installing-the-windows-performance-toolkit-v5-0-wprui-wpr-xperf.aspx
https://blogs.technet.com/b/yongrhee/archive/2012/11/23/wpr-xperf-capture-high-cpu-disk-i-o-file-registry-networking-private-bytes-virtual-bytes-paged-pool-nonpaged-pool-and-or-application-slowness.aspx
Solution 3:
I had the issue myself with high kernel times consuming 50% of CPU, while other processes accounted for the remaining 40%. The issue was caused by not properly disabling and uninstalling Trend AV.
Even though the services were stopped, and the realtime scan disabled, kernel mini filters appeared to be enabled. I deduced that they were consuming kernel time after I uninstalled the software properly and observed that the kernel time reduced to 1/10th of the previous load.
To view the list of filters on your system, type
    C:\Users\TEMP>fltmc filters

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    TmPreFilter                             3         328500       0
    luafv                                   1         135000       0
Microsoft has a list of 3rd party filters available here. According to that spreadsheet, TmPreFilter is Trend Micro, an AV Scanner.
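The check described in Solution 3 can be scripted. The following is an added example, not part of the original answer: it parses `fltmc filters` output and labels each filter with its load order group by altitude, so an anti-virus minifilter that is still loaded after an uninstall stands out. The function names are hypothetical, the group table is a subset of Microsoft's documented minifilter altitude ranges with bounds rounded to each block, and the sample input is the output shown above.

```powershell
# Subset of Microsoft's minifilter load order groups (bounds rounded to the block).
$Groups = @(
    @{ Name = 'FSFilter Activity Monitor'; Low = 360000; High = 389999 },
    @{ Name = 'FSFilter Anti-Virus';       Low = 320000; High = 329999 },
    @{ Name = 'FSFilter Encryption';       Low = 140000; High = 149999 },
    @{ Name = 'FSFilter Virtualization';   Low = 130000; High = 139999 }
)

function Get-LoadOrderGroup([decimal]$Altitude) {
    foreach ($g in $Groups) {
        if ($Altitude -ge $g.Low -and $Altitude -le $g.High) { return $g.Name }
    }
    return 'Other/Unknown'
}

function ConvertFrom-FltmcFilters([string[]]$Lines) {
    foreach ($line in $Lines) {
        # Data rows are: name, instance count, altitude, frame.
        # The header, the separator and rows without a numeric altitude are skipped.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            $name      = $Matches[1]
            $instances = [int]$Matches[2]
            $altitude  = [decimal]$Matches[3]   # altitudes may be fractional
            [pscustomobject]@{
                Filter    = $name
                Instances = $instances
                Altitude  = $altitude
                Group     = Get-LoadOrderGroup $altitude
            }
        }
    }
}

# Sample input: the fltmc output from the answer above.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
TmPreFilter                             3         328500       0
luafv                                   1         135000       0
'@

$filters = ConvertFrom-FltmcFilters ($sample -split '\r?\n')
$filters | Format-Table -AutoSize

# Filters in the anti-virus altitude range that still have attached instances.
$filters | Where-Object { $_.Group -eq 'FSFilter Anti-Virus' -and $_.Instances -gt 0 }
```

On a live system, run it from an elevated prompt and replace the sample with `ConvertFrom-FltmcFilters (fltmc filters)`.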