Troubleshoot High CPU usage by the "System" process
Introduction
High CPU usage by the "System" process can often be caused by a hardware driver issue (bug, old version, incompatibility etc.).
The System process loads (or hosts) multiple hardware drivers from different vendors that require a higher level of memory access. This is why diagnosing the specific culprit can require a bit of detective work as described below.
Diagnosing the issue
To diagnose the CPU usage issues, you should use Event Tracing for Windows (ETW) to capture CPU Sampling data / Profile.
To capture the data, install the Windows Performance Toolkit, which is part of the Windows SDK.
The Windows 10 WPT can be used on Windows 8/Server 2012, Windows 8.1/Server 2012R2 and Windows 10/Server 2016. If you still use Windows 7, use the SDK/WPT with Build 15086.
(all other entries can be unselected)
Now run WPRUI.exe, select First Level, under Resource select CPU usage and click on Start.
Now capture 1 minute of the CPU usage. After 1 minute, click on Save.
Now analyze the generated ETL file with the Windows Performance Analyzer by dragging and dropping the CPU Usage (sampled) graph to the analysis pane and ordering the columns like you see in the picture:
Inside WPA, load the debug symbols and expand Stack of the SYSTEM process. In this demo, the CPU usage comes from the nVIDIA driver.
In the following demo, the CPU usage comes from the Realtek NIC driver:
When you see calls like ntoskrnl.exe!ViKeTrimWorkerThreadRoutine, ntoskrnl.exe!MmVerifierTrimMemory, ntoskrnl.exe!VerifierKeLeaveCriticalRegion, this means you have Driver Verifier enabled. This also hurts performance a lot and causes high SYSTEM usage. Disable Driver Verifier and reboot.
In this demo, the driver iai2ce.sys (Intel Serial IO GPIO Controller driver) causes it:
In this example, the CPU usage comes from the file rtsuvc.sys, which seems to be the Realtek UVC webcam driver.
This demo shows that Bitdefender driver ignis.sys
In the following example, the CPU usage is caused by the Broadcom network driver bcmwl664.sys.
When you see ntoskrnl.exe!MiZeroWorkerPages as the cause, it is trickier. This means the function of the kernel which zeros the memory before it can be used again causes the high CPU usage:
There is no real way to detect which process causes it, but I know that Chrome can cause it if you have hardware acceleration enabled in Chrome. So if you see this and use Chrome, turn hardware acceleration in Chrome off.
When you see those ntoskrnl.exe!RtlpGenericRandomPatternWorker, ntoskrnl.exe!RtlpTestMemoryRandomUp calls, the CPU usage comes from the kernel to test memory for issues (memtest). This usage is triggered via the idle maintenance task of Windows 8.1/10. You can use Task Scheduler to disable the idle task.
In Windows 10, the task is called RunFullMemoryDiagnostics under Microsoft > Windows > MemoryDiagnostic > RunFullMemoryDiagnostic.
In this case, the CPU usage seems to come from the Data Deduplication feature (dedup.sys!DdpPostCreate) of Windows Server:
In this demo, the CPU usage is caused by the WIFI card driver athrx.sys
Search for a driver update if you see this.
In the following demo, a Citrix driver is involved:
So contact your IT for how to solve Citrix issues.
In this demo, the function usbhub.sys!UsbhPortRecycle causes the CPU usage:
Changing USB2.0 ports to 1.1 speed or connecting USB drives to other USB 2.0 ports helped for some users.
In this case, a small amount of SYSTEM usage comes from the Acronis driver tdrpm251.sys:
In this demo, the CPU usage comes from ntoskrnl.exe!KeAcquireSpinLockRaiseToDpc and ntoskrnl.exe!KeReleaseSpinLock, so a driver is using spinlocks very heavily. Disable some devices/drivers until you see one which causes it.
In this case, the CPU usage is caused by the driver L1C62x64.sys. This is the Qualcomm Atheros AR8171/8175 PCI-E gigabit Ethernet driver. So update the driver if you see it in the stack.
Here, the CPU usage comes from scanning the host file (netbt.sys!DelayedScanLmHostFile). Make sure your hosts file is not too large to avoid this usage.
In this case, the CPU usage comes from SRTSP64.SYS from Symantec. Update the Symantec product you use to the latest version.
Here, the CPU usage comes from the AMD GPU driver (atikmdag.sys). If you see this, go to the AMD site and get the latest driver for your AMD card.
Here, the drivers TMXPFlt.sys and VsapiNt.sys cause the high CPU usage.
From what I see, those files are part of Trend Micro AV suite. Update the tool or remove it.
In this example, the CPU usage comes from the function ntoskrnl.exe!MmGetPageFileInformation
This function gets information about the pagefile.
Routine Description: This routine returns information about the currently active paging files.
Disable the pagefile, reboot and enable it again and see if this fixes it. Also, removing Intel services (e.g. Intel Content Protection HECI Service) seems to have fixed it for a user.
Here, you can see that the driver Netwtw04.sys (Intel Wifi driver) calls the function flushCompleteAllPendingFlushRequests and this causes a high CPU usage.
Because the debug symbols get loaded, the Windows inbox driver is used. Only here we can get debug symbols to see the callstack with the function name flushCompleteAllPendingFlushRequests.
Here, you should install the latest driver from Intel to fix it.
The most complicated case of SYSTEM usage is ACPI.sys usage in the callstack:
Line #, DPC/ISR, Module, Stack, Count, Process, Weight (in view) (ms), TimeStamp (s), % Weight
6, , , | |- ACPI.sys!ACPIWorkerThread, 40246, , 39.992,941063, , 4,13
7, , , | | ACPI.sys!RestartCtxtPassive, 40246, , 39.992,941063, , 4,13
8, , , | | ACPI.sys!InsertReadyQueue, 40246, , 39.992,941063, , 4,13
9, , , | | ACPI.sys!RunContext, 40246, , 39.992,941063, , 4,13
10, , , | | ntoskrnl.exe!KeReleaseSpinLock, 40246, , 39.992,941063, , 4,13
11, , , | | ntoskrnl.exe!KiDpcInterrupt, 40246, , 39.992,941063, , 4,13
12, , , | | ntoskrnl.exe!KiDispatchInterruptContinue, 40246, , 39.992,941063, , 4,13
13, , , | | ntoskrnl.exe!KxRetireDpcList, 40246, , 39.992,941063, , 4,13
14, , , | | ntoskrnl.exe!KiRetireDpcList, 40246, , 39.992,941063, , 4,13
15, , , | | |- ntoskrnl.exe!KiExecuteAllDpcs, 40198, , 39.945,173325, , 4,13
16, , , | | | |- ACPI.sys!ACPIInterruptDispatchEventDpc, 27565, , 27.408,930428, , 2,83
17, , , | | | | |- ACPI.sys!ACPIGpeEnableDisableEvents, 24525, , 24.384,921620, , 2,52
18, , , | | | | | ACPI.sys!ACPIWriteGpeEnableRegister, 24525, , 24.384,921620, , 2,52
19, , , | | | | | |- hal.dll!HalpAcpiPmRegisterWrite, 24421, , 24.281,015516, , 2,51
20, , , | | | | | | |- hal.dll!HalpAcpiPmRegisterWritePort, 24166, , 24.027,316013, , 2,48
This is extremely difficult to debug. In a Sysinternals topic, I listed some advice:
- make sure the CPU doesn't overheat because of dust in the CPU fan
- update or re-flash the (same) BIOS/UEFI
- load default BIOS/UEFI settings
- make sure the battery is not damaged, remove the battery from the notebook or disable the battery in device manager.
- change the jumper on the HDD caddy if you have replaced the DVD/Blu-ray drive with a caddy to install an SSD next to your old HDD
- disable some devices as advised by this user
- if you use an Intel chipset, try to install Intel Rapid Storage Technology (RST) to replace the standard AHCI driver from Windows. This also seems to have helped.
- the user Shayna figured out that using Process Hacker (started as admin) to suspend the threads of the ACPI.sys issues "fixes" the issue for him. So try his workaround if all other steps don't fix it for you.
In the following demo, the Intel HD driver igdkmd64.sys in version .4574 for the Intel HD 630 causes the issue:
The solution is to update to a driver version of at least .4590.
In the following case, the CPU usage of the SYSTEM process is caused by the driver stdriverx64.sys
This seems to be an audio streaming driver. So update this software/driver if you see this in WPA.
If you see a driver called risdxc64.sys in the callstack of SYSTEM that causes the high CPU usage, update the Ricoh PCIe SDXC/MMC Host Controller driver or disable the SD card reader in device manager if no driver update fixes it.
This SD card reader seems to be built-in to many Lenovo devices.
The user @stevemidgley showed a new issue of higher CPU usage with Wdf01000.sys!FxSystemWorkItem::_WorkItemThunk
Here you can see a driver UDE.sys causing it.
In symbol hub I can see it belongs to a modem driver, and the PnP data of the trace shows Fibocom L850-GL (LTE modem) as a possible device:
And the solution is to disable the modem and USB composite device in device manager.
The user @fajar provided the following case:
Here the CPU usage is small, but if you change the view to DPC/ISR usage you can see that the avgNetHub.sys driver causes a lot of DPC usage.
The name indicates that this driver is part of AVG antivirus software. So update the software or remove it if you see this in your trace.
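To go with the stack export shown in the ACPI.sys case, here is an added example (not part of the original answer) that parses such an export and lists which modules on the stack are Windows inbox code and which are third-party drivers. It assumes the comma-space field separator and the decimal-comma number format seen in that export; the `INBOX` set is an assumption built from modules named on this page.

```python
import re

# Rows 15-20 of the export shown in the ACPI.sys case (decimal-comma locale).
SAMPLE = """\
Line #, DPC/ISR, Module, Stack, Count, Process, Weight (in view) (ms), TimeStamp (s), % Weight
15, , , | | |- ntoskrnl.exe!KiExecuteAllDpcs, 40198, , 39.945,173325, , 4,13
16, , , | | | |- ACPI.sys!ACPIInterruptDispatchEventDpc, 27565, , 27.408,930428, , 2,83
17, , , | | | | |- ACPI.sys!ACPIGpeEnableDisableEvents, 24525, , 24.384,921620, , 2,52
18, , , | | | | | ACPI.sys!ACPIWriteGpeEnableRegister, 24525, , 24.384,921620, , 2,52
19, , , | | | | | |- hal.dll!HalpAcpiPmRegisterWrite, 24421, , 24.281,015516, , 2,51
20, , , | | | | | | |- hal.dll!HalpAcpiPmRegisterWritePort, 24166, , 24.027,316013, , 2,48
"""
# Assumption: modules treated as Windows inbox code (each is named on this page).
INBOX = {"ntoskrnl.exe", "hal.dll", "acpi.sys", "wdf01000.sys"}

def decimal_comma(text):
    """'39.992,941063' -> 39992.941063 ('.' groups thousands, ',' is decimal)."""
    return float(text.replace(".", "").replace(",", "."))

def parse_export(text):
    """Split fields on ', ' so the decimal commas stay inside their field."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(", ")
    frames = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(", ")))
        m = re.match(r"^[|\- ]*(\S+?)!(.+)$", row.get("Stack", ""))
        if not m:
            continue  # rows without module!function (e.g. a root row)
        frames.append({"module": m.group(1), "function": m.group(2),
                       "samples": int(row["Count"]),
                       "weight_ms": decimal_comma(row["Weight (in view) (ms)"])})
    return frames

def module_summary(frames):
    """Largest inclusive weight per module, heaviest first, with an inbox flag."""
    best = {}
    for f in frames:
        best[f["module"]] = max(best.get(f["module"], 0.0), f["weight_ms"])
    return [(m, w, m.lower() in INBOX)
            for m, w in sorted(best.items(), key=lambda kv: -kv[1])]

def third_party_modules(frames):
    """Modules outside INBOX: the candidates for a driver update or removal."""
    return [m for m, _, inbox in module_summary(frames) if not inbox]

if __name__ == "__main__":
    for module, weight, inbox in module_summary(parse_export(SAMPLE)):
        print(f"{module:14} {weight:12.3f} ms  {'inbox' if inbox else 'third-party'}")
```

For these rows the third-party list is empty, which matches the ACPI.sys case where no vendor driver shows up in the stack.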
This can be caused by a faulty driver or other module loaded by the system. To look inside the System process, you can use a tool like Process Explorer.
Download and run it, then select the System process, right-click and select Properties:
Switch to the Threads tab (ignore the dialog box that mentions symbols):
This will show which file is using the excessive CPU usage, from which you can then attempt to diagnose it.
As others have said in the comments however, you really do need to move away from the Preview versions as soon as possible!
A note on loading debugging symbols to add to magicandre1981's excellent answer: if loading the symbols in Windows Performance Analyzer works correctly, after ticking Trace > Load Symbols you should see a progress bar on the top with Loading symbols which shows file names beside it and takes several minutes to complete. Also you should see many lines like the below in the Diagnostic Console:
SYMSRV: File: Accessibility.ni.pdb
SYMSRV: Notifies the client application that a proxy has been detected.
SYMSRV: Connecting to the Server: http://msdl.microsoft.com/download/symbols.
SYMSRV: Successfully connected to the Server.
SYMSRV: Sending the information request to the server.
SYMSRV: Successfully sent the information request to the server.
SYMSRV: Waiting for the server to respond to a request.
SYMSRV: Successfully received a response from the server.
SYMSRV: Closing the connection to the Server.
SYMSRV: Successfully closed the connection to the Server.
SYMSRV: Get File Path: /download/symbols/Accessibility.ni.pdb/7B46178957827CDAB7EE4C86EDEE1DAE1/Accessibility.ni.pdb
If you don't see either of these, loading debug symbols likely hasn't worked and you won't be able to properly interpret your trace.
In my case initially loading debug symbols didn't work. I fixed it by following these instructions:
Figure out if you are using the x86 or x64 version of the Windows Performance Toolkit.
This is easy on x86 builds of Windows. On x64 builds, you can check the Task Manager for the *32 tag. If it’s not there, then you’re running the x64 version.
Note that WPT always installs to Program Files (x86) regardless of architecture.
Copy the dbghelp.dll and symsrv.dll files from the correct debugger directory to the Windows Performance Toolkit directory. On my system, the relevant directories are:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64
and C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit
Restart Windows Performance Analyzer so that the correct version of dbghelp.dll is picked up.
My problem was that the CPU usage was ridiculously high when downloading anything (up to 4 GHz). I have a Predator Helios 300 with a Killer WiFi card, so the Killer driver was pre-installed. I used Process Explorer to go into System's properties → Threads tab and found out that "kfeco10x64.sys" was causing the high CPU usage. Since "kfeco10x64.sys" was part of the Killer network service, I disabled it by running msconfig and unchecking every service from "Rivet Networks".
After a restart, the problem went away for me. Most importantly, there doesn't seem to be any speed reduction when downloading. I hope this helps anybody who faces the same problem.