Tuesday, February 23, 2016

Event Log - High CPU

Good day All,

Welcome back!!!

Today we will go over how we recently troubleshot a high CPU issue.

The issue was reported on Windows Server 2012.


As soon as we saw Task Manager we could tell that WMI was the culprit, and we started to look around for how to fix WMI.

We ran a couple of commands for WMI and they all came back fine, and none of the articles on known WMI issues applied to Windows 2012.

So the first thing we did: the service host (svchost.exe) was shared by 4 services including WMI, so we separated them so that WMI could have its own service host, using the command below.

sc config winmgmt type= own

Not sure how many of you know what xperf is? If not, please google it. It's a handy little tool for troubleshooting a lot of Windows performance issues.
So I ran xperf for about 10 minutes, captured the high CPU, and when I checked the WMI process this is what I saw...




WMI was calling into the service host with PID 724; this service host was consuming a lot of CPU and in turn that was spiking WMI.

So we needed to find out which services were running in this service host, and which one was spiking it..

This is where Resource Monitor showed its magic.




So when I clicked the svchost I could clearly see that the Event Log service, which runs in the same process, was the one spiking the CPU.
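The two steps above (find out which services share the svchost that xperf pointed at, and the earlier sc config split of winmgmt into its own process) can be done from an elevated PowerShell prompt. This is an added example, not code from the original post; PID 724 is taken from the post's xperf capture and everything else is assumed. Note that inside PowerShell, sc is an alias for Set-Content, so the service controller has to be called as sc.exe.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on the affected server. 724 is the svchost PID from the post's
# xperf trace; replace it with the PID you see.
$svchostPid = 724

# Which services are hosted in that process? (same information tasklist /svc gives)
Get-CimInstance Win32_Service -Filter "ProcessId = $svchostPid" |
    Select-Object Name, DisplayName, State, PathName

# Process-level CPU time for that PID, to confirm it is the one burning CPU
Get-Process -Id $svchostPid | Select-Object Id, ProcessName, CPU, StartTime

# Move WMI (winmgmt) into its own svchost so per-process CPU is unambiguous.
# 'own' = SERVICE_WIN32_OWN_PROCESS; sc.exe needs the space after "type=".
# The change only takes effect when the service restarts.
sc.exe config winmgmt type= own
Restart-Service winmgmt -Force    # -Force also restarts services that depend on winmgmt

# Verify: winmgmt should now report a PID that no other service shares
$wmiPid = (Get-CimInstance Win32_Service -Filter "Name = 'winmgmt'").ProcessId
Get-CimInstance Win32_Service -Filter "ProcessId = $wmiPid" | Select-Object Name, ProcessId
```

Restart-Service -Force on winmgmt bounces every service that depends on it, so do the split in a maintenance window rather than on a box that is already struggling.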

Now I started to wonder: Event Log? We couldn't disable it to check, so I started to look at all the event logs. The first thing I did was save and clear all the logs, then start monitoring..

When I checked the Security log it had filled 120 MB in just 2 seconds. I was puzzled, so I cleared it one more time and checked again.. same thing. Now I understood: a lot of events were being generated, the Security log was filling up, and once full it was overwriting the oldest entries, and that whole cycle was consuming a lot of CPU.

When I started to go through the event log I saw a lot of event ID 4663 ("An attempt was made to access an object"), which basically means someone is writing to a file or folder and that access is being audited. 4663 is only logged when Audit Object Access (the File System subcategory) is enabled and the object itself carries a matching SACL, so both have to be in place for this flood to happen.
Well, now we knew what was being audited. We checked Group Policy to see if Audit Object Access was enabled, and sure enough it was...
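The measurements in the last few paragraphs (how fast the Security log is turning over, which event IDs dominate, which objects and processes produce the 4663 events, and whether the audit policy and SACL behind them are set) can be scripted so you do not have to eyeball Event Viewer. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the affected server, and the export path is a placeholder.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session (reading the Security log and SACLs needs it). Export path is assumed.

# 0. Export before clearing: clearing the Security log logs a 1102 and destroys evidence.
wevtutil epl Security "$env:TEMP\Security-before-clear.evtx"

# 1. How fast is the Security log turning over?
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
"{0:N0} records, {1:N1} MB, covering {2}" -f $log.RecordCount, ($log.FileSize / 1MB), ($newest.TimeCreated - $oldest.TimeCreated)

# 2. Which event IDs dominate the most recent 5000 records?
Get-WinEvent -LogName Security -MaxEvents 5000 |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name

# 3. For 4663, which object and which process are generating the noise?
$parsed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 2000 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            ObjectName  = ($data | Where-Object Name -eq 'ObjectName').'#text'
            ProcessName = ($data | Where-Object Name -eq 'ProcessName').'#text'
            AccessMask  = ($data | Where-Object Name -eq 'AccessMask').'#text'
        }
    }
$parsed | Group-Object ObjectName, ProcessName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 4. 4663 needs BOTH the audit policy and a SACL on the object. Check each side.
auditpol /get /subcategory:"File System"
$top = ($parsed | Group-Object ObjectName | Sort-Object Count -Descending | Select-Object -First 1).Name
if ($top -and (Test-Path -LiteralPath $top)) {
    (Get-Acl -LiteralPath $top -Audit).Audit    # the SACL entries that trigger the events
}

# 5. Which GPO is delivering the policy? Look for "Audit Object Access" in the RSoP report.
gpresult /h "$env:TEMP\rsop.html" /f
```

Step 4 is the check that explains why only one server out of an OU of a thousand might suffer: the GPO turns auditing on for every machine in the OU, but events only fire on the machine whose folder actually has a SACL on it, and the SACL can come from anything (an application installer, an inherited ACL, a hardening script) rather than from the GPO itself.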

As soon as we moved the computer object out of the OU that had this group policy, the CPU spike dropped and everything went back to normal.

We have close to 1000 servers in that OU; why this one particular server had the issue with this group policy is still to be investigated...
If anyone has thoughts, you're welcome to share...

Hope this helps someone, and until the next one, have a good day!!!!

3 comments:

  1. That's a lot of digging you had to do.. Appreciate the share.. It's really useful.. Thanks bro

  2. Or just use Resource Monitor and it will show you which service is using high cpu

    Replies
    1. Um, I think that's what he said he did...
