I've noticed that my AWS server occasionally starts using a bunch of CPU for no particular reason, looking something like this:
Observe that it does not occur at specific times, but has a very definite pattern to it. It lasts just under an hour.
Remoting to the machine during this occurrence would invariably make it stop happening. Leaving the account permanently logged on allowed me to capture a more fine-grained CPU usage trace. It looked like this:
That's right; the processes that actually consume that CPU are not in the list. Instead, they appear and disappear all the time. ProcMon was obviously the tool for the job, so I captured a trace. This is what I found:
There's also Postgres involved:
However, all the CPU usage is by Winlogon/LogonUI/etc.:
Here's a short excerpt of process start and stop events during this occurrence:
Note that postgres is not interleaved with each start/stop of smss/winlogon/etc, but only some of them.
Any ideas why this happens, and how to prevent it?
Best Answer
For the postgres part, this is because postgres creates a process - not a thread - for each session. This is quite costly on Windows (but rather efficient on Unix systems).
The Winlogon / LogonUI part is rather strange. Is the server remotely accessible? Could there be a network scanner on the network which would try to open port 3389 on the server and thus spawn an RDP session, which would explain the smss / winlogon / logonui sequence? I think of a network scanner because the session is closed immediately.
So my guess for the bounty: you have an nmap process or some "network discovery" tool which scans ports on your network, or your server is open to the internet without a firewall on port 3389 (and maybe 5432).
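One way to check the scanner explanation against a process trace like the one in the question (an added example, not part of the original question or answer): pair winlogon.exe start and exit events and count the sessions that were torn down almost immediately. The CSV column layout, the simplified time format, the 5-second threshold and all function names are assumptions made for this sketch.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: assumed ProcMon-style CSV columns, simplified time format,
# invented PIDs and timestamps.
SAMPLE = '''"Time of Day","Process Name","PID","Operation"
"10:00:01.200","winlogon.exe","4104","Process Start"
"10:00:01.400","LogonUI.exe","4108","Process Start"
"10:00:03.000","winlogon.exe","4104","Process Exit"
"10:00:05.000","postgres.exe","5200","Process Start"
"10:00:09.000","winlogon.exe","4300","Process Start"
"10:00:10.500","winlogon.exe","4300","Process Exit"
"10:05:00.000","winlogon.exe","4400","Process Start"
"10:45:00.000","winlogon.exe","4400","Process Exit"
'''

def session_lifetimes(text, image="winlogon.exe"):
    """Pair Process Start/Exit by PID; return [(pid, start_time, seconds)]."""
    started, out = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Process Name"].lower() != image.lower():
            continue  # ignore postgres, LogonUI and everything else
        t = datetime.strptime(row["Time of Day"], "%H:%M:%S.%f")
        pid = row["PID"]
        if row["Operation"] == "Process Start":
            started[pid] = t
        elif row["Operation"] == "Process Exit" and pid in started:
            t0 = started.pop(pid)
            out.append((int(pid), t0, (t - t0).total_seconds()))
    return out

def aborted_sessions(lifetimes, max_seconds=5.0):
    """Sessions closed within max_seconds (assumed cutoff): opened, never logged on."""
    return [s for s in lifetimes if s[2] <= max_seconds]

def busiest_window(sessions, window=timedelta(minutes=1)):
    """Largest number of sessions whose start times fall within one window."""
    starts = sorted(s[1] for s in sessions)
    best = lo = 0
    for hi, t in enumerate(starts):
        while t - starts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

if __name__ == "__main__":
    short = aborted_sessions(session_lifetimes(SAMPLE))
    print(len(short), "aborted sessions; peak per minute:", busiest_window(short))
```

A steady stream of sessions that live only a second or two, while interactive logons last minutes, matches the pattern of connections being opened on port 3389 and dropped before any logon.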