I have a Windows Server 2012 file server that is hosting .vhdx hard drives for user profiles for Windows Server 2012 RDS. Every few seconds the CPU spikes to 100% on System. Running Process Explorer I see this is being caused by ntoskrnl.exe, specifically the DeleteDriver portion on the threads. Any way to dive deeper into this to find out what is causing it? I would like to find the bad process or driver and remove it from the server.
System and ntoskrnl.exe taking up all CPU
cpu-usageprocess-explorerwindows-server-2012
Best Answer
I'm not quite sure what you mean by "the DeleteDriver portion on the threads," but anyway, you might want to look at Windows Performance Analyzer (WPA.) It is a supremely powerful tool and is essentially the de facto tool when it comes to diagnosing performance issues on a Windows machine.
First, you use Windows Performance Recorder to record a trace on the system. Make sure the event you want to observe (unexplained CPU spikes) takes place while the trace is running. Make sure you're capturing metrics that are relevant to your issue (e.g. CPU usage.)
Once you are done recording, stop the trace, and then open the *.etl file in Windows Performance Analyzer.
To get the most out of WPA (and any tool that you might use for debugging on Windows,) make sure that your symbols are correctly configured. Symbols are needed to translate addresses like
0x0000313ainto meaningful names like
0x00000313a ntoskrnl!methodAfor meatbags like you and me.
Next, open the 'Analysis' tab in WPA:
Here you can drill down and see a very detailed profile of what's going on, including but not limited to the names of the drivers/modules/sys files that are showing activity at a specific moment. You should be able to see at a glance when your CPU spikes happen on the timeline, and you can scope your view and zoom down into those events quite nicely.