Thursday, January 30, 2014

Narrowing down high CPU usage in svchost.exe

I recently had a machine with high CPU usage in a shared service (svchost.exe). Xperf pointed at hardware interrupts being processed by ACPI.SYS, but I still wasn't sure which service was causing the ACPI.SYS calls because the DLL is loaded into svchost.exe, which hosts more than 10 services. This is the technique I used to temporarily split those services into their own service processes.

The following steps need to be run from within a PowerShell console with administrative privileges.
  1. Save a list of all running shared services:

    Get-Service | ? ServiceType -eq Win32ShareProcess | ? Status -eq Running | select -expand Name > SharedServices.txt

  2. Configure those shared services to launch into their own processes:

    # sc.exe expects a space between "type=" and its value
    cat SharedServices.txt | % { sc.exe config $_ type= own }

  3. Reboot to restart all services.

  4. Have a look at the services to see which is using the CPU (in my case, it was the Windows Management Instrumentation service).

  5. Restore the original state:

    # Same sc.exe syntax: keep the space after "type="
    cat SharedServices.txt | % { sc.exe config $_ type= share }
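
One way to do the check in step 4 from the same elevated console, as an added example that is not part of the original post: it maps each service-hosting process ID to its service name(s) and ranks them by CPU time consumed over a sampling window. The 10-second window and the function name `Get-CpuSnapshot` are assumptions made for this sketch.

```powershell
# Added example (not from the original post). Run elevated, after the reboot in step 3.
$sampleSeconds = 10   # assumed sampling window; lengthen for bursty load

# Map each process ID to the running service(s) it hosts.
# After step 2, each former svchost.exe tenant should have its own PID.
$servicesByPid = @{}
Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $id = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
        $servicesByPid[$id] += $_.Name
    }

# Record cumulative CPU time for every service-hosting process.
# Processes whose counters cannot be read (protected processes) are skipped.
function Get-CpuSnapshot {
    $snap = @{}
    Get-Process -Id @($servicesByPid.Keys) -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cpu = $_.TotalProcessorTime
            if ($null -ne $cpu) { $snap[$_.Id] = $cpu }
        }
    $snap
}

$before = Get-CpuSnapshot
Start-Sleep -Seconds $sampleSeconds
$after = Get-CpuSnapshot

# CPU seconds used during the window, highest first.
$after.Keys |
    Where-Object { $before.ContainsKey($_) } |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId  = $_
            CpuSeconds = [math]::Round(($after[$_] - $before[$_]).TotalSeconds, 2)
            Services   = $servicesByPid[$_] -join ', '
        }
    } |
    Sort-Object CpuSeconds -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

A row that still lists several services means those services are still sharing a process, so their CPU time cannot be separated by this method.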