Friday, November 21, 2014

Domain Controller High CPU - Service Host

In an earlier post I talked about how XenApp 6.5 sessions would start and then disappear.  In the end I had determined this was due to our Domain Controllers having their CPU's pegged out, at least partially due to insufficient RAM.


http://didyourestart.blogspot.com/2014/09/xenapp-65-session-starts-then-disappears.html


Doing this absolutely solved the XenApp issue, but the DC's continued to have high CPU usage.  Basically the pattern was that CPU would sit at 50% for 10 - 15 seconds, then drop to 2%, then back to 50% and the pattern continued. 


Under processes you could see that the issue was with the Service Host: Local Service which wraps TCP/IP NetBIOS Helper, Windows Event Log, and DHCP Client.  Jump over to the Performance tab and click Open Resource Monitor and click the CPU tab. 


Here we see three processes using high CPU in my case:
  • svchost.exe
  • WmiPrvSE.exe
  • perfmon.exe
Under Services the primary eye catcher listed:
  • EventLog
So really two things caught my eye here.  The WMIPrvSE.exe (perhaps some WMI monitor?) and EventLog.  My first suspicion was WMI so I turned off several monitoring applications we have with no effect. 


Next I looked at Eventlog clue.  This lead me to two posts online which nailed it.


Jump into the Eventvwr and look at security log and sure enough it's full.  Clear events and instantly the issue resolves...  Jump over to the other DC with same issue and clear security log with same result. 


Appears that this occurs when the log is full and set to overwrite.  I'm still researching if this is caused by some service doing excessive logging which I highly suspect.

No comments:

Post a Comment