High CPU utilization by the System process (Ntoskrnl.exe) in Windows
A user began to complain about constant hangs and slowness on a computer with a freshly installed Windows 10. Task Manager shows that more than 50% of the processor resources are used by the System process (ntoskrnl.exe). In this article I will try to describe the main methods of diagnosing high CPU utilization by various processes and of identifying the problematic Windows component.
It is not normal for the System process to consume more than half of the system's processor resources. Ntoskrnl.exe is the executable file of the OS kernel, and System is the basic process of the system. System device drivers run as part of the OS kernel, and they are the most likely source of the problem (not all drivers are properly tested by hardware developers).
As a rule, a leak in the driver code and the resulting high load on the processor, memory or disk appears after installing new hardware, after installing a new version of a driver (including automatic driver updates, which can be disabled) or after upgrading Windows.
Tip: In some cases, high processor and memory load can be caused by the System and compressed memory process.
To understand which specific driver or module causes high CPU utilization, you can use the free Process Explorer utility. Download and run it with administrator rights.
In the list of running processes, locate the System process, right-click on it and open its Properties.
Click the Threads tab. Sort the list of modules loaded by the kernel by processor utilization (CPU column). The Start Address column contains the name of the function or driver causing the high load.
To identify the driver that causes high CPU utilization, you can also use the free Microsoft utility kernrate.exe (Kernrate Viewer). The utility is included in the WDK (Windows Driver Kit). After installing the WDK, you can find the utility in the directory …\Tools\Other\amd64.
Run kernrate.exe with no arguments and wait while data is being collected (10-15 minutes), then stop the utility with the Ctrl-C shortcut. Look at the list of modules in the Result for Kernel Mode section.
As you can see, in our example the high load on the CPU is caused by the b57nd60x module. Using Google or the sigcheck utility, you can determine that the problem is caused by the Broadcom NetXtreme Gigabit Ethernet NDIS6.0 Driver network card driver.
In addition, you can analyze CPU utilization during system boot using the Windows Performance Toolkit (WPT). Install the component and start data collection using the Windows Performance Recorder graphical console (First level triage + CPU usage -> Start), or from the command line:
xperf -on latency -stackwalk profile -buffersize 1024 -MaxFile 256 -FileMode Circular && timeout -1 && xperf -d cpuusage.etl
Tip: This method is convenient if the system freezes completely after booting and it is simply impossible to work in it. You will most likely also find the article on diagnosing slow Windows boot useful.
Save the resulting file and open it in WPA. Expand the System process stack. In this example, you can see that the athrx.sys driver (Atheros Wireless Network Adapter Wi-Fi adapter) causes a high processor load.
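Once Process Explorer, kernrate or WPA has given you a module name, you can resolve it to the driver file and read its vendor, version and signature state with built-in PowerShell cmdlets instead of sigcheck. The following is an added example, not part of the original article; the function name Get-DriverModuleInfo is hypothetical, and the two module names are the ones from the examples above.

```powershell
# Added example: resolve kernel module names to driver files and report
# description, vendor, version and Authenticode signature status.
function Get-DriverModuleInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ModuleName
    )
    begin {
        # Index every registered kernel / file-system driver by its file name.
        # PowerShell hashtables are case-insensitive, which suits Windows paths.
        $byFile = @{}
        foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
            if (-not $d.PathName) { continue }
            # PathName may carry an NT prefix; normalize it to a Win32 path.
            $p = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $key = [IO.Path]::GetFileName($p)
            $byFile[$key] = [pscustomobject]@{ Service = $d; Path = $p }
        }
    }
    process {
        foreach ($name in $ModuleName) {
            $file = if ($name -match '\.sys$') { $name } else { "$name.sys" }
            $hit  = $byFile[$file]
            # Assumption: unregistered modules live in the default drivers folder.
            $path = if ($hit) { $hit.Path } else { Join-Path $env:SystemRoot "System32\drivers\$file" }
            if (-not (Test-Path -LiteralPath $path)) {
                Write-Warning "No driver file found for module '$name'"
                continue
            }
            $ver = (Get-Item -LiteralPath $path).VersionInfo
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Module      = $name
                Service     = $hit.Service.Name
                State       = $hit.Service.State
                Path        = $path
                Description = $ver.FileDescription
                Company     = $ver.CompanyName
                FileVersion = $ver.FileVersion
                Signature   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Module names taken from the article's two examples.
'b57nd60x', 'athrx.sys' | Get-DriverModuleInfo | Format-List
```

A Signature value other than Valid, or a Company that does not match the hardware vendor, is worth checking before you decide which driver version to install.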
So, the problem driver is detected. What to do next?
To solve the problem, try installing a newer (or older) version of the driver, or disconnect the hardware completely if the problem occurs with all versions of the driver. The updated driver can additionally be stress tested with Driver Verifier.