Data to gather for Support for High CPU usage due to ccSvcHst.exe

Article ID: 169923

Updated On:

Products

Endpoint Protection

Issue/Introduction

A system with Symantec Endpoint Protection (SEP) is experiencing high CPU usage. You determine the issue is caused by ccSvcHst.exe.

The system is business-critical and restarting it is undesirable.

Environment

Symantec Endpoint Protection (SEP)

Resolution

Generate a Windows Performance Recorder trace and verbose WPP logs using SymDiag. (Recommended)

  1. Download and install the Windows Performance Toolkit
  2. Download SymDiag and start gathering debug logs while the issue is happening using the following steps: (Set the timer for 5 minutes instead of 10.) 

    How to collect Verbose WPP logs for Endpoint Protection with the SymDiag Utility.

  3. Once SymDiag is gathering WPP logs, run Windows Performance Recorder.
  4. Configure the following options:

    1. Under Select additional profiles for performance recording > Resource Analysis, select CPU Usage, Disk I/O Activity and File I/O Activity.
    2. Under Scenario Analysis, check Minifilter I/O activity.
    3. Performance scenario: General
    4. Detail level: Verbose
    5. Logging mode: File

  5. Click Start to capture the issue. Run for 60 seconds while reproducing the issue.

    Note:
    SymDiag debug logging and the Windows Performance Recorder trace should be running at the same time for 60 seconds. Avoid running the WPR trace for longer than 5 minutes.

  6. After reproducing the issue, click Save on the Windows Performance Recorder trace.
  7. Browse to the location where you want to save the trace file, and click Save.
  8. Click Open Folder and navigate to the location where the trace file was saved.
  9. Select all files, right-click on the highlighted files, and then select Send to > Compressed (zipped) folder.
  10. Once SymDiag is complete, save the report locally.
  11. Upload the saved SymDiag report and the compressed WPR trace to the case.

NOTE: Windows 10 and some servers based on it will have WPR installed by default. On those systems you can collect the same data from the command line without installing the toolkit, which avoids a change request. Run the following steps from an administrator command prompt:

  1. Run the following command:

    wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter

  2. Replicate the issue.
  3. Run the following command:

    wpr -stop c:\temp\LogNameHere.etl

  4. Submit the file.

Optional Data Collection

You can also gather a Process Monitor trace or process dump of ccsvchst.  These are not preferred, but can be useful in certain situations.  

Generate a low-altitude Process Monitor trace.  

  1. Download Procmon23Low.zip from the attachments section at the bottom of this KB. (Note: the attached file at the bottom of this KB will have a version number in front of the file name)
  2. Right-click Procmon23Low.zip, select Extract All..., and extract the file to a location of your choice.
  3. Navigate to the extracted files location, and run Procmon23Low.exe.
  4. Click Agree to agree to the license terms.
  5. When the Process Monitor Filter pop-up window appears, click Reset, click Apply, and then click OK.
  6. Click File > Capture Events to stop the capture. Ensure this option is now unchecked.
  7. Click Edit > Clear Display to clear the display.
  8. Click Filter > Enable Advanced Output. Ensure this option is now checked.
  9. Press Ctrl+E to start capturing.
  10. Capture the issue for a minute or two, return to the Process Monitor window, and press Ctrl+E to stop capturing.
  11. Click File > Save.
  12. Select Native Process Monitor Format (PML), and click OK.
  13. Once saved, navigate to the save location, right-click the PML file, and then select Send to > Compressed (zipped) folder to compress the file.

Generate a ccSvcHst.exe process dump

  1. Download ProcDump.
  2. Right-click Procdump.zip, select Extract All... and extract the files to the Windows folder.
  3. Click Start > Run, and type cmd.exe.
  4. Type the following command:

    procdump -ma -c <CPU usage percentage that will trigger a dump> <Process ID of high CPU ccsvchst.exe process> ccsvchst.dmp

    For example:
    procdump -ma -c 50 2300 ccsvchst.dmp

    Note: This command generates a dump when the CPU usage for the ccSvcHst.exe with process ID 2300 is at least 50%.

The process ID of the offending ccSvcHst.exe process can be determined as follows:

  1. Right-click the Windows task bar and select Start Task Manager.
  2. Navigate to the Processes tab, and click the CPU column header to sort the processes by CPU usage.
  3. Make note of the offending ccSvcHst.exe process' CPU usage.

    Note: If the PID column is not visible, click View > Select Columns, check PID (Process Identifier), and then click OK.
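
The PID lookup above and the command-line WPR capture from the earlier NOTE, combined into one PowerShell script. This is an added example, not part of the original article or a vendor tool; the output folder, trace file name and the five one-second CPU samples are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt while CPU usage is high.
# Assumed values: output folder, trace file name, five one-second CPU samples.
$OutDir   = 'C:\temp'
$Etl      = Join-Path $OutDir 'ccSvcHst_HighCPU.etl'
$Samples  = 5
$CaptureS = 60   # trace length the article asks for

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Rank ccSvcHst instances by CPU using WMI performance-counter data.
$cores = [Environment]::ProcessorCount
$readings = 1..$Samples | ForEach-Object {
    Get-CimInstance -ClassName Win32_PerfFormattedData_PerfProc_Process -Filter "Name LIKE 'ccSvcHst%'"
    Start-Sleep -Seconds 1
}
if (-not $readings) { throw 'No ccSvcHst process found.' }
$usage = $readings | Group-Object -Property IDProcess | ForEach-Object {
    $avg = ($_.Group | Measure-Object -Property PercentProcessorTime -Average).Average
    [pscustomobject]@{
        ProcessId  = [int]$_.Name
        # The counter can reach 100 x cores; normalise to total CPU like Task Manager.
        CpuPercent = [math]::Round($avg / $cores, 1)
    }
} | Sort-Object -Property CpuPercent -Descending
$usage | Format-Table -AutoSize
$target = $usage | Select-Object -First 1

# 2. The article's example dump command for that instance (printed, not executed;
#    the 50% threshold is the article's example value).
"procdump -ma -c 50 $($target.ProcessId) ccsvchst.dmp"

# 3. Start the article's WPR profiles, capture for 60 seconds, and always stop.
& wpr.exe -start CPU -start diskio -start fileio -start registry -start network -start minifilter
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed (exit code $LASTEXITCODE)" }
try     { Start-Sleep -Seconds $CaptureS }
finally { & wpr.exe -stop $Etl }

# 4. Compress the trace for upload.
Compress-Archive -Path $Etl -DestinationPath "$Etl.zip" -Force
```

Compress-Archive cannot handle files larger than 2 GB; if the trace exceeds that, compress it with Send to > Compressed (zipped) folder instead.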

Attachments

1584712470149__Procmon23Low.zip