High CPU usage due to ccSvcHst.exe on a business-critical system

Article ID: 169923

Updated On:

Products

Endpoint Protection

Issue/Introduction

A system with Symantec Endpoint Protection (SEP) is experiencing high CPU usage. You determine the issue is caused by ccSvcHst.exe.

The system is business-critical and restarting it is undesirable.

Environment

Symantec Endpoint Protection (SEP)

Resolution

Generate a Windows Performance Recorder trace and verbose WPP logs using SymDiag. (Recommended)

  1. Download and install the Windows Performance Toolkit
  2. Download SymDiag and start gathering debug logs while the issue is happening using the following steps: (Set the timer for 5 minutes instead of 10.) 

    How to collect Verbose WPP logs for Endpoint Protection with the SymDiag Utility.

  3. Once SymDiag is gathering WPP logs, run Windows Performance Recorder.
  4. Configure the following options:

    1. Under Select additional profiles for performance recording > Resource Analysis, select CPU Usage, Disk I/O Activity and File I/O Activity.
    2. Under Scenario Analysis, check Minifilter I/O activity.
    3. Performance scenario: General
    4. Detail level: Verbose
    5. Logging mode: File

  5. Click Start to capture the issue. Run for 60 seconds while reproducing the issue.  

    Note: 
    SymDiag debug logging and the Windows Performance Recorder trace should be running at the same time for 60 seconds. Avoid running the WPR trace for longer than 5 minutes.

  6. After reproducing the issue, click Save on the Windows Performance Recorder trace.
  7. Browse to the location where you want to save the trace file, and click Save.
  8. Click Open Folder and navigate to the location where the trace file was saved.
  9. Select all files, right-click on the highlighted files, and then select Send to > Compressed (zipped) folder.
  10. Once SymDiag is complete, save the report locally.
  11. Upload the saved SymDiag report and the compressed WPR trace to the case.

Optional Data Collection

You can also gather a Process Monitor trace or a process dump of ccSvcHst.exe. These are not preferred, but can be useful in certain situations.

Generate a low-altitude Process Monitor trace.  

  1. Download ProcmonLowAlt.zip from the attachments section at the bottom of this KB.
  2. Right-click ProcmonLowAlt.zip, select Extract All..., and extract the file to a location of your choice.
  3. Navigate to the extracted files location, and run ProcmonLowAlt.exe.
  4. Click Agree to agree to the license terms.
  5. When the Process Monitor Filter pop-up window appears, click Reset, click Apply, and then click OK.
  6. Click File > Capture Events to stop the capture. Ensure this option is now unchecked.
  7. Click Edit > Clear Display to clear the display.
  8. Click Filter > Enable Advanced Output. Ensure this option is now checked.
  9. Press Ctrl+E to start capturing.
  10. Capture the issue for a minute or two, return to the Process Monitor window, and press Ctrl+E to stop capturing.
  11. Click File > Save.
  12. Select Native Process Monitor Format (PML), and click OK.
  13. Once saved, navigate to the save location, right-click the PML file, and then select Send to > Compressed (zipped) folder to compress the file.

Generate a ccSvcHst.exe process dump

  1. Download ProcDump.
  2. Right-click Procdump.zip, select Extract All... and extract the files to the Windows folder.
  3. Click Start > Run, and type cmd.exe.
  4. Type the following command:

    procdump -ma -c <CPU usage percentage that will trigger a dump> <Process ID of high CPU ccsvchst.exe process> ccsvchst.dmp

    For example:
    procdump -ma -c 50 2300 ccsvchst.dmp

    Note: This command generates a dump when the CPU usage for the ccSvcHst.exe with process ID 2300 is at least 50%.

The process ID of the offending ccSvcHst.exe process can be determined as follows:

  1. Right-click the Windows task bar and select Start Task Manager.
  2. Navigate to the Processes tab, and click the CPU column header to sort the processes by CPU usage.
  3. Make note of the offending ccSvcHst.exe process' CPU usage.

    Note: If the PID column is not visible, click View > Select Columns, check PID (Process Identifier), and then click OK.
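
On a server where opening Task Manager is impractical, the same PID lookup can be scripted. The following PowerShell is an added example, not part of the original article or a Symantec tool: it samples every ccSvcHst.exe instance twice, computes CPU usage as a share of all logical cores, and prints the matching ProcDump command. The 5-second sample window and the 50% threshold are assumed values, and an elevated prompt is assumed.

```powershell
# Added example: find the ccSvcHst.exe instance that is consuming CPU.
# $SampleSeconds and $ThresholdPercent are assumed values; adjust as needed.
$SampleSeconds    = 5
$ThresholdPercent = 50
$cores = [Environment]::ProcessorCount

# Returns a table of PID -> cumulative CPU seconds for each ccSvcHst.exe instance.
function Get-CcSvcHstCpuSeconds {
    $table = @{}
    foreach ($p in Get-Process -Name ccSvcHst -ErrorAction SilentlyContinue) {
        if ($null -ne $p.CPU) {
            $table[$p.Id] = $p.CPU
        } else {
            # CPU time is empty when the process cannot be queried (not elevated).
            Write-Warning "PID $($p.Id): CPU time not readable, skipping."
        }
    }
    return $table
}

$before = Get-CcSvcHstCpuSeconds
$timer  = [Diagnostics.Stopwatch]::StartNew()
Start-Sleep -Seconds $SampleSeconds
$after  = Get-CcSvcHstCpuSeconds
$elapsed = $timer.Elapsed.TotalSeconds

# CPU seconds used during the window, as a percentage of all logical cores.
$results = foreach ($procId in $after.Keys) {
    if (-not $before.ContainsKey($procId)) { continue }   # started mid-sample
    $pct = ($after[$procId] - $before[$procId]) / ($elapsed * $cores) * 100
    [pscustomobject]@{ PID = $procId; CpuPercent = [math]::Round($pct, 1) }
}
$results = @($results | Sort-Object CpuPercent -Descending)

if ($results.Count -eq 0) {
    Write-Warning 'No readable ccSvcHst.exe process found.'
    return
}

$results | Format-Table -AutoSize

# Print (do not run) the ProcDump command for the busiest instance.
$top = $results[0]
"procdump -ma -c $ThresholdPercent $($top.PID) ccsvchst.dmp"
```

The script only prints the command, so it can be reviewed before being run from the folder where ProcDump was extracted.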

Attachments

1584712470149__Procmon23Low.zip