A system with Symantec Endpoint Protection (SEP) is experiencing high CPU usage. You determine the issue is caused by ccSvcHst.exe.

The system is business-critical and restarting it is undesirable.

Symantec Endpoint Protection (SEP)

Generate a Windows Performance Recorder trace file (Recommended)

1. Download and install the Windows Performance Toolkit.
2. Run Windows Performance Recorder.
3. Configure the following options as follows:
   1. Under Select additional profiles for performance recording > Resource Analysis, select CPU Usage, Disk I/O Activity and File I/O Activity.
   2. Under Scenario Analysis, check Minifilter I/O activity.
   3. Performance scenario: General
   4. Detail level: Verbose
   5. Logging mode: File
4. Click Start to capture the issue:
5. After reproducing the issue, click Save.
6. Browse to the location where you want to save the trace file, and click Save. 
7. Click Open Folder and navigate to the location where the trace file was saved.
8. Select all files, right-click on the highlighted files, and then select Send to > Compressed (zipped) folder.

Generate a low-altitude Process Monitor trace

1. Download ProcmonLowAlt.zip from the attachments section at the bottom of this KB.
2. Right-click ProcmonLowAlt.zip, select Extract All..., and extract the file to a location of your choice.
3. Navigate to extracted files location, and run ProcmonLowAlt.exe.
4. Click Agree to agree to the license terms.
5. When the Process Monitor Filter pop-up window appears, click Reset, click Apply, and then click OK.
6. Click File > Capture Events to stop the capture. Ensure this option is now unchecked.
7. Click Edit > Clear Display to clear the display.
8. Click Filter > Enable Advanced Output. Ensure this option is now checked.
9. Press Ctrl+E to start capturing.
10. Capture the issue for a minute or two, return to the Process Monitor window, and press Ctrl-E to stop capturing.
11. Click File > Save.
12. Select Native Process Monitor Format (PML), and click OK.
13. Once saved, navigate to the save location, right-click the PML file, and then select Send to > Compressed (zipped) folder to compress the file.

Generate a ccSvcHst.exe process dump

1. Download ProcDump.
2. Right-click Procdump.zip, select Extract All... and extract the files to the Windows folder.
3. Click Start > Run, and type cmd.exe.
4. Type the following command:
   
   procdump –ma -c <CPU usage percentage that will trigger a dump> <Process ID of high CPU ccsvchst.exe process> ccsvchst.dmp
   
   For example:
   
   procdump -ma -c 50 2300 ccsvchst.dmp
   
   Note: This command generates a dump when the CPU usage for the ccSvcHst.exe with process ID 2300 is at least 50%.

The process ID of the offending ccSvcHst.exe process can be determined as follows:

1. Right-click the Windows task bar and select Start Task Manager.
2. Navigate to the Processes tab, and click the CPU column header to sort the processes by CPU usage.
3. Make note of the offending ccSvcHst.exe process' CPU usage.
   
   Note: If the PID column is not visible, click View > Select Columns, check PID (Process Identifier), and then click OK.