A system with Symantec Endpoint Protection (SEP) is experiencing high CPU usage due to ccSvcHst.exe. It is possible to reboot the system (see the Related Articles section if that should not be the case).
SEP 12.1, 14 or higher
Follow these steps in this order.
procdump –ma -c <CPU usage percentage that will trigger a dump> <Process ID of high CPU ccsvchst.exe process> ccsvchst.dmp
(e.g. run the command procdump -ma -c 75 2300 ccsvchst.dmp
to generate a dump when the CPU usage for the ccSvcHst.exe with process ID 2300 is at least 75%).a. Under Select additional profiles for performance recording, under Resource Analysis, select CPU Usage, Disk I/O Activity and File I/O Activity. Under Scenario Analysis, tick Minifilter I/O activity.
b. Performance scenario: General.
c. Detail level: Verbose.
d. Logging mode: File.
If the system is a virtualized one:
If the system is a physical one: