I found the article on how to solve high CPU usage problems by Michael Morales ("Got High-CPU-Usage Problems? ProcDump 'Em!") interesting and thought I would share a technique I used to deal with the same issue. I had a particular process (BESClient.exe) that was spiking the CPU on my laptop. The BESClient process is the client for the BigFix patch management solution. I used System Monitor in conjunction with the Sysinternals Process Monitor utility to gain some insight as to what was going on with my system during the spikes.
First, I created a short batch file, BigFix.bat, to run Process Monitor and put it in the C:\data\bat folder. Listing 1 shows this batch file.
<strong>Listing 1: BigFix.bat<br></strong> <br>"C:\Utilities\Sysinternals\Process Monitor\Procmon.exe"<br> /BackingFile "C:\Tmp\Sysinternals\Process Monitor\EventStore.PML" /Quiet<br><br>
A filter that limits the normally extensive output can be created within Process Monitor if desired.
Then, within System Monitor, I created an alert that would both log an entry in the application event log and run my batch file when CPU usage (%Processor Time) was more than 95 percent for the BESClient process. The Microsoft article "How to create and configure performance alerts in Windows Server 2003" explains how to create an alert. Although the article is written for Windows 2003, the instructions are applicable to other OSs. I used them to create an alert on my laptop, which runs Windows XP SP3.
The instructions for creating an alert are generally easy to follow, except for two tricky parts:
- When selecting the actions that you want to occur when an alert is triggered, you have several options, as Figure 1 shows. When you want to run a batch file or another type of program, you must pass at least one argument to it, whether or not that argument is used. In my case, BigFix.bat didn't need an argument, so I simply used a text-message argument that I tailored to be self-documenting, as Figure 2 shows.
- If the program needs to run interactively, you must change some settings in the Performance Logs and Alerts service properties page—a situation that the "How to create and configure performance alerts in Windows Server 2003" article doesn't mention. If you want to trigger an interactive program, you need to do the following:
When you're done troubleshooting the problem, make sure that you change the Log on as option back to the default NT Authority\Network Service setting. Leave the password box blank because the system will create and manage one.
- In the Performance Logs and Alerts page, select the Log On tab.
- Choose Local System account in the Log on as option and select the Allow service to interact with desktop check box.
- Click Apply.
By using System Monitor in conjunction with Process Monitor, I was able to determine the reason for the spikes: The BigFix client was iterating through all the thousands of files on my laptop. Figure 3 shows a small sample of the activity that Process Monitor captured.