tlist --> which file is culprit?

  • Thread starter Thread starter kmcdowell
  • Start date Start date
K

kmcdowell

I have a 100% processor utilization on svchost.exe, been
going on for nearly two weeks. I have posted here numerous
times for troubleshooting assist, but no joy yet. Checked
everything twice.

Using tlist for the svchost PID that is causing the
problem, I get a list of 88 filenames, with version and
what appear to be memory addresses, but no utilization
stats on the files. There do not appear to be any -
switches that provides any more detail.

Does anyone know how to see processor utilization stats
for each of these filenames? I want to find the one that
is hogging my CPU...

Here is an example of the output:

5.0.2195.6663 shp 0x7c000000 raschap.dll
3.0.9435.0 shp 0x773e0000 ATL.DLL
5.0.2195.6680 shp 0x7c020000 rastls.dll
5.131.2195.6758 sh 0x75940000 CRYPTUI.dll
5.131.2195.6824 sh 0x76930000 WINTRUST.dll
5.0.2195.6613 shp 0x77920000 IMAGEHLP.dll
5.1.2195.6899 shp 0x78160000 SCHANNEL.dll
5.0.2195.6609 shp 0x76960000 WinSCard.dll
5.0.2195.6673 shp 0x77560000 wdmaud.drv
5.0.2195.6655 shp 0x76240000 NTMSDBA.dll
5.0.3700.6705 shp 0x782f0000 Shell32.dll
2000.2.3511.0 shp 0x78740000 comsvcs.dll
2000.2.3513.0 shp 0x6df80000 MSDTCPRX.dll
2000.2.3511.0 shp 0x6a7a0000 MTXCLU.DLL
5.0.2195.6683 shp 0x73930000 CLUSAPI.DLL
5.0.2195.6702 shp 0x689d0000 RESUTILS.DLL
5.0.2195.6660 shp 0x76270000 netman.dll
2.0.2600.1183 shp 0x017a0000 msi.dll
5.0.2195.6604 shp 0x76f20000 NETSHELL.dll
5.0.2191.1 shp 0x76110000 WMI.dll
5.0.2195.6619 shp 0x7ca00000 rsabase.dll

kmcdowell
 
--------------------
Sender: "kmcdowell" <[email protected]>
References: <[email protected]>
Click to expand...
Subject: Re: tlist --> which file is culprit?
Date: Tue, 4 May 2004 10:27:35 -0700

Yeah, I've done that like, twice. No results.

kmcdowell
Click to expand...
----------------------

Troubleshooting high CPU in a host process (services.exe, svchost.exe,
etc.) is done as follows:
1) In Performance Monitor, load the Thread object and select the "%
Processor Time", for instances, select all the the threads from the problem
host process
2) When you have noted the thread(s) that you would like to examine, add
the "Start Address" counter, choose the instance(s) as needed
3) Use calc.exe to convert the displayed start address from decimal to HEX
4) Run Pstat.exe
(http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/pstat-o
..asp)
5) At the bottom of the output, you will see the start address of all the
loaded modules:

ModuleName Load Addr Code Data Paged LinkDate
----------------------------------------------------------------------------
--
ntoskrnl.exe 80400000 450752 99840 739584 Tue Jun 10 17:42:11 2003

And bingo, there you will find culprit.
Cheers,



--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
-----Original Message-----

--------------------

----------------------

Troubleshooting high CPU in a host process (services.exe, svchost.exe,
etc.) is done as follows:
1) In Performance Monitor, load the Thread object and select the "%
Processor Time", for instances, select all the the threads from the problem
host process
2) When you have noted the thread(s) that you would like to examine, add
the "Start Address" counter, choose the instance(s) as needed
3) Use calc.exe to convert the displayed start address from decimal to HEX
4) Run Pstat.exe
(http://www.microsoft.com/windows2000/techinfo/reskit/tools
/existing/pstat-o
.asp)
5) At the bottom of the output, you will see the start address of all the
loaded modules:

ModuleName Load Addr Code Data Paged LinkDate
------------------
--
ntoskrnl.exe 80400000 450752 99840 739584 Tue Jun 10 17:42:11 2003

And bingo, there you will find culprit.
Cheers,
Click to expand...


Jason,

This is the second time that you have responded to this
issue for me, but item #5 in your list is incorrect. The
data in the output is not start address, it is load
address. I can not correlate with the output. Can you help
me with this?

kmcdowell
 
--------------------
Content-Class: urn:content-classes:message
From: "kmcdowell" <[email protected]>
Subject: Paging Jason Hall
Date: Tue, 4 May 2004 15:59:19 -0700

Jason,

This is the second time that you have responded to this
issue for me, but item #5 in your list is incorrect. The
data in the output is not start address, it is load
address. I can not correlate with the output. Can you help
me with this?

kmcdowell
Click to expand...
----------------------

I apologize. Is the address of the thread obtained from Perfmon located
ANYwhere in the Pstat file?


--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Back
Top