Diagnosing CPU usage on Vista with Task Manager

Why is CPU utilization near 100% but processes in the process list only account for a few percent?

I am troubleshooting a performance issue on a computer with Vista. Response time in IE is very slow. I went to Task Manager and on the Performance window graph it tracks CPU at 90-100%. I exited out of IE and the iexplorer processes dropped off the process list. But CPU still tracks near 100% (both cores).

Now here’s the question. In the process list, only a few percent of that CPU utilization is accounted for. Why are there processes using near 100% of CPU that don’t show in the process list?

First you have to check the box labeled “show processes from all users” at the bottom of the Task Manager window. By default, you only see the processes started by you or from within your account. When you tell it to show all processes, you’ll also see those started under the “SYSTEM” account (the Windows NT and VMS equivalent to a Unix “root” user.) Then you might find the process hogging all the CPU time.

It’ll get stickier if the offending process is one of the “svchost.exe” processes, in which case you’ll have to track down which service hosted by that process is the one gobbling CPU time. IME, anti-virus scanners are frequently the cause.

Also, I clicked on show processes from all users, and am still not seeing anything unusual there.

Sort the processes by CPU, descending (click on the “CPU” column header). The list will continually reorder as you watch it, but the ones that are momentarily using a lot of CPU will flash to the top where you can catch them. Normally, the System Idle process should be at the top of the list, taking all the leftover.

I can’t recall whether it’s in the Vista Task Manager, or just Win 7, but if you right click on a process in the list, it has a choice called “go to services”. That will bring up the services tab, with the services associated with that process highlighted. I think Vista has the feature, but I can’t remember. In particular, it allows you to see which services go with a particular svchost instance.
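The svchost-to-service lookup described in the posts above can also be done from a script. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later and an elevated prompt, and uses the standard WMI classes `Win32_Service` and `Win32_PerfFormattedData_PerfProc_Process`.

```powershell
# Added example: list the busiest processes together with the services each
# one hosts, so a busy svchost.exe instance can be tied to specific services.
# Assumes PowerShell 2.0+ and an elevated prompt (to see SYSTEM processes).

# Build a lookup table: process ID -> names of the services running in it.
$servicesByPid = @{}
Get-WmiObject Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |      # ProcessId 0 = service not running
    ForEach-Object {
        $procId = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($procId)) {
            $servicesByPid[$procId] = @()
        }
        $servicesByPid[$procId] += $_.Name
    }

# Read the per-process "% Processor Time" counter, drop the "_Total" and
# "Idle" pseudo-entries, and show the top ten with their hosted services.
Get-WmiObject Win32_PerfFormattedData_PerfProc_Process |
    Where-Object { $_.Name -ne '_Total' -and $_.Name -ne 'Idle' } |
    Sort-Object PercentProcessorTime -Descending |
    Select-Object -First 10 |
    Select-Object Name,
        @{ Name = 'PID';      Expression = { $_.IDProcess } },
        @{ Name = 'CpuTime';  Expression = { $_.PercentProcessorTime } },
        @{ Name = 'Services'; Expression = { $servicesByPid[[int]$_.IDProcess] -join ', ' } } |
    Format-Table -AutoSize
```

The counter is a single sample, so run it a few times while the machine is slow; a process with an empty Services column is an ordinary program rather than a service host.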

Task Manager sucks. There are two better MS utilities that provide much more detailed information and allow you to tweak as needed:

Process Explorer - Process Explorer shows you information about which handles and DLLs processes have opened or loaded. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

Process Monitor - Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Sorry for asking the obvious, but in the Performance tab, is it really showing a high CPU utilisation? Sometimes the slowness is caused by excessive use of the swap file (when physical memory is full).

Process Monitor displays so much information and updates so often that it is of little use to the casual user. I wouldn’t recommend it to anyone but a Windows technician. The output doesn’t mean anything to most people. It’s terrific if you have a specific problem that you need to hone in on, but even then, the data is overwhelming.

Thumbs up for Process Explorer though. It would have been very helpful if Microsoft had included a text file telling the user how to interpret things like Commit Charge and I/O Bytes, but it wasn’t intended for the average person. That’s what Task Manager is for.

The performance traces show CPU on top (one window for each core) and memory on the bottom. Memory is at about 50% of physical memory but CPU in both cores is very high.

Without jumping to conclusions, it sounds like whatever process is responsible might be hidden. Legit processes don’t generally hide. They’ll protect themselves so that you can’t kill them but they don’t hide - as a general rule.

Just to be safe, I would download Malwarebytes, get the updates and then run a scan. I’m linking you to the Google search and not the site since I’m new here and so you can see that it’s legit.

Thanks for that, I am running Microsoft Security Essentials but I can’t definitely rule out malware.

I did see that spoolsv.exe showed up later using as much as 50% CPU even though there was no user activity.

That’s the print spooler. Buggy printer driver?

Security Essentials can go into a mode where it’s chewing up a lot of CPU. Mostly on the daily updates, but sometimes it just gets real interested in whatever you’re doing on the web. That process is MSMPENG.EXE

Media Player goes wacky on me sometimes too, consuming 80%-90% of the CPU even when it’s paused.

With Process Explorer and similar products, you need to be aware that there is an un-named process in the monitor that usually is at the top when you sort by CPU Usage. That’s the “idle” process. The text portion of the display will tell you that it’s “using” 90% or more. It’s not. That’s how much CPU is available.
You’ll see from the graph that very little CPU is being used. If you are able to dig deeper on the idle process, you would see that all of the usual data fields are empty.