High CPU Usage by Ntoskrnl.exe (System) Process in Windows 10

On one of the computers with newly installed Windows 10, a user began to complain of constant hanging up and slow work of the OS. The Task Manager shows that about 50% of the CPU resources are used by System (ntoskrnl.exe) process. In this article I’ll try to describe the main diagnostics methods of high CPU utilization by different processes and ways to find out the problem Windows component or system driver.

The situation when System process consumes more than a half of CPU resources of the system is not normal. Ntoskrnl.exe is the executable of the OS kernel. It is the core system process. The OS kernel runs system drivers of the devices, which are likely to be the source of the problem (not all drivers are properly tested by hardware developers).

As a rule, the problem of leakage in the driver code and high usage of CPU, memory or disk resources appears after the installation of new hardware, new driver version (including automatic driver updates, which can be disable) or after Windows update.

To understand which driver or module causes high CPU utilization, you can use a free tool Process Explorer. Download it and run as administrator.

Find System in the list of running processes, right-click it and open its Properties.

Go to the Threads tab. Sort the list of modules loaded by the kernel by the rate of CPU usage (CPU column). In Start Address column, the name of a component or a driver is shown, which causes high load (the screenshot below is not from the problem system, in my case it was the ntoskrnl.exe process).

To find out a driver that causes high CPU load, you can also use a free Microsoft tool kernrate.exe (Kernrate Viewer). The tool is a part of WDK (Windows Device Kit). After WDK installation, you can find the tool in the folder …\Tools\Other\amd64.

Run kernrate.exe without parameters and wait till the data are collected (10-15 minutes), then terminate the tool by pressing Ctrl-C. Look at the list of modules in Result for Kernel Mode section.

As you can see, in our example b57nd60x module is causing high CPU usage. Using Google or Sigcheck tool (see the example of using the Sigcheck to detect the driver files related with the module), you can detect that the problem is caused by Broadcom NetXtream Gigabit Ethernet NDIS6.0 Driver.

You can also analyze CPU usage during system boot using Windows Performance Toolkit (WPT). You must install the WPT and run data collection in the Windows Perfomance Recorder (First level triangle + CPU usage -> Start) graphic console.

Or you can start collecting data for analysis using the command :

xperf -on latency -stackwalk profile -buffersize 1024 -MaxFile 256 -FileMode Circular && timeout -1 && xperf -d cpuusage.etl

You must save the file and open it in Windows Performance Analyzer (WPA). Expand the System process stack. In this example, you can see that athrx.sys driver (Atheros Wireless Network Adapter) causes high CPU load.

So, the problem driver is detected. What’s next?

To solve the problem, install the later (or older) driver version, or completely disable (disconnect) the hardware if the problem persists with any driver version. The updated driver can be additionally stress-tested using the Driver Verifier.