CPU occupancy 100% case analysis
1, dllhost process caused CPU usage to occupy 100%
Features: server normal CPU consumption should be below 75%, and CPU consumption It should be up and down, the server with this problem, the CPU will suddenly be 100% level, and will not drop. Looking at the task manager, you can find that DLLHOST.EXE consumes all CPU idle time. In this case, the administrator has to restart the IIS service. The strange thing is that everything is normal after restarting the IIS service, but it may be a while. After the time, the problem reappeared.
Direct reason:
One or more ACCESS databases are damaged during multiple reading and writing. When Microsoft's MDAC system writes this corrupted ACCESS file, the ASP thread is in the BLOCK state, and the other threads can only Wait, IIS is deadlocked, and all CPU time is consumed in DLLHOST.
Workaround:
Installation & ldquo; First-class information monitoring and interception system & rdquo; use the "Chief Document Prosecutor IIS Health Inspector" software,
Enable & rdquo; find deadlock module & rdquo;, Settings:
--wblock=yes
Monitoring directory, please specify the directory where your host's files are located:
--wblockdir=d:\\test
The file storage location of the generated log is monitored. In the log directory of the installation directory, the file name is: logblock.htm
Stop IIS, then start & ldquo; Chief File Checker IIS Health Checker & rdquo;, then start IIS, & ldquo; Chief Document Checker IIS Health Checker & rdquo ; The last written ACCESS file will be recorded in logblock.htm.
After a while, when the problem comes out, for example, the CPU will be at 100% level again, you can stop IIS and check the last ten files recorded by logblock.htm. Note that the most problematic is often The ACCESS file of the counter class, for example: ”**COUNT.MDB”,”**COUNT.ASP”, you can delete the last ten files or suspect files into the recycle bin, then start IIS, see See if the problem reappears. We believe that after a careful search, you can definitely find this file that has taken you for a while.
After finding this file, you can delete it, or download it and fix it with ACCESS2000. The problem is solved.
2, svchost.exe caused CPU usage to occupy 100%
in the win.ini file, under [Windows], “run=” and “load=” is possible to load & ldquo; Trojan & rdquo; procedures, you must pay careful attention to them. Under normal circumstances, there is nothing behind their equal sign. If you find that the path and file name are not the startup files you are familiar with, your computer may be in the middle of the "trojan". Of course, you have to see clearly, because a lot of "trojan", such as "AOL Trojan Trojan", it disguised itself as a command.exe file, if you do not pay attention, you may not find it is not a real system startup file.
In the system.ini file, under [BOOT] there is a "shell=filename”. The correct file name should be "explorer.exe", if not "explorer.exe", but "<;shell= explorer.exe program name”, then the program that follows is "trojan" program That means you are already in the "trojan".
The most complicated situation in the registry, open the registry editor with the regedit command, click to: HKEY-LOCAL-MACHINE\\Software \\Microsoft\\Windows\\CurrentVersion\\Run” directory, view the key value There is no auto-starting file that you are not familiar with, the extension is EXE, here keep in mind: some "trojan" Trojans generated files are very similar to the system's own files, want to pass the camouflage, such as "Acid Battery v1.0 Trojans ”, it will change the Explorer key value under the registry "HKEY-LOCAL-MACHINE\\SOFTWARE\\Microsoft\\Windows \\CurrentVersion\\Run" to Explorer=“C:\\Windows\\expiorer.exe”,<quo;trojan” There is only a difference between the program and the real Explorer between “i” and “l”. Of course, there are many places in the registry that can hide the "trojan" program, such as: "HKEY-CURRENT-USER\\Software\\Microsoft\\Windows \\CurrentVersion\\Run", and "HKEY-USERS\\**** The directory of \\Software\\Microsoft\\Windows\\CurrentVersion\\Run” is possible. The best way is to find the "trojan" virus under "HKEY-LOCAL-MACHINE\\Software \\Microsoft\\Windows\\CurrentVersion\\Run" Called "Code Red II (Red Code 2)" virus, contrary to the earlier "red code" virus in the Western English system, is called the VirtualRoot (virtual directory) virus internationally. The worm exploits known vulnerabilities known to Microsoft and spreads over 80 ports to other Web page servers. The infected machine can get full control of the infected machine by hackers running scripts/root.exe via Http Get request.