Very High CPU Loading on Win2003 Standard SP2 File Server

March 20, 2013 at 01:04:13
Specs: Windows 2003, 3000 / 4GB
Hi All. I've got a problem on my File Server running Windows 2003 SP2 (IBM X series 346). I found that the CPU loading is extremely high sometimes (09:00AM - 12:30PM) & (13:00 - 18:00). CPU loading will jump to 100% but sometimes goes back to normal within this period. Here are my findings:
1. Using Task Manager, I found the high CPU loading task is "System"
2. Using Process Explorer, I found many processes called srv.sys+0x1b602 consuming most of the CPU resources
3. Many port 445 sessions during said period

Action Performed:
1. Change the switch port which the server is connecting to;
2. Change the LAN cable;
3. Disable teaming on LAN card driver;
4. Disable NetBIOS over TCP/IP (Solution search from internet)
5. Confirm no Trend Micro Office scan on client computer (Advice by someone on Forum)
6. Stop unnecessary Windows Service
7. Change Server session idle time from 15 Mins to 3 Mins
Till now, I still don't have any clue about the core problem & am not sure if the problem will be fixed if I propose a server replacement. Do you have any idea on my case? A billion thanks for your help!



#1
March 20, 2013 at 04:37:07
Is that in an office? The times you posted make it sound like the problem takes a lunch break at 12:30 PM. Then resumes until the workers go home. Is that what's happening?

How do you know when a politician is lying? His mouth is moving.



#2
March 20, 2013 at 11:27:10
This server connected to the internet?

What you list is all the signs of a malware/virus infection.

Just so you know switch port/cable/netbios have nothing to do with cpu processing.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#3
March 20, 2013 at 15:58:31
I didn't know that viruses take breaks for lunch.


#4
March 20, 2013 at 16:10:30
Hackers do :-) which is the whole point of a virus these days.

And don't you mean breakfast?
quote: 09:00AM - 12:30PM

Though hard to tell when first value is regular time and second value is military time.

port 445 is your biggest clue
http://www.linklogger.com/TCP445Sca...


#5
March 20, 2013 at 16:45:17
No, I don't mean breakfast. 9AM to 12:30PM - break for lunch - then start at 1PM to 6PM. That's the translation of the military time. I think it's just an overload during working hours. What's causing it, has to be determined.


#6
March 20, 2013 at 18:10:30
Thank you for all your replies. More information here:
1. My server serves around ~500 concurrent users (I checked this by using net session) & I also started the performance monitor.
2. Server is not connected to Internet
3. I've also suspected there is some SMB flooding or virus infection. However, the CPU loading fluctuates from 2% to 100% from 09:00AM to 12:30PM & 13:30PM to 18:00PM. It looks like there are some processes running on the client side (e.g. Indexing?) at irregular times.

Till now I could not capture any pattern. Do you know if there is any process on Windows 7 that will act on a network drive (all users map a drive to this server)? Recently, we're migrating Windows XP to Windows 7 for client PCs. Thank you!


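One way to look for the pattern asked about above is to tally established port 445 connections per client from `netstat -an` output saved in a quiet period and in a busy period, then list the clients whose count rose. This is an added example, not part of the thread; the snapshot text and the 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter

# Windows `netstat -an` TCP row: proto, local addr:port, remote addr:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def smb_clients(netstat_text, port=445):
    """Count ESTABLISHED inbound connections to `port`, keyed by remote IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column header, UDP rows, blank lines
        _local, lport, remote, _rport, state = m.groups()
        if int(lport) == port and state == "ESTABLISHED":
            counts[remote] += 1
    return counts

def growth(quiet, busy):
    """Clients whose connection count rose between snapshots, largest rise first."""
    delta = {ip: busy[ip] - quiet.get(ip, 0) for ip in busy}
    return sorted(((ip, d) for ip, d in delta.items() if d > 0),
                  key=lambda t: (-t[1], t[0]))

# Constructed snapshots (documentation addresses), not captured from a real server.
QUIET = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         192.0.2.101:49200      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.102:49311      ESTABLISHED
  TCP    192.0.2.10:3389        192.0.2.50:50122       ESTABLISHED
"""
BUSY = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         192.0.2.101:49200      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.101:49873      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.101:49874      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.101:49880      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.102:49311      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.103:50010      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.103:50011      ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.104:50500      TIME_WAIT
"""

if __name__ == "__main__":
    for ip, rise in growth(smb_clients(QUIET), smb_clients(BUSY)):
        print(f"{ip}  +{rise} connections to port 445")
```

Connection counts show which clients are attached, not how many requests each one sends, so a packet capture on the server is still needed to measure per-client load.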

#7
March 20, 2013 at 18:42:51
Run wireshark on the server. Just watch the packets.


#8
March 20, 2013 at 19:21:10
Thank you for your reply. I'm using OmniPeek (Network Analyzer) to capture the data now.


#9
March 20, 2013 at 20:05:21
That should work too.


#10
March 21, 2013 at 15:59:44
500 users!
What are they using this server for?

Are you saying that because it doesn't have internet you have a closed network, meaning none of the 500 users have internet? I find that hard to believe.

Server specs? Ram? x64 or x32 OS?

Single NIC to the server? No adapter teaming? What is the server's bandwidth, gigabit?

Lots of things to consider here
