windows server 2008 r2 all user process stop serve

Question

windows server 2008 r2 all user process stop serve

Anonymous

we have many windows server 2008 r2 machine.

recently, there are three machines successively occur one issue (the three machine is all virtual machine)

the zabbix client down, and the zabbix server alarm that can not collect the machine's metric data.

the same time the metricbeat of the elastic can not collect all user process metric data, only can get the network, disk, memory and core metric data.

the machine's console can not login and can not remote login by mstsc

we try to use saltstack to collect the status of that time, but unluckily, the saltstack client also cannot connect.

we run some web applications developed by aps.net(.net framework 4.6.1) hosted in iis.

the same time, these web applications can be accessed, but slowly, and one hour passed, these web applications down also.

we restart the machine, and all applications re-run well.

when after restart the machine, we look into the event logs,

the below picture shows the application event logs, the issue occur at 14:54

the below picture shows the system event logs, only one Schannel error, but this error occur every day.

we try to search some dumps in below position, but nothing.

%SystemRoot%\MEMORY.DMP

C:\MEMORY.DMP

C:\Windows\Minidump\*.dmp

C:\Windows\Temp\ *.mdmp *.hdmp *.dmp

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\

we look into the metricbeat data:

the metricbeat data suddently reduce much at 14:54, the reduce data are the process metric

before the issue occur, the process metric data is accounted for 85%

after the issue occur, the process metric data is accounted for 0%

Before the issue occur the last process metric data as below:

Time	host.name	system.process.name	system.process.cpu.total.pct	system.process.cpu.total.value	system.process.state	system.process.memory.size	system.process.memory.rss.pct
03-26 14:54:07.150	VMG1259	smss.exe	0%	795	running	572KB	0%
03-26 14:54:07.150	VMG1259	csrss.exe	0%	402,419	running	3.238MB	0.02%
03-26 14:54:07.150	VMG1259	wininit.exe	0%	467	running	1.668MB	0.01%
03-26 14:54:07.150	VMG1259	csrss.exe	0%	8,376	running	9.957MB	0.03%
03-26 14:54:07.150	VMG1259	winlogon.exe	0%	514	running	1.953MB	0.02%
03-26 14:54:07.150	VMG1259	services.exe	0%	156,686	running	7.781MB	0.04%
03-26 14:54:07.150	VMG1259	lsass.exe	1.56%	33,639,040	running	27.535MB	0.11%
03-26 14:54:07.150	VMG1259	lsm.exe	0%	14,351	running	4.098MB	0.02%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	410,157	running	5.242MB	0.04%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	360,377	running	5.645MB	0.03%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	11,847,994	running	46.207MB	0.13%
03-26 14:54:07.150	VMG1259	svchost.exe	0.46%	12,596,611	running	2.195GB	3.6%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	104,894	running	8.918MB	0.05%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	363,435	running	6.141MB	0.04%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	1,391,996	running	166.531MB	0.26%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	139,714	running	7.344MB	0.04%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	1,590	running	6.125MB	0.04%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	1,294	running	4.031MB	0.02%
03-26 14:54:07.150	VMG1259	inetinfo.exe	0%	249	running	9.195MB	0.05%
03-26 14:54:07.150	VMG1259	SMSvcHost.exe	0%	390	running	25MB	0.06%
03-26 14:54:07.150	VMG1259	nssm.exe	0%	77	running	1.594MB	0.01%
03-26 14:54:07.150	VMG1259	ccSvcHst.exe	98.54%	75,237,503	running	171.559MB	0.29%
03-26 14:54:07.150	VMG1259	python.exe	0.15%	1,103,597	running	53.449MB	0.19%
03-26 14:54:07.150	VMG1259	conhost.exe	0%	19,093	running	1.203MB	0.01%
03-26 14:54:07.150	VMG1259	VGAuthService.exe	0%	171	running	4.859MB	0.03%
03-26 14:54:07.150	VMG1259	vmtoolsd.exe	0%	3,256,301	running	34.805MB	0.13%
03-26 14:54:07.150	VMG1259	ManagementAgentHost.exe	0%	963,414	running	5.922MB	0.03%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	388,192	running	12MB	0.05%
03-26 14:54:07.150	VMG1259	winlogbeat.exe	0%	300,676	running	120.137MB	0.08%
03-26 14:54:07.150	VMG1259	zabbix_agentd.exe	0.16%	8,014,815	running	10.461MB	0.04%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	2,823	running	3.977MB	0.03%
03-26 14:54:07.150	VMG1259	Smc.exe	0%	2,148,960	running	15.551MB	0.03%
03-26 14:54:07.150	VMG1259	WmiPrvSE.exe	0.16%	4,947,088	running	11.609MB	0.06%
03-26 14:54:07.150	VMG1259	svchost.exe	0%	108	running	2.082MB	0.02%
03-26 14:54:07.150	VMG1259	dllhost.exe	0%	10,249	running	4.305MB	0.04%
03-26 14:54:07.150	VMG1259	msdtc.exe	0%	109	running	3.477MB	0.02%
03-26 14:54:07.150	VMG1259	python.exe	0%	3,135	running	30.879MB	0.12%
03-26 14:54:07.150	VMG1259	ccSvcHst.exe	0%	155,017	running	5.301MB	0.01%
03-26 14:54:07.150	VMG1259	taskhost.exe	0%	38,843	running	7.465MB	0.03%
03-26 14:54:07.150	VMG1259	dwm.exe	0%	62	running	1.664MB	0.02%
03-26 14:54:07.150	VMG1259	explorer.exe	0%	7,643	running	18.09MB	0.11%
03-26 14:54:07.150	VMG1259	vmtoolsd.exe	0%	3,999,787	running	5.266MB	0.03%
03-26 14:54:07.150	VMG1259	emedtray.exe	0%	1,637	running	1.383MB	0.01%
03-26 14:54:07.150	VMG1259	jusched.exe	0%	2,526	running	5.184MB	0.04%
03-26 14:54:07.150	VMG1259	jucheck.exe	0%	638	running	4.52MB	0.04%
03-26 14:54:07.150	VMG1259	LogonUI.exe	0%	358	running	9.57MB	0.05%
03-26 14:54:07.150	VMG1259	csrss.exe	0%	4,820	running	2.734MB	0.02%
03-26 14:54:07.150	VMG1259	winlogon.exe	0%	358	running	2.293MB	0.02%
03-26 14:54:07.150	VMG1259	taskhost.exe	0%	27,018	running	7.5MB	0.04%
03-26 14:54:07.150	VMG1259	ccSvcHst.exe	0%	95,284	running	5.516MB	0.01%
03-26 14:54:07.150	VMG1259	rdpclip.exe	0%	139	running	1.805MB	0.02%
03-26 14:54:07.150	VMG1259	dwm.exe	0%	171	running	2.031MB	0.02%
03-26 14:54:07.150	VMG1259	explorer.exe	0%	13,321	running	23.273MB	0.14%
03-26 14:54:07.150	VMG1259	vmtoolsd.exe	0.32%	3,697,722	running	5.27MB	0.03%
03-26 14:54:07.150	VMG1259	emedtray.exe	0%	15	running	1.383MB	0.01%
03-26 14:54:07.150	VMG1259	jusched.exe	0%	1,310	running	4.695MB	0.04%
03-26 14:54:07.150	VMG1259	jucheck.exe	0%	779	running	4.762MB	0.04%
03-26 14:54:07.150	VMG1259	csrss.exe	0%	28,625	running	2.734MB	0.03%
03-26 14:54:07.150	VMG1259	winlogon.exe	0%	358	running	2MB	0.02%
03-26 14:54:07.150	VMG1259	taskhost.exe	0%	21,714	running	7.5MB	0.03%
03-26 14:54:07.150	VMG1259	ccSvcHst.exe	0%	78,280	running	5.488MB	0.01%
03-26 14:54:07.150	VMG1259	rdpclip.exe	0%	155	running	2.641MB	0.02%
03-26 14:54:07.150	VMG1259	dwm.exe	0%	30	running	1.734MB	0.02%
03-26 14:54:07.150	VMG1259	explorer.exe	0%	8,891	running	39.645MB	0.17%
03-26 14:54:07.150	VMG1259	vmtoolsd.exe	0.16%	3,264,975	running	5.23MB	0.03%
03-26 14:54:07.150	VMG1259	emedtray.exe	0%	46	running	1.379MB	0.01%
03-26 14:54:07.150	VMG1259	jusched.exe	0%	1,435	running	5.434MB	0.04%
03-26 14:54:07.150	VMG1259	mmc.exe	0%	2,838,577	running	61.109MB	0.1%
03-26 14:54:07.150	VMG1259	filebeat4biz.exe	0%	9,241,717	running	318.355MB	0.72%
03-26 14:54:07.150	VMG1259	filebeat4debug.exe	0%	5,885,090	running	153.301MB	0.23%
03-26 14:54:07.150	VMG1259	filebeat4error.exe	0%	1,972,648	running	129.082MB	0.15%
03-26 14:54:07.150	VMG1259	filebeat4perf.exe	0.63%	5,773,316	running	139.645MB	0.19%
03-26 14:54:07.150	VMG1259	filebeat4payload.exe	0%	81,073	running	95.617MB	0.06%
03-26 14:54:07.150	VMG1259	filebeat4iis.exe	0.62%	4,396,918	running	101.887MB	0.07%
03-26 14:54:07.150	VMG1259	jucheck.exe	0%	779	running	4.918MB	0.04%
03-26 14:54:07.150	VMG1259	sppsvc.exe	0%	1,608,697	running	3.836MB	0.03%
03-26 14:54:07.150	VMG1259	TrustedInstaller.exe	0%	2,533,439	running	201.324MB	0.39%
03-26 14:54:07.150	VMG1259	mmc.exe	0%	31,589	running	22.266MB	0.1%
03-26 14:54:07.150	VMG1259	metricbeat.exe	0.63%	12,297,745	running	89.66MB	0.12%
03-26 14:54:07.150	VMG1259	WmiPrvSE.exe	0%	305,652	running	21.887MB	0.09%
03-26 14:54:07.150	VMG1259	WmiPrvSE.exe	0.31%	1,103,643	running	7.461MB	0.04%
03-26 14:54:07.150	VMG1259	GoogleCrashHandler.exe	0%	404	running	1.523MB	0%
03-26 14:54:07.150	VMG1259	GoogleCrashHandler64.exe	0%	46	running	1.621MB	0%
03-26 14:54:07.150	VMG1259	wuauclt.exe	0%	46	running	1.992MB	0.02%
03-26 14:54:07.150	VMG1259	w3wp.exe	2.18%	1,214,950	running	471.008MB	0.94%
03-26 14:54:07.150	VMG1259	w3wp.exe	5.93%	1,042,663	running	541.809MB	1.17%
03-26 14:54:07.150	VMG1259	w3wp.exe	0.47%	334,013	running	487.793MB	1%
03-26 14:54:07.150	VMG1259	w3wp.exe	0.79%	286,386	running	488.945MB	1.02%
03-26 14:54:07.150	VMG1259	w3wp.exe	0%	73,585	running	491.992MB	1.01%
03-26 14:53:57.174	VMG1259	smss.exe	0%	795	running	572KB	0%

and when the issue occur, the metirc data shows that the process all count plus 1, but we don't know what

the disk metric, when the issue occur, can not collect the informations

and the net, cpu, memory metrics show normal:

another clue is the windows update, we fonud that these three virtual machine all updated 2017-11-29

and we found out all the updates and look into these update's "Known issues in this update", but not found issue like our issue.

all updates at that day is:

http://support.microsoft.com/kb/3020388

http://support.microsoft.com/kb/3122648

http://support.microsoft.com/kb/2830477

http://support.microsoft.com/kb/2923545

http://support.microsoft.com/kb/3046017

http://support.microsoft.com/kb/3074543

http://support.microsoft.com/kb/3075226

http://support.microsoft.com/kb/3102429

http://support.microsoft.com/kb/310799\*\*\*\*81

http://support.microsoft.com/kb/3127220

http://support.microsoft.com/kb/3020370

http://support.microsoft.com/kb/3179573

http://support.microsoft.com/kb/3000483

http://support.microsoft.com/kb/3197\*\*\*\*

http://support.microsoft.com/kb/3133977

http://support.microsoft.com/kb/4020322

http://support.microsoft.com/kb/2592687

http://support.microsoft.com/kb/3054476

http://support.microsoft.com/kb/3161958

http://support.microsoft.com/kb/2574819

http://support.microsoft.com/help/4038779

http://support.microsoft.com/kb/3055642

http://support.microsoft.com/kb/4042076

http://support.microsoft.com/kb/3205394

http://support.microsoft.com/help/4019263

http://support.microsoft.com/kb/3060716

http://support.microsoft.com/kb/3147071

http://support.microsoft.com/kb/3110329

http://support.microsoft.com/kb/3092627

http://support.microsoft.com/kb/310799\*\*\*\*895

http://support.microsoft.com/kb/4019108

http://support.microsoft.com/kb/3108371

http://support.microsoft.com/kb/2830477

http://support.microsoft.com/kb/3068708

http://support.microsoft.com/kb/3137061

http://support.microsoft.com/kb/3080149

http://support.microsoft.com/help/4022722

http://support.microsoft.com/kb/4041090

http://support.microsoft.com/kb/3092601

http://support.microsoft.com/kb/3101722

http://support.microsoft.com/kb/3192391

http://support.microsoft.com/help/404167\*\*\*\*12

http://support.microsoft.com/kb/2973112

http://support.microsoft.com/kb/4019990

http://support.microsoft.com/kb/4041083

http://support.microsoft.com/kb/3140245

http://support.microsoft.com/kb/4014985

http://support.microsoft.com/kb/3054205

http://support.microsoft.com/kb/3139914

http://support.microsoft.com/kb/3078601

http://support.microsoft.com/kb/2943357

http://support.microsoft.com/kb/3097989

http://support.microsoft.com/kb/3084135

we can not found the cause of the issue by ourself by above informations and look for help!!

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

5 answers

Answer 1

Anonymous

Very welcome.

Rob

0 comments

Answer 2

Anonymous

thank you, it refered to this post.

0 comments

Answer 3

Anonymous

Hi,

Try to edit it down as it is way too long. i.e. Shorten the table examples.
Just split the message into 2 or more parts - post 1st part in the Question and the others in to replies to that Question.
Or refer them to this thread.

Rob