explorer.exe using 50-100% CPU

Anonymous
2010-05-13T02:52:04+00:00

I've noticed this for a few weeks.  In Task Manager, explorer.exe shows as using 50-100% CPU, and programs seem to run more slowly.  This reliably starts when I open an "explorer window".  It will also start if I use msconfig to disable everything (except microsoft services).

I have booted into safe mode and run Malwarebytes Anti-Malware -- nothing found.

I then ran Process Explorer, and discovered that the thread which seems to be responsible is called (has a start address) ntdll.dll!EtwTraceMessageVa+0x130. There may be one or two of these threads present, each using 48%+ CPU.

I believe these are responsible, and I think they are used in some kind of event logging, possibly a debugger that somehow got turned on, but I don't know how to proceed from this point.

Thanks for any help

System:  Intel Core2 *** Email address is removed for privacy ***

8GB RAM  Windows 7 Professional 64 bit

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

Anonymous
2010-05-13T02:54:07+00:00

Often, instabilities in Windows Explorer are attributable to faulty shell extensions and addons.

Consider using Sysinternals Autoruns or ShellExView. Disable non-Microsoft shell extensions and add-ons, and check the behavior.  If it is gone, re-enable the disabled extensions/add-ons, one at a time, and see if you can identify which may be responsible.

Try a clean boot, or boot into safe mode.  Does the behavior persist?

What is the complete stack of the thread, per Process Explorer, when the CPU consumption is present?

7 people found this answer helpful.

6 additional answers

  1. Anonymous
    2010-05-13T20:26:58+00:00

    Now that you have isolated the problem (good work!), there would seem to be little need to do the following.  Still, in case you are curious...

    To check the third-party modules loaded into the address space of a process, one can also use Process Explorer.  Select the process of interest, press CTRL+D to display the lower pane in "DLL View".  Right-click the lower pane column headers and choose "Select columns".  Check the "Company Name" box, click OK, in the "Select Columns" dialog that comes up.  Then sort the lower pane by Company Name, and make note of anything that is not from Microsoft.

    To obtain the full stack of the thread, simply double-click the thread (or click the "Stack" button when the thread is selected) on Process Explorer's Threads tab, of the process' Properties property sheet.

  2. Anonymous
    2010-05-13T11:35:32+00:00

    Thank you for that information about EtwTraceMessageVa.

    With regard to your other questions:

      I did not see any excessive events in the event logs.

      I don't know how to check "What third-party modules are loaded into explorer.exe's address space?"

      I have not been using "logman, xperf, or the like".  I'm not aware of those utilities.

    At present, I cannot supply the "complete stack of the thread" as I seem to have isolated the offending program, following your advice regarding disabling of non-Microsoft shell extensions using ShellExView.  (If you still think it would be useful, I can re-enable those extensions and provide the stack).

    The problem seems to be related to the two shell extensions associated with my AntiVirus program:

                          Avast

                          snxPluginsShell Class

    I have started a support ticket with ALWIL regarding this problem.

    Thank you for your help.

  3. Anonymous
    2010-05-13T10:44:28+00:00

    What is the complete stack of the thread, per Process Explorer, when the CPU consumption is present? (You just listed the start address, it seems.)

    Shell extensions can log to the event log. 

    Did you check the event logs, to see if one may have excessive events?

    EtwTraceMessageVa may also deal with event tracing, not just event logging.

    What third-party modules are loaded into explorer.exe's address space?

    Any chance you've been working with logman, xperf, or the like?

  4. Anonymous
    2010-05-13T03:02:38+00:00

    When I wrote "use msconfig to disable everything (except microsoft services)" I thought all would also understand that to mean a clean boot as per the article you mentioned above.

    And, as I wrote initially, the behavior persisted after this "clean boot". The behavior did NOT persist in safe mode.

    How do shell extensions interact with EtwTraceMessage which has to do with event logging?

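
The two checks suggested in this thread (reviewing non-Microsoft shell extensions, and sorting the modules loaded in explorer.exe by Company Name) can be combined in one PowerShell report. This is an added example, not part of the original thread or of any Sysinternals/NirSoft tool; it assumes a 64-bit PowerShell session and reads only the `Shell Extensions\Approved` registry list, which covers fewer entries than ShellExView shows.

```powershell
# Added example: list non-Microsoft approved shell extensions and mark which
# of their DLLs are loaded in explorer.exe right now.
# Assumption: run from 64-bit PowerShell so the native registry view and the
# 64-bit explorer.exe module list are both visible.

$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

# Paths of every module currently loaded in explorer.exe (lower-cased keys).
$loaded = @{}
Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName } |
    ForEach-Object { $loaded[$_.FileName.ToLower()] = $true }

$approved = Get-Item -Path $approvedKey
$report = foreach ($clsid in $approved.GetValueNames()) {
    if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # not a CLSID value

    # Resolve the CLSID to the in-process server DLL that Explorer would load.
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $inproc)) { continue }
    $dll = (Get-Item -LiteralPath $inproc).GetValue('')
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')

    # Bare file names are resolved against System32 (simplification).
    if (-not [IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path (Join-Path $env:SystemRoot 'System32') $dll
    }
    if (-not (Test-Path -LiteralPath $dll)) { continue }

    # A missing CompanyName is kept in the report: unknown vendor is worth a look.
    $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
    if ($company -like 'Microsoft*') { continue }

    New-Object PSObject -Property @{
        Name       = $approved.GetValue($clsid)
        CLSID      = $clsid
        Company    = $company
        Path       = $dll
        InExplorer = $loaded.ContainsKey($dll.ToLower())
    }
}

$report | Sort-Object Company, Name |
    Format-Table Name, Company, InExplorer, Path -AutoSize
```

Entries with `InExplorer` set to `True` are the first candidates to disable one at a time, as the accepted answer describes.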