SYSTEM (ntoskrnl.exe) high CPU usage - All Windows Server versions

Arnaud Rigole 141 Reputation points

Hi everyone,

We can't understand a behavior that we got since yesterday on every file server of our infrastructure: The "SYSTEM" process (ntoskrnl.exe) is using all CPU available, conducting to completly overload the server and slow down to hell its services... Same problem on WS2012R2 & 2016.

On 2012R2, we got 3 KB installed recently (05/09) : KB5004233, KB5004298, KB5004285. On 2016, the last CU installed was the KB5005043 on late august. Nothing more since that.


  • I tried to use ProcessHacker tool to see what could cause that, but i can't see nothing intersting / relevant :
    • I tried to follow the detailed informations of this thread:

Same thing, can't find any relevant using the Windows Performance Analyzer...


Have you any advices ?
Thanks in advance...


Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,431 questions
Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,570 questions
{count} votes

8 answers

Sort by: Most helpful
  1. Arnaud Rigole 141 Reputation points

    @Anonymous thanks for your response. As i told, we got unexpectedly the problem on every file server, from day to day !
    Every server is different and the only common binary is the Antivirus. We tried to disable it, and still have SYSTEM process up to 70% (peaks) cpu usage !

    Anyway, i tried yesterday to boot a 2012R2 without any additional service, and... check that out...


    Any ideas ?

  2. Arnaud Rigole 141 Reputation points

    Following this, i disabled ABE on every SMB share on a sample server : no changes

    0 comments No comments

  3. Docs 15,491 Reputation points

    See if this link is useful:

    Please remember to vote and to mark the replies as answers if they help.

    On the bottom of each post there is:

    Propose as answer = answered the question

    On the left side of each post: Vote = a helpful post

    0 comments No comments

  4. Arnaud Rigole 141 Reputation points

    @Docs as you can see on my first post... i already tried to use WPA to identity binary/drivers involved...
    There is nothing relevant, pure system calls if i expand [root] stack tree of the system process...

    0 comments No comments