jimbocalvo Posted January 24, 2017

Hi guys,

I have just started at a new job and one of the first things I've been asked to look at is the very high CPU load on my company's primary server. The CPU maxes out at 100% (and when not that, in the 90s) for most of the day. Looking at the process(es) consuming the most, w3wp.exe, namely the IIS Worker Process, is the main culprit. When I look in IIS Manager I can see the WSUSPool as the source.

At the moment it's causing an issue with clients receiving timely Defender updates; my colleague is of the opinion that the high CPU load is the cause of those delays in receiving Defender updates.

If it were a server I'd built myself or been looking into the issue since it started then I'd probably have been able to get a good idea as to what the probable cause was, but I'm now playing catch-up and going over things that appear to have already been tried.

Setup:

Server is a Windows Server 2012 R2 Datacenter
18G RAM with 4 Cores
Config Manager 1610

Not sure what other information anyone would need to assist but please let me know and I'll get it.

So far I have amended the AV as all the directories were being scanned without the standard Config Manager exclusions and I have been looking at Private Memory Limit (under Recycling) for WsusPool in IIS.

Thanks in advance.

GarthMJ Posted January 24, 2017

How many clients? Is it a MP, SUP or DP? What exactly is your policy cycle? 60 minutes? How often are you scanning for SU?

jimbocalvo Posted January 24, 2017

Hi,

At the moment it has 350 clients, but this will grow.

The server in question is the Primary Server and has 14 roles installed; it has MP, SUP and DP installed. We have another server which also acts as a DP.

The client polling policy is 10 minutes.

Where would I check how often we were checking for SU?

GarthMJ Posted January 24, 2017

Wow, 10 minutes.. that is WAY too often! It should be 60 minutes...

As for SU scanning, that is also a client setting; you will find it in the same place as the client policy settings.

jimbocalvo Posted January 24, 2017

Hi Garth,

is this the screen you're referring to?

GarthMJ Posted January 24, 2017

Yes, that is the right one.. so every 7 days..

Now how often are you syncing the WSUS database with MS?

Have you turned the client policy settings back to every 60 minutes?

jimbocalvo Posted January 24, 2017

WSUS is set for an auto sync once a day at 05:33 (bizarre time but there we are). But when I look at the sync reports in the WSUS console I can see three syncs a day: the WSUS one at 05:33 and then "Manual" ones happening at 08:00 and 16:00. Are those additional syncs being requested by Config Manager?

I have just adjusted the polling schedule to 60 minutes.

jimbocalvo Posted January 25, 2017

OK, the changes last night have made no difference :-(

CPU is maxed at 100% and w3wp.exe is using 50-65% of it. I was optimistic last night as CPU dropped off and was then spiking every half an hour for a 10 minute period. I've been watching it this morning and it's not dropped once. Even when I recycled the application pool it dropped momentarily and then went back to 100%.

GarthMJ Posted January 25, 2017

So what does the IIS log say is going on?

jimbocalvo Posted January 26, 2017

I can't see a great deal of issues in the IIS logs, but what I have seen when I cross-check in the application logs are ASP.NET errors, Event ID 1309 with an Event Code of 3001. I see timeouts from workstations when contacting the WSUS site.

I have read some material where other people have had issues with their WSUS database either going offline or becoming unstable/corrupt. We are currently mulling over uninstalling and reinstalling WSUS and setting the database to be in the on-box installation of SQL rather than WSUS's own database.

Would something like that sound reasonable, and also our potential course of action?
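
One way to answer the "what does the IIS log say" question above, as an added example that is not part of the thread or any poster's code: a small parser for IIS W3C logs that ranks (endpoint, client) pairs by request count and `time-taken`, so slow or failing WSUS web service calls stand out. The sample log lines are constructed, and the function names and the 30-second `slow_ms` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2017-01-25 08:00:01 POST /ClientWebService/client.asmx 10.0.0.21 200 95012
2017-01-25 08:00:02 POST /ClientWebService/client.asmx 10.0.0.22 200 310
2017-01-25 08:00:03 POST /SimpleAuthWebService/SimpleAuth.asmx 10.0.0.21 200 15
2017-01-25 08:00:09 POST /ClientWebService/client.asmx 10.0.0.21 500 120344
2017-01-25 08:00:11 GET /Content/anything.cab 10.0.0.23 200 42
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def summarize(text, slow_ms=30000):
    """Per (endpoint, client): requests, slow requests, max time-taken (ms), 5xx count."""
    stats = defaultdict(lambda: {"requests": 0, "slow": 0, "max_ms": 0, "errors": 0})
    for row in parse_w3c(text):
        if not row.get("time-taken", "").isdigit():
            continue  # field not logged or not numeric
        ms = int(row["time-taken"])  # IIS records time-taken in milliseconds
        s = stats[(row["cs-uri-stem"].lower(), row["c-ip"])]
        s["requests"] += 1
        s["slow"] += ms >= slow_ms  # slow_ms is an assumed threshold
        s["max_ms"] = max(s["max_ms"], ms)
        s["errors"] += row["sc-status"].startswith("5")
    return dict(stats)

def worst_offenders(text, top=3, slow_ms=30000):
    """Return the (endpoint, client) pairs with the longest single request."""
    ranked = sorted(summarize(text, slow_ms).items(),
                    key=lambda kv: kv[1]["max_ms"], reverse=True)
    return ranked[:top]

if __name__ == "__main__":
    for (stem, ip), s in worst_offenders(SAMPLE_LOG):
        print(f"{stem:45} {ip:12} {s}")
```

To use it on a real server, pass the text of the WSUS site's IIS log file to `worst_offenders` in place of `SAMPLE_LOG`; the `time-taken` field must be enabled in the site's logging fields.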