You have a system with Symantec Endpoint Protection (SEP) that is experiencing high CPU usage, and you have determined that the issue is caused by ccSvcHst.exe. This procedure assumes the system can be rebooted (see the Related Articles section if that is not the case).
Right-click Procdump.zip, select Extract All... and extract the files to the Windows folder.
Open a Command Prompt (cmd.exe) window.
Run the command procdump -ma -c <CPU usage percentage that will trigger a dump> <Process ID of the high-CPU ccSvcHst.exe process> ccsvchst.dmp (e.g. run procdump -ma -c 50 2300 ccsvchst.dmp to generate a dump when the CPU usage of the ccSvcHst.exe process with process ID 2300 reaches at least 50%).
The process ID of the offending ccSvcHst.exe process can be determined in the following way:
Right-click the Windows task bar and select Start Task Manager.
Navigate to the Processes tab and click the CPU column header button to sort the processes by CPU usage.
Make note of the offending ccSvcHst.exe process's CPU usage and PID. If the PID column is not visible, navigate to View > Select Columns, tick PID (Process Identifier), then click the OK button.
Following this, generate a Windows Performance Recorder trace file:
Run Windows Performance Recorder. Set the following options, then click the Start button to capture the issue:
a. Under Select additional profiles for performance recording, under Resource Analysis, select CPU Usage, Disk I/O Activity and File I/O Activity. Under Scenario Analysis, tick Minifilter I/O activity.
b. Performance scenario: General.
c. Detail level: Verbose.
d. Logging mode: File.
After reproducing the issue, click the Save button, browse to the location where you wish to save the trace file and click the Save button.
When saved, click the Open Folder button to navigate to the save location, select all files, right-click on them and select the Send to > Compressed (zipped) folder menu option.
Next, generate a low-altitude Process Monitor trace:
Open Registry Editor (regedit.exe) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\.
Double-click CrashDumpEnabled, set the value to 1 (1 = complete memory dump, 2 = kernel memory dump) and click OK.
Close Registry Editor.
Click the Start button, right-click Computer and select Properties. Click Advanced System Settings.
In the Performance area, click the Settings... button.
In the Performance Options window, navigate to the Advanced tab, then click the Change... button.
Select the Custom size radio button, then set both Initial size (MB) and Maximum size (MB) to at least the amount of installed memory plus 257 MB, entering the value in each field and clicking the Set button when done. For example, if the system has 4 GB of memory, set both fields to (4 x 1024) + 257 = 4353 MB; if the system has 8 GB of memory, set both fields to (8 x 1024) + 257 = 8449 MB.
After having made these changes, restart the system.
Download https://download.sysinternals.com/files/NotMyFault.zip and unpack the archive to C:\Windows. Open a Command Prompt (cmd.exe) window and, without pressing Enter at the end, type in the command notmyfault /accepteula /crash. Reproduce the issue, return to the Command Prompt window and press Enter to forcefully crash the system.
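As an added example that is not part of the original article, the following read-only PowerShell check can be run after the restart and before crashing the system with NotMyFault: it reports the PID to use in the procdump command and verifies the complete-dump prerequisites configured above. It assumes PowerShell 3.0 or later (for the CIM cmdlets) and the standard Windows WMI classes Win32_ComputerSystem and Win32_PageFileSetting.

```powershell
# Added example, not part of the original article: a read-only pre-flight check.
# It reports the PID of the busiest ccSvcHst.exe for the procdump command and
# verifies the complete-dump prerequisites configured above (CrashDumpEnabled = 1,
# page file >= installed RAM + 257 MB). Nothing is modified.

# 1. Busiest ccSvcHst.exe by total CPU time consumed (Task Manager shows current
#    usage instead, so confirm the PID there if several instances are running).
$proc = Get-Process -Name ccSvcHst -ErrorAction SilentlyContinue |
        Sort-Object -Property CPU -Descending | Select-Object -First 1
if ($proc) {
    "Busiest ccSvcHst.exe: PID $($proc.Id), CPU time $([math]::Round($proc.CPU, 1)) s"
    "Suggested command: procdump -ma -c 50 $($proc.Id) ccsvchst.dmp"
} else {
    "No ccSvcHst.exe process is running."
}

# 2. CrashDumpEnabled must be 1 (complete memory dump) for the NotMyFault crash to be useful.
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpMode = (Get-ItemProperty -Path $crashKey -Name CrashDumpEnabled).CrashDumpEnabled
if ($dumpMode -eq 1) { "CrashDumpEnabled = 1 (complete dump): OK" }
else { "CrashDumpEnabled = $dumpMode : set it to 1 (1 = complete dump, 2 = kernel dump)" }

# 3. Page file requirement from the article: (RAM in GB x 1024) + 257 MB.
#    Physical memory is rounded up to whole GB, so 4 GB gives 4353 and 8 GB gives 8449.
$cs         = Get-CimInstance -ClassName Win32_ComputerSystem
$ramGB      = [math]::Ceiling($cs.TotalPhysicalMemory / 1GB)
$requiredMB = ($ramGB * 1024) + 257
"Installed RAM: $ramGB GB -> initial and maximum page file size must be >= $requiredMB MB"

# 4. Compare with the configured page file(s). Win32_PageFileSetting sizes are in MB;
#    with 'Automatically manage paging file size' enabled there is nothing to compare.
if ($cs.AutomaticManagedPagefile) {
    "Page file is system-managed: choose Custom size and enter $requiredMB MB in both fields."
} else {
    foreach ($pf in Get-CimInstance -ClassName Win32_PageFileSetting) {
        $ok = ($pf.InitialSize -ge $requiredMB) -and ($pf.MaximumSize -ge $requiredMB)
        $state = if ($ok) { 'OK' } else { "too small, need >= $requiredMB MB" }
        "$($pf.Name): initial $($pf.InitialSize) MB, maximum $($pf.MaximumSize) MB -> $state"
    }
}
```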
Following this, upload the resulting dump and all other data to an existing case (or create a new one) using SymDiag:
In the Select Products section, tick Endpoint Protection Client and click Next.
In the Select Data Type section, under Data Type, select All data, tick Choose additional files to collect and click Next.
Below Choose additional files to collect, click the Browse... button, navigate to and select the dump created above (typically C:\Windows\MEMORY.DMP) and all other generated data, then click the Open button, followed by the Next button.
After the data collection has finished, enter your name, company, case number, contact information and a brief description of the issue, then click the Open or Update a Support Case button. Enter your user name and password, then click the Login button.