You have a system with Symantec Endpoint Protection (SEP) that is experiencing high CPU usage. You determine the issue is caused by ccSvcHst.exe. It is possible to reboot the system (see the Related Articles section if that should not be the case).
SEP 12.1, 14 or higher
procdump –ma -c <CPU usage percentage that will trigger a dump> <Process ID of high CPU ccsvchst.exe process> ccsvchst.dmp
(e.g. run the command procdump -ma -c 75 2300 ccsvchst.dmp
to generate a dump when the CPU usage for the ccSvcHst.exe with process ID 2300 is at least 75%).The process ID of the offending ccSvcHst.exe process can be determined in the following way:
a. Under Select additional profiles for performance recording, under Resource Analysis, select CPU Usage, Disk I/O Activity and File I/O Activity. Under Scenario Analysis, tick Minifilter I/O activity.
b. Performance scenario: General.
c. Detail level: Verbose.
d. Logging mode: File.
If the system is a virtualized one:
If the system is a physical one: