[SOLVED] A background process using a significant amount of CPU power stops immediately when I open Task Manager. Is there a way to identify what's doing this?
It started a day or two ago. Three threads (I think?) jump from nearly 0% to 100% and go back as soon as I open Task Manager to try to figure out what's causing it. My first thought was a virus or bitcoin mining trying to hide itself (though isn't that done on GPUs?), but Windows Defender came up empty-handed.
I know certain OS apps, like automatic virus scans, behave similarly, stopping when you click or type, but this culprit seems to only react to opening the task manager. It also doesn't start again until task manager has been closed for a while.
Here's a PowerShell one-liner that should be somewhat analogous to Linux top. Try using that and see if you can catch the process name.
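An added example of that kind of top-like sampler (it is not streblo's one-liner, which isn't reproduced in this thread): it polls Get-Process, converts each process's cumulative CPU seconds into a percentage for the interval, and appends the top rows, including the executable path, to a log file so a process that stops as soon as you look still leaves a record. The interval, row count and log path are this example's own defaults, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from this thread): a top-like CPU sampler for Windows PowerShell 5.1+.
# It records per-process CPU use between two snapshots and appends the top rows, with the
# executable path, to a log file so a process that stops quickly still leaves a trace.
param(
    [int]$IntervalSeconds = 2,                          # seconds between snapshots
    [int]$TopN = 10,                                    # rows to keep per sample
    [string]$LogPath = "$env:TEMP\cpu-sampler.log"      # assumed log location
)

$cores = [Environment]::ProcessorCount

# One snapshot of cumulative CPU seconds, keyed by process Id (not name) so that a
# process relaunched under the same name is not confused with the old instance.
function Get-Snapshot {
    $snap = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        # CPU and Path can be $null for protected/system processes; keep what we can read.
        try { $snap[$p.Id] = @{ Name = $p.ProcessName; Path = $p.Path; Cpu = $p.CPU } } catch {}
    }
    return $snap
}

$prev = Get-Snapshot
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $cur = Get-Snapshot
    $rows = foreach ($id in $cur.Keys) {
        $c = $cur[$id]
        # Skip Idle (pid 0), which only accounts for unused cores, and unreadable processes.
        if ($id -eq 0 -or $null -eq $c.Cpu) { continue }
        # A process seen for the first time has no earlier sample: count its whole CPU time.
        $before = 0
        if ($prev.ContainsKey($id) -and $null -ne $prev[$id].Cpu) { $before = $prev[$id].Cpu }
        $delta = $c.Cpu - $before
        # Percent of the whole machine over the interval (100% = every core busy).
        $pct = [math]::Round(100 * $delta / ($IntervalSeconds * $cores), 1)
        [pscustomobject]@{ Time = Get-Date -Format 'HH:mm:ss'; Id = $id
                           Name = $c.Name; CpuPct = $pct; Path = $c.Path }
    }
    $top = $rows | Sort-Object CpuPct -Descending | Select-Object -First $TopN
    $text = ($top | Format-Table -AutoSize | Out-String).TrimEnd()
    Write-Host $text
    Add-Content -Path $LogPath -Value $text   # keep the evidence even if the process vanishes
    $prev = $cur
}
```

Leave it running in a plain powershell.exe window while the spike happens; the Path column tells you where the binary lives, and the log keeps the rows even if the process has already gone by the time you look.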
@cfabbro suggested this might be my only option. How would I go about using it? Is it just copypaste for command line? Programming isn't exactly my forte.
PowerShell is the MS shell (i.e. a more advanced command line with scripting capabilities), and depending on your Windows version (e.g. if you have Win10 Pro) it might already be installed and located at
%windir%\System32\WindowsPowershell\v1.0\ (or whatever version came preinstalled). And you can run it by double-clicking powershell.exe in there, or using Win+R, typing powershell.exe in the popup, then hitting Enter. However, if PowerShell is not installed, a guide for installing it is here:
https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7.1
Once you have it installed, it's very much like cmd.exe, so you can just run powershell.exe, copy+paste streblo's script into it, and hit enter to run the script.
p.s. Here's a slightly different script that is slightly more easily understood, and will list the top 10 processes by CPU usage, but without refreshing over and over. If you run it as your CPU usage spikes to 100% on those cores, you should hopefully be able to find the culprit near the top.
If that's not enough processes to find the culprit, just change the "-first 10" to "-first 20" or however many you need to find it. Or similarly, in @streblo's script, just change "select -f 15" to another higher number.
p.p.s. Some scripts may require elevated privileges to run them, so you might need to right-click powershell.exe in its install directory, then click "Run as Administrator"... or if you're using Win+R, type powershell.exe and then hit Ctrl+Shift+Enter to run it as Admin. Neither mine nor streblo's scripts should require that though, and I would advise you to be wary of scripts that do require elevated privileges to run unless you know exactly what they are doing, and/or trust the source.
Turns out PowerShell was already installed. So I ran the script and got these results. "Unarchiver" kept rising to the top and promptly disappeared after I brought up task manager.
Not only did I not find any process labeled "unarchiver", the only thing that
Scratch that! I came across this reddit thread, and reading it was honestly kinda spooky. Had to do a double take because it was eerily similar to my situation. I'd also recently downloaded Cyberpunk via more dubious means, which is why I initially suspected this being malware. Everything search found it instantly.
This is what the file looked like in the explorer. Just deleted that and rebooted to make sure it didn't recreate itself somehow and so far it's been awfully quiet. Still no idea what it was actually doing.
Thanks @streblo and @cfabbro! That script was actually something I'd needed before. I'll keep it handy from now on just in case.
Awesome, glad you got it sorted out. You should probably keep an eye on your CPU usage over the next while though, since sometimes malware can simply reinstall itself later if all you did was delete the affected files manually. If that does happen, then you're probably going to have to go through the same process again to identify the newly affected files, then upload them to something like VirusTotal in order to find an antivirus that actually recognizes them as malware, and then download+use that particular AV so it can hopefully permanently remove the problem for you.
I'm about to head off for Christmas morning with the family, and when I get back in a few hours I will try to offer some more thorough assistance... but in the meantime, here's a quick suggestion before I go. If you suspect whatever is hogging your resources is shutting off when you open Task Manager to avoid detection, you should try using an alternative to Task Manager, e.g. Process Explorer (which is superior to Task Manager anyways, IMO).
I tried Process Explorer and a couple of other alternatives, as well as Windows' Resource Monitor, but it reacted to all of them. What's weird is that the Rainmeter plugin that I'm using (github link to the thing in the screenshot) doesn't trip whatever alarm bells the presumably malicious app is listening to. This must be because it's using HWinfo to read and translate the, well, hardware info into its UI. And as it turns out, launching that doesn't bother the malware. Granted, HWinfo runs from startup anyway.
That is highly unusual. Are you sure all this isn't just a false reading from your Rainmeter plugin? Have you managed to verify the cores are actually going to 100% with any other program? Are your CPU temps and fans responding in kind?
Similarly, you could use something like CAM or CoreTemp to watch your CPU temperature. If it's sitting at 100% for long durations you'll definitely notice an increase.
Both HWinfo and HWmonitor report the same value for cores 1, 3 and 7 at 100%. Every other app I tried cuts the high usage. HWmonitor definitely shows temps rising. It went from 50s to 70s when the cores were affected. CPU fan jumps from 1300 RPM to 1800.
Hmm... if that's the case, but you can't manage to actually catch the offending process in any process monitoring programs, at this point you're probably going to have to rely on something like typeperf (e.g.) or a powershell script (e.g. like what @streblo provided below) to try to determine what is actually utilizing those cores.
As far as I know, there are other cryptocurrencies like Monero that can be mined reasonably efficiently on a CPU (some people going as far as to use browsers and JavaScript/WASM to have people mine it unconsciously, so it must be worth it). Monero specifically is a good pick for any wannabe virus creator, as it's designed to be anonymous (afaik).
I wouldn't expect it to be an antivirus or an otherwise legitimate thing, because why would they need to hide themselves from task manager?
Anyway, check your Windows Defender exclusions in case you forgot you excluded a folder, or the virus could've done it for some reason.
If that doesn't turn up anything, try installing Malwarebytes and running a full scan. (They were pretty effective previously, I don't exactly know how effective they are today, still worth a try.)
This is better than malwarebytes https://www.reddit.com/r/TronScript/wiki/index
Removed all the exclusions and ran Malwarebytes too. Still nothing.
This sounds like the typical thing that happens when you have drivers that aren't current.
Drivers can be found in many different places on your machine.
On Windows machines, typical symptoms of outdated drivers are CPUs maxing out, ports (like an ethernet port, or USB port etc.) not functioning, or only functioning when a laptop is charging, or memory overflow events when the machine has been running for a substantial amount of time.
Both AMD's software and Windows' updates are now up to date. Still no fix.
I also suspected Windows updater and cleanup, but the only programs that interrupt the high CPU usage are task manager and other monitoring software. Anything else that would normally make Windows let go of the processor won't stop the high usage (games, browser, media player etc.). Similarly, with task manager open, the usage stays at near 0%, and only after it has been closed for a few minutes does it start back up.
It's like something intentionally trying to avoid detection. Just saying that makes me sound crazy, but at this point I don't know what else other than malware would even behave this way.
Worst case (if you're particularly worried), nuke it and reinstall Windows.
That really is the nuclear option and I'm hoping I don't have to do it. Just earlier this year I got off easy after having swapped some parts, including the motherboard, and didn't have to reinstall Windows which frankly surprised me.