Mfartura's blog : High Utilization

Real Case: Random apps running 100% CPU (advanced)

Marcelo Fartura — Wed, 28 Feb 2007 05:18:00 GMT

This is another 100% CPU issue. This time I’m not working on any customer case as the issue is happening on my own Windows XP SP2 machine. So I resolved trying to troubleshoot that just for fun J.

First, let me explain the scenario:

Random interactive applications, like Outlook, Word, Excel, Explorer, Internet Explorer etc, were unexpectedly consuming 100% CPU. Once they started eating up all the CPU they get completely hung and do not stop using all the CPU until I actually kill their processes. Some times after killing their process and restarting the application the issue was gone, some times the issue comes back right after the application restarts and I need to kill it again…

Ok, I made my part playing as an end user by just killing the processes for some time but it started buzzing me as it was becoming more frequent. So now it’s time have some fun and go to the core of the issue.

All I need to do is follow the steps in the post Lab: Win32 Application Causing 100% Condition. So let’s go start doing that:

Once the problem happened next time, it was in the infopath.exe application, I attached the Windbg (from the Debugging Tools For Windows) and executed the command below in order to find out which thread I should look at:

Ok, so now I know the thread 0 is the one I’m looking for since it’s the one who’s been consumed the CPU for the last 40 seconds. You might be asking “what if there were other threads also consuming the CPU?” Well, for this specific issue I knew we would find only one single thread since my machine is a dual CPU and whenever the problem happens the app takes only one of the CPUs.

With that said, let’s take a look at the call stack of the thread 0:

Ok, so we don’t have that much… the return address is 0x0 and ebp register is 0x0 so since we don’t have the proper symbols to work with this I guess we won’t be able to rebuild the stack. So we will have even more fun diving in the ASM from now on!!!

We already know the application nview.dll is the one loaded in the call stack. Let’s see what is it doing or trying to do. Our current instruction pointer tells us this:

So all we need to do to follow the assembler execution path is to get the current CPU registers value and start reproducing the effects the real instructions would have. The current value of the CPU registers is below:

Notice that both EAX and EDX (the two registers used by the first operation) are 0x0. So the first instruction mov eax, edx won’t change anything. It will make a copy of the EDX register to the EAX but since they are both 0x0 this will result in no changes at our registers. Let’s take a look at the subsequent instructions and their effects:

and eax, 01000000h

It will make an AND logical operation between EAX and the value 0x1000000 and load the result at the EAX register. Again, this won’t change the EAX value since 0x0 AND 0x1000000 results in 0x0 which is already the current EAX value.

xor ebp,ebp

It will make an Exclusive-OR operation, or XOR, between the stack base pointer EBP and itself and load the result at the EBP (which is the destination operand on this operation). Needless to say this would load EBP with 0x0, however as we can notice below from the current register values, EBP is already 0x0:

or eax,ebp

It will make an OR logical operation between EAX and EBP and load the result at the EAX. We already know this will be the equivalent of making 0x0 OR 0x0 which will result in guess what… Exactly! – It will result in 0x0 which doesn’t change the original value of EAX.

je nview!NVLoadDatabase+0xc8a (100020ea)

This will cause the instruction pointer EIP to “jump” to 100020ea just in case the operands of the previous OR operation were equal in value. Well, EAX is indeed equal, in value, to EBP since they’re both 0x0. So the EIP is loaded with the value 100020ea and our assembly execution path is properly changed as below:

So, let’s continue from the instruction located at 100020ea.

shl edx,8

It will make a shift left on the EDX value of 8 positions. EDX is a 32-bit representation of the value 0x0, so shifting it 8 positions wouldn’t change anything. EDX remains 0x0 after the operation as we can see below:

mov eax,edx

This one we already know. It won’t change anything as EAX = EDX = 0x0.

sar eax,8

It will a shift right on the EAX of 8 positions. As we’ve seen before with the EDX and the shift left operation, this won’t change anything as EAX = 0x0.

add eax,esi

Finally EAX changed its original value of 0x0 to the result of the sum between itself and ESI register. ESI = 0003fff8 and so EAX will from now on be EAX = 0003fff8 as can see below:

sar edx,1Fh

Again, a shift righ operation on the EDX with 31 positions. EDX will remain with 0x0 after that as we’ve seen before.

cdq

This will convert the value of EAX to a 64-bit value. But it will keep it original value of 0003fff8.

mov eax, esi

It will copy the value of ESI to EAX, however as we noticed before EAX was made equal to ESI by the operation add eax, esi previously executed (since EAX was 0x0 by that time). So this operation doesn’t change anything either.

lea eax,[ecx+esi]

This will load EAX with the value resultant from the operation ECX + ESI. So let’s make a little math here… ECX + ESI = 00c90000 + 0003fff8 = 00ccfff8. So EAX will be from now on = 00ccfff8 as we see below:

cmp eax, edi

This will compare the values of EAX and EDI and change the proper flags accordingly.

mov dword ptr [esp+14h],edx

This will copy the EDX value to the memory location referred by the stack pointer plus 20 bytes, or in other words, this will copy EDX value to 20 bytes down on the stack. So, doing a little math again we will have that such a position would be the ESP = 0012c6c0 plus 20 bytes, so 0012c6c0 + 0x14 = 0012c6d4. Let’s see what is current content of 0012c6d4:

All right, so it’s currently 0x0 and we are copying the value of EDX which is also 0x0 to that location in the memory. So, we won’t actually change anything here. Let’s move on.

jb nview!NVLoadDatabase+0xc60 (100020c0)

This will make our execution path jumping to 100020c0 just in case the result of the operation cmp previously executed, tells us the value of EAX is lower (or below) EDI. By the time the cpm operation was executed, EAX was 00xxfff8 and EDI was 00cd0000 so EAX is indeed below EDI and will therefore jump in the execution path as below:

So we moved back some bytes on our execution path. Let’s keep moving…

mov edx, dword prt [eax]

It will copy the value referred by EAX to the register EDX. The value currently referred by EAX is the following:

So we’re just copying 0x0 to EDX which is already 0x0, so it doesn’t change our register’s value.

mov eax, dword ptr [eax+4]

This will copy the value referred by the EAX plus 4 bytes to EAX. The valued pointed by EAX + 4 is the value pointed by 00ccfffc which is 0x0. So now we’re basically making EAX = 0x0 again – As we had in the very beginning of our execution path.

mov dword ptr [esp+14h],eax

This will just copy the EAX value to a specific position on the stack (20 bytes under the top pointed by the ESP). So it doesn’t change any register and it actually doesn’t change the stack value either since EAX is currently 0x0 once again and we had already saved the value 0x0 at that same position on the stack when executed the instruction located at 100020ff.

Now hold on: The next instruction is exactly the one we executed in the very first step of all this investigation. And guess what? The registers and the stack have exactly the same values as we had in the very beginning. So we don’t need to move forward on this to conclude that we will end up again in the same place, and again, and again, and again… indefinitely! This turns out to be an infinite loop!!

Conclusion:

This explains why this thread is using 100% of our CPU and concludes our investigation. Unfortunately this is something we can’t fix since it’s happening within the nview.dll’s code and this is not a MS product.

NVIEW.DLL is a NVidia module apparently used by the NVidia Desktop Manager software. I’ve done some research through the NVidia web site and I haven’t found any reference to this so I believe there is no definitive solution for this yet. As a workaround I simply disabled the Desktop Manager feature and everything seems to be fine now.

Lab: Win32 Application causing 100% CPU condition (Advanced)

Marcelo Fartura — Mon, 18 Sep 2006 21:32:00 GMT

This is lab for simulating a real 100% CPU condition being caused by a generic Win32 application when there are no symbols available for such application.

Let’s start supposing the situation is currently occurring. So, the first step is to confirm the symptoms, which we can easily do by using, for instance the task manager. As we see in the picture below we have a 50% utilization on a dual core machine which represents 100% of one CPU being utilized.

If we navigate to the process tab in the task manager we will be able to identify which process is causing the problem as shown in the picture below:

Ok, so it’s the MyApp.exe that is keeping one of our CPUs totally busy. It's time to bring the debugger and look what’s happening under the hood…

By using the Windbg from the Debugging Tools For Windows package, we can choose, by pressing F6, which process we want to attach the debugger to:

After attaching to the MyApp.exe process, the debugger will, by default, list all the modules loaded at the address space as well as it will break the execution through the break instruction exception (80000003). Now, since the execution is broken, our CPU is no longer busy and we can start investigating what is going on here.

Microsoft (R) Windows Debugger Version 6.6.0005.0

Executable search path is:

ModLoad: 00400000 00446000 C:\Temp\MyApp.exe

ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll

ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll

ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.dll

ModLoad: 77f10000 77f57000 C:\WINDOWS\system32\GDI32.dll

ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll

ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll

ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll

ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll

ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll

ModLoad: 77a80000 77b14000 C:\WINDOWS\system32\CRYPT32.dll

ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll

ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll

ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv

ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv

ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll

ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll

ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll

ModLoad: 74720000 7476b000 C:\WINDOWS\system32\MSCTF.dll

ModLoad: 77120000 771ac000 C:\WINDOWS\system32\OLEAUT32.DLL

ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll

ModLoad: 10000000 1001e000 C:\Program Files\Babylon\CAPTLIB.DLL

ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll

ModLoad: 74c80000 74cac000 C:\WINDOWS\system32\OLEACC.dll

ModLoad: 76080000 760e5000 C:\WINDOWS\system32\MSVCP60.dll

(8a8.c5c): Break instruction exception - code 80000003 (first chance)

eax=7ffd6000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005

eip=7c901230 esp=00fcffcc ebp=00fcfff4 iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246

ntdll!DbgBreakPoint:

7c901230 cc int 3

Let’s make sure you have the right symbol path so we can load at least the MS public symbols.

0:003> .sympath

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols

We have 4 threads as below:

0:003> ~

0 Id: 8a8.da8 Suspend: 1 Teb: 7ffdf000 Unfrozen

1 Id: 8a8.f1c Suspend: 1 Teb: 7ffde000 Unfrozen

2 Id: 8a8.75c Suspend: 1 Teb: 7ffdd000 Unfrozen

. 3 Id: 8a8.c5c Suspend: 1 Teb: 7ffdc000 Unfrozen

Our current context is set to thread 03.

The more reliable way to find out which thread is consuming the processor time would be use the System Monitor tool with the right objects and counters (process and thread objects) as described in the article Troubleshooting IIS 100% CPU issues - Step by Step. However we will try something different here. We will use the extension command !uext.runaway or simply !runaway (since the extension uext.dll is loaded by default when debugging user mode apps from Windbg.exe):

0:003> !uext.runaway

User Mode Time

Thread Time

0:da8 0 days 0:03:36.703

3:c5c 0 days 0:00:00.000

2:75c 0 days 0:00:00.000

1:f1c 0 days 0:00:00.000

The !runaway extension command returns a list containing all the current threads and the processor time spent by them. As we see in the result above our thread 0 has to be the one we are interested in since it's not only the one with more time, but is also the only one with any processor time.

So let’s change the context to thread 0 in order to verify what has been executed by it:

0:003> ~0s

*** WARNING: Unable to verify checksum for C:\Temp\MyApp.exe

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Temp\MyApp.exe -

eax=00000000 ebx=00000000 ecx=0012fd7c edx=7c90eb94 esi=00402150 edi=0012fe40

eip=00401a73 esp=0012fd74 ebp=0012fd74 iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

MyApp!AboutDlgProc+0xa73:

00401a73 5d pop ebp

There is a message warning us about the lack of symbols. Let's see what we can find about what this thread is doing even with no symbols for the application. Looking at the call stack we have the following:

0:000> kL

ChildEBP RetAddr

WARNING: Stack unwind information not available. Following frames may be wrong.

0012fd74 00401a69 MyApp!AboutDlgProc+0xa73

0012fd80 0040248f MyApp!AboutDlgProc+0xa69

0012fdd8 77d48734 MyApp!WndProc+0x33f

0012fe04 77d48816 USER32!InternalCallWinProc+0x28

0012fe6c 77d489cd USER32!UserCallWinProcCheckWow+0x150

0012fecc 77d496c7 USER32!DispatchMessageWorker+0x306

0012fedc 00401244 USER32!DispatchMessageA+0xf

0012ff30 00402cd3 MyApp!AboutDlgProc+0x244

0012ffc0 7c816fd7 MyApp!WndProc+0xb83

0012fff0 00000000 kernel32!BaseProcessStart+0x23

This just tells us, based on the first frame, that this is the first thread and also it has some MyApp.exe code being executed (we have a chain of at least 5 MyApp.exe functions in the stack). But with no symbols this won't help us any longer since the function names for MyApp.exe are not reliable. Time to look at the asm being executed...

The current instruction pointer (represented by the CPU register EIP) is pointing to this asm:

0:000> u eip

MyApp!AboutDlgProc+0xa73:

00401a73 5d pop ebp

00401a74 c3 ret

00401a75 cc int 3

As we can see, it's just taking the top value on the stack and saving it to the CPU register EBP (pop EBP) and the next instruction is setting the EIP to the return address (this will load the EIP with the instruction located at the address at EBP + 4 in the memory). We can identify this asm block as part of epilog which means we are at the end of it's execution. So let's look a little bit before in the asm to verify what was being executed before the epilog block:

0:000> u eip -13 eip+1

MyApp!AboutDlgProc+0xa60:

00401a60 55 push ebp

00401a61 8bec mov ebp,esp

00401a63 51 push ecx

00401a64 e805000000 call MyApp!AboutDlgProc+0xa6e (00401a6e)

00401a69 8945fc mov dword ptr [ebp-4],eax

00401a6c ebf6 jmp MyApp!AboutDlgProc+0xa64 (00401a64)

00401a6e 55 push ebp

00401a6f 8bec mov ebp,esp

00401a71 33c0 xor eax,eax

00401a73 5d pop ebp

Now we got the complete block since the execution of the prologue (the push EBP; mov EBP, ESP; push ECX instructions). By analyzing the block above we see that after the prolog execution, we make a function call to the instrution at 00401a6e (call MyApp!AboutDlgProc+0xa6e), so let's verify what should be executed when doing that:

0:000> u 00401a6e

MyApp!AboutDlgProc+0xa6e:

00401a6e 55 push ebp

00401a6f 8bec mov ebp,esp

00401a71 33c0 xor eax,eax

00401a73 5d pop ebp

00401a74 c3 ret

All right, so what we see here, after the prolog block, is an exclusive OR (XOR) operation being executed using EAX as both operands, and then the epilog block is executed - This epilog block is the same one (the instruction at the address 00401a73) our EIP is currently set to (notice the first asm block at the beginning of this analysis).

The XOR operation is just being used to set the EAX register to 0 (the result of the operation is loaded to the destination operand, in this case the EAX itself). If we have a chance to look at the application source code, this is likely something like "MyLocalVar = 0;". So it comes the question: Why not make a "mov EAX,0" instead of a "xor EAX,EAX"? The answer is simple: it's a matter of cost. The instruction XOR costs less than the instruction MOV to the CPU, so it's faster to execute a XOR since in this case it will produce the same desired result.

So what we know so far is that we have a function being called and the only thing this function does is set a variable to 0 and returns. So let's keep going from the return of this function in the following block:

MyApp!AboutDlgProc+0xa60:

00401a60 55 push ebp

00401a61 8bec mov ebp,esp

00401a63 51 push ecx

00401a64 e805000000 call MyApp!AboutDlgProc+0xa6e (00401a6e)

00401a69 8945fc mov dword ptr [ebp-4],eax

00401a6c ebf6 jmp MyApp!AboutDlgProc+0xa64 (00401a64)

00401a6e 55 push ebp

00401a6f 8bec mov ebp,esp

00401a71 33c0 xor eax,eax

00401a73 5d pop ebp

We've just returned from the instruction "call MyApp!AboutDlgProc+0xa6e". So the next instruction to be executed will the one at the address 00401a69 which is just moving the EAX value (which we already know at this point should be 0) to the location of EBP - 4. EBP - 4 is known to be the location of the first local variable of the current function at the call stack, so we're basically copying the EAX value to one or our local variables.

The next instrutcion (jmp MyApp!AboutDlgProc+0xa64) will cause the execution to "jump" to the address 00401a64 which, at this point, is already familiar to us. We know that the instruction at 00401a64 will make a function call to the function MyApp!AboutDlgProc+0xa6e which we analyzed before and know it's just setting the EAX to 0 and returning.

The conclusion now is obvious. We have an infinite loop being executed and this is the reason we have a 100% CPU condition happening. This has been proven to be a bug within the MyApp.exe application. The next step is to contact the MyApp.exe vendor and let them know about the bad news J

Troubleshooting IIS 100% CPU issues - Step by Step (intermediary)

Marcelo Fartura — Fri, 15 Sep 2006 02:17:00 GMT

Processes consuming 100% of a system's CPU time is such a situation everybody has faced at least once (likely much more than once :)), and normally as solution we just "kill the murderer" by stopping the culprit process. But what was really causing that process to behave like that? If you can't properly answer this question you might be convicted to repeat the "kill the murderer" process forever...

The procedures we will see below are general enough for troubleshoot any application causing the 100% CPU situation, however I will use IIS as an example here since, as a custom application's host, it is one of the products whereby this situation happens very often.

Notice: This has been classified as an intermediary level content, so it presumes you understand concepts like memory dumps, crashes, hangs, applications, processes, threads, call stacks etc, and also have some experience with debugging.

Before the problem happens...

Step 1:
Make sure you are familiar with and have the proper tools we will need for the further steps. We will need the System Monitor (perfmon.exe), the Debugging Tools for Windows package installed (preferably installed at the c:\debuggers folder) and if possible the proper symbol files.

You will also need some basic understanding about the IIS architecture.

Step 2:
Run the System Monitor (perfmon.exe), in a remote machine if possible, and create a new Counter Log: Chose any name, lets say "Performance_log". After confirming the name you've just chosen, in the General Tab, click in Add Objects and choose "Select counter objects from comupter". In the combo list, select or type the remote computer name (the one where the problem happens and which you're going to monitor)

Select the following objects::counters:

Processor(*)\*
Process(*)\*
Threads(*)\*

Start monitoring and wait until the server gets the high CPU utilization issue

When the problem happens...

Step 3:
First confirm that is an IIS process (any w3wp.exe for IIS6, inetinfo.exe or any dllhost.exe for IIS5/5.1 of inetinfo.exe or any MTX.exe - IIS4) that is consuming the CPU time. You can use even the task manager (CPU and Process columns) to confirm that.

After identifying which process is consuming the CPU time, take a note of the Process ID of such a process from task manager. You can also use other tools like tasklist.exe (builtin for Windows XP and Windows 2003) or tlist.exe from the Debugging Tools for Windows. For IIS5 servers, if you want to know what application is being hosted by the process (in case of a DLLHOST.EXE) you can use the Component Services mmc or simply run the following command from a command prompt:

c:\debuggers\>tlist -k | find /i "dllhost.exe"

It will list all the DLLHOST.EXE process and the respective applications being hosted by the processes in following output format:

C:\Debuggers>tlist -k | find /i "dllhost"
3496 dllhost.exe     MyCom+ Application 01
4892 dllhost.exe     MyCom+ Applicatoin 02
4900 dllhost.exe     IIS Out_Of_Proc_Pooled
3840 dllhost.exe     Mts:   System Application

For the IIS4, the same assumption is valid except that you have MTS Explorer instead and the surrogate name will change from dllhost.exe to mtx.exe.
For the IIS6 however, you can't use Component Services (IIS6 doesn't rely on COM+ for creating the surrogates as IIS5 does) nor tlist.exe to identify the applications being hosted by the processes. You will need to use the script iisapp.vbs instead (it's built in script for Windows 2003). Run iisapp from a command prompt with no parameters and it will return a list with the w3wp.exe processes, their PID and the application pools being hosted by them.

Step 4:
Once you've identified the PID (process ID) the CPU consumer you're ready to generate a hang memory dump (please note that the dump will contain useful information only, and if only, it was taken while the problem was happening). To generate the dump execute the following commands from a command prompt:

C:\Debuggers\>cscript adplus.vbs -hang -p <PID> -quiet -o c:\dumps

Adplus will spawn a debugger (cdb.exe) which will attach to the process, generate the hang dump and dettach itself. If you're familiar with the Debug Diagnostics Tool package (DebugDiag), feel free to use it. It doesn't matter which tool you will use as long as you generate a good full dump.

Generally is a good practice to generate more 1 or 2 dumps repeating above procedure 1 minute apart from each other. This might be useful when analyzing the problem cause.

Once the adplus.vbs is done, stop the perfmon log. At this point you can also apply the workaround (likely kill the process) you've been applying to make your server reponsive again.

Analyzing the data...

Step 5:
Open the perfmon log:

Run perfmon , select System Monitor on the left navigation bar and type Ctrl + Q to open the properties window.
Click in the Source tab and select Log Files. Click add and select the c:\perflogs\Performance_log000001.blg file and click ok.

Press Ctrl + I, or press the "+" button, to add objects and counters.
Select Process object, and the %Processor Time counter, select all the IIS related processes, click add then close.

The system monitor window will show the %CPU utilization of each process. Press Ctrl+ B to change the view to histogram. Determine the highest bar and double click it.

Press Ctrl+ H to confirm you selected the highest bar on the histigram view. Determine which process is the one that owns the highest bar. It must to be the same as the one you identified on the task manager as the culprit.

Press Ctrl + E to clean the histogram window and press CTRL + I to include new counters.

Select thread object, select %Processor Time counter and select all the instances of the process you determined as the culprit one.

Repeat the same process as before to determine which thread is the one consuming CPU - tip: Histogram is the best view to do that.

Once you know the process and thread within the process that is consuming the CPU, clean the perfmon System Monitor window one more time - Ctrl + E

Press Ctrl + I and select the Thread object again. Select the ID thread counter and select the instance of the previous determined thread. Click add and close. See how to simplify the Thread and Process ID identification in the perfmon in this article.

In the System Monitor Window, determine the thread ID of thread by looking at Min, Max and Avg values. THey should be all the same. If they are not the same is because you have monitored for a longer period than the high CPU utilization one. If that happened press Ctrl + Q, go to source tab and move the Time WIndow slide in order to get only the period of high utilization CPU, then go back to System Monitor Tool and chek for thread ID again.

Convert the Thread ID value from decimal to hexadecimal and take a note of this hex value.

How about some debugging now?

Step 6:
Open the Windbg.exe from the c:\debuggers folder.
Press Ctrl + D and select the hang dump (.dmp file) you generated earlier by uging adplus.vbs (they should be placed in the folder c:\dumps based on the option "-o c:\dumps" used before)

Close the Disassembly window if it opens (some versions of Windbg will do it autommaticaly)

Make sure your symbol path is properly set (remember to use the command !symfix or set it manually to http://msdl.microsoft.com/download/symbols) and run the .reload /s command if you needed to change the symbol path.

On the Windbg's command prompt type ~ and press enter. A thread list will show up as the example below:

0:00> ~
   0 Id: f4.f3 Suspend: 1 Teb: 7ffde000 Unfrozen
   1 Id: f4.f7 Suspend: 1 Teb: 7ffdd000 Unfrozen
   2 Id: f4.10a Suspend: 1 Teb: 7ffdb000 Unfrozen
   3 Id: f4.10f Suspend: 1 Teb: 7ffda000 Unfrozen
   4 Id: f4.110 Suspend: 1 Teb: 7ffd9000 Unfrozen
   5 Id: f4.111 Suspend: 1 Teb: 7ffd8000 Unfrozen
   6 Id: f4.112 Suspend: 1 Teb: 7ffd7000 Unfrozen
   7 Id: f4.115 Suspend: 1 Teb: 7ffd6000 Unfrozen
   8 Id: f4.116 Suspend: 1 Teb: 7ffd5000 Unfrozen
   9 Id: f4.117 Suspend: 1 Teb: 7ffd4000 Unfrozen
10 Id: f4.11a Suspend: 1 Teb: 7ffae000 Unfrozen
11 Id: f4.11b Suspend: 1 Teb: 7ffad000 Unfrozen
12 Id: f4.129 Suspend: 1 Teb: 7ffac000 Unfrozen
13 Id: f4.12a Suspend: 1 Teb: 7ffab000 Unfrozen
14 Id: f4.12e Suspend: 1 Teb: 7ffaa000 Unfrozen

The Id: identificator above is followed by the PID.TID where PID is the hex representation of the process ID and TID is the hex representation of the thread ID.

Find the one which has the thread ID you determined before. Tip: you can convert from hex to decimal by the the "?" in the debugger's command prompt. Ex.: "? f4" will generate the following output:

0:00> ? f4
Evaluate expression: 244 = 000000f4

Once you identified the thread in the list you have two options to set this thread's context the active one. You run the following command with using the TID:

~~[TID]s

Or you run the following command using the corresponding thread number (#):

~#s

Both command will produce the same result which is set the thread's context the active one in the debugger. Now you can check the thread stack to see what is causing the high CPU utilization by just typing one of stack commands (k). For example, the kb command will show you the stack with the some additional information like the three first arguments passed through the functions as below:

0:065> kb
ChildEBP RetAddr Args to Child
07c7bc20 623016d6 60a27460 07c7bff8 00000200 oran8!nnciqdn+0xab
07c7bd3c 60b2695a 60a27460 00298880 07c7bff8 orantns8!nnftboot+0x6d6
07c7bd68 60b25881 00298880 07c7bff8 00000200 oran8!nnfgqdn+0x3a
07c7bdc0 60a10acf 60a27460 07c7e630 00000000 oran8!nnfgrne+0x2c1
07c7c418 60b6e222 60a27460 07c7e630 00000016 oranl8!nlolgobj+0x6df
07c7c458 60b27be0 60a27460 07c7e630 00298930 oran8!sntseltst+0xc072
07c7c488 60b16472 60a27460 07c7e630 000000ff oran8!nnfsn2a+0x30
07c7d600 60b60ebc 60a27460 00001803 07c7e630 oran8!niqname+0x252
07c7f76c 604b0c93 07c7e630 00000007 00001803 oran8!osncon+0x23c
07c7f94c 604b849e 07012e44 14414d22 00000007 ORACLIENT8!xaolog+0x1f533
07c7f970 604b84ea 14414df8 14414d22 00000007 ORACLIENT8!xaolog+0x26d3e
07c7f98c 604ba15d 14414df8 14414d22 00000007 ORACLIENT8!xaolog+0x26d8a
07c7fe44 604bb128 14414df8 14414cf6 0000002b ORACLIENT8!xaolog+0x289fd
07c7fe84 6047fed4 14414df8 14414cf6 ffffffff ORACLIENT8!xaolog+0x299c8
07c7febc 604614a0 14414df8 14414cf6 ffffffff ORACLIENT8!upilog+0x64
07c7fef0 10002642 14414db8 14414df8 14414cf6 ORACLIENT8!ocirlo+0xb0
07c7ff84 7800265a 14414b90 01b0ed14 7800ef03 ociw32!olog+0x62
07c7ffb8 77f04ef0 00297850 01b0ed14 7800ef03 MSVCRT!beginthreadex+0xb2
07c7ffec 00000000 780025ff 00297850 00000000 KERNEL32!lstrcmpiW+0xbe

By looking at thread stack you should be able to identify what is causing the high CPU utilization problem. You can always unassembly (u) from the intruction pointer to try digging a little bit more and obtain some additional information. Ex.:

0:065> u eip
oran8!nnciqdn+0xab:
60b1fefb 8b10            mov     edx,dword ptr [eax]
60b1fefd 83c004          add     eax,4
60b1ff00 52              push    edx
60b1ff01 50              push    eax
60b1ff02 8b4510          mov     eax,dword ptr [ebp+10h]
60b1ff05 53              push    ebx
60b1ff06 50              push    eax
60b1ff07 56              push    esi

I will post a real case analysis very soon in this blog...