We have a physical server that is running Windows Server 2016 and is acting as a domain controller. We are monitoring several services/parameters on this server via Nagios/Check MK and are noticing that Nagios is reporting svchost.exe is gradually consuming more and more CPU over time. Looking at the graph of Kernel usage for svchost.exe in Nagios, it is obvious that the CPU usage is trending up. Unfortunately, it appears that Nagios monitors the aggregate of all svchost.exe instances and doesn't provide any granularity into individual instances or services.
I have run PerfMon and recorded CPU privileged time for each instance of svchost.exe and determined that the instance of svchost.exe containing the following services is consuming the most CPU: CryptSvc, Dnscache, LanmanWorkstation, NlaSvc, and WinRM.
I've attempted to stop each of those 5 services to find a culprit and it appears that when I stop Dnscache, the CPU time for that instance of svchost.exe goes down BUT doing this makes the CPU time for the instance of svchost.exe containing RpcEptMapper and RpcSs increase by a noticeable amount.
Does anyone have any suggestions for things to try/check or any idea of what could be causing this gradually increasing CPU usage from svchost?
