Domain Controller CPU Spikes Caused by Full Security Event Log
Windows Server 2008 Domain Controllers hosted on vSphere exhibited cyclic 80–100% CPU spikes every 2–3 seconds, traced to the svchost.exe instance hosting the EventLog service. The root cause was the Security Event Log reaching its configured maximum size of 131,072 KB (128 MB) with 'Overwrite events as needed' selected, which kept the EventLog service in a continuous and expensive in-place overwrite loop. Saving and clearing the Security Event Log and adjusting the retention policy immediately returned CPU usage to approximately 5%.
Indicators
- svchost.exe CPU usage spiking to 80–100% every 2–3 seconds on Domain Controllers
- CPU spikes affecting multiple Domain Controllers simultaneously
- Offending svchost instance hosts DHCP Client, EventLog, and LMHOSTS services
- Thousands of RpcBindingUnbind calls per second visible in Process Explorer
- Security Event Log file size held at its configured maximum (e.g. 131,072 KB)
- Continuous ReadFile operations against Security.evtx observed in Process Monitor
Likely causes
- Security Event Log at maximum capacity with 'Overwrite events as needed' enabled, causing expensive continuous in-place overwrite operations
- Remote monitoring software or RODC scraping event logs at high frequency via MSRPC
- Poorly registered Event Sources from badly written applications causing repeated failed registry key lookups by the EventLog service
- Verbose security or application auditing policy left enabled, generating excessive event volume
Diagnostic steps
- Open Task Manager or Process Explorer to identify the svchost.exe PID consuming the CPU. Confirm it hosts the EventLog service (wevtsvc.dll) by reviewing the process's hosted services (Process Explorer > Properties > Services, or 'tasklist /svc').
- Isolate the EventLog service into its own svchost process for cleaner monitoring: run 'sc config EventLog type= own' from an elevated command prompt (the space after 'type=' is required) and reboot the server. Revert with 'sc config EventLog type= share' and another reboot once the investigation is complete.
- Launch Process Monitor (ProcMon), add a filter that includes only the EventLog svchost PID, and observe file system operations. A sustained stream of ReadFile calls against C:\Windows\System32\winevt\Logs\Security.evtx is the signature of the overwrite loop.
- Check the Security Event Log size: open Event Viewer, right-click the Security log, select Properties, and compare 'Log size' with 'Maximum log size'. A log held exactly at its maximum with 'Overwrite events as needed' selected is a strong indicator. The same figures are available from 'wevtutil gl Security'.
- Install and run Microsoft Network Monitor with the filter 'ProtocolName == MSRPC' to determine whether remote systems are pulling event logs over RPC, which could be an additional driver of EventLog CPU load. Thread stacks for the same PID in Process Explorer (the RpcBindingUnbind calls noted above) corroborate this.
- If the Security Event Log is confirmed at maximum capacity, first save it for auditing (Event Viewer > Security > Save All Events As), then clear it (right-click Security > Clear Log). Clearing the Security log is itself audited: event ID 1102 ('The audit log was cleared') becomes the first record of the fresh log and SIEM rules commonly alert on it, so tell the security operations team before you do this. Watch CPU usage immediately afterwards to confirm resolution.
- Increase the maximum log size and/or switch the retention policy to 'Archive the log when full, do not overwrite events' (Event Viewer > Security > Properties) to prevent recurrence. With archiving enabled, each full log is written to the winevt\Logs folder as Archive-Security-<timestamp>.evtx, so keep an eye on free space on the system drive and prune or move old archives. Avoid 'Do not overwrite events (Clear logs manually)' on a Domain Controller: if the policy 'Audit: Shut down system immediately if unable to log security audits' (CrashOnAuditFail) is enabled, a full log that cannot be overwritten or archived halts the server.
Resolution path
- Isolate the EventLog service into its own svchost process using 'SC config EventLog Type= own' and reboot to enable clean per-process monitoring
- Use Process Monitor filtered by the EventLog PID to confirm a high rate of ReadFile operations against Security.evtx
- Open Event Viewer and verify the Security log is sitting at its configured maximum size
- Save the existing Security Event Log to an archive file for auditing and compliance purposes
- Clear the Security Event Log via Event Viewer to create a fresh, empty log file
- Monitor CPU usage immediately after clearing — expect a return to ~5% baseline if this was the root cause
- Adjust the maximum log size and retention policy (prefer 'Archive the log when full') to prevent recurrence
- Revert the EventLog service type back to shared: 'SC config EventLog Type= share' and reboot
Prevention
- Proactively monitor Security Event Log file sizes on all Domain Controllers and alert when approaching the configured maximum
- Set maximum log sizes appropriate to event volume and retention requirements — the default 20 MB is typically insufficient for busy DCs
- Configure log retention to 'Archive the log when full, do not overwrite events' rather than 'Overwrite events as needed' to avoid the in-place overwrite CPU overhead. Archiving writes a full copy of the log to the winevt\Logs folder each time it fills, so monitor free space on the system drive and move or prune old archives. Do not choose 'Do not overwrite events (Clear logs manually)' on a DC where CrashOnAuditFail ('Audit: Shut down system immediately if unable to log security audits') is enabled, because a full log then halts the server.
- Establish a scheduled task or script to archive and clear Security Event Logs on Domain Controllers at regular intervals ('wevtutil cl Security /bu:<file>' backs up and clears in one step) and copy the archives to central storage
- Audit MSRPC traffic to Domain Controllers to detect and review unexpected or high-frequency event log scraping by monitoring tools
- Periodically review audit policy settings to ensure verbose auditing categories not required by compliance policy are disabled
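The prevention items above as one PowerShell script: it applies the 'Archive the log when full' policy on the local DC with wevtutil, prunes old auto-backup archives, and polls a list of Domain Controllers for Security logs that are nearly full or still in overwrite-as-needed mode. This is an added example, not code from the original article; the DC names, 512 MB size, 80% threshold and 30-day archive retention are placeholders, and remote polling assumes the Remote Event Log Management (RPC) firewall rule is open to the DCs.

```powershell
# Added example, not part of the original article. Assumes PowerShell 2.0+, the built-in
# wevtutil.exe, and RPC access to each DC's event log. DC names, sizes, thresholds and the
# archive retention period below are placeholders to adapt.
param(
    [string[]]$DomainControllers = @('dc01', 'dc02'),   # assumption: placeholder DC names
    [int]$WarnPercent = 80,
    [int]$MaxSizeMB = 512,
    [int]$ArchiveKeepDays = 30,
    [switch]$Apply                                      # change the local DC's log policy
)

# --- Prevention: retention policy on the local DC ---
# /ms: maximum size in bytes, /rt:true = do not overwrite, /ab:true = archive when full.
# Together these equal Event Viewer's "Archive the log when full, do not overwrite events".
# /rt:false /ab:false is "Overwrite events as needed", the setting that produced the spikes.
if ($Apply) {
    $maxBytes = $MaxSizeMB * 1MB
    wevtutil.exe sl Security /ms:$maxBytes /rt:true /ab:true
    # Auto-backup drops Archive-Security-<timestamp>.evtx files next to the live log; copy them
    # to central storage first (not shown), then prune so the system drive never fills.
    Get-ChildItem "$env:SystemRoot\System32\winevt\Logs\Archive-Security-*.evtx" |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$ArchiveKeepDays) } |
        Remove-Item
}

# --- Monitoring: flag DCs whose Security log is near its maximum or still in Circular mode ---
function Get-SecurityLogStatus {
    param([string[]]$Computers, [int]$Threshold)
    foreach ($dc in $Computers) {
        try {
            $log = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
            $pct = [math]::Round($log.FileSize * 100 / $log.MaximumSizeInBytes, 1)
            New-Object PSObject -Property @{
                Computer    = $dc
                PercentFull = $pct
                MaxMB       = [math]::Round($log.MaximumSizeInBytes / 1MB)
                Mode        = $log.LogMode       # Circular = overwrite as needed; AutoBackup = archive when full
                Alert       = ($pct -ge $Threshold -or $log.LogMode -eq 'Circular')
            }
        } catch {
            # An unreachable DC is an alert too: a log you cannot see is one you cannot size.
            New-Object PSObject -Property @{
                Computer = $dc; PercentFull = $null; MaxMB = $null
                Mode = "error: $($_.Exception.Message)"; Alert = $true
            }
        }
    }
}

$status = Get-SecurityLogStatus -Computers $DomainControllers -Threshold $WarnPercent
$status | Format-Table Computer, PercentFull, MaxMB, Mode, Alert -AutoSize
# Non-zero exit so a scheduled task or monitoring agent can raise the alarm.
if ($status | Where-Object { $_.Alert }) { exit 1 }
```

Schedule the monitoring part to run every few minutes from a management host; the -Apply part is a one-off per DC, or better, the equivalent settings delivered by Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security) so that every DC gets the same maximum size and archive-when-full behaviour.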
Tools
- Process Explorer (Sysinternals)
- Process Monitor / ProcMon (Sysinternals)
- Microsoft Network Monitor
- Windows Event Viewer
- SC.exe (Windows Service Control command)
- wevtutil.exe (built-in command for event log configuration, backup and clearing)
- Task Manager