Svchost.exe uses excessive CPU resources on a Windows Server 2012 domain controller

Applies to: Windows Server 2012 DatacenterWindows Server 2012 DatacenterWindows Server 2012 Standard More

Symptoms


Consider the following scenario:
  • The WinRMRemoteWMIUsers__ group is missing from Active Directory Domain Services (AD DS).
  • The domain has trust relationships with other domains.
  • The domain controller does not have the NeverPing parameter, or this parameter is disabled.
  • The domain controller receives two or more WinRM requests in a short period (for example, within 1 second).
In this scenario, a Svchost.exe process that's running the Windows Remote Management (WinRM) service consumes 100 percent of CPU resources on the domain controller. This causes the system to run very slowly or to freeze.

Cause


The issue occurs when a WinRM 3.0-enabled computer is promoted to the status of domain controller of a domain that was created in an earlier version of Windows. Possible scenarios include the following:
  • WinRM 3.0 is installed on a Windows Server 2008 R2 domain controller as part of the Windows Management Framework 3.0.
  • A Windows Server 2012 or Windows Server 2012 R2 computer is promoted to a status of domain controller of a Windows 2008 R2 domain.

Resolution


To resolve this issue, create a domain local group that's name "WinRMRemoteWMIUsers__" under any container in AD DS.

Additionally, you can mitigate this issue by eliminating any of the conditions that are described in the "Symptoms" section.