As far as Mac threats go, it’s not always easy to tell the wheat from the chaff. Sometimes these pieces of unwanted code manifest themselves very distinctly, as is the case with browser redirect viruses and scareware. There are situations, though, when figuring out whether you are dealing with a harmful program is a wild guess. This frustrating obscurity applies to the problem where a process named WindowServer sucks out the greater part of a computer’s CPU and RAM.

Those familiar with the basics of macOS architecture must know that this entity is both legitimate and important. It is tasked with the correct rendering of content inside different windows, manages their positions on the screen, and makes sure that the graphical side of things is properly reflected in general. The opposite facet of this usefulness is that the WindowServer process may periodically get out of hand and start consuming too much CPU and memory power. In some scenarios, its resource usage shown in the Activity Monitor app doesn’t seem to make sense, exceeding 100% as illustrated on the screenshot above.

WindowServer high CPU problem – the common causes

There are several non-malicious factors setting this condition in motion. One of the most-encountered catalysts is an instance of connecting an external monitor to a Mac. If it’s a 4K monitor, then the odds of seeing a spike in WindowServer CPU usage increase dramatically. Another possible trigger for the issue involves plugging peripheral devices into a USB Type-C port. Even if it’s just a mouse or a keyboard, the outcome can be unpredictable. Releases of new operating system versions, at their early stages, can lead to odd behavior of this process, too. Last year’s macOS 11 Big Sur update reportedly became a launchpad for excessive use of the processing resources by WindowServer on numerous machines.

At some point, a Mac may suddenly become finicky in terms of graphics processing, and the reasons are typically trivial. This buggy behavior often coincides with similar quirks of several other tasks, such as kernel_task, nsurlsessiond, hidd, trustd, mds_stores, and syslogd. If the issue kicks in, the fixes are typically uncomplicated, but with the caveat that they may not last. Several best-practice tips are as follows: restart the Mac; terminate unused apps; change the screen resolution; disconnect external devices one by one; use Mission Control to close redundant desktops; update your apps; and install the latest available version of macOS.

Blaming it on malware isn’t a far-fetched theory

The WindowServer CPU overuse predicament doesn’t always stem from garden-variety glitches at the system level. It can also be precipitated by malware interference with the normal functioning of your Mac. Here is one of the plausible situations: a harmful app might skillfully mimic this benign process to stay undetected by the built-in XProtect feature and third-party security tools. While doing its evil thing, the parasite will siphon off the computer’s processing capacity, especially if it’s a coin miner. To the naked eye, this will look like a skyrocketing resource usage by WindowServer.

Another shadowy tactic comes down to riddling this authentic executable file with malicious components. The goal is the same as in the previous attack vector: to use the trusted process as a curtain for bad activity. Finally, malware authors don’t always stick with proper coding and testing practices, and therefore the stuff they create can cause malfunctions when running inside a real-world environment. No matter which hypothesis holds true in your case, it’s a good idea to check the Mac for potentially unwanted applications (PUAs) and viruses that may be manipulating the WindowServer task in different ways.

WindowServer high CPU virus removal: manual how-to

Reining in on this infection could be a challenge, but it’s doable as long as you follow a tried-and-tested Mac adware removal procedure. Here’s how you do it.

1. Open the Go menu from the Finder area and click Utilities.

2. Open the Activity Monitor.

3. Take a close look at the running processes and try to identify the malicious one. The common giveaways of Mac malware are eye-catching icons or high CPU and RAM usage.

4. If you spot the potentially unwanted process, use the X button in the Activity Monitor’s top toolbar to force quit it. Confirm as illustrated below.

5. Open the Go menu again and select the option called Go to Folder. It provides a quick and easy way to navigate to specific folders.

6. Type ~/Library/Application Support/ in the “Go to Folder” popup dialog and click Go.

7. Check the Application Support folder for bad items that have been added recently. Delete everything suspicious you can find.

8. Now, browse to the ~/Library/LaunchAgents/ folder as shown below.

9. Look for dubious *.plist files inside the LaunchAgents folder and move them all to the Trash.

10. Open the /Library/LaunchDaemons/ directory using the same workflow.

11. Examine the LaunchDaemons folder’s contents for shady files and remove them once found.

12. Click the Finder icon in your Dock. 

13. Select Applications in the sidebar. Look for the dodgy app and move it to the Trash.

14. Open up the System Preferences screen and select Users & Groups.

15. Click the Login Items tab and find the intrusive entry in the list. Before you proceed, click the padlock sign and type your administrator password. Select the shady app and click the “minus” symbol to keep it from being executed at boot time.

16. Select Profiles in the System Preferences interface.

17. Locate the unwanted user profile and click the “minus” symbol to eliminate it.

18. Empty the Trash folder.

How to get rid of WindowServer resource hog in web browser on Mac

Uninstalling the bothersome application may not be enough to stop WindowServer high CPU usage in its tracks. You will probably also need to remove breadcrumbs of the infection from your web browser.

1. Remove viruses from Safari

• Launch Safari, expand the Safari menu and select Preferences.

• Click Advanced and enable the option at the bottom saying Show Develop menu in menu bar.

• Open the just-added Develop menu and select Empty Caches.

• Now open the History menu, select Clear History, keep the pre-selected “all history” option, and click the Clear History button on the dialog.

• Return to the Safari Preferences, select Privacy, and click the Manage Website Data button.

• Click the Remove All option to obliterate all data stored by websites.

• Restart Safari.

2. Remove malware from Google Chrome

• Open Chrome, head to Settings, click Advanced, and select Reset settings.
• Select the option saying Restore settings to their original defaults and follow further prompts to reset the browser’s settings.

3. Remove threats from Mozilla Firefox

• Run Firefox, go to the Firefox menu, click Help, and pick Troubleshooting Information.
• Click Refresh Firefox and confirm the action on a popup dialog that will appear.

• Restart Firefox.

Take care

The lesson to learn from the long-running WindowServer high CPU quagmire is that software installation hygiene won’t go amiss, to put it mildly. This attack always starts with a bundle in which one benign app works as a distraction for the infiltration of one or several malicious extras.

Also, Mac malware attacks are growingly hybrid, as they intertwine legitimate services like WindowServer with malicious activity. So, stay vigilant and don’t put off system remediation in a scenario like this.

Enjoy! 🙂