The svchost and WMI processes use increased CPU with Antimalware Scan Interface (AMSI) scanning enabled. With automation tasks, for example, being performed on/by a system, the svchost and WMI processes can invoke and execute scripts on behalf of the operating system. The scripts trigger a scan through the AMSI interface. Any registered provider (if ENS is configured accordingly) picks up activities that are routed through the AMSI interface for scanning.

For a general overview of how AMSI works, see: https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps.