mnielson323

Problem with High CPU Usage with SVCHost.EXE

I am running WinXP Pro and am having very slow and sluggish response times.  I looked at the Task Manager and the service eating up most of my CPU Usage was SVCHost.EXE.  There are actually five different SVCHost.EXE running.  I did a tasklist /svc from DOS and the PID associated with the highest CPU Usage has around 32 services/programs running.  Any reason why this service is doing this?  The System Idle Process used to be in the 90+% usage, now it's less than 5%.

Thanks,

Mike
ASKER CERTIFIED SOLUTION
sunray_2003
You may want to check for spyware and virus first

But also look at these links explaining why there could be multiple svchost

http://www.jsiinc.com/SUBJ/tip4600/rh4660.htm 

http://www.winnetmag.com/Article/ArticleID/20609/20609.html 
mnielson323

ASKER

I already am running Spybot S&D Advanced spyware on a regular basis.  I also keep Windows Updates and NAV up-to-date.  I will, tho, check into ad-ware, CWshredder, and Hijackthis.  THANKS!

mnielson323,

Just happened to view this. I was having almost the same exact problem; just wondering if you got your problem resolved?
Brian,

Well....I hate to say that whatever suggestions I got, just caused more problems.  I did what was suggested to me and immediately started getting popup ads, which I now can't get rid of.  Concerning my original problem, it seems to have rectified itself.  My CPU Usage (for System Idle Process) is running in the 90+% - which is great.  I however did nothing to accomplish that.  So, bottom line...I don't know what to tell you.

Sorry.......Mike

The reason why I asked is I had the same problem, which is caused by a backdoor trojan which was recently discovered April 4th, 2004.

Check Task Manager under Processes and see if you have a 5-digit number running as a process in the background. Also go into your registry by going to Start, Run, type regedit, hit Enter, and then go to HKEY_LOCAL_MACHINE - Software - Microsoft - Windows - CurrentVersion - Run and see if there is a 5-digit number listed here (it is a random number). If so, then you have the Trojan known as either RDOM.A (F-Prot) or Sdown.A by Trend Micro. Let me know if you find this. If you do, it has to be gotten rid of; it opens a back door of your system to hackers.

Some of the other problems were: CPU was at 99% usage with SVCHOST.EXE using 99% of the processor; could not access My Computer, Network Places, the Internet or anything. The computer would just have the wait icon, then refresh the screen; all icons would be removed, then come back, but nothing would happen.
I experienced this problem on two successive boots of Windows XP earlier today.  Now everything is fine.  An additional symptom is that the computer will not safely shut down -- it gets hung when saving system settings.  I found a suspicious entry in the registry location referenced above, but it looks like 9 random letters as opposed to 5 digit numbers.  The entry points to C:\WINDOWS\AHNUELRYF.exe, but the file is no longer there.
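The Run-key check discussed in the two posts above, as an added example that is not part of the thread: it parses `reg query` output for the Run key and flags entries with an all-digit name or a target file that no longer exists. The sample output, the `ON_DISK` set and every entry except `AHNUELRYF` are constructed for illustration; on a real host pass `os.path.exists` as the `exists` check.

```python
import ntpath
import re

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
    48213    REG_SZ    C:\WINDOWS\48213.exe
    AHNUELRYF    REG_SZ    C:\WINDOWS\AHNUELRYF.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE /quiet
'''

# Constructed stand-in for the file system, so the example runs offline.
ON_DISK = {r"C:\Program Files\ExampleAV\avtray.exe", r"C:\WINDOWS\48213.exe"}

# Value lines are indented: <name> <REG_type> <data>; the key header is not.
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

def exe_path(data):
    """Pull the executable path out of a Run value, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data

def triage(reg_output, exists):
    """Return {value name: [reasons]} for entries worth a closer look."""
    findings = {}
    for line in reg_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        path = exe_path(m["data"])
        stem = ntpath.splitext(ntpath.basename(path))[0]
        reasons = []
        if m["name"].isdigit() or stem.isdigit():
            reasons.append("numeric name")
        # Only absolute paths can be checked without searching %PATH%.
        if ntpath.isabs(path) and not exists(path):
            reasons.append("target file missing")
        if reasons:
            findings[m["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, why in triage(SAMPLE, lambda p: p in ON_DISK).items():
        print(name, "->", ", ".join(why))
```

A flagged entry is a lead for a scanner or manual review, not a verdict; a missing target can also be a leftover from an uninstalled program.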
sugarstevie, I would say scan your system good.

use

http://housecall.trendmicro.com
briancassin (and sugarstevie),

First, thanks for the replies.  Second, I followed the instructions to get to the HKEY_ (never been there before - and by the way, AWESOME instructions), but found NOTHING.  There weren't any 5 or even 9 digit numbers.  There were a few processes with strings of LETTERS, but none with numbers.  But lastly, I will go ahead and run that URL scan.

Thanks again,

Mike
 
I called Microsoft on this a few months back. It's kind of a tough fix.
I am looking for my notes...
briancassin (and sugarstevie),

I ran that scan from the URL you sent...nothing found.

Chris,

Thanks for checking.  Hope you find something.

Mike

Check the first link in this to see if this is a possibility; they have a tool that checks for it...

This is the Sasser worm (or a variant).
See the following links for removal tools and more information:

http://www.microsoft.com/security/incident/sasser.asp
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

Security Patch in response to this vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx


Also try this: go to the site listed below, download the program, run it and post the log report up here... I will look through it and see if there is anything suspicious.

http://www.tomcoyote.com/hjt/
Mike,

I too experienced the same problem you did, as I previously commented.  I recently did a scan with Lavasoft's AdAware 6.0.  It found 18 problems that SpyBot did not find.  You might try downloading and running this specific adware detection software and see if it helps.  My machine has not hung since I ran the scan.

-Steve
Mike,
The previous report that Ad-aware discovered malware that was causing the problem was erroneous.  The system continued to experience the problem.  Svchost runs a whole slew of services on behalf of the system – so the trick was to find which one was running away.  I downloaded a tool called Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml.  It will report the process ID and in the case of the svchost process, all services attached to it. At Control Panel - Admin Tools – Services, I selectively stopped each service to see which one was causing the load (then start them again if stopping had no effect).  In my case, I found that the System Restore Service (srservice – srsvc.dll) was running away at 99%.  I have disabled the service, and the condition has not surfaced again.  That doesn’t solve the problem of what is wrong with this particular service, but at least the machine will no longer become crippled.
-Steve
OK, found my notes. Here was the problem and solution I had... it wasn't spyware.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;317843
Mike,
     I finally got to the bottom of what was causing System Restore Service running under SVCHOST to saturate the CPU at 100%.  I'll document it here for any unlucky souls who may encounter the same problem.
     Svchost runs a whole slew of services on behalf of the system – so the trick was to find which one was running away. I downloaded a tool called Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. It will report the process ID of each process in memory, and in the case of the svchost process, all services attached to it. At Control Panel - Admin Tools – Services, I selectively stopped each service to see which one was causing the load (then later started it again if stopping had no effect). In my case, I found that the System Restore Service (srservice – srsvc.dll) was running away at 99%.
     Next I opened a support case with Microsoft.  We used numerous tools to troubleshoot the service.  One of the more valuable tools was FILEMON, available at http://www.sysinternals.com/ntw2k/source/filemon.shtml.  It shows all files that are touched during the monitor period.  We also used the proprietary USERDUMP tool from Microsoft, which is not available for download, and for which I had no tool to analyze the results.
     Microsoft determined that the latest restore point in the SRService database was corrupt, and the service was getting hung when it tried to delete one of its files.  The restore points comprising the SRService database are stored on my machine at the following location:  C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}
The solution was to manually remove all restore points in the SRService database, using Windows Explorer.  Here are the steps to accomplish this.
1. Boot the machine with SRService disabled (Select Start / Control Panel / Administrative Tools / Services.  Double click System Restore Service, and set Startup Type to Disabled, then click OK. Re-boot.  You may have to rename srsvc.dll, even in the DLL cache, to keep it from starting - it's fairly persistent.)
2. You must grant access to the System Volume Information folder on C: (Article 309531).
   2a. Get a command prompt and type the following, including quotes:
   cacls "C:\System Volume Information" /E /G username:F
   2b. (To undo these permissions later when finished, type the following)
   cacls "C:\System Volume Information" /E /R username
3. Move the offending folder, in my case C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP140, to a temporary location
4. Reboot
5. Right click My Computer, and select Properties.  This automatically starts SRService and changes its startup  from disabled to automatic
6. Click the System Restore tab
7. Select “Turn Off System Restore” and click apply.  Notice the _restore… folder disappears in the System Volume Information folder.  Warning: all restore points are deleted.
8. Go back and uncheck “Turn Off System Restore” then click apply.  Notice the _restore… folder appears in the System Volume Information folder (No, the previous restore points don’t  re-appear.)
9. SRService should no longer hog the CPU!

Regards,
Steve
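The svchost-to-service mapping that the post above does by hand, as an added example that is not part of the thread: it parses `tasklist /svc` output (the command from the original question), joins wrapped service lines, and lists the services that share the busy PID so they can be stopped and tested one at a time. The sample output is constructed; the PIDs and service grouping are made up.

```python
import re

# Constructed sample of `tasklist /svc` output; PIDs and grouping are made up.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
smss.exe                     548 N/A
svchost.exe                  856 DcomLaunch, TermService
svchost.exe                 1024 AudioSrv, Browser, CryptSvc, Dhcp,
                                 srservice, Themes, wuauserv
spoolsv.exe                 1388 Spooler
"""

# <image name> <PID> <comma-separated services>; image names may contain spaces.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")

def split_services(field):
    """Split a services column, dropping blanks and the N/A placeholder."""
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])]; wrapped service lines are joined."""
    rows = []
    for line in text.splitlines():
        if line[:1].isspace() and rows:   # indented line continues previous row
            rows[-1][2].extend(split_services(line))
            continue
        m = ROW.match(line)               # header and ruler lines do not match
        if m:
            rows.append((m["image"], int(m["pid"]), split_services(m["svcs"])))
    return rows

def services_for_pid(rows, pid):
    """Services sharing the process that Task Manager shows as busy."""
    return next((svcs for _, p, svcs in rows if p == pid), [])

def host_of(rows, service):
    """PID of the process hosting `service` (case-insensitive), or None."""
    want = service.lower()
    return next((p for _, p, svcs in rows if want in map(str.lower, svcs)), None)

if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    print("srservice runs in PID", host_of(rows, "srservice"))
    print("stop-and-test candidates:", services_for_pid(rows, 1024))
```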
mnielson323, I have the same problem, so which one of the spyware in the accepted answer solved this problem?

Thanks.
Abdu Allah,

Unfortunately I don't recall how my problem was resolved.  I read all of the previous comments.  The last one got to be so detailed, I gave up on it.  However, the problem appears to have gone away (knock on wood).  I still have like 6 SVCHOST.EXE processes running, but their CPU usage is way low, if not 0%.  In the meantime, I do run Spybot1.3 Search & Destroy on a regular basis.  I couldn't tell you, tho, if that has fixed everything.  I have all of the latest updates applied - Windows XP SP2, NAV, and Lavasoft Ad-Aware6.0.  At this point, my response time isn't bad.  Sorry I couldn't be of more assistance.

Mike


Sorry mnielson323, my English did not let me understand you well. Is Spybot1.3 a name of spyware or what?
Yes....Spybot1.3 S&D is a great tool to find unwanted files/folders/registries in your system.  It is safe to download and install and use.  Check out this link:  http://www.safer-networking.org/en/index.html.
Ok mnielson323, Thank you very much.
mnielson323, are you sure that Spybot1.3 S&D is what fixed this problem?
I used it but the problem still exists!
I discovered that it is a common problem, and no one has found a solution for it.
Have a look here:
http://www.techsupportforum.com/showthread.php?s=fc4ba1018a5da354ba29359d844b1788&p=75968#post75968

http://www.winportal.com/chat_sin.asp?ObjectID=8675

http://forum.pcvsconsole.com/viewthread.php?tid=8191&page=3
I had the same problem with SVCHOST eating 99% of my CPU. The problem only occurred when I connected to my DSL connection at home and not when I was connected to the office LAN. I tried every damn solution I found on the net and was about to format and reinstall my XP Professional. As I was cleaning up I uninstalled TuneUp Utilities and the problem disappeared. It seems TuneUp had tried to optimise my computer for broadband access and was causing this issue.
Thanks for all the inputs guys and good luck to those still dealing with the misery of SVCHOST
need a solution !!!!

Please open the question...