Solved

sysrvce.exe using 99% cpu

Posted on 2004-03-29
Last Modified: 2008-03-10
Hello everyone,
I have a server running Win2k Server that restarted on its own somehow over the weekend. Now the network is extremely slow.
In Task Manager I see that sysrvce.exe is using almost all of the CPU time. I rebooted to see if it would clear and it did not. In Task Manager, I select it to end the process and it won't let me, saying "access denied". Does anybody know what this program is and how I get it to shut off and/or not use the whole CPU time? I can't seem to find any info on sysrvce. Thanks.
Question by:DwayneW
17 Comments
 
LVL 1

Assisted Solution

by:nchristy0
nchristy0 earned 25 total points
When you say server, is it an actual server or is it a PC designated as a server?  If it is a PC designated as a server, and you are running high speed internet through that PC, it is not equipped to share that internet.  This is my assumption and I may be off line, but if it fits, this is your problem.

High Speed Internet is designed to be shared through a router, not through a PC attached to a hub.  If this is the case you need to purchase a router.  Even though you have a server O/S installed, the sysrvc.exe is the process that is attempting to route that internet connection.

If this is not the case, the best thing to do is run a virus scan on the server.  It may not be a virus, however; it could be an O/S service that has its hands full.  If that is the case, check the amount of RAM and processor power versus what it is trying to accomplish.  In other words if you have a program running that requires more RAM than you have, or if you have a resource intensive program with little clock speed.

Hope this helps.
 
LVL 29

Accepted Solution

by:blue_zee
blue_zee earned 100 total points
Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. Update and run this regularly to get rid of most "spyware/hijackware" on your machine. If it has to fix things, be sure to re-boot and rerun AdAware again and repeat this cycle until you get a clean scan. The reason is that it may have to remove things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy available here:
http://security.kolla.de/
I recommend using both normally.
After fixing things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until you get a clean "no red" scan. The reason is that SpyBot sometimes has to remove things which are currently "in use" before it can then clean up others.

Once you get this cleaned up, you might want to consider installing the SpywareBlaster and SpywareGuard here to help prevent this kind of thing from happening in the future:

http://www.wilderssecurity.com/spywareblaster.html
Prevents malware Active X installs.
SpyWare Blaster is not memory resident ... no CPU or memory load - but keep it updated.
The latest version as of this writing will prevent installation or prevent the malware from running if it is already installed, and it provides information and fixit-links for a variety of parasites.

http://www.wilderssecurity.net/spywareguard.html
Monitors for attempts to install malware.

Both very highly recommended.

Zee


 

Author Comment

by:DwayneW
I do have a designated server that is connected to a hub. The broadband comes into a router which goes to the hub also.
This came about all of a sudden. I don't know what service it's trying to run, but I can't end the process manually.
 

Author Comment

by:DwayneW
Many programs around the network are "not responding", but do not totally lock up. If they wait then the program will resume. Could this be a result of the server being "tied up" with this other program? This network is crawling.
 

Author Comment

by:DwayneW
I'm trying to use Ad aware, but with the cpu usage from this other program holding at 99% +, it is going very slow. So far it has been an hour and isn't done yet.
 
LVL 29

Expert Comment

by:blue_zee

>>So far it has been an hour and isn't done yet.<<

Ouch!!!

Amazing...

I have no idea what it is.

Zee
 

Expert Comment

by:AscendedGuard
Here's what you can do:

End the process (I'm assuming you know how because you know how much CPU Usage there is)

If nothing bad happens in windows, you can probably get rid of it.
Open the registry. (Run -> regedit)

Search the registry for sysrvce.exe, and delete it from the registry.
Also you can do a file search across the system for sysrvce.exe and delete that as well.

Most of these programs are exploitation programs that attempt to connect you to someone else in an attempt to open the security on your system.
 
LVL 21

Expert Comment

by:jvuz
Boot in safe mode and launch Adaware.

 
LVL 1

Expert Comment

by:nchristy0
AscendedGuard,

Did you read his post?  The O/S has designated that process as critical and he cannot kill it.
And you definitely don't want to delete sysrvce.exe from the registry, because there are so many actual system processes that use the name sysrvce.exe.
Follow what jvuz says: boot in safe mode and use Adaware.
 

Author Comment

by:DwayneW
Yeah, I knew not to delete something like that from the registry. I am going to try safe mode in a while. Symantec thinks it's a virus somewhere and I need to send them the file to review, if I can get through the search command, which has been running for about 40 min now.
Thanks for checking!
 
LVL 29

Expert Comment

by:blue_zee

What a pain...

I'm sorry for you.
:-(

Zee
 

Author Comment

by:DwayneW
Got into safe mode and ran a virus scan (clean) and Adaware (only a couple of things but nothing to change).
I searched for this file and came up empty, I searched through regedit and found it to be in..HKEY_CURRENT_USER\software\microsoft\interneteplorer\ExplorerBars\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1}.
Rebooted and same problem existed. I could hear the thing start chugging (for lack of a better word!) as soon as I got to the log in screen.

Advil has been working for me, maybe I should throw a couple in the server! ha
 
LVL 29

Expert Comment

by:blue_zee

Download, install and run (FIX) Cool Web Shredder:

http://www.zerosrealm.com/downloads/CWShredder.zip
http://radiosplace.com/
http://computercops.biz/downloads-cat-14.html

If that doesn't do it, try ToolbarCop:

http://www.mvps.org/sramesh2k/toolbarcop.htm

You could also try backing up your registry and deleting the string or the entry.

Zee
 
 

Author Comment

by:DwayneW
I really appreciate the input and suggestions here! After talking with Symantec for the 4th time, they directed me to www.sysinternals.com. There is freeware that can monitor processes like Task Manager except that it shows much more, especially the programs associated with the processes and their paths. I used this and found that there was a program that is corrupted that is run off of the server. This program (procexpnt.zip) is great. It not only identified the culprit, but also allowed me to kill or suspend it. When I suspended it, the CPU usage dropped like a rock. I would suggest that anyone check out this site for other types of programs! It may not be new to others, but I'm sold on it. Thanks to all!!

DwayneW
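
The triage described in the post above (mapping a process name to its image path and launch context), as an added PowerShell example that is not part of the original thread. It assumes a current Windows host with PowerShell 5.1 or later rather than the Windows 2000 server in question, uses only built-in cmdlets, and changes nothing on the system.

```powershell
# Added example (not from the thread): read-only triage of a process by image name.
param([string]$Name = 'sysrvce.exe')   # name taken from the thread; pass any other

# 1. Running instances: PID, parent, owner, on-disk path, signature and hash.
$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = '$Name'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $sig = $null; $hash = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath
        $hash = Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256
    }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        Owner       = "$($owner.Domain)\$($owner.User)"
        Path        = $p.ExecutablePath      # empty when access is denied
        CommandLine = $p.CommandLine
        Signature   = if ($sig)  { $sig.Status } else { 'n/a' }
        SHA256      = if ($hash) { $hash.Hash }  else { 'n/a' }
    }
}
$report | Format-List

# 2. Services whose binary path references the name (these start before logon).
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$Name*" } |
    Format-List Name, State, StartMode, StartName, PathName

# 3. Run-key autostart values that reference the name.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -like "*$Name*") {
            [pscustomobject]@{ Key = $key; Value = $valueName; Data = $data }
        }
    }
}
$autoruns | Format-List
```

Run it from an elevated prompt so that the paths and command lines of processes owned by other accounts are visible.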
 

Author Comment

by:DwayneW
I split the points just for the fact that both helped me, even though I luckily solved it myself. Your inputs have led me to gain more insight.
I hope you think it's fair. Thanks again you all!
 
LVL 29

Expert Comment

by:blue_zee

Dwayne,

Yup, fair enough no doubt.

Thanks for your comments and I'm really glad you found your way out of this.

And, yes I already know and use Process Explorer...

Never came to mind!
:-(

Thanks again.

Zee
 
LVL 1

Expert Comment

by:nchristy0
Dwayne,

Fair way of doing it!  Glad that you found a resolution.  Hadn't used the program before but I have heard about it, I will have to check it out.

Thanks,

Nick