Solved

Svchost in Windows Xp

Posted on 2004-04-06
Last Modified: 2011-09-20
I have installed Windows XP with Service Pack 1 on a computer, and before connecting it to the internet I made all the updates possible to the antivirus and installed all the hotfixes not included in the service pack (including the Blaster fix).
But shortly after the install, svchost is constantly putting the CPU at maximum load.

How can I fix this?
Question by:VanAlex
8 Comments
 
LVL 44

Expert Comment

by:CrazyOne
http://www.jsiinc.com/SUBJ/tip4600/rh4660.htm

4660 » What is the Svchost.exe process(es) in Windows XP?

In tip 2060, I explained the Svchost process in Windows 2000.

In tip 4310, you can see multiple Svchost processes in Windows XP.

%SystemRoot%\System32\Svchost.exe is a generic process name for services that run from dynamic-link libraries (DLLs). When you start Windows XP, Svchost.exe constructs multiple lists of service groupings that need to be loaded. Each instance can run at the same time. Svchost.exe groups are delineated at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost.

Each Value Name contains a list of included serviceDLL values, in a REG_MULTI_SZ data type. These services are extracted from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<Service Short Name>.

To see the list of active services in each process, open a CMD prompt and Type:

Tasklist /SVC

The following was displayed from one of my Windows XP Professional computers:

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     372 N/A
csrss.exe                    484 N/A
winlogon.exe                 512 N/A
services.exe                 572 Eventlog, PlugPlay
lsass.exe                    584 Netlogon, PolicyAgent, ProtectedStorage,
                                 SamSs
svchost.exe                  748 RpcSs
svchost.exe                  816 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, lanmanserver,
                                 lanmanworkstation, Messenger, Netman, Nla,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TermService, Themes, TrkWks,
                                 uploadmgr, W32Time, winmgmt, WmdmPmSp,
                                 wuauserv, WZCSVC
svchost.exe                  920 Dnscache
svchost.exe                  964 Alerter, LmHosts, RemoteRegistry, SSDPSRV,
                                 WebClient
spoolsv.exe                 1048 Spooler
explorer.exe                1328 N/A
TaskSwitch.exe              1484 N/A
taskmgr.exe                 1512 N/A
point32.exe                 1536 N/A
msmsgs.exe                  1560 N/A
fastkey.exe                 1568 N/A
IEXPLORE.EXE                1580 N/A
prntscrn.exe                1596 N/A
SetiSpy.exe                 1604 N/A
setiathome-3.03.i386-winn   1676 N/A
svchost.exe                 1828 stisvc
UdServe.exe                 1852 UndeleteService
Fast.exe                    1984 InteractiveLogon
dllhost.exe                 1224 COMSysApp
msdtc.exe                   1208 MSDTC
wmiprvse.exe                3056 N/A
cmd.exe                     3428 N/A
tasklist.exe                3460 N/A
The matching registry entries are:
Key Name:          SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
  Name:            imgsvc
  Type:            REG_MULTI_SZ
  Data:            StiSvc
                   
  Name:            LocalService
  Type:            REG_MULTI_SZ
  Data:            Alerter
                   WebClient
                   LmHosts
                   RemoteRegistry
                   upnphost
                   SSDPSRV
                   
  Name:            netsvcs
  Type:            REG_MULTI_SZ
  Data:            6to4
                   AppMgmt
                   AudioSrv
                   Browser
                   CryptSvc
                   DMServer
                   DHCP
                   ERSvc
                   EventSystem
                   FastUserSwitchingCompatibility
                   HidServ
                   Ias
                   Iprip
                   Irmon
                   LanmanServer
                   LanmanWorkstation
                   Messenger
                   Netman
                   Nla
                   Ntmssvc
                   NWCWorkstation
                   Nwsapagent
                   Rasauto
                   Rasman
                   Remoteaccess
                   Schedule
                   Seclogon
                   SENS
                   Sharedaccess
                   SRService
                   Tapisrv
                   Themes
                   TrkWks
                   W32Time
                   WZCSVC
                   Wmi
                   WmdmPmSp
                   winmgmt
                   TermService
                   wuauserv
                   BITS
                   ShellHWDetection
                   helpsvc
                   uploadmgr
                   
  Name:            NetworkService
  Type:            REG_MULTI_SZ
  Data:            DnsCache
                   
  Name:            rpcss
  Type:            REG_MULTI_SZ
  Data:            RpcSs
                   
  Name:            termsvcs
  Type:            REG_MULTI_SZ
  Data:            TermService
0
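As an added example (not part of the original comment or the quoted tip), the Python sketch below parses captured `Tasklist /SVC` output so that the PID of a busy svchost.exe seen in Task Manager can be mapped to the services it hosts. The sample text is constructed in the layout shown above, and the function names are illustrative.

```python
import re
# Constructed sample in the `tasklist /SVC` layout quoted above, including
# the wrapped continuation lines that a line-by-line parse would drop.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
lsass.exe                    584 Netlogon, PolicyAgent, ProtectedStorage,
                                 SamSs
svchost.exe                  748 RpcSs
svchost.exe                  964 Alerter, LmHosts, RemoteRegistry, SSDPSRV,
                                 WebClient
spoolsv.exe                 1048 Spooler
"""

def _names(field):
    """Split a Services field; 'N/A' means the process hosts none."""
    names = [s.strip() for s in field.split(",") if s.strip()]
    return [] if names == ["N/A"] else names

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] from `tasklist /SVC` text."""
    lines = text.splitlines()
    # Image names may contain spaces, so take the column width from the ruler.
    ruler = next(i for i, l in enumerate(lines) if l.startswith("="))
    image_end = re.match(r"=+", lines[ruler]).end()
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        if line[0].isspace():  # continuation of the previous process
            if rows:
                rows[-1][2].extend(_names(line))
            continue
        pid, _, services = line[image_end:].strip().partition(" ")
        rows.append((line[:image_end].strip(), int(pid), _names(services)))
    return rows

def svchost_services(text):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {pid: svcs for image, pid, svcs in parse_tasklist_svc(text)
            if image.lower() == "svchost.exe"}

def host_of(service, text):
    """Return the svchost.exe PID hosting `service`, or None."""
    for pid, svcs in svchost_services(text).items():
        if service.lower() in (s.lower() for s in svcs):
            return pid
    return None
```

Save the real output with `Tasklist /SVC > tasklist.txt` and pass the file contents in place of `SAMPLE`.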
 
LVL 67

Expert Comment

by:sirbounty
Try disabling unneeded services:
 http://www.blackviper.com/WinXP/servicecfg.htm
 http://www.techspot.com/tweaks/win2k_services/index.shtml

You can also try the following method to eliminate items from startup:
  Click Start->Run->MSCONFIG

  In the Startup tab, start out by disabling everything you're unfamiliar with (or everything if you're unsure).
  Optionally, you can also disable non-Microsoft services from the Services tab.
  If the problem no longer exists after a reboot, then you can narrow it down as one of the items in your
  startup.  To permanently remove these item(s), proceed as follows...

  Click Start->Run->Regedit
  *Be careful when editing the registry as an accidental deletion can render your system inoperable.
  First navigate to the following key in the registry:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   *You might also find RunOnce, RunOnceEx, RunServices, RunServiceOnce or any of these with a trailing dash (-)

  Once found, click File, Export to save a copy of the key before you delete any items (if necessary).
  After the file has been saved, delete items as needed from the right pane.
  Now find the next startup key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   *You might also find RunOnce, RunServices, RunServiceOnce or any of these with a trailing dash (-)
  Follow the previous procedures to export a copy before deleting items from the right pane.
0
 
LVL 4

Expert Comment

by:Veegertx
You have the Coolwebsearch hijacker I think.
Go to this page http://www.spywareinfo.com/~merijn/downloads.html and download CWshredder
Read that page for further info on that. Says to run HijackThis afterwards.
Direct Link:  http://209.133.47.200/~merijn/files/CWShredder.exe
Get that and run it to remove it.
0
 

Author Comment

by:VanAlex
I checked the running processes and there is nothing abnormal, nor in the registry. I also ran CWShredder, but the problem still remains.
0
 
LVL 4

Accepted Solution

by:
Veegertx earned 250 total points
Paste in RUN     eventvwr.exe
On each App, Security, System right click and select Clear all events - Don't save
Reboot and when it starts acting up again go to Event viewer and see what Service or error is causing problems.

If you have Visioneer USB Scanner - http://support.microsoft.com/default.aspx?scid=kb;en-us;303777

You can put services.msc in RUN and that's the service panel to disable any of the below.

Here is a list of other people's cures for their problems.
1. Run services.msc, and stop 'rip listener'. Change the startup to manual.
2. SSDP Discovery Service was hogging the CPU. It seems this service will stop and start continuously. This defaults to Manual... so I just disabled it.... and what do you know.. no more CPU problems.
3. SSDP UPnP Discovery Service
4. Cpucool installation was occupying all my CPU
5. With a bit of trial and error I found that it was the fax service that was causing the trouble
6. HOSTS file. Either one of the entries was the culprit or the file itself was corrupt.
7. SVCHOST has a memory leak that causes a linked list of services that should be running to grow continuously. The problem arises when SVCHOST tries to start a service and can't. It carries on almost forever and eats memory and CPU. In my case the problem service was the SSDP service (Universal Plug and Play), and disabling it fixed my problem. Check the system event log for services being stopped and started over frequently. Another possible cause of a problem of this type is downloading a big hosts file to block ads. This causes DNS client to eat all the CPU whenever the hosts file is referred to. See the post below.
8. Checked the Event Log and SSDP Discovery Service was being stopped and started over and over and over...... so I disabled it.
9. s3serv.exe - http://www.tbreak.com/forums/showthread.php?s=3e28390bb6a5d61b4c291fb07bb33c38&p=223331#post223331

Two of the things pointed to the HOSTS file located in C:\Windows\System32\Drivers\etc
The normal file is only 734 bytes. One entry in it could be causing the bad things. Did you add entries to this?
Here's the normal file.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

-------------------------------------------------

Need Any help with any of the above - Reply


0
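As an added example (not part of the original answer), the Python sketch below audits a HOSTS file against the stock one shown above: it counts mappings beyond `localhost`, flags an oversized file, and lists blocked names under a watch-list suffix. The sample content, the `vendor.example` suffix and the `max_bytes` threshold are assumptions chosen for illustration.

```python
# Constructed sample: the stock localhost entry plus ad-block style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.com       # ad blocker entry
0.0.0.0         tracker.example.net banners.example.net
127.0.0.1       update.vendor.example
10.1.2.3        intranet.example.org
"""

# Addresses that ad-block lists use to make a name unreachable.
SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (address, hostname) for every active mapping in a HOSTS file."""
    for raw in text.splitlines():
        # Everything after '#' is a comment; one line may carry several names.
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def audit_hosts(text, watch_suffixes=(), max_bytes=64 * 1024):
    """Summarise how far a HOSTS file departs from the stock one.

    watch_suffixes: domains whose blocking should be reported (assumption:
                    names the machine's own software needs to reach).
    max_bytes:      size above which the file is reported as oversized
                    (assumed threshold; the stock file is under 1 KB).
    """
    entries = [(a, n) for a, n in parse_hosts(text) if n != "localhost"]
    watched = tuple("." + s.lstrip(".").lower() for s in watch_suffixes)
    size = len(text.encode("utf-8"))
    return {
        "size_bytes": size,
        "oversized": size > max_bytes,
        "extra_entries": len(entries),
        # Sinkholed names that fall under a watched domain.
        "blocked_watched": [n for a, n in entries
                            if a in SINKS and ("." + n).endswith(watched)],
        # Names pointed at a real address rather than a sink.
        "remapped": [(a, n) for a, n in entries if a not in SINKS],
    }
```

Read the file from `C:\Windows\System32\Drivers\etc\hosts` and pass its text to `audit_hosts`; a stock file reports zero extra entries.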
 

Author Comment

by:VanAlex
I believe Veegertx got the right answer. I reinstalled the system and I didn't have the problem again because I still have not replaced the original Hosts file with the one I have to block ads, which is over 1 MB.

Even though I haven't tested it, I'm pretty sure that is it because this was the only PC in the network that was using it.
I noticed it blocked some msft sites, which can explain why it would mess up the system when I opened Outlook.

Thanks man, sorry for the delay, way too much work.
0
 
LVL 4

Expert Comment

by:Veegertx
Thanks, and glad you enlightened us to this also. I've used those really large HOSTS files before and I remember problems, but not exactly like you had. Perhaps a firewall may be better with a limited HOSTS file.
0
