Solved

Problem with High CPU Usage with SVCHost.EXE

Posted on 2004-04-08
Last Modified: 2011-08-18
I am running WinXP Pro and am having very slow and sluggish response times.  I looked at the Task Manager and the service eating up most of my CPU Usage was SVCHost.EXE.  There are actually five different SVCHost.EXE running.  I did a tasklist /svc from DOS and the PID associated with the highest CPU Usage has around 32 services/programs running.  Any reason why this service is doing this?  The System Idle Process used to be in the 90+% usage, now it's less than 5%.

Thanks,

Mike
Question by:mnielson323
LVL 49

Accepted Solution

by:
sunray_2003 earned 540 total points
ID: 10784380
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10784386
You may want to check for spyware and virus first

But also look at these links explaining why there could be multiple svchost

http://www.jsiinc.com/SUBJ/tip4600/rh4660.htm 

http://www.winnetmag.com/Article/ArticleID/20609/20609.html 
0
 

Author Comment

by:mnielson323
ID: 10784465
I already am running Spybot S&D Advanced spyware on a regular basis.  I also keep Windows Updates and NAV up-to-date.  I will, tho, check into ad-ware, CWshredder, and Hijackthis.  THANKS!

0
LVL 21

Expert Comment

by:briancassin
ID: 10935769
mnielson323,

Just happened to view this. I was having almost the same exact problem; just wondering if you got your problem resolved?
0
 

Author Comment

by:mnielson323
ID: 10943264
Brian,

Well....I hate to say that whatever suggestions I got, just caused more problems.  I did what was suggested to me and immediately started getting POPUP ads, which I now can't get rid of.  Concerning my original problem, it seems to have rectified itself.  My CPU Usage (for System Idle Process) is running in the 90+% - which is great.  I however did nothing to accomplish that.  So, bottom line...I don't know what to tell you.

Sorry.......Mike

0
 
LVL 21

Expert Comment

by:briancassin
ID: 10944756
The reason why I asked is I had the same problem, which is caused by a backdoor trojan which was recently discovered April 4th 2004.

Check Task Manager under Processes and see if you have a 5-digit number running as a process in the background. Also go into your registry: go to Start, Run, type regedit, hit Enter, and then go to HKEY_LOCAL_MACHINE - Software - Microsoft - Windows - CurrentVersion - Run and see if there is a 5-digit number listed there (it is a random number). If so, then you have the Trojan known as either RDOM.A (F-Prot) or Sdown.A by Trend Micro. Let me know if you find this; if you do, it has to be gotten rid of, as it opens a back door of your system to hackers.

Some of the other problems were: CPU was at 99% usage with SVCHOST.EXE using 99% of the processor; could not access My Computer, Network Places, the Internet or anything; the computer would just have the wait icon, then refresh the screen; all icons would be removed, then come back, but nothing would happen.
0
 

Expert Comment

by:sugarstevie
ID: 10945715
I experienced this problem on two successive boots of Windows XP earlier today.  Now everything is fine.  An additional symptom is that the computer will not safely shut down -- it gets hung when saving system settings.  I found a suspicious entry in the registry location referenced above, but it looks like 9 random letters as opposed to 5 digit numbers.  The entry points to C:\WINDOWS\AHNUELRYF.exe, but the file is no longer there.
0
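
The registry check described in the two posts above (a five-digit entry in the Run key, or an entry whose target file no longer exists) can be scripted. This is an added example, not code from any poster; it assumes PowerShell 3.0 or later, which postdates the Windows XP setup in the thread, and the two extra Run keys and the signature column are additions that go beyond what the posts describe.

```powershell
# Added example (not from the thread). Run keys to audit: the first is the one
# named in the post; the other two are common autorun locations added here.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-RunTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if     ($cmd -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { $path = $Matches[1] }
    else   { $path = ($cmd -split '\s+')[0] }
    # Bare names such as "rundll32.exe" are resolved through PATH.
    if ($path -notmatch '[\\/]') {
        $found = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { $path = $found.Path }
    }
    return $path
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $raw = [string]$item.GetValue($name)
        if (-not $raw.Trim()) { continue }          # skip empty values
        $target = Resolve-RunTarget -CommandLine $raw
        $leaf   = ($target -split '[\\/]')[-1] -replace '\.[^.]+$', ''
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Target    = $target
            FiveDigit = ($name -match '^\d{5}$') -or ($leaf -match '^\d{5}$')
            Missing   = -not $exists      # entry points at a file that is gone
            Signature = $sig
        }
    }
}
$findings | Sort-Object Missing, FiveDigit -Descending | Format-Table -AutoSize -Wrap
```

Rows with `Missing` or `FiveDigit` set to True sort to the top; an unsigned target in the Windows directory is a reason to look closer, not proof of infection.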
 
LVL 21

Expert Comment

by:briancassin
ID: 10945959
sugarstevie I would say scan your system good

use

http://housecall.trendmicro.com
0
 

Author Comment

by:mnielson323
ID: 10949348
briancassin (and sugarstevie),

First, thanks for the replies.  Second, I followed the instructions to get to the HKEY_ (never been there before - and by the way, AWESOME instructions), but found NOTHING.  There weren't any 5 or even 9 digit numbers.  There were a few processes with strings of LETTERS, but none with numbers.  But lastly, I will go ahead and run that URL scan.

Thanks again,

Mike
 
0
 

Expert Comment

by:Chris_McMahon
ID: 11020439
I called Microsoft on this a few months back. It's kind of a tough fix.
I am looking for my notes...
0
 

Author Comment

by:mnielson323
ID: 11046246
briancassin (and sugarstevie),

I ran that scan from the URL you sent...nothing found.

Chris,

Thanks for checking.  Hope you find something.

Mike

0
 
LVL 21

Expert Comment

by:briancassin
ID: 11046396
Check the first link in this to see if this is a possibility; they have a tool that checks for it...

This is the Sasser worm (or a variant).
See the following links for removal tools and more information:

http://www.microsoft.com/security/incident/sasser.asp
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

Security Patch in response to this vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx


Also try this: go to the site listed below, download the program, run it and post the log report up here... I will look through it and see if there is anything suspicious.

http://www.tomcoyote.com/hjt/
0
 

Expert Comment

by:sugarstevie
ID: 11123815
Mike,

I too experienced the same problem you did, as I previously commented.  I recently did a scan with Lavasoft's AdAware 6.0.  It found 18 problems that SpyBot did not find.  You might try downloading and running this specific adware detection software and see if it helps.  My machine has not hung since I ran the scan.

-Steve
0
 

Expert Comment

by:sugarstevie
ID: 11302389
Mike,
The previous report that Ad-aware discovered malware that was causing the problem was erroneous.  The system continued to experience the problem.  Svchost runs a whole slew of services on behalf of the system – so the trick was to find which one was running away.  I downloaded a tool called Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml.  It will report the process ID and in the case of the svchost process, all services attached to it. At Control Panel - Admin Tools – Services, I selectively stopped each service to see which one was causing the load (then start them again if stopping had no effect).  In my case, I found that the System Restore Service (srservice – srsvc.dll) was running away at 99%.  I have disabled the service, and the condition has not surfaced again.  That doesn’t solve the problem of what is wrong with this particular service, but at least the machine will no longer become crippled.
-Steve
0
 

Expert Comment

by:Chris_McMahon
ID: 11302410
OK, found my notes. Here was the problem and solution I had... it wasn't spyware.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;317843
0
 

Expert Comment

by:sugarstevie
ID: 11747154
Mike,
     I finally got to the bottom of what was causing System Restore Service running under SVCHOST to saturate the CPU at 100%.  I'll document it here for any unlucky souls who may encounter the same problem.
     Svchost runs a whole slew of services on behalf of the system – so the trick was to find which one was running away. I downloaded a tool called Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. It will report the process ID of each process in memory, and in the case of the svchost process, all services attached to it. At Control Panel - Admin Tools – Services, I selectively stopped each service to see which one was causing the load (then later started it again if stopping had no effect). In my case, I found that the System Restore Service (srservice – srsvc.dll) was running away at 99%.
     Next I opened a support case with Microsoft.  We used numerous tools to troubleshoot the service.  One of the more valuable tools was FILEMON, available at http://www.sysinternals.com/ntw2k/source/filemon.shtml.  It shows all files that are touched during the monitor period.  We also used the proprietary USERDUMP tool from Microsoft, which is not available for download, and for which I had no tool to analyze the results.
     Microsoft determined that the latest restore point in the SRService database was corrupt, and the service was getting hung when it tried to delete one of its files.  The restore points comprising the SRService database are stored on my machine at the following location:  C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}
The solution was to manually remove all restore points in the SRService database, using Windows Explorer.  Here are the steps to accomplish this.
1. Boot the machine with SRService disabled (Select Start / Control Panel / Administrative Tools / Services.  Double click System Restore Service, and set Startup Type to Disabled, then click OK. Re-boot.  You may have to rename srsvc.dll, even in the DLL cache, to keep it from starting - it's fairly persistent.)
2. You must grant access to the System Volume Information folder on C: (Article 309531).
   2a. Get a command prompt and type the following, including quotes:
   cacls "C:\System Volume Information" /E /G username:F
   2b. (To undo these permissions later when finished, type the following)
   cacls "C:\System Volume Information" /E /R username
3. Move the offending folder, in my case "C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP140", to a temporary location
4. Reboot
5. Right click My Computer, and select Properties.  This automatically starts SRService and changes its startup from disabled to automatic
6. Click the System Restore tab
7. Select “Turn Off System Restore” and click apply.  Notice the _restore… folder disappears in the System Volume Information folder.  Warning: all restore points are deleted.
8. Go back and uncheck “Turn Off System Restore” then click apply.  Notice the _restore… folder appears in the System Volume Information folder (No, the previous restore points don’t re-appear.)
9. SRService should no longer hog the CPU!

Regards,
Steve
0
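
The first step in the post above, finding which svchost.exe instance is busy and which services it hosts, can be done without third-party tools on current Windows. This is an added example, not the poster's method or code; it assumes PowerShell 3.0 or later and an elevated prompt (without elevation, CPU times for some svchost instances are not readable and those instances are left out), and the 5-second sampling window is an arbitrary choice.

```powershell
# Added example (not from the thread): list each svchost.exe instance with the
# services it hosts and the CPU it used during a short sampling window.
$sampleSeconds = 5   # assumption: long enough to make a runaway host stand out

function Get-SvcHostCpuSeconds {
    # Returns a hashtable: process ID -> total CPU seconds consumed so far.
    $times = @{}
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        if ($null -ne $_.TotalProcessorTime) {
            $times[$_.Id] = $_.TotalProcessorTime.TotalSeconds
        }
    }
    return $times
}

$before = Get-SvcHostCpuSeconds
Start-Sleep -Seconds $sampleSeconds
$after  = Get-SvcHostCpuSeconds

# Running services grouped by hosting process; -AsString makes the keys strings,
# so lookups do not depend on the numeric type of ProcessId.
$services = Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    Group-Object -Property ProcessId -AsHashTable -AsString

$cores  = [Environment]::ProcessorCount
$report = foreach ($procId in $after.Keys) {
    if (-not $before.ContainsKey($procId)) { continue }   # started mid-sample
    $delta = $after[$procId] - $before[$procId]
    [pscustomobject]@{
        ProcessId = $procId
        CpuPct    = [math]::Round(100 * $delta / ($sampleSeconds * $cores), 1)
        Services  = ($services["$procId"] | ForEach-Object { $_.Name }) -join ', '
    }
}
$report | Sort-Object CpuPct -Descending | Format-Table -AutoSize -Wrap
```

The instance at the top of the table is the one to investigate; the stop-one-service-at-a-time step from the post then only has to cover the services listed on that row.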
 
LVL 3

Expert Comment

by:Abdu_Allah
ID: 12238309
mnielson323, I have the same problem, so which one of the spyware in the accepted answer solved this problem?

Thanks.
0
 

Author Comment

by:mnielson323
ID: 12238642
Abdu Allah,

Unfortunately I don't recall how my problem was resolved.  I read all of the previous comments.  The last one got to be so detailed, I gave up on it.  However, the problem appears to have gone away (knock on wood).  I still have like 6 SVCHOST.EXE processes running, but their CPU usage is way low, if not 0%.  In the meantime, I do run Spybot1.3 Search & Destroy on a regular basis.  I couldn't tell you, tho, if that has fixed everything.  I have all of the latest updates applied - Windows XP SP2, NAV, and Lavasoft Ad-Aware6.0.  At this point, my response time isn't bad.  Sorry I couldn't be of more assistance.

Mike


0
 
LVL 3

Expert Comment

by:Abdu_Allah
ID: 12240585
Sorry mnielson323, my English did not let me understand you well, Spybot1.3 is a name of spyware or what?
0
 

Author Comment

by:mnielson323
ID: 12240716
Yes....Spybot1.3 S&D is a great tool to find unwanted files/folders/registries in your system.  It is safe to download and install and use.  Check out this link:  http://www.safer-networking.org/en/index.html.
0
 
LVL 3

Expert Comment

by:Abdu_Allah
ID: 12240993
Ok mnielson323, Thank you very much.
0
 
LVL 3

Expert Comment

by:Abdu_Allah
ID: 12262241
mnielson323, are you sure that it was Spybot1.3 S&D that fixed this problem?
I used it but the problem still exists!
I discovered that it is a common problem, and no one has found a solution for it.
Have a look here:
http://www.techsupportforum.com/showthread.php?s=fc4ba1018a5da354ba29359d844b1788&p=75968#post75968

http://www.winportal.com/chat_sin.asp?ObjectID=8675

http://forum.pcvsconsole.com/viewthread.php?tid=8191&page=3
0
 

Expert Comment

by:Phuza123
ID: 13317325
I had the same problem with SVCHOST eating 99% of my CPU. The problem only occurred when I connected to my DSL connection at home and not when I was connected to the office LAN. I tried every damn solution I found on the net and was about to format and reinstall my XP Professional. As I was cleaning up I uninstalled TuneUp Utilities and the problem disappeared. It seems TuneUp had tried to optimise my computer for broadband access and was causing this issue.
Thanks for all the inputs guys and good luck to those still dealing with the misery of SVCHOST
0
 

Expert Comment

by:GetStart
ID: 14830212
need a solution !!!!

Please open the question...
0
