Solved

Problem with High CPU Usage with SVCHost.EXE

Posted on 2004-04-08
Last Modified: 2011-08-18
I am running WinXP Pro and am having very slow and sluggish response times.  I looked at the Task Manager and the service eating up most of my CPU Usage was SVCHost.EXE.  There are actually five different SVCHost.EXE running.  I did a tasklist /svc from DOS and the PID associated with the highest CPU Usage has around 32 services/programs running.  Any reason why this service is doing this?  The System Idle Process used to be in the 90+% usage, now it's less than 5%.

Thanks,

Mike
Question by:mnielson323
24 Comments
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 135 total points

LVL 49

Expert Comment

by:sunray_2003
You may want to check for spyware and viruses first.

But also look at these links explaining why there could be multiple svchost

http://www.jsiinc.com/SUBJ/tip4600/rh4660.htm  

http://www.winnetmag.com/Article/ArticleID/20609/20609.html

Author Comment

by:mnielson323
I already am running Spybot S&D Advanced spyware on a regular basis.  I also keep Windows Updates and NAV up-to-date.  I will, tho, check into ad-ware, CWshredder, and Hijackthis.  THANKS!

LVL 21

Expert Comment

by:briancassin
mnielson323,

Just happened to view this. I was having almost the same exact problem; just wondering if you got your problem resolved?

Author Comment

by:mnielson323
Brian,

Well....I hate to say that whatever suggestions I got, just caused more problems.  I did what was suggested to me and immediately started getting POPUP ads, which I now can't get rid of.  Concerning my original problem, it seems to have rectified itself.  My CPU Usage (for System Idle Process) is running in the 90+% - which is great.  I however did nothing to accomplish that.  So, bottom line...I don't know what to tell you.

Sorry.......Mike

LVL 21

Expert Comment

by:briancassin
The reason why I asked is I had the same problem, which is caused by a backdoor trojan which was recently discovered April 4th 2004.

Check Task Manager under Processes and see if you have a 5 digit number running as a process in the background. Also go into your registry by going to Start, Run, type regedit, hit Enter, and then go to HKEY_LOCAL_MACHINE - Software - Microsoft - Windows - CurrentVersion - Run and see if there is a 5 digit number listed here (it is a random number). If so, then you have the Trojan known as either RDOM.A (F-Prot) or Sdown.A by Trend Micro. Let me know if you find this; if you do, it has to be gotten rid of, as it opens a back door of your system to hackers.

Some of the other problems were: CPU was at 99% usage with SVCHOST.EXE using 99% of the processor; could not access My Computer, Network Places, the Internet or anything; the computer would just have the wait icon, then refresh the screen, all icons would be removed then come back, but nothing would happen.

Expert Comment

by:sugarstevie
I experienced this problem on two successive boots of Windows XP earlier today.  Now everything is fine.  An additional symptom is that the computer will not safely shut down -- it gets hung when saving system settings.  I found a suspicious entry in the registry location referenced above, but it looks like 9 random letters as opposed to 5 digit numbers.  The entry points to C:\WINDOWS\AHNUELRYF.exe, but the file is no longer there.
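
Added example, not written by any poster in this thread: a Python check over saved `reg query` output for the Run key that flags the two signs reported above, a 5-digit value name and an entry whose target file no longer exists. The sample output is constructed (the `48213` entry is made up; `AHNUELRYF` is the entry reported above), and the function names are this example's own.

```python
import ntpath
import os
import re

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# output; "48213" is invented, AHNUELRYF is the entry reported in the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    48213    REG_SZ    C:\WINDOWS\system32\48213.exe
    AHNUELRYF    REG_SZ    C:\WINDOWS\AHNUELRYF.exe
"""

VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")
EXE_PATH = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)

def target_path(command):
    """Return the program path from a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_PATH.match(command)
    return m.group(1) if m else command

def audit_run_key(reg_output, exists=os.path.exists):
    """Return [(name, path, reasons)] for entries showing either sign."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, _type, command = m.groups()
        path = target_path(command)
        reasons = []
        if re.fullmatch(r"\d{5}", name):
            reasons.append("5-digit value name")
        # Only test full paths; bare names like rundll32.exe resolve via PATH.
        if ntpath.dirname(path) and not exists(path):
            reasons.append("target file missing")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    # Run on the affected machine so the existence check sees its disk.
    for name, path, reasons in audit_run_key(SAMPLE):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

A missing target only means the entry is orphaned; the file may already have been removed by a scanner, so the entry is a lead to follow up rather than proof of infection.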

LVL 21

Expert Comment

by:briancassin
sugarstevie, I would say scan your system good.

Use

http://housecall.trendmicro.com

Author Comment

by:mnielson323
briancassin (and sugarstevie),

First, thanks for the replies.  Second, I followed the instructions to get to the HKEY_ (never been there before - and by the way, AWESOME instructions), but found NOTHING.  There weren't any 5 or even 9 digit numbers.  There were a few processes with strings of LETTERS, but none with numbers.  But lastly, I will go ahead and run that URL scan.

Thanks again,

Mike
 
Expert Comment

by:Chris_McMahon
I called Microsoft on this a few months back. It's kind of a tough fix.
I am looking for my notes...

Author Comment

by:mnielson323
briancassin (and sugarstevie),

I ran that scan from the URL you sent...nothing found.

Chris,

Thanks for checking.  Hope you find something.

Mike

LVL 21

Expert Comment

by:briancassin
Check the first link in this to see if this is a possibility; they have a tool that checks for it...

This is the Sasser worm (or a variant).
See the following links for removal tools and more information:

http://www.microsoft.com/security/incident/sasser.asp
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

Security Patch in response to this vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx


Also try this: go to the site listed below, download the program, run it, and post the log report up here... I will look through it and see if there is anything suspicious.

http://www.tomcoyote.com/hjt/

Expert Comment

by:sugarstevie
Mike,

I too experienced the same problem you did, as I previously commented.  I recently did a scan with Lavasoft's AdAware 6.0.  It found 18 problems that SpyBot did not find.  You might try downloading and running this specific adware detection software and see if it helps.  My machine has not hung since I ran the scan.

-Steve

Expert Comment

by:sugarstevie
Mike,
The previous report that Ad-aware discovered malware that was causing the problem was erroneous.  The system continued to experience the problem.  Svchost runs a whole slew of services on behalf of the system – so the trick was to find which one was running away.  I downloaded a tool called Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml.  It will report the process ID and in the case of the svchost process, all services attached to it. At Control Panel - Admin Tools – Services, I selectively stopped each service to see which one was causing the load (then start them again if stopping had no effect).  In my case, I found that the System Restore Service (srservice – srsvc.dll) was running away at 99%.  I have disabled the service, and the condition has not surfaced again.  That doesn’t solve the problem of what is wrong with this particular service, but at least the machine will no longer become crippled.
-Steve

Expert Comment

by:Chris_McMahon
OK, found my notes. Here was the problem and solution I had... it wasn't spyware.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;317843

Expert Comment

by:sugarstevie
Mike,
     I finally got to the bottom of what was causing System Restore Service running under SVCHOST to saturate the CPU at 100%.  I'll document it here for any unlucky souls who may encounter the same problem.
     Svchost runs a whole slew of services on behalf of the system – so the trick was to find which one was running away. I downloaded a tool called Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. It will report the process ID of each process in memory, and in the case of the svchost process, all services attached to it. At Control Panel - Admin Tools – Services, I selectively stopped each service to see which one was causing the load (then later started it again if stopping had no effect). In my case, I found that the System Restore Service (srservice – srsvc.dll) was running away at 99%.
     Next I opened a support case with Microsoft.  We used numerous tools to troubleshoot the service.  One of the more valuable tools was FILEMON, available at http://www.sysinternals.com/ntw2k/source/filemon.shtml.  It shows all files that are touched during the monitor period.  We also used the proprietary USERDUMP tool from Microsoft, which is not available for download, and for which I had no tool to analyze the results.
     Microsoft determined that the latest restore point in the SRService database was corrupt, and the service was getting hung when it tried to delete one of its files.  The restore points comprising the SRService database are stored on my machine at the following location:  C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}
The solution was to manually remove all restore points in the SRService database, using Windows Explorer.  Here are the steps to accomplish this.
1. Boot the machine with SRService disabled (Select Start / Control Panel / Administrative Tools / Services.  Double click System Restore Service, and set Startup Type to Disabled, then click OK. Re-boot.  You may have to rename srsvc.dll, even in the DLL cache, to keep it from starting - it's fairly persistent.)
2. You must grant access to the System Volume Information folder on C: (Article 309531).
   2a. Get a command prompt and type the following, including quotes:
   cacls "C:\System Volume Information" /E /G username:F
   2b. (To undo these permissions later when finished, type the following)
   cacls "C:\System Volume Information" /E /R username
3. Move the offending folder, in my case C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP140, to a temporary location
4. Reboot
5. Right click My Computer, and select Properties.  This automatically starts SRService and changes its startup  from disabled to automatic
6. Click the System Restore tab
7. Select “Turn Off System Restore” and click apply.  Notice the _restore… folder disappears in the System Volume Information folder.  Warning: all restore points are deleted.
8. Go back and uncheck “Turn Off System Restore” then click apply.  Notice the _restore… folder appears in the System Volume Information folder (No, the previous restore points don’t  re-appear.)
9. SRService should no longer hog the CPU!

Regards,
Steve
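
Added example, not part of the original posts: the first step of the approach described above, finding which services share a given svchost.exe PID, done by parsing `tasklist /svc` output in Python, including the wrapped continuation lines of the Services column. The sample output is constructed and the function names are this example's own.

```python
import re

# Constructed `tasklist /svc` output; PIDs and service groupings are illustrative.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
smss.exe                     540 N/A
svchost.exe                  856 DcomLaunch, TermService
svchost.exe                 1024 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 EventSystem, srservice, wuauserv
spoolsv.exe                 1432 Spooler
"""

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")   # image name, PID, services
CONTINUATION = re.compile(r"^\s+(\S.*)$")          # wrapped Services column

def split_services(field):
    """Split the Services column; 'N/A' means the process hosts none."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])], joining wrapped lines to their row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), split_services(m.group(3))))
            continue
        m = CONTINUATION.match(line)
        if m and rows:
            # Indented line with no PID: more services for the previous process.
            rows[-1][2].extend(split_services(m.group(1)))
    return rows

def svchost_services(text):
    """Map each svchost.exe PID to the services sharing that process."""
    return {pid: svcs for image, pid, svcs in parse_tasklist_svc(text)
            if image.lower() == "svchost.exe"}

if __name__ == "__main__":
    for pid, svcs in svchost_services(SAMPLE).items():
        print(f"PID {pid}: {len(svcs)} services -> {', '.join(svcs)}")
```

Match the PID that Task Manager shows at high CPU against this map to get the short list of services to stop and restart one at a time.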

LVL 3

Expert Comment

by:Abdu_Allah
mnielson323, I have the same problem, so which one of the spyware in the accepted answer solves this problem?

Thanks.

Author Comment

by:mnielson323
Abdu Allah,

Unfortunately I don't recall how my problem was resolved.  I read all of the previous comments.  The last one got to be so detailed, I gave up on it.  However, the problem appears to have gone away (knock on wood).  I still have like 6 SVCHOST.EXE processes running, but their CPU usage is way low, if not 0%.  In the meantime, I do run Spybot1.3 Search & Destroy on a regular basis.  I couldn't tell you, tho, if that has fixed everything.  I have all of the latest updates applied - Windows XP SP2, NAV, and Lavasoft Ad-Aware6.0.  At this point, my response time isn't bad.  Sorry I couldn't be of more assistance.

Mike


LVL 3

Expert Comment

by:Abdu_Allah
Sorry mnielson323, my English did not let me understand you well, Spybot1.3 is a name of spyware or what?

Author Comment

by:mnielson323
Yes....Spybot1.3 S&D is a great tool to find unwanted files/folders/registries in your system.  It is safe to download and install and use.  Check out this link:  http://www.safer-networking.org/en/index.html.

LVL 3

Expert Comment

by:Abdu_Allah
Ok mnielson323, Thank you very much.

LVL 3

Expert Comment

by:Abdu_Allah
mnielson323, are you sure that Spybot1.3 S&D is what fixed this problem?
I used it but the problem still exists!
I discovered that it is a common problem, and no one has found a solution for it.
Have a look here:
http://www.techsupportforum.com/showthread.php?s=fc4ba1018a5da354ba29359d844b1788&p=75968#post75968

http://www.winportal.com/chat_sin.asp?ObjectID=8675

http://forum.pcvsconsole.com/viewthread.php?tid=8191&page=3

Expert Comment

by:Phuza123
I had the same problem with SVCHOST eating 99% of my CPU. The problem only occurred when I connected to my DSL connection at home and not when I was connected to the office LAN. I tried every damn solution I found on the net and was about to format and reinstall my XP Professional. As I was cleaning up I uninstalled TuneUp Utilities and the problem disappeared. It seems TuneUp had tried to optimise my computer for broadband access and was causing this issue.
Thanks for all the inputs guys and good luck to those still dealing with the misery of SVCHOST.

Expert Comment

by:GetStart
need a solution !!!!

Please open the question...