Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6703
  • Last Modified:

svchost.exe is at 100% CPU utilization; Computer is slow; Can't get a response from Start button

OS: Win XP
Computer: Compaq Presario S6200CL

When I move the mouse cursor over the Start button, all I get is the hourglass, and I cannot click on it.
Have run Ad-Aware, AVG, Spybot, and Spyware Blaster, using the very lastest Internet updates, and deleted all malware found.
Cannot delete the svchost process in Task Manager, says 'not allowed'.
Cannot delete svchost from Process Explorer, either.
Can only get programs to execute by clicking File->New Tasks (Run) from within Task Manager.
Still, the problem persists.
Why can't I get rid of the svchost thread, or whatever it is? Thanks, this is critical.
0
coderlen
Asked:
coderlen
  • 2
  • 2
  • 2
  • +3
5 Solutions
 
LeeTutorretiredCommented:
This MS article may be of help:

http://support.microsoft.com/?kbid=314056
A Description of Svchost.exe in Windows XP
0
 
senadCommented:
Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
The svchost.exe file is located in the c:\windows\System32 folder. In other cases, svchost.exe is a virus, spyware, trojan or worm!
Svchost is a generic host process that hosts services run from DLLs. During development, it's customary to separate new or changing services to increase the reliability and ease of troubleshooting; thus, on a beta OS version, you see more svchost processes running than on a release version.

To find out what's inside each copy of svchost.exe, use the Resource Kit Support Tools' tlist.exe (with the -s switch). (You need to install the Support Tools from \support\tools on your product CD-ROM; they don't install by default.) Below is sample output from the tlist command:
C:\>tlist -s
0 System Process
4 System
176 smss.exe
208 csrss.exe Title:
172 winlogon.exe Title: NetDDE Agent
256 services.exe Svcs: Eventlog,PlugPlay
268 lsass.exe Svcs: Netlogon,PolicyAgent,ProtectedStorage,SamSs
320 svchost.exe Svcs: RpcSs
420 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,
EventSystem,FastUserSwitchingCompatibilityServices,helpsvc,HidServ,
lanmanserver,lanmanworkstation,Netman,Nla,Schedule,seclogon,SENS,
ShellHWDetection,TermService,ThemeService,TrkWks,uploadmgr,W32Time,
WmdmPmSp,wuauser
480 svchost.exe Svcs: Dnscache
500 svchost.exe Svcs: LmHosts,Messenger,RemoteRegistry,SSDPSRV,WebClient
544 spoolsv.exe Svcs: Spooler
660 DKService.exe Svcs: Diskeeper
800 svchost.exe Svcs: winmgmt
1092 explorer.exe Title: Program Manager
1244 ctfmon.exe Title:
900 ISATRAY.EXE Title: IsaTray
1344 NAVAPW32.EXE Title: Norton AntiVirus Auto-Protect
1212 FRONTPG.EXE Title: Microsoft FrontPage - D:\asp
www.ntfaq.com\NTFAQ\5apr2001.htm
428 NAVAPSVC.EXE Svcs: NAV Auto-Protect
1376 ALERTSVC.EXE Svcs: NAV Alert
1372 PowerDVD.exe Title: PowerDVD
444 OUTLOOK.EXE Title: Tasks - Microsoft Outlook
1268 msmsgs.exe Title:
1436 MDM.EXE Title: OleMainThreadWndName
632 WINWORD.EXE Title: DDE Server Window
1404 IEXPLORE.EXE Title: Q250320 - Description of Svchost.exe -
Microsoft Internet Explorer
1348 cmd.exe Title: E:\WINDOWS\System32\cmd.exe - tlist -s
1428 tlist.exe


Many services, drivers, and modules load at system startup and are essential to system operation. Even though they show up in Task Manager, they're still critical.

The svchosts are defined in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.


Similar issues :
http://www.daniweb.com/techtalkforums/thread154.html


0
 
bullshooter5Commented:
Try this:

Hold down the keys CTRL and ALT with left hand and while holding them down tap the DEL key.  This brings up the task manager.   Select the processes tab. Hopefully the "Mem usage column is visible but if it is not configure it up from the options heading.

Now click on the heading until the heavy users come to the top.  Now, who is he memory hog, or which program

bs5    
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
bullshooter5Commented:
other than svchost that is
0
 
senadCommented:
I hope you have read carefully my comment.
Service can not be stopped.
However your svchost is triggering a process that is responsible for your CPU usage.
These high consuming CPU processes are usually antivirus programmes and stuff like that...
If you do not have a powerfull machines then I suggest you wait till the red (or green) led on your PC
stops blinking.
CTRL-ALT-DEL does not show you CPU usage on current operation.
(Example:You will se system idle proces uses 97% CPU but if you check preformance you will see CPU usage about 2%)
0
 
coderlenAuthor Commented:
Thanks for all the responses.

LeeTutor, that link is dead. In fact, I think Microsoft has completely turned off any links that begin with
"http://support.microsoft.com/?kbid=...". Probably something in their grand scheme of things, to stop supporting some of their products. Thanks. I just wish the information was still available.

senad, I read that info. earlier today, and I think you left out the "not". Here is what you said:
The svchost.exe file is located in the c:\windows\System32 folder. In other cases, svchost.exe is a virus, spyware, trojan or worm!

And this is what I think it should be, with the "not" added:
The svchost.exe file is located in the c:\windows\System32 folder. In other cases, svchost.exe is a NOT virus, spyware, trojan or worm!
Anyway, senad, you had some good information in there, especially about the "tlist" command. Thanks.

senad, I looked at that link you posted. (http://www.daniweb.com/techtalkforums/thread154.html) I tried the "services.msc /s". That is a very interesting service. However, even after trying that, the problem remains unchanged.

All these suggestions are interesting, but in my case, they are not helping.

What could it be? Surely someone out there has the answer. I am dead-ended. I still can't click on the "Start" button, and still I must use Start->Start Task (run) to execute any new programs or tasks.

I'm still waiting for the answer. Thanks.
0
 
jholland79Commented:
Firstly,
I don't think that link is dead. I have just navigated to it.
Secondly,
what happens when you boot to Safe Mode?
I would recommend that you boot to Safe Mode and run all those programs repeatedly until each of them reports no detections.
Then run msconfig from the run dialog, under Services select Hide MS Services and disable all others. Disable all Startup items. Reboot and see what happens then.
You should also download Hijack This (prob best to enable your AV in msconfig and reboot first):
http://80.237.140.193/downloads/hijackthis_199.zip
and run the log files through the following tools:
http://www.hijackthis.de/en
http://hjt.iamnotageek.com/
Let us know if they find anything.
John.
ps I tend to use HJT as follows:
1. Boot into windows with non-MS services and startup items disabled
2. Enable 'Normal Startup' in msconfig but exit WITHOUT restarting.
3. Then run HJT and parse through above sites.

0
 
LeeTutorretiredCommented:
Nope, it's not dead.  I can access it.  However, I have copied the article from my Windows Problems database below:

http://support.microsoft.com/?kbid=314056
A Description of Svchost.exe in Windows XP
The information in this article applies to:
Microsoft Windows XP Professional

This article was previously published under Q314056
For a Microsoft Windows 2000 version of this article, see 250320.

SUMMARY
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running.
   Image Name         PID      Services
   ========================================================================
   System Process        0     N/A
   System                8     N/A    
   Smss.exe            132     N/A
   Csrss.exe           160     N/A
   Winlogon.exe        180     N/A
   Services.exe        208     AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                               Eventlog,LanmanServer,LanmanWorkstation,
                               LmHosts,Messenger,PlugPlay,ProtectedStorage,
                               Seclogon,TrkWks,W32Time,Wmi
   Lsass.exe            220    Netlogon,PolicyAgent,SamSs
   Svchost.exe          404    RpcSs
   Spoolsv.exe          452    Spooler
   Cisvc.exe            544    Cisvc
   Svchost.exe          556    EventSystem,Netman,NtmsSvc,RasMan,
                               SENS,TapiSrv
   Regsvc.exe           580    RemoteRegistry
   Mstask.exe           596    Schedule
   Snmp.exe             660    SNMP
   Winmgmt.exe          728    WinMgmt
   Explorer.exe         812    N/A
   Cmd.exe             1300    N/A
   Tasklist.exe        1144    N/A
                        
The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
RApcss :Reg_Multi_SZ: RpcSs


Last Reviewed: 8/6/2002
Keywords: kbinfo KB314056
0
 
RomeynCommented:
I recent'y had this same problem while helping someone with their Windows 2000 box.  I had to give up.  The Start button worked, but there were other anomalies:

- I couldn't drag anything from anywhere to anywhere else (e.g. desktop icons)
- attempts to go to windowsupdate.microsoft.com resulted in a blank web page.
- Various web sites that would otherwise allow me to download utilities like adaware and spybot were modified to prevent it.  (I had to download everything from an FTP server I maintain...from the command line)
- Add/Remove programs was completely broken, displaying gibberish when opened.
- Processor utilization was at 100%: svchost.exe
- gpedit.msc wouldn't let me select anything
- System was scanned with the latest versions/defs of F-Secure, Ad-Aware, and Spybot.  Things were found, all deleted.  Machine still wonky
- MS INstaller was busted, so I couldn't install MS AntiSpyware.  All attempts at re-installation os MS Installer failed.

I don't give up easily, but this thing kicked my ass.  I spent over 30 hours researching and troubleshooting it.  We're going to format it and start from scratch.

I sincerely hope you have better luck.
0
 
coderlenAuthor Commented:
Please don't get offended on the grades I gave. At least I gave out all the points! The reason for the "C" grades was that this was such a complicated situation, and while the replies were all excellent, they weren't right on the mark. Of course, it's tough to be on the mark through a forum. And this WAS a tough one.

Anyway, I thought I would post the solution here. Keep in mind that this computer is STILL not fixed, but the question I posted is. The computer is still not responding well, and the Start button and the Taskbar are still non-respondent. I have posted another question (also worth 500 points) at this link:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21385722.html

Here is how I solved this one. I had to dig it out of the EE archives. I used tasklist /svc to identify the offending process. In this case, "Iprip" was listed for my system. I noticed that it was not listed on another person's tasklist which they posted to the forum, nor is it listed on my other XP computer. Hmmm... Then I used Start->Control Panel->Administrative Tools->Services, and turned off each of the services one by one. After I turned off a service, I would check the Task Manager to see if the "svchost" CPU time was still at 99%. If it was unchanged, I just turned that service back on. When I turned off the "RIP Listener" service, the svchost CPU time immediately went down, and "System Idle Process" was again back up to 99% or so, where it should be. So, I knew I had solved THAT problem.

However, you would never know that anything was better, for I STILL can't click on the Start button. All I get is the hourglass.

Actually, I found a way to TEMPORARILY solve the Start button problem. If I use Task Manager to kill the "Explorer" process, and then start it up again with Task Manager, the Start button responds, but only for a few seconds. When the Start Menu came up, I couldn't select anything. Hence, the extra question which I posted.

Thanks again for the help. This is a great forum. Usually somebody has the answer, but even in a case like this one, the mental juices are flowing, and it's a great sounding board for ideas.
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

  • 2
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now