[Last Call] Learn how to a build a cloud-first strategyRegister Now


svchost.exe 100% cpu

Posted on 2006-04-07
Medium Priority
Last Modified: 2008-02-01
Hi Folks,

I have a PC running Windows XP Home edition. This Pc stopped working and could not get past the logon screen (you would click on the user then it would just hang loading personal settings). I could start in safe mode, the desktop would load up but i could not access anything due to the svchost.exe and explorer.exe taking up all the CPU usage. If i stop the svchost.exe process then the explorer.exe process shoots up to 100%.

I have started in safe mode with command prompt and ran sophos command line software with the latest IDE's and it found a few viruses

After removing these and restarting i have the same problem.

Also when i start in safe mode with command prompt and then go into task manager svchost.exe is sitting at 100%

Anyone have any ideas on what i can do to sort this problem?

Many thanks in adavnce,


Question by:Baikie
  • 3
  • 2
  • 2
LVL 59

Expert Comment

ID: 16400246
Besides viruses, you should check for adware, spyware, etc.  Also try these free programs to rid your system of spyware, trojans, and other malware:

Spybot - Search & Destroy

LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.
LVL 59

Expert Comment

ID: 16400265
from Lockergnome, 1-28-03 edition:

Question: How do I find out what is starting a service on my computer? The name of the service is svchost.exe and the user name is Local Service. It starts with the first logon and eats a consistent 25-35% of CPU processing time. I have ended the process using the Windows Task Manager and have not had any problems. Any insight would be appreciated.
Answer: I think we can shed a little light on your svchost.exe problem. You didn't say whether you are using Windows XP or Windows 2000, so I will try to give the information for both. First, let's address what the svchost.exe program is used for. As quoted from Microsoft Knowledge Base Article - 314056: "At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging." In layman's terms, it is basically an easy way for your computer to execute a lot of DLL files that are needed at startup. So instead of just ending one of the instances of svchost.exe, we need to find what set of DLLs might be causing your processing problem.

In Windows XP, you can get a list of running services by going to Start | Run | type "CMD" | click OK. Type "tasklist /svc" (sans quotes) and then press Enter. Now you will have a list of every DLL running under each svchost.exe instance. For Windows 2000, you need to extract the Tlist.exe utility from the Support.cab file on your Windows 2000 installation CD. You still need to open a command window, but you will need to navigate to where you extracted the Tlist.exe file to, type "tlist -s" (sans quotes), and then press Enter.

For more information, see Microsoft Knowledge Base Article - 250320. Svchost.exe groups are identified in the following registry key: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Svchost. Also, each svchost group extracts its service names from the following registry key, whose Parameters key contains a ServiceDLL value: HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ . Be sure to back up the registry key you are configuring before you make a change. You do this by browsing the desired registry key, and then going to File | Export. Follow the prompts, and you will now have a way to bring back that registry key (if you accidentally damaged it). I hope this helps to answer your question, but if you're still hunting for an answer after trying this suggestion, feel free to post your question in the Lockergnome forums, at help.lockergnome.com. [Brian]

Author Comment

ID: 16400522

cheers for the reply.

I would be interested to know the list of running services but unfortunately when i start windows in anything other than 'safe mode with command prompt' it freezes up as the cpu is at 100%.

Would i be able to run this tasklist form the command prompt?

This is Xp Home edition also



Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

LVL 59

Expert Comment

ID: 16400756
Yes, you should be able to run it from Safe mode with command prompt.
LVL 47

Expert Comment

ID: 16406315
This is just a shot in the dark, hijackthis will not show much info in safe mode.

Still it might show something.
Please download HijackThis 1.99.1
Open Hijackthis, click "scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
and click "Analyse", "Save".  Post a link to the saved list here.

Author Comment

ID: 16415505
Once again cheers for the replies,

I ran Sophos from the command line and it picked the SpyJack-E virus but it could not delete the file as access denied.

the files it could not delete were as follows:


I  downloaded a program called Process explorer and had a look at what processes the svchost was using and sure enough the oleext.dll was listed. I killed the process from within Process explorer and the CPU came down to 0%.

I then went back into the command prompt and manually deleted the oleext.dll without any problem. However i cannot seem to be able to delete the wininet.dll as access denied.

Have you heard of this virus before and do you know how i can rid of it? or delete the other offending dll?

Many Thanks,

LVL 47

Accepted Solution

rpggamergirl earned 500 total points
ID: 16415829
oleext.dll is one of the smitrem file in smitfraud family of infections. Smitfraud  also infects wininet.dll.
If you use "Smitrem" it removes all the files belonging to smitfraud variants and it also replaces a clean copy of wininet.dll.
The malware should've showed up in your Hijackthis log.

Download http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Next, please reboot your computer in Safe Mode:

Open the "smitRem" folder, then double click the "RunThis.bat" file to start the tool. Follow the prompts on screen.  Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
If you have done a reformat of your hard drive and proceeded to do a successful Windows XP installation, you may notice that a choice between two operating systems when you start up the machine. Here is how to get rid of this: Click Start Clic…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Suggested Courses
Course of the Month18 days, 1 hour left to enroll

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question