Discovering what is running on the svchost.exe stack

How does one find out what services or applications are running under svchost.exe?  I have a situation where svchost.exe is peaking out the processor and the battery of av/am applications that I've run have not discovered anything (including three rootkit detection tools).  There is something going on here as it is causing terrible pauses in the system and it should be much more responsive with 768 MB of memory.

Again, I believe that the root is digging out what is going on exactly with svchost.exe.  I'm assuming that this process is some sort of a container process for services of some sort.
gpsocsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LeeTutorretiredCommented:
This MSKB article gives you some info on SVCHOST.EXE:

http://support.microsoft.com/default.aspx?scid=kb;en-us;314056
A Description of Svchost.exe in Windows XP

In order to see what services are connected with each instance of Svchost.exe that is running under Task Manager, you should:  go to Start -> Run -> type CMD and hit Enter key -> type tasklist /svc in the DOS-like dialog box and hit the Enter key.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
You can also use ProcessExplorer to see more details on usage. - Formerly a sysinternals tool, it's currently available from Microsoft.

http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx
0
gpsocsAuthor Commented:
Oddly enough `Tasklist` is not available on this system it appears.  As you, and Microsoft, describe the command it cannot be run on this system.  Am I missing something, has this been deleted by an infection per chance?  I'll keep digging...
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

LeeTutorretiredCommented:
The article says it applies to XP Pro.  Are you running Home?
0
rpggamergirlCommented:
Sometimes svchost problems are caused by the windows auto-update software.
If you have it on, try turning auto-update off and reboot, at least that's one cause that can be ruled out at least.

Svchost of course, usually malware/viruses are most common causes for this but not always.

Please show us your hijackthis log, most malware show up in the scan.
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

0
gpsocsAuthor Commented:
Yes, it is Home.  I'll grab a copy off of a Pro box.  

With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections and invalid entries as normal, but I can certainly check it again and post my result.

Give me a few minutes and I'll be back.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
Is there a reason you are not going to try Process Explorer?
0
hvymtl0u812Commented:
I would agree with leew.  ProcessExplorer will give you a detailed description of all the images (files) being used by each instance of svchost.exe.  I have ProcessExplorer as a part of my standard "toolbox."  It can also be used to monitor network connections in a far more user-friendly manner than netstat.  VERY useful tool.
0
rpggamergirlCommented:
>>With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections<<

Can you also please show us those entries that you already removed? it will help us. You can get it from the backup that hijackthis keeps, thanks.

A clean hijackthis log won't be helpful to us.
Bad entries once removed will no longer show up in the scan unless it's one of those persistent and stubborn malware.
0
gpsocsAuthor Commented:
Alright, I pulled the results of that unit on over and I'll paste it below.  First will be the `tasklist /svc` result.  Next will be the HJT result.

`tasklist /svc` output:
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       624 N/A
csrss.exe                      672 N/A
winlogon.exe                   696 N/A
services.exe                   740 Eventlog, PlugPlay
lsass.exe                      752 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    900 DcomLaunch, TermService
svchost.exe                    964 RpcSs
MsMpEng.exe                   1052 WinDefend
svchost.exe                   1096 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
                                   EventSystem,
                                   FastUserSwitchingCompatibility, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   SharedAccess, ShellHWDetection, srservice,
                                   TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                   wscsvc, wuauserv
svchost.exe                   1208 Dnscache
svchost.exe                   1260 LmHosts, SSDPSRV, WebClient
explorer.exe                  1428 N/A
LEXBCES.EXE                   1464 LexBceS
spoolsv.exe                   1504 Spooler
LEXPPS.EXE                    1540 N/A
Nhksrv.exe                    1648 Nhksrv
guard.exe                     1664 AVG Anti-Spyware Guard
avgamsvr.exe                  1676 Avg7Alrt
avgupsvc.exe                  1748 Avg7UpdSvc
FrameworkService.exe          1820 McAfeeFramework
MDM.EXE                       1892 MDM
svchost.exe                    184 stisvc
naPrdMgr.exe                   508 N/A
DellMMKb.exe                   584 N/A
LXSUPMON.EXE                   320 N/A
iTunesHelper.exe               604 N/A
MSASCui.exe                    612 N/A
avgcc.exe                      588 N/A
avgas.exe                      644 N/A
PicasaMediaDetector.exe        648 N/A
ctfmon.exe                     652 N/A
OSD.exe                        856 N/A
AIRPLUS.EXE                   2508 N/A
iPodService.exe               2520 iPod Service
alg.exe                       2580 ALG
wuauclt.exe                    440 N/A
taskmgr.exe                   2892 N/A
UpdaterUI.exe                 3648 N/A
cmd.exe                       3720 N/A
tasklist.exe                  3964 N/A
wmiprvse.exe                  2928 N/A


HijackThis Output:
Logfile of HijackThis v1.99.1
Scan saved at 9:21:38 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\cmd.exe
\192.168.0.3\gplymale\Repair\Repair USB\Repair CD\HijackThis\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174342726421
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

0
rpggamergirlCommented:
Thanks for the log, sorry nothing stood out there, is it possible for us to see those bad entries that you removed? thanks.
0
gpsocsAuthor Commented:
No, sorry, those were removed some time ago and this unit is one that returned for a modem repair but I noticed those pauses were still existent and driving me nuts so I'm trying to figure out what might be going on.  I've only seen an issue like this once before of the last several years and it took a reinstallation (ie, not repair installation) to resolve the issue...  So I'm worried as to what could be causing this pause.

I really wish Windows had better diagnostic tools that could isolate pauses like this.  Are there any other deeper tools that pick up unresponsive apps and services as such that I'm overlooking?
0
r-kCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:
Oh look - that article says to use process explorer - mentioned much earlier in your question... again... is there ANY reason you are ignoring my posts?
0
gpsocsAuthor Commented:
I apologize leew, I had already used that long ago.  I did check it again at your behest and did find another item, however this was not the issue, but useful nonetheless so thanks.  

It appears that the article referred to by r-k was the key in terms of a resolution even though the proc hanging was hard to isolate (read, I did not find it with process explorer again as it is acting very erratic, however after applying the hotfix things seem to have reached normalcy).
0
rpggamergirlCommented:
So I was right in my very first post all along, that this was caused by windows auto-update software.
If you'd turned off autoupdates you would have found out that that was the one causing it.
0
r-kCommented:
"So I was right in my very first post all along"

Yes, rpggamergirl, you are correct once again. We may only ignore your comments at our own peril :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.