• Status: Solved

SVCHOST is consuming cpu utilization!

How do I see which service under the Image Name of svchost.exe is causing the problem and how do I stop that individual service?
Just killing the svchost.exe PID that is using the CPU affects a number of services that are needed.

This is on Windows XP with SP2.

Here is part of the tasklist detail:

C:\Program Files\Windows Resource Kits\Tools>tasklist /svc

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     472 N/A
csrss.exe                    976 N/A
winlogon.exe                1004 N/A
services.exe                1048 Eventlog, PlugPlay
lsass.exe                   1060 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe                1224 Ati HotKey Poller
svchost.exe                 1236 DcomLaunch, TermService
svchost.exe                 1332 RpcSs
MsMpEng.exe                 1524 WinDefend
svchost.exe                 1576 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                 wscsvc, wuauserv
svchost.exe                 1616 Dnscache
svchost.exe                 1844 LmHosts, RemoteRegistry, SSDPSRV, upnphost,
                                 WebClient

Here is the PSTAT output but just with the offending service:

pid:628 pri: 8 Hnd: 1870 Pf:63823505 Ws:  24144K svchost.exe
 tid pri Ctx Swtch StrtAddr    User Time  Kernel Time  State
 62c   9       384 7C810665  0:00:00.000  0:00:00.000 Wait:Executive
 630   9      1607 7C810659  0:00:00.015  0:00:00.015 Wait:LpcReceive
 634   8       680 7C810659  0:00:00.000  0:00:00.000 Wait:DelayExecution
 64c   8        27 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 680   9      2372 7C810659  0:00:00.187  0:00:03.765 Wait:UserRequest
 694   8         5 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 698   8        72 7C810659  0:00:00.000  0:00:00.000 Wait:LpcReceive
  b4   8       260 7C810659  0:00:00.015  0:00:00.000 Wait:UserRequest
  c4   8       300 7C810659  0:00:00.015  0:00:00.015 Wait:UserRequest
  d0   8       889 7C810659  0:00:00.015  0:00:00.031 Wait:EventPairLow
  d4  10       140 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
  dc   8       140 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 110   8      2791 7C810659  0:00:00.796  0:00:01.015 Wait:UserRequest
 128   8       107 7C810659  0:00:00.000  0:00:00.000 Wait:DelayExecution
 13c   8      1412 7C810659  0:00:00.203  0:00:00.156 Wait:EventPairLow
 16c  10       122 7C810659  0:00:00.015  0:00:00.000 Wait:UserRequest
 178   8       400 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 17c   8        15 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 184   9        18 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 19c   8       139 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 208  10      5120 7C810659  0:00:00.343  0:00:00.281 Wait:LpcReceive
 254  11        25 7C810659  0:00:00.000  0:00:00.000 Wait:LpcReceive
 558  10        32 7C810659  0:00:00.000  0:00:00.000 Wait:LpcReceive
 55c   9         3 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 56c   8       216 7C810659  0:00:00.000  0:00:00.046 Wait:UserRequest
 578  15        12 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 6b0   9       571 7C810659  0:00:00.062  0:00:00.015 Wait:UserRequest
  cc   9       253 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 160   8       328 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 288   8      1258 7C810659  0:00:00.218  0:00:00.171 Wait:EventPairLow
 2e8   9      3134 7C810659  0:00:00.000  0:00:00.140 Wait:UserRequest
 370   9        44 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
  80   9         5 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 49c   9         5 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 6fc   9        64 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 5e0   8        99 7C810659  0:00:00.000  0:00:00.078 Wait:UserRequest
 8e0  10        80 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 930   9        18 7C810659  0:00:00.000  0:00:00.015 Wait:UserRequest
 a58   8       577 7C810659  0:00:00.000  0:00:00.015 Wait:UserRequest
 a6c   8         4 7C810659  0:00:00.000  0:00:00.000 Wait:LpcReply
 ad8   9       102 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 ae0   8       299 7C810659  0:00:00.015  0:00:00.000 Wait:EventPairLow
 b38   8      1494 7C810659  0:00:00.031  0:00:00.078 Wait:LpcReceive
 b48  10       109 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 b64   9    109284 7C810659  0:00:07.484  0:00:05.500 Wait:LpcReceive
 b68   9         1 7C810659  0:00:00.000  0:00:00.000 Wait:DelayExecution
 b70  10        69 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 bec   8         1 7C810659  0:00:00.000  0:00:00.000 Wait:EventPairLow
 bf0   9         3 7C810659  0:00:00.000  0:00:00.000 Wait:EventPairLow
 c00   9         2 7C810659  0:00:00.000  0:00:00.000 Wait:EventPairLow
 c2c  10        58 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 c4c   8         1 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 cec   8        17 7C810659  0:00:00.000  0:00:00.015 Wait:UserRequest
 e1c   8      9049 7C810659  0:00:00.156  0:00:00.015 Wait:LpcReceive
 e20   8       852 7C810659  0:00:00.015  0:00:00.000 Wait:EventPairLow
 e28   9      5839 7C810659  0:00:00.421  0:00:00.234 Wait:LpcReceive
 e58   9      9078 7C810659  0:00:00.093  0:00:00.062 Wait:LpcReceive
 eb8   8      9043 7C810659  0:00:00.125  0:00:00.078 Wait:LpcReceive
 f58   8        49 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
  f0   9        91 7C810659  0:00:00.000  0:00:00.000 Wait:UserRequest
 f74   9     43812 7C810659  0:00:02.421  0:00:02.015 Wait:LpcReceive
 f78   8   1156415 7C810659  0:25:58.062  0:09:26.828 Wait:UserRequest
 1fc   8       138 7C810659  0:00:00.000  0:00:00.000 Wait:LpcReceive
 1074   9      2406 7C810659  0:00:00.218  0:00:00.187 Wait:LpcReceive
 17e0   9    149899 7C810659  0:00:09.843  0:00:07.562 Wait:DelayExecution
 17d4   9     19833 7C810659  0:00:01.421  0:00:01.015 Wait:LpcReceive
 718   8      9625 7C810659  0:00:00.375  0:00:00.390 Wait:LpcReceive
 13ac   9     62412 7C810659  0:00:03.640  0:00:03.656 Wait:LpcReceive
 17bc   8     49819 7C810659  0:00:03.578  0:00:02.812 Wait:LpcReceive
 1248   9     12673 7C810659  0:00:00.671  0:00:00.703 Wait:DelayExecution
 ee4   8     15753 7C810659  0:00:00.859  0:00:00.796 Ready
Asked by: paultormey
1 Solution
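The two outputs in the question can be correlated offline. The following is an added example, not part of the original thread: it parses a few rows excerpted from the posted `tasklist /svc` and PSTAT output, maps the PSTAT process to its service group, and ranks threads by CPU time. It assumes PSTAT prints the pid in hexadecimal, which is consistent with 0x628 = 1576 matching the largest svchost.exe group above; the function names are illustrative.

```python
import re
# Rows excerpted from the tasklist /svc and PSTAT output posted above (trimmed).
TASKLIST = """\
svchost.exe                 1332 RpcSs
svchost.exe                 1576 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 wscsvc, wuauserv
"""
PSTAT = """\
pid:628 pri: 8 Hnd: 1870 Pf:63823505 Ws:  24144K svchost.exe
 tid pri Ctx Swtch StrtAddr    User Time  Kernel Time  State
 b64   9    109284 7C810659  0:00:07.484  0:00:05.500 Wait:LpcReceive
 f78   8   1156415 7C810659  0:25:58.062  0:09:26.828 Wait:UserRequest
 17e0   9    149899 7C810659  0:00:09.843  0:00:07.562 Wait:DelayExecution
"""
THREAD_ROW = re.compile(r"\s*([0-9a-f]+)\s+\d+\s+\d+\s+[0-9A-F]{8}\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_tasklist(text):
    """Map decimal PID -> service names, joining wrapped continuation lines."""
    services, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            pid, line = int(m.group(2)), m.group(3)
        elif pid is None or not line.startswith(" "):
            continue  # header or separator line, not a wrapped service list
        services.setdefault(pid, []).extend(
            s.strip() for s in line.split(",") if s.strip())
    return services

def seconds(stamp):
    h, m, s = stamp.split(":")  # PSTAT CPU time is h:mm:ss.mmm
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_pstat(text):
    """Return (decimal pid, threads as (tid, cpu_seconds, state)), busiest first."""
    # Assumption: PSTAT prints the pid in hex (0x628 == 1576 in the tasklist).
    pid = int(re.search(r"pid:\s*([0-9a-fA-F]+)", text).group(1), 16)
    rows = [m.groups() for m in map(THREAD_ROW.match, text.splitlines()) if m]
    threads = [(tid, seconds(u) + seconds(k), st) for tid, u, k, st in rows]
    return pid, sorted(threads, key=lambda t: t[1], reverse=True)

def hot_process(tasklist_text, pstat_text):
    """Correlate both outputs: services sharing the process and its hottest thread."""
    pid, threads = parse_pstat(pstat_text)
    services = parse_tasklist(tasklist_text).get(pid, [])
    return {"pid": pid, "services": services, "top_thread": threads[0]}

if __name__ == "__main__":
    print(hot_process(TASKLIST, PSTAT))
```

This narrows the load to thread f78 inside the service group sharing PID 1576; the PSTAT rows alone do not say which of those services owns that thread.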
 
spiritfan Commented:
Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) might help you find out what is causing your svchost to run so much.
 
r-k Commented:
Yes, Process Explorer is a good place to start. Most likely you'll find that svchost is not the real culprit. Here is my list of things to look for when cpu usage appears abnormally high:

(1) Hardware malfunction
(2) Malware or rootkit
(3) Corrupted user profile
(4) Misbehaving AV or other service or driver.

I would suggest the following:
(a) Log in as a different user - does the problem persist? If so, then rule out option (3) above.
(b) Disable any AV program or anything else unnecessary and see if that helps.
(c) Run Process Explorer from http://www.sysinternals.com/Utilities/ProcessExplorer.html 
    It shows a lot more detail than Task Manager. In particular, if it shows CPU
    time being used by "Interrupts" then there might be a hardware problem.
(d) Scan your system for malware. At the very least, run the following two programs:
 (d.1) RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html
 (d.2) Download and run HijackThis from http://www.hijackthis.de/
       Copy-and-paste the resulting log back to that same web site (not here)
       Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
       Review for anything unusual.
 
paultormey (Author) Commented:
The above link takes you to:
http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.html

Which is a Microsoft page with all sorts of info...so what now?
 
r-k Commented:
Oops, sorry, MS changed the links on us. Here are the correct links:

 Process Explorer: http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

 Rootkit Revealer: http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

 
paultormey (Author) Commented:
r-k,

I was about to rebuild the laptop, was really getting desperate. Biggest problem was, this laptop was my wife's. I had given away her old Sony laptop and given her my newer Fujitsu-Siemens Laptop. Ever since then, we have been having this problem.

I had installed AntiSpywareBOT, REGCLEAN and also MS Windows Defender. They all found problems which they resolved, but my problem persisted.

I had tried everything and didn't try your advice on a possibly corrupt user profile - until this afternoon. I mean, how can that affect the system so badly?

Well guess what, it did. All I had to do was:
... log off as WIFE
... logon as ME
.......problem wasn't there anymore
... logoff as ME
...logon as WIFE....VOILA!!!

Thanks for your help..
...
 
r-k Commented:
Great to hear that. Thanks and good luck.