?
Solved

svchost issue on windows 2003 server

Posted on 2010-09-07
16
Medium Priority
?
251 Views
Last Modified: 2012-08-13
Hi there,

I have an issue whereby I have a svchost process that is taking up over half of my server memory and I would very much like to get into this process as I am sure alot of it is not needed...! How can i do this..?

thx

phil
0
Comment
Question by:philipgecko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
16 Comments
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33618699
You can use process explorer from Microsoft Sysinternals to determine which applications are running under that specific svchost.  download it here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
 
0
 
LVL 2

Expert Comment

by:Thomas Gibson
ID: 33619429
Stop the Automatic Updates and BITS services and see if it goes down.
0
 

Author Comment

by:philipgecko
ID: 33621240
ive done that, it just shows me that the svchost process is taking up 854mb which is way too much... how can I reduce this...?? not sure what BITS services is but I have ensured that in msconfig that nothing is ion the startup and the windows updates are just on notify....
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621255
BITS is Backgroung Intelligent transfer Service
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621306
In Process Explorer, hover over the svchost.exe in question and it will display a list of services that are running under that particular process.  Report those back here and we may be able to help you further.
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621317
you can also right click on the svchost process in Process Explorer and click the service tab for a complete list of services running under that particular svchost process.
0
 

Author Comment

by:philipgecko
ID: 33621364
ooh thanks.. have a look at what I can see... see attached.... :)
Capture.PNG
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621419
DCOMlaunch: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Have you added any new hardware to the machine lately?
0
 

Author Comment

by:philipgecko
ID: 33621464
nope none whatsoever... we were hacked into last friday by some russian and it hasnt been right since.....
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621473
If you reboot, does it continue to use a lot of memory?
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621487
That process should be using less than 1MB of RAM.  If your server was hacked, you may want to consider restoring the system state from backup.
0
 

Author Comment

by:philipgecko
ID: 33621495
not to start off with but it just creeps up, i have a sneaky suspicion though that it only happens when logged in as administrator... i will double check this...
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621547
in Process Explorer, hover over the wmiprvse process directly below the svchost in question and either post a screenshot or post the path to the executable.  If it is no in the system32 folder, it is most likely a virus.  This could be the issue.
0
 

Author Comment

by:philipgecko
ID: 33621589
here it is...
Capture.PNG
0
 
LVL 6

Accepted Solution

by:
PartnerTek earned 2000 total points
ID: 33621757
That is the correct location that it should be running from, but doesn't rule out the possibility it is being hijacked by another malicious process to send information bout your machine to a 3rd party.  Run a virus scan on the machine and then go to http://www.superantispyware.com/download.html and download either the free version or Professional trial version and run a full scan with SuperAntispyware.  I am confident your server is infected by some sort of malware due the fact that the svchost in question is using a ton of memory and CPU, and also that the wmiprvse.exe is running as a a sub-process of the SVCHOST, which is not normal.
0
 

Author Comment

by:philipgecko
ID: 33624356
Ok that's great I'll do just that, thank you
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question