Solved

svchost issue on windows 2003 server

Posted on 2010-09-07
16
241 Views
Last Modified: 2012-08-13
Hi there,

I have an issue whereby I have a svchost process that is taking up over half of my server memory and I would very much like to get into this process as I am sure alot of it is not needed...! How can i do this..?

thx

phil
0
Comment
Question by:philipgecko
  • 9
  • 6
16 Comments
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33618699
You can use process explorer from Microsoft Sysinternals to determine which applications are running under that specific svchost.  download it here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
 
0
 
LVL 2

Expert Comment

by:Thomas Gibson
ID: 33619429
Stop the Automatic Updates and BITS services and see if it goes down.
0
 

Author Comment

by:philipgecko
ID: 33621240
ive done that, it just shows me that the svchost process is taking up 854mb which is way too much... how can I reduce this...?? not sure what BITS services is but I have ensured that in msconfig that nothing is ion the startup and the windows updates are just on notify....
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621255
BITS is Backgroung Intelligent transfer Service
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621306
In Process Explorer, hover over the svchost.exe in question and it will display a list of services that are running under that particular process.  Report those back here and we may be able to help you further.
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621317
you can also right click on the svchost process in Process Explorer and click the service tab for a complete list of services running under that particular svchost process.
0
 

Author Comment

by:philipgecko
ID: 33621364
ooh thanks.. have a look at what I can see... see attached.... :)
Capture.PNG
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621419
DCOMlaunch: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Have you added any new hardware to the machine lately?
0
 

Author Comment

by:philipgecko
ID: 33621464
nope none whatsoever... we were hacked into last friday by some russian and it hasnt been right since.....
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621473
If you reboot, does it continue to use a lot of memory?
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621487
That process should be using less than 1MB of RAM.  If your server was hacked, you may want to consider restoring the system state from backup.
0
 

Author Comment

by:philipgecko
ID: 33621495
not to start off with but it just creeps up, i have a sneaky suspicion though that it only happens when logged in as administrator... i will double check this...
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621547
in Process Explorer, hover over the wmiprvse process directly below the svchost in question and either post a screenshot or post the path to the executable.  If it is no in the system32 folder, it is most likely a virus.  This could be the issue.
0
 

Author Comment

by:philipgecko
ID: 33621589
here it is...
Capture.PNG
0
 
LVL 6

Accepted Solution

by:
PartnerTek earned 500 total points
ID: 33621757
That is the correct location that it should be running from, but doesn't rule out the possibility it is being hijacked by another malicious process to send information bout your machine to a 3rd party.  Run a virus scan on the machine and then go to http://www.superantispyware.com/download.html and download either the free version or Professional trial version and run a full scan with SuperAntispyware.  I am confident your server is infected by some sort of malware due the fact that the svchost in question is using a ton of memory and CPU, and also that the wmiprvse.exe is running as a a sub-process of the SVCHOST, which is not normal.
0
 

Author Comment

by:philipgecko
ID: 33624356
Ok that's great I'll do just that, thank you
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question