Solved

svchost issue on windows 2003 server

Posted on 2010-09-07
16
249 Views
Last Modified: 2012-08-13
Hi there,

I have an issue whereby I have a svchost process that is taking up over half of my server memory and I would very much like to get into this process as I am sure alot of it is not needed...! How can i do this..?

thx

phil
0
Comment
Question by:philipgecko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
16 Comments
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33618699
You can use process explorer from Microsoft Sysinternals to determine which applications are running under that specific svchost.  download it here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
 
0
 
LVL 2

Expert Comment

by:Thomas Gibson
ID: 33619429
Stop the Automatic Updates and BITS services and see if it goes down.
0
 

Author Comment

by:philipgecko
ID: 33621240
ive done that, it just shows me that the svchost process is taking up 854mb which is way too much... how can I reduce this...?? not sure what BITS services is but I have ensured that in msconfig that nothing is ion the startup and the windows updates are just on notify....
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621255
BITS is Backgroung Intelligent transfer Service
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621306
In Process Explorer, hover over the svchost.exe in question and it will display a list of services that are running under that particular process.  Report those back here and we may be able to help you further.
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621317
you can also right click on the svchost process in Process Explorer and click the service tab for a complete list of services running under that particular svchost process.
0
 

Author Comment

by:philipgecko
ID: 33621364
ooh thanks.. have a look at what I can see... see attached.... :)
Capture.PNG
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621419
DCOMlaunch: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Have you added any new hardware to the machine lately?
0
 

Author Comment

by:philipgecko
ID: 33621464
nope none whatsoever... we were hacked into last friday by some russian and it hasnt been right since.....
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621473
If you reboot, does it continue to use a lot of memory?
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621487
That process should be using less than 1MB of RAM.  If your server was hacked, you may want to consider restoring the system state from backup.
0
 

Author Comment

by:philipgecko
ID: 33621495
not to start off with but it just creeps up, i have a sneaky suspicion though that it only happens when logged in as administrator... i will double check this...
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621547
in Process Explorer, hover over the wmiprvse process directly below the svchost in question and either post a screenshot or post the path to the executable.  If it is no in the system32 folder, it is most likely a virus.  This could be the issue.
0
 

Author Comment

by:philipgecko
ID: 33621589
here it is...
Capture.PNG
0
 
LVL 6

Accepted Solution

by:
PartnerTek earned 500 total points
ID: 33621757
That is the correct location that it should be running from, but doesn't rule out the possibility it is being hijacked by another malicious process to send information bout your machine to a 3rd party.  Run a virus scan on the machine and then go to http://www.superantispyware.com/download.html and download either the free version or Professional trial version and run a full scan with SuperAntispyware.  I am confident your server is infected by some sort of malware due the fact that the svchost in question is using a ton of memory and CPU, and also that the wmiprvse.exe is running as a a sub-process of the SVCHOST, which is not normal.
0
 

Author Comment

by:philipgecko
ID: 33624356
Ok that's great I'll do just that, thank you
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Learn about cloud computing and its benefits for small business owners.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question