Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

svchost issue on windows 2003 server

Posted on 2010-09-07
16
Medium Priority
?
254 Views
Last Modified: 2012-08-13
Hi there,

I have an issue whereby I have a svchost process that is taking up over half of my server memory and I would very much like to get into this process as I am sure alot of it is not needed...! How can i do this..?

thx

phil
0
Comment
Question by:philipgecko
  • 9
  • 6
16 Comments
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33618699
You can use process explorer from Microsoft Sysinternals to determine which applications are running under that specific svchost.  download it here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
 
0
 
LVL 2

Expert Comment

by:Thomas Gibson
ID: 33619429
Stop the Automatic Updates and BITS services and see if it goes down.
0
 

Author Comment

by:philipgecko
ID: 33621240
ive done that, it just shows me that the svchost process is taking up 854mb which is way too much... how can I reduce this...?? not sure what BITS services is but I have ensured that in msconfig that nothing is ion the startup and the windows updates are just on notify....
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621255
BITS is Backgroung Intelligent transfer Service
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621306
In Process Explorer, hover over the svchost.exe in question and it will display a list of services that are running under that particular process.  Report those back here and we may be able to help you further.
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621317
you can also right click on the svchost process in Process Explorer and click the service tab for a complete list of services running under that particular svchost process.
0
 

Author Comment

by:philipgecko
ID: 33621364
ooh thanks.. have a look at what I can see... see attached.... :)
Capture.PNG
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621419
DCOMlaunch: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Have you added any new hardware to the machine lately?
0
 

Author Comment

by:philipgecko
ID: 33621464
nope none whatsoever... we were hacked into last friday by some russian and it hasnt been right since.....
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621473
If you reboot, does it continue to use a lot of memory?
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621487
That process should be using less than 1MB of RAM.  If your server was hacked, you may want to consider restoring the system state from backup.
0
 

Author Comment

by:philipgecko
ID: 33621495
not to start off with but it just creeps up, i have a sneaky suspicion though that it only happens when logged in as administrator... i will double check this...
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621547
in Process Explorer, hover over the wmiprvse process directly below the svchost in question and either post a screenshot or post the path to the executable.  If it is no in the system32 folder, it is most likely a virus.  This could be the issue.
0
 

Author Comment

by:philipgecko
ID: 33621589
here it is...
Capture.PNG
0
 
LVL 6

Accepted Solution

by:
PartnerTek earned 2000 total points
ID: 33621757
That is the correct location that it should be running from, but doesn't rule out the possibility it is being hijacked by another malicious process to send information bout your machine to a 3rd party.  Run a virus scan on the machine and then go to http://www.superantispyware.com/download.html and download either the free version or Professional trial version and run a full scan with SuperAntispyware.  I am confident your server is infected by some sort of malware due the fact that the svchost in question is using a ton of memory and CPU, and also that the wmiprvse.exe is running as a a sub-process of the SVCHOST, which is not normal.
0
 

Author Comment

by:philipgecko
ID: 33624356
Ok that's great I'll do just that, thank you
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question