Solved

svchost issue on windows 2003 server

Posted on 2010-09-07
16
245 Views
Last Modified: 2012-08-13
Hi there,

I have an issue whereby I have a svchost process that is taking up over half of my server memory and I would very much like to get into this process as I am sure alot of it is not needed...! How can i do this..?

thx

phil
0
Comment
Question by:philipgecko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
16 Comments
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33618699
You can use process explorer from Microsoft Sysinternals to determine which applications are running under that specific svchost.  download it here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
 
0
 
LVL 2

Expert Comment

by:Thomas Gibson
ID: 33619429
Stop the Automatic Updates and BITS services and see if it goes down.
0
 

Author Comment

by:philipgecko
ID: 33621240
ive done that, it just shows me that the svchost process is taking up 854mb which is way too much... how can I reduce this...?? not sure what BITS services is but I have ensured that in msconfig that nothing is ion the startup and the windows updates are just on notify....
0
Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621255
BITS is Backgroung Intelligent transfer Service
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621306
In Process Explorer, hover over the svchost.exe in question and it will display a list of services that are running under that particular process.  Report those back here and we may be able to help you further.
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621317
you can also right click on the svchost process in Process Explorer and click the service tab for a complete list of services running under that particular svchost process.
0
 

Author Comment

by:philipgecko
ID: 33621364
ooh thanks.. have a look at what I can see... see attached.... :)
Capture.PNG
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621419
DCOMlaunch: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Have you added any new hardware to the machine lately?
0
 

Author Comment

by:philipgecko
ID: 33621464
nope none whatsoever... we were hacked into last friday by some russian and it hasnt been right since.....
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621473
If you reboot, does it continue to use a lot of memory?
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621487
That process should be using less than 1MB of RAM.  If your server was hacked, you may want to consider restoring the system state from backup.
0
 

Author Comment

by:philipgecko
ID: 33621495
not to start off with but it just creeps up, i have a sneaky suspicion though that it only happens when logged in as administrator... i will double check this...
0
 
LVL 6

Expert Comment

by:PartnerTek
ID: 33621547
in Process Explorer, hover over the wmiprvse process directly below the svchost in question and either post a screenshot or post the path to the executable.  If it is no in the system32 folder, it is most likely a virus.  This could be the issue.
0
 

Author Comment

by:philipgecko
ID: 33621589
here it is...
Capture.PNG
0
 
LVL 6

Accepted Solution

by:
PartnerTek earned 500 total points
ID: 33621757
That is the correct location that it should be running from, but doesn't rule out the possibility it is being hijacked by another malicious process to send information bout your machine to a 3rd party.  Run a virus scan on the machine and then go to http://www.superantispyware.com/download.html and download either the free version or Professional trial version and run a full scan with SuperAntispyware.  I am confident your server is infected by some sort of malware due the fact that the svchost in question is using a ton of memory and CPU, and also that the wmiprvse.exe is running as a a sub-process of the SVCHOST, which is not normal.
0
 

Author Comment

by:philipgecko
ID: 33624356
Ok that's great I'll do just that, thank you
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question