  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 256

svchost issue on windows 2003 server

Hi there,

I have an issue whereby I have a svchost process that is taking up over half of my server memory and I would very much like to get into this process as I am sure a lot of it is not needed...! How can I do this..?

thx

phil
Asked: philipgecko
 
PartnerTek Commented:
You can use Process Explorer from Microsoft Sysinternals to determine which applications are running under that specific svchost. Download it here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
 
Thomas Gibson Commented:
Stop the Automatic Updates and BITS services and see if it goes down.
 
philipgecko (Author) Commented:
I've done that, it just shows me that the svchost process is taking up 854mb which is way too much... how can I reduce this...?? Not sure what BITS services is but I have ensured in msconfig that nothing is in the startup and the Windows updates are just on notify....
 
PartnerTek Commented:
BITS is Background Intelligent Transfer Service
 
PartnerTek Commented:
In Process Explorer, hover over the svchost.exe in question and it will display a list of services that are running under that particular process. Report those back here and we may be able to help you further.
 
PartnerTek Commented:
You can also right-click on the svchost process in Process Explorer and click the Service tab for a complete list of services running under that particular svchost process.
 
philipgecko (Author) Commented:
ooh thanks.. have a look at what I can see... see attached.... :)
Capture.PNG
 
PartnerTek Commented:
DCOMlaunch: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Have you added any new hardware to the machine lately?
 
philipgecko (Author) Commented:
Nope, none whatsoever... we were hacked into last Friday by some Russian and it hasn't been right since.....
 
PartnerTek Commented:
If you reboot, does it continue to use a lot of memory?

PartnerTek Commented:
That process should be using less than 1MB of RAM. If your server was hacked, you may want to consider restoring the system state from backup.
 
philipgecko (Author) Commented:
Not to start off with but it just creeps up, I have a sneaky suspicion though that it only happens when logged in as administrator... I will double check this...
 
PartnerTek Commented:
In Process Explorer, hover over the wmiprvse process directly below the svchost in question and either post a screenshot or post the path to the executable. If it is not in the system32 folder, it is most likely a virus. This could be the issue.
 
philipgecko (Author) Commented:
here it is...
Capture.PNG
 
PartnerTek Commented:
That is the correct location that it should be running from, but doesn't rule out the possibility it is being hijacked by another malicious process to send information about your machine to a 3rd party. Run a virus scan on the machine and then go to http://www.superantispyware.com/download.html and download either the free version or Professional trial version and run a full scan with SuperAntispyware. I am confident your server is infected by some sort of malware due to the fact that the svchost in question is using a ton of memory and CPU, and also that the wmiprvse.exe is running as a sub-process of the SVCHOST, which is not normal.
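The checks suggested in this thread (which services each svchost.exe hosts, how much memory it holds, and whether wmiprvse.exe runs from the system32 folder) can also be scripted over WMI. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later is installed on the server and an elevated session, and the variable and column names are illustrative.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0+ and an
# elevated session; without elevation ExecutablePath may come back empty.

$sys32 = (Join-Path $env:SystemRoot 'system32').ToLower() + '\'
$watch = @('svchost.exe', 'wmiprvse.exe')

# Index every process by PID so a parent PID can be resolved to a name.
$procs = @{}
Get-WmiObject -Class Win32_Process |
    ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# Group running services by the PID of the process that hosts them.
$svcByPid = @{}
Get-WmiObject -Class Win32_Service -Filter "State = 'Running'" |
    ForEach-Object {
        $id = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
        $svcByPid[$id] += $_.Name
    }

$report = foreach ($p in $procs.Values) {
    if ($watch -notcontains $p.Name) { continue }

    $path   = $p.ExecutablePath
    $parent = $procs[[int]$p.ParentProcessId]

    # A PID can be reused after the real parent exits, so treat the
    # parent name as a hint only.
    $parentName = '(exited)'
    if ($parent) { $parentName = $parent.Name }

    $inSys32 = $false
    if ($path) { $inSys32 = $path.ToLower().StartsWith($sys32) }

    New-Object PSObject -Property @{
        ProcessId  = $p.ProcessId
        Name       = $p.Name
        MemoryMB   = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Parent     = $parentName
        Path       = $path
        InSystem32 = $inSys32
        Services   = ($svcByPid[[int]$p.ProcessId] -join ', ')
    }
}

# Largest memory consumers first; InSystem32 = False deserves a closer look.
$report | Sort-Object MemoryMB -Descending |
    Select-Object ProcessId, Name, MemoryMB, Parent, InSystem32, Services, Path |
    Format-Table -AutoSize -Wrap
```

Running it again after the memory has crept up shows which svchost.exe instance, and therefore which group of services, is growing.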
 
philipgecko (Author) Commented:
Ok that's great I'll do just that, thank you
