SVCHOST.exe consuming all memory in Windows 2008 R2

Posted on 2013-12-31
Last Modified: 2014-07-14
As the title states, I have an issue where SVCHOST.exe is slowly consuming all the memory on a server running Windows 2008 R2. The services being used by the svchost.exe PID are: nsi, netprofm, FontCache and EventSystem. Within two days it will consume all memory causing IIS to throw out errors.

I've tried various hotfixes, but none are applicable to this system. The issue appeared within the past 2 months. I've tried updating the drivers for the nic as well.

About the server: 2008 R2 Server, using IIS (Primary role), anti-virus is System Center 2012 Endpoint Protection (and SCCM 2012 agent), Landesk Agent, Broadcom BCM5716, 12GB of memory and it is the head node of a clustering search application where it displays results via a webpage (IIS) and communicates to four other nodes. The system has all MS security updates installed.
Question by:futureman0
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39748135
When memory usage is high, can you restart the services you listed one by one, checking the memory usage each time to see if the usage drops. If the memory stays high then there's other services being hosted by that instance that we need to check. If it drops for a particular service then we will know which one has the leak and can further troubleshoot.

BTW, what are you using to find the services running in that instance of svchost?

Author Comment

ID: 39748193
NSI, Network Store Interface Service, appears to be the culprit. I stopped the other three services, but they didn't have any affect till NSI was stopped.

SVCHOST.exe usage dropped back to normal once NSI was stopped (or attempted to) and the system became unstable and had to be reboot.

I'm just using the task manager, going to the services tab and the PID number is a column.
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39748208
Well it seems that is could be caused by several things like AV, malware, excessive pings, bad patches, and/or driver and firmware issues.

I would:
- Check to see if there are any updates for the NIC drivers and firmware.
- Make sure you server is free from infections
- Check your AV configuration
- Update your AV software

Also, are there any network related tasks that the server does on a regular basis that would use ping a lot?
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments


Author Comment

ID: 39748260
I've already tried updating the NIC drivers and it didn't help. The anti-virus, SCEP 2012, has not reported any infections. Additionally looking at the network firewall I'm not see any sort of suspicious incoming/outgoing traffic.

This is the primary system in a cluster, and ping is used to see if the other nodes are online. This configuration has been running for over 3 years without a problem - any windows updates that might have caused this?
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 39748280
It's definitely possible an update caused this but I'm seeing people having this issue dating back several years.

I would run a manual full scan with the AV and possibly use a few different products. Also check the processes running to see if there's any suspicious activity. In my experience, just because the AV doesn't report anything doesn't mean the system isn't infected.

Expert Comment

by:Ratnesh Mishra
ID: 39751357
Use following command to without quote to seperate all the services in individual svchost.exe "sc <service_name> type= own" , here you should use all the services under the same PID . Thereafter restart those services . In order to confirm whether its working or not ,you can use "tasklist /svc >tasks.txt" and then open tasks.txt file to validate all services are running in seperate svchost container with seperate PID.
This will give you clear picture of the culprit, once you have real culprit it will be easy to chalk-out solution for the issue.
Updating these files to the latest may fix the issue Nsi.dll, siproxy.sys, Nsisvc.dll, Winnsi.dll

Would also request to block ICMP i.e ping ack packets , if possible you can check whats the amount of ICMP packets in netmon trace.

Assisted Solution

futureman0 earned 0 total points
ID: 39754801
Figured out what caused the problem - IE 10.

Found this:

After uninstalling IE10 and going back to IE9 the memory leak for the NSI service went away. I tried installing IE11, but same issue as IE10.

Accepted Solution

Ratnesh Mishra earned 500 total points
ID: 39825523
Great findings and thanks for sharing however in case of SVCHOST consuming resource its always best to find specific process or service causing issue in order to troubleshooting properly without effecting other services. In this regards you may follow below mentioned link as a reference :-

Author Closing Comment

ID: 40193993
I found the reason what was causing the issue

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question