Solved

Need help processing a .DMP file

Posted on 2014-09-15
Last Modified: 2014-09-16
This is my first experience with this type of dump; I haven't a clue what I am doing and need some help.

OS - Server 2008 r2 Standard
All updates applied

I created the .DMP file on a machine that is having a problem with 32-bit SVCHOST processes being cloned. I am trying to figure out what is creating the SVCHOST processes. The last time it started I forced a dump from the Task Manager in hopes of finding the true name of the process cloning the SVCHOSTs, but then found I didn't know what to do with this type of dump.

Background
When the problem begins I find the name of the parent process, kill its process tree, and it then kills all of the children, but then it just starts all over again. The machine gets restarted and is OK for about 20 - 60 minutes and then the problem starts. There is nothing in the Task Scheduler that is kicking it off.

The parent process of the SVCHOST can be the name of any 32-bit process on the machine and can change from one system restart to another.

I've run numerous scans on the machine with no problems being found.

Please take a look at the attached .dmp file and let me know if there is any clue
svchost.DMP
Question by:c7c4c7
12 Comments
 
LVL 19

Expert Comment

by:marsilies
ID: 40323952
Any normal Windows install is going to have several svchost.exe processes running at any given time. That's because it's a "host" executable for running services from DLL libraries, hence the name of the file being a condensed form of "service host."

See here for more details:
http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/


If there's a runaway number of svchost.exe files that keep multiplying, my guess is that it's malware. Be sure to run a malware scan using multiple anti-malware programs. Malwarebytes is a good one you can use for free for basic scanning.
https://www.malwarebytes.org/
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 250 total points
ID: 40324108
FWIW here's your minidump analysis:

FAULTING_IP: 
+0
00000000`00000000 ??              ???

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 0000000000000000
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  0000000000000e14

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

PROCESS_NAME:  svchost.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

LAST_CONTROL_TRANSFER:  from 0000000074b02cb4 to 0000000074b02e09

STACK_TEXT:  
00000000`000fe748 00000000`74b02cb4 : 00000000`773201b4 00000000`74b70023 00000000`00000246 00000000`001afc00 : wow64cpu!CpupSyscallStub+0x9
00000000`000fe750 00000000`74b7d286 : 00000000`00000000 00000000`74b01920 00000000`000fe9e0 00000000`7715ecf1 : wow64cpu!Thunk2ArgNSpNSpReloadState+0x2a
00000000`000fe810 00000000`74b7c69e : 00000000`00000000 00000000`00000000 00000000`74b74b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`000fe860 00000000`77174966 : 00000000`002e3330 00000000`00000000 00000000`77262670 00000000`77235978 : wow64!Wow64LdrpInitialize+0x42a
00000000`000fedb0 00000000`77171937 : 00000000`00000000 00000000`77174071 00000000`000ff360 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`000ff2a0 00000000`7715c34e : 00000000`000ff360 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x28ff0
00000000`000ff310 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe


STACK_COMMAND:  ~0s; .ecxr ; kb

FOLLOWUP_IP: 
wow64cpu!CpupSyscallStub+9
00000000`74b02e09 c3              ret

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  wow64cpu!CpupSyscallStub+9

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: wow64cpu

IMAGE_NAME:  wow64cpu.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5315a0c4

FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_wow64cpu.dll!CpupSyscallStub

BUCKET_ID:  X64_APPLICATION_FAULT_STATUS_BREAKPOINT_wow64cpu!CpupSyscallStub+9

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/svchost_exe/6_1_7600_16385/4a5bc100/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1

Followup: MachineOwner
---------

rax=00000000001af818 rbx=0000000000000246 rcx=00000000001af840
rdx=0000000000000010 rsi=00000000001afaf4 rdi=0000000000000000
rip=0000000074b02e09 rsp=00000000000fe748 rbp=00000000001afb18
 r8=000000000000002b  r9=000000007732f9f2 r10=0000000000000000
r11=0000000000000202 r12=000000007efdb000 r13=00000000000ffd20
r14=00000000000fe7c0 r15=0000000074b02450
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
wow64cpu!CpupSyscallStub+0x9:
00000000`74b02e09 c3              ret
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`000fe748 00000000`74b02cb4 : 00000000`773201b4 00000000`74b70023 00000000`00000246 00000000`001afc00 : wow64cpu!CpupSyscallStub+0x9
00000000`000fe750 00000000`74b7d286 : 00000000`00000000 00000000`74b01920 00000000`000fe9e0 00000000`7715ecf1 : wow64cpu!Thunk2ArgNSpNSpReloadState+0x2a
00000000`000fe810 00000000`74b7c69e : 00000000`00000000 00000000`00000000 00000000`74b74b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`000fe860 00000000`77174966 : 00000000`002e3330 00000000`00000000 00000000`77262670 00000000`77235978 : wow64!Wow64LdrpInitialize+0x42a
00000000`000fedb0 00000000`77171937 : 00000000`00000000 00000000`77174071 00000000`000ff360 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`000ff2a0 00000000`7715c34e : 00000000`000ff360 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x28ff0
00000000`000ff310 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
start             end                 module name
00000000`00d10000 00000000`00d18000   svchost  svchost.exe  Tue Jul 14 00:19:28 2009 (4A5BC100)
00000000`74170000 00000000`7417b000   winrnr   winrnr.dll   Tue Jul 14 02:34:43 2009 (4A5BE0B3)
00000000`74180000 00000000`74195000   NapiNSP  NapiNSP.dll  Tue Jul 14 02:30:46 2009 (4A5BDFC6)
00000000`74190000 00000000`741a5000   nlaapi   nlaapi.dll   Sat Nov 20 13:09:43 2010 (4CE7C897)
00000000`74480000 00000000`74486000   rasadhlp rasadhlp.dll Tue Jul 14 02:09:42 2009 (4A5BDAD6)
00000000`74490000 00000000`744e3000   FWPUCLNT FWPUCLNT.DLL Sat Oct 12 03:29:39 2013 (5258B413)
00000000`745e0000 00000000`74635000   mswsock  mswsock.dll  Sun Sep 08 03:28:03 2013 (522BE0B3)
00000000`74620000 00000000`74664000   dnsapi   dnsapi.dll   Thu Mar 03 05:29:23 2011 (4D6F2733)
00000000`74670000 00000000`74677000   winnsi   winnsi.dll   Tue Jul 14 02:11:31 2009 (4A5BDB43)
00000000`74680000 00000000`7469c000   IPHLPAPI IPHLPAPI.DLL Sat Nov 20 12:00:25 2010 (4CE7B859)
00000000`74b00000 00000000`74b08000   wow64cpu wow64cpu.dll Tue Mar 04 09:45:40 2014 (5315A0C4)
00000000`74b10000 00000000`74b6c000   wow64win wow64win.dll Tue Mar 04 09:45:42 2014 (5315A0C6)
00000000`74b70000 00000000`74baf000   wow64    wow64.dll    Tue Mar 04 09:45:39 2014 (5315A0C3)
00000000`74d10000 00000000`74d1c000   CRYPTBASE CRYPTBASE.dll Tue Jul 14 00:12:01 2009 (4A5BBF41)
00000000`74d20000 00000000`74d80000   sspicli  sspicli.dll  Thu Jun 05 15:25:49 2014 (53907DED)
00000000`74d80000 00000000`74e4c000   msctf    msctf.dll    Tue Jul 14 02:07:53 2009 (4A5BDA69)
00000000`75010000 00000000`75029000   sechost  sechost.dll  Tue Jul 14 02:10:28 2009 (4A5BDB04)
00000000`75150000 00000000`75260000   kernel32 kernel32.dll Tue Mar 04 09:19:01 2014 (53159A85)
00000000`76160000 00000000`76260000   user32   user32.dll   Sat Nov 20 12:08:57 2010 (4CE7BA59)
00000000`76400000 00000000`7640a000   lpk      lpk.dll      Thu Jun 06 05:57:01 2013 (51B0169D)
00000000`76420000 00000000`764cc000   msvcrt   msvcrt.dll   Fri Dec 16 07:45:38 2011 (4EEAF722)
00000000`764f0000 00000000`7651e000   imm32    imm32.dll    Tue Jul 14 02:28:32 2009 (4A5BDF40)
00000000`76560000 00000000`76566000   nsi      nsi.dll      Tue Jul 14 02:09:45 2009 (4A5BDAD9)
00000000`765a0000 00000000`76690000   rpcrt4   rpcrt4.dll   Tue Jul 09 05:52:32 2013 (51DB9710)
00000000`766a0000 00000000`76730000   gdi32    gdi32.dll    Thu Oct 03 03:00:44 2013 (524CCFCC)
00000000`76890000 00000000`76930000   advapi32 advapi32.dll Thu Aug 29 02:48:26 2013 (521EA86A)
00000000`76b10000 00000000`76bad000   usp10    usp10.dll    Fri Apr 25 03:04:57 2014 (5359C2C9)
00000000`76c40000 00000000`76c87000   KERNELBASE KERNELBASE.dll Tue Mar 04 09:19:02 2014 (53159A86)
00000000`76ed0000 00000000`76f05000   ws2_32   ws2_32.dll   Sat Nov 20 12:09:12 2010 (4CE7BA68)
00000000`77130000 00000000`772d9000   ntdll    ntdll.dll    Thu Aug 29 03:17:08 2013 (521EAF24)
00000000`77310000 00000000`77490000   ntdll_77310000 ntdll.dll    Thu Aug 29 02:50:31 2013 (521EA8E7)



Not really my field but it looks like a memory overflow - I'm wondering if you should check your RAM?
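A way to re-run the triage above and get past the layer it stops at, as an added example that is not part of the original thread. The STACK_TEXT in the analysis contains only wow64cpu, wow64 and ntdll frames: that is the 64-bit emulation layer every thread of a 32-bit (WOW64) process shows when the 64-bit Task Manager writes the dump, and the 32-bit code the process was actually running is not visible in it. An ExceptionAddress of 0 with code 0x80000003 is how !analyze reports a dump written on demand rather than at a crash. The script runs cdb.exe against the dump, switches to the 32-bit context with !wow64exts.sw, and pulls out the process command line, modules loaded from outside the Windows directory, and stack frames that resolve to no module. The cdb install path, the symbol cache directory and the log file name are assumptions.

```powershell
# Added example, not from the original thread: re-run the triage on the
# svchost.DMP written from Task Manager and switch to the 32-bit view.
# Assumed: Debugging Tools for Windows installed at $cdb, the dump in the
# current directory, a local symbol cache under C:\Symbols.
$cdb     = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\cdb.exe'
$dump    = Join-Path (Get-Location) 'svchost.DMP'
$symbols = 'srv*C:\Symbols*http://msdl.microsoft.com/download/symbols'
$log     = Join-Path (Get-Location) 'svchost-analysis.txt'

# Debugger commands, run in order:
#   !analyze -v     the bucket shown above (64-bit side: wow64cpu/wow64/ntdll only)
#   !peb            image path and command line of the dumped svchost
#   !wow64exts.sw   switch to the 32-bit context of this WOW64 process
#   ~*k             stack of every thread, now as 32-bit frames
#   lm f            loaded modules with full paths, 32-bit side
#   q               quit so cdb returns
$commands = '!analyze -v; !peb; !wow64exts.sw; ~*k; lm f; q'
& $cdb -z $dump -y $symbols -logo $log -c $commands | Out-Null

$text = Get-Content $log

# What the process was started as: a legitimate svchost carries "-k <group>"
$text | Select-String -Pattern 'ImageFile:|CommandLine:'

# Modules loaded from anywhere other than the Windows directory
foreach ($line in $text) {
    if ($line -match '^\s*[0-9a-f`]+\s+[0-9a-f`]+\s+\S+\s+([A-Za-z]:\\.+)$' -and
        $matches[1] -notmatch '^[A-Za-z]:\\Windows\\') { $line }
}

# 32-bit frames the debugger could not attribute to any loaded module
# (printed as a bare 0x address): code running from heap or a private
# mapping, which is where injected code lives
$text | Select-String -Pattern '^\s*[0-9a-f`]+\s+[0-9a-f`]+\s+0x[0-9a-f`]+\s*$'
```

The same switch can be avoided at capture time: taking the dump with the 32-bit Task Manager (%windir%\SysWOW64\taskmgr.exe) records the 32-bit context directly. Either way, a process dump of one svchost instance records that process's memory, not who created it; the creator has to be captured on the live system.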
 

Author Comment

by:c7c4c7
ID: 40324328
Not really my field either, why do you suggest memory overflow?
 
LVL 19

Assisted Solution

by:marsilies
marsilies earned 250 total points
ID: 40324436
I really don't think a forced memory dump is going to help in this case. A memory dump is used to help figure out what caused the system to crash, but since you know what caused the system to crash (you caused it on purpose), I don't think deciphering the dump file will help much.
http://superuser.com/questions/224496/how-do-i-create-a-memory-dump-of-my-computer-freeze-or-crash

Is the system crashing on its own ever?
 

Author Comment

by:c7c4c7
ID: 40324543
Ultimately all I am trying to do is find what is causing these SVCHOST processes to be generated. I've scanned the machine with several programs and it always comes up clear, so that is a no go.

So the real question is: how do I back-trace one of these processes and find what is creating them?
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40324616
You can use the Processes tab in Task Manager (Ctrl+Shift+Esc).
Right-click on the SVCHOST entries one at a time and select "Go to Services" to identify what services & dependencies are being controlled with each entry.
(See the Windows 7 section here)
 

Author Comment

by:c7c4c7
ID: 40324643
That doesn't work.  When I use that method there are times that it goes to the Services tab but does not Identify the process.

Some of the things I've seen
SVCHOSTS created by Googleupdater
SVCHOSTS created by CMD
SVCHOSTS does not highlight any process
SVCHOSTS created by LogMeIn
etc.

If you uninstall the program it identifies, it finds another and then replicates that one

I know it sounds just like a virus, but the programs don't find it.
 
LVL 19

Expert Comment

by:marsilies
ID: 40325355
So the real question is how do I back trace one of these processes and find what is creating them

This answer was provided in the first link I gave. You can go to the command line and enter this command:
tasklist /SVC



This will create a list of processes running, but more importantly, for svchost.exe it will say what services each instance is running.

As an example, these are the svchost entries it listed for my PC:
svchost.exe                    352 DcomLaunch, PlugPlay, Power
svchost.exe                    604 RpcEptMapper, RpcSs
svchost.exe                   1124 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe                   1160 AudioEndpointBuilder, CscService, hidserv,
                                   Netman, PcaSvc, SysMain, TrkWks,
                                   UmRdpService, UxSms, WPDBusEnum, wudfsvc
svchost.exe                   1188 EventSystem, fdPHost, FontCache, netprofm,
                                   nsi, W32Time, WdiServiceHost,
                                   WinHttpAutoProxySvc
svchost.exe                   1216 AeLookupSvc, Appinfo, BITS, Browser,
                                   CertPropSvc, gpsvc, iphlpsvc, LanmanServer,
                                   MMCSS, ProfSvc, Schedule, SENS, SessionEnv,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1572 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc, TermService
svchost.exe                   1740 BFE, DPS, MpsSvc
svchost.exe                   2260 FDResPub, SSDPSRV, upnphost, wcncsvc
svchost.exe                   3712 PolicyAgent



Windows creates a number of instances because it doesn't want every service running under one process, since if that process crashes, all the services running under it stop. How it separates them out and how many separate instances it creates is up to Windows to decide, likely based on available resources and such.

Again, having a number of svchost.exe processes running is normal. There have been reports of as many as 20 instances running on a PC. Unless the performance of the PC is being affected, I'm guessing Windows is spreading the running services out on many svchost instances to reduce risk of crashes, due to there being plenty of available RAM and such for it to do so.
http://ask-leo.com/what_is_svchost_and_why_is_there_more_than_one_copy_running.html
http://www.sevenforums.com/performance-maintenance/99106-20-instances-svchost-exe-supposed-many.html
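The same mapping as tasklist /SVC, extended with the columns that distinguish a legitimate instance from a cloned one, as an added example that is not part of the original thread: each svchost.exe with its hosted services, image path, command line, the process that created it, and a check for the case where the creator's PID has already been recycled. It is written for the PowerShell 2.0 that ships with Server 2008 R2 and needs an elevated console so WMI can read every process; the function name is the example's own.

```powershell
# Added example, not from the original thread: one snapshot of every
# svchost.exe with its hosted services, command line and creator, plus a
# check for the case where the "parent" PID has been recycled.
# PowerShell 2.0 on Server 2008 R2; run elevated so WMI can read every process.

function Get-SvchostReport {
    $procs = Get-WmiObject Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # Services per hosting PID; this is the mapping tasklist /SVC prints
    $svcByPid = @{}
    foreach ($s in Get-WmiObject Win32_Service) {
        if ($s.ProcessId -gt 0) { $svcByPid[[int]$s.ProcessId] += @($s.Name) }
    }

    foreach ($p in $procs) {
        if ($p.Name -ne 'svchost.exe') { continue }
        $started = $null
        if ($p.CreationDate) { $started = $p.ConvertToDateTime($p.CreationDate) }
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = '<exited>'; $parentPath = ''; $pidReused = $false
        if ($parent) {
            $parentName = $parent.Name
            $parentPath = $parent.ExecutablePath
            # A creator that started after its child cannot be the real creator:
            # the original parent exited and the kernel handed its PID to someone else.
            if ($parent.CreationDate -and $started) {
                $pidReused = $parent.ConvertToDateTime($parent.CreationDate) -gt $started
            }
        }
        New-Object PSObject -Property @{
            PID         = [int]$p.ProcessId
            Started     = $started
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Services    = (@($svcByPid[[int]$p.ProcessId]) -join ',')
            ParentPID   = [int]$p.ParentProcessId
            Parent      = $parentName
            ParentPath  = $parentPath
            PIDReused   = $pidReused
        }
    }
}

$report = Get-SvchostReport
$report | Sort-Object Started | Format-Table PID, Started, Parent, ParentPID, PIDReused, Services -AutoSize

# On Windows 7 / Server 2008 R2 every svchost.exe that belongs to a Windows
# service group is started by services.exe, runs from System32, carries a
# "-k <group>" argument and, once it has finished starting, hosts at least
# one service. Anything that fails those checks is the list to chase.
$report | Where-Object {
    $_.Parent -ne 'services.exe' -or $_.Services -eq '' -or $_.CommandLine -notmatch '\s-k\s' -or
    $_.Path -notmatch '^[A-Za-z]:\\Windows\\System32\\svchost\.exe$'
} | Format-List PID, Path, CommandLine, Parent, ParentPID, ParentPath, PIDReused
```

The Path column matters for the case in this thread: the built-in service groups use the 64-bit System32\svchost.exe, so 32-bit instances running from SysWOW64 (or from anywhere else) separate out immediately. The PIDReused column is the reason the name shown by Task Manager's "Go to Services" or by a parent-PID lookup can change from one incident to the next: if the real creator exits right after spawning, the PID it held is reassigned and the next process to get it appears as the parent.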
 

Author Comment

by:c7c4c7
ID: 40325767
marsilies
I understand your point about the fact that Windows has numerous SVCHOST processes running at any one time. This machine, when it is running correctly, usually runs around 14-16; I have no problem with that. My problem is when it starts cloning them at a rate of about 1 per second and reaches 100-200, at which point the machine has to be hard booted.

As far as the command line tasklist /svc, the information from that, in this case, is the alleged parent process; as the parent process changes from incident to incident I do not believe that is what is truly launching the process. If it was I could simply uninstall the program and it would never happen again. I have uninstalled numerous programs using that theory but the problem persists. That is why I was going down the road of trying to back-trace, using a dump, to find out what was going on around the time that the process was being launched. I also understand your previous point about the dump not providing any useful data because it would deal with the fact that we forced the dump.

Thanks for helping with this.  If I've missed something in what you are telling me, please let me know
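What the post above is asking for is a record of who created each process at the moment it was created, which a snapshot taken later cannot give. The following is an added example that is not part of the original thread: it subscribes to WMI process-start events, which carry the creator's PID as the kernel recorded it, resolves the creator's name and path while it is still alive, and appends one line per process start to a CSV; after the next storm, the second half groups the svchost.exe starts by creator and shows the creation rate. It runs on PowerShell 2.0 in an elevated console that stays open; the output path and the source identifier are assumptions.

```powershell
# Added example, not from the original thread: record every process start on
# the server, with the creating process, until the svchost storm shows up.
# Needs an elevated PowerShell 2.0+ console that stays open; the output
# path is an assumption.
$logFile = 'C:\Temp\proc-start.csv'
$dir = Split-Path $logFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
'Time,PID,Name,ParentPID,Parent,ParentPath,CommandLine' | Set-Content $logFile

# Win32_ProcessStartTrace raises one event per process creation, carrying the
# child's PID and name and the PID of the creator as the kernel recorded it.
Register-WmiEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
    -SourceIdentifier ProcStart -MessageData $logFile -Action {
    $e = $Event.SourceEventArgs.NewEvent
    # Resolve the creator right now: if it has already exited, its PID can be
    # handed to another process, and a later lookup would name the wrong one.
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"
    $child  = Get-WmiObject Win32_Process -Filter "ProcessId = $($e.ProcessID)"
    $parentName = '<exited>'; $parentPath = ''; $cmd = ''
    if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }
    if ($child)  { $cmd = $child.CommandLine }
    $fields = @((Get-Date).ToString('s'), $e.ProcessID, $e.ProcessName,
                $e.ParentProcessID, $parentName, $parentPath, $cmd)
    # Quote every field so commas in command lines survive the CSV round trip
    $line = ($fields | ForEach-Object { '"' + ([string]$_ -replace '"', '""') + '"' }) -join ','
    Add-Content -Path $Event.MessageData -Value $line
}

# ... leave the console open until the next incident, then:

# Which process is creating svchost.exe, and how many each creator started
Import-Csv $logFile | Where-Object { $_.Name -eq 'svchost.exe' } |
    Group-Object Parent, ParentPath | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Creation rate: the busiest seconds of svchost.exe starts
Import-Csv $logFile | Where-Object { $_.Name -eq 'svchost.exe' } |
    Group-Object { ([datetime]$_.Time).ToString('HH:mm:ss') } |
    Sort-Object Count -Descending | Select-Object -First 5 Count, Name

Unregister-Event -SourceIdentifier ProcStart
```

The creator recorded here is the one that made the CreateProcess call, so it does not change with later PID reuse the way a snapshot does; a creator that exits faster than the event handler runs still shows as <exited>, and for that case Process Monitor (with boot logging, so the trace also covers the first minutes after restart) or Sysmon's process-creation events record the parent at creation time. Whatever the creator turns out to be, a legitimate process that spawns svchost.exe once a second is one that has had code injected into it, which is why uninstalling the program it names does not stop the behaviour.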
 
LVL 19

Expert Comment

by:marsilies
ID: 40325832
Does the computer crash on its own when it has that many instances of svchost? A dump file from that type of crash may be more instructive.

That said, it really sounds like malware. The only topics I can find where others have experienced this issue have all been cases of malware:
http://www.techspot.com/community/topics/javaw-exe-variant-hundreds-of-conhost-svchost-netsh-etc.190131/
http://www.techsupportforum.com/forums/f100/hjt-log-and-attachments-here-thank-you-336334.html
http://community.norton.com/forums/multiple-viruses-svchostexe-infostealer-hacktool-rootkit

What anti-malware programs have you run?
 

Author Comment

by:c7c4c7
ID: 40325918
We hard boot the machine. I will look at the URLs.

Thx
 

Author Closing Comment

by:c7c4c7
ID: 40327225
I rebuilt the server. I couldn't spend any more time chasing down the actual cause of the problem. Thanks for the help.