Solved

svchost.exe using all my system's memory, please help

Posted on 2016-11-03
Last Modified: 2016-12-01
see screenshot
svchost.png
Question by:frankbustos
26 Comments
 
LVL 28

Expert Comment

by:omgang
Right click the svchost.exe process and choose Go To Service(s) from the context menu.  This will show you the running services associated with that process.  Hopefully you can identify the culprit.
OM Gang
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 125 total points (awarded by participants)
SVCHOST controls many things. A very common cause of it consuming resources is malware.

Get a good commercial AV package, do a full scan and then follow that with Malwarebytes.
0
 
LVL 20

Expert Comment

by:CompProbSolv
While it is generally a good idea to do the scanning that John recommended (and I wouldn't discourage it at all here), I'd want to identify exactly which process is using the memory (as suggested by omgang).

You can install Process Explorer from Sysinternals to get more details about the individual processes.
0
 
LVL 47

Expert Comment

by:dbrunton
I'll second Process Explorer as suggested by CompProbSolv.

Download from here https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

It may very well be Malware as suggested by John Hurst (and that would be my first thought) but you can use Process Explorer to identify the file or dll that is causing the problem quickly this way.
0
 

Author Comment

by:frankbustos
OK, I downloaded Process Explorer and here are the results; please look at the attachment.
0
 

Author Comment

by:frankbustos
Sorry, here is the screenshot.
process-explorer.png
0
 
LVL 90

Expert Comment

by:John Hurst
The screen shot was not very illuminating. Can you sort on CPU (not memory) and that will help you see what is using the memory.
0
 

Author Comment

by:frankbustos
How about now? Look at this one.
process1.png
0
 
LVL 90

Expert Comment

by:John Hurst
It seems to point to a virus on your machine (virus scanning running) and then an SVCHOST process I do not see an identifier for.

So back to an earlier post, the cause here appears to be malware.
0
 

Author Comment

by:frankbustos
OK, I'll scan again and let you know the results.
0
 

Author Comment

by:frankbustos
It came back clean from malware.
malware.png
0
 
LVL 90

Expert Comment

by:John Hurst
You may have some legacy software running.

Try running System File Checker. SFC /SCANNOW from an admin command prompt.

More likely (given the above), you are going to need to back up and re-install Windows.
0
 

Author Comment

by:frankbustos
I just did that a few days ago. I had Windows 7 32-bit and I changed to 64-bit. It's a clean system as it is.
0
 
LVL 90

Expert Comment

by:John Hurst
Wow - very strange.

Try a new, test, Windows User Profile (Account). Log into the new Windows Account and test.
0
 
LVL 20

Expert Comment

by:CompProbSolv
In the first and third screenshots, SVCHOST was using 1.1-1.5G of RAM.  In the second one it is about a tenth of that.

Do you know what changed?
0
 

Author Comment

by:frankbustos
So I ended up formatting the hard drive and re-installing everything. Then, after I installed Office 2010, I noticed that svchost took over memory.
0
 
LVL 47

Expert Comment

by:dbrunton
So, the problem still exists?

If so then try the Microsoft Malicious Removal Tool https://www.microsoft.com/en-nz/download/malicious-software-removal-tool-details.aspx and see what it finds on your system.
0
 

Author Comment

by:frankbustos
Yes, I did a scan with Malwarebytes and found Trojan.dropper.fav and pup.optional.downloadadmin. I'm doing a scan now with HitmanPro and then I'll try Microsoft and keep you posted.
0
 
LVL 20

Expert Comment

by:CompProbSolv
Before doing a wipe and reinstall (or major attempts at resolving problems), I typically make a complete copy of the original drive.  It can be done with software or with fairly inexpensive (<$40) hardware tools.  That way I can always get back to where I started if needed.

I would also disconnect it from the internet and reboot.  You may be seeing some effects of it trying to do updates.

In addition to John's scanning suggestion, I'd use TDSSKiller:
https://support.kaspersky.com/viruses/disinfection/5350#block1
Click on "How to disinfect..." then "tdsskiller.exe".
It just looks for rootkits and is very quick to run.

I'd also boot in Safe Mode and see if the issue persists.  I've seen things of this sort that were resolved by disabling the WMI service.
0
 

Author Comment

by:frankbustos
I'm doing scans in Safe Mode now; it seems to be working normally in Safe Mode.
0
 

Author Comment

by:frankbustos
OK, I did scans in Safe Mode and it's free of malware. I log back into normal mode and I see two svchost.exe start picking up, taking all of the memory resources. ARGH
0
 
LVL 47

Expert Comment

by:dbrunton
>>  it seems to be working normally in Safe Mode

Something in your Startup is getting loaded then.  Read http://answers.microsoft.com/en-us/windows/forum/all/how-to-get-startup-folder-in-start-all-programs/d3f5486a-16c0-4e69-8446-c50dd35163f1 and the post by Steve Winograd on the location of Startup folders and see what is there.  This isn't necessarily all of the locations where Startup occurs but might help.
0
 

Accepted Solution

by:frankbustos
frankbustos earned 125 total points (awarded by participants)
OK, so I narrowed it down. I went to Services and I stopped services one by one, and every time I stopped the service Windows Updates the memory goes down to normal, and as soon as I start it, it goes back to using all memory. So it's a problem with Windows Updates because it just keeps saying checking for updates but never completes. How do I get updates using another method?
0
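
Added example, not part of the original thread: a PowerShell listing that automates the "Go To Service(s)" lookup omgang describes and narrows the one-by-one service test from the accepted solution, showing each svchost.exe instance with its memory use and hosted services. It uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with Windows 7; the path check assumes a genuine svchost.exe runs from System32 or SysWOW64, and the output column names are illustrative.

```powershell
# Added example (not from the thread): list every svchost.exe instance with its
# memory use, the services it hosts, and a check on where the binary lives.
$expected = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Index running services by the PID of the process hosting them.
$servicesByPid = @{}
Get-WmiObject Win32_Service -Filter "State='Running'" | ForEach-Object {
    $id = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
    $servicesByPid[$id] += $_.Name
}

Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $id   = [int]$_.ProcessId
    $path = $_.ExecutablePath      # empty for protected processes when not elevated

    # Assumption: a legitimate svchost.exe only runs from these two directories.
    if (-not $path) {
        $pathCheck = 'unknown (run elevated)'
    } elseif ($expected -contains (Split-Path $path -Parent)) {
        $pathCheck = 'OK'
    } else {
        $pathCheck = 'UNEXPECTED LOCATION'
    }

    if ($servicesByPid.ContainsKey($id)) {
        $services = $servicesByPid[$id] -join ', '
    } else {
        $services = '(no registered service)'
    }

    New-Object PSObject -Property @{
        PID          = $id
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        PathCheck    = $pathCheck
        Path         = $path
        Services     = $services
    }
} | Sort-Object WorkingSetMB -Descending |
    Select-Object PID, WorkingSetMB, PathCheck, Services, Path |
    Format-List
```

Run it from an elevated prompt so the path is populated for every instance. An instance that hosts many services (the Windows Update service, `wuauserv`, shares one with others) still needs the stop-one-at-a-time test described above to single out the culprit.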
 
LVL 47

Assisted Solution

by:dbrunton
dbrunton earned 125 total points (awarded by participants)
Have you got SP 1 installed and then the Rollup pack?

This https://support.microsoft.com/en-us/kb/3172605 talks about the Rollup pack and the SP 1 and gives you links to both.
0
 
LVL 20

Assisted Solution

by:CompProbSolv
CompProbSolv earned 125 total points (awarded by participants)
There are numerous posts on EE about this.  The solution that usually works is to install some key updates and then use offline WSUS to download and install the other updates.

If you don't get a response with the detail or can't find them here, drop a note and I'll look.
0
 
LVL 47

Expert Comment

by:dbrunton
frankbustos for identifying the problem, Update process hogging memory.
John Hurst for suggesting malware on machine.  Some malware was found.
dbrunton for suggesting Service Pack and Rollup pack to be installed.  Unknown if this was done.
CompProbSolv for asking for feedback so he could suggest other links to solve Windows Update problems.
0
