SVCHOST.EXE Network Service hogging CPU 100% on XP

Discussion in 'Computer Support' started by TJ, Apr 21, 2006.

  1. TJ

    TJ Guest

    Advice please how to uninstall/stop this program which starts on every
    boot and hogs almost 100% of the CPU in a new install Windows XP setup.

    At present I have to manually 'end process' to stop it after each boot
    up.

    I see in Google groups a few people have had this problem over the
    years but I have found no clear explanation how to remove this
    function.

    Can it be done through the registry?

    Thanks
     
    TJ, Apr 21, 2006
    #1

  2. TJ

    Duane Arnold Guest

    Svchost.exe does the bidding for the O/S programs and other programs such
    as malware, as it doesn't do anything on its own. If svchost.exe is
    cranking 100% of the CPU, then something is running with svchost.exe
    causing it to do it.

    You can look inside the running svchost.exe and see what's running with
    it that may be causing svchost.exe to run at 100% with Process Explorer.

    You right-click the Svchost.exe that's running in PE and select
    Properties and it will tell you everything about it.

    You go to menu/View/Show lower pane/Show all Dll(s) and it will tell
    you everything that's running with a svchost.exe. You can right-click in
    the lower pane too.

    If svchost.exe is not running out of Windows/System32 XP and up or
    Winnt/system32 Win2k and down, then it's a Trojan.

    Long

    http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html

    Short

    http://tinyurl.com/klw1

    It may not even be malware but something that's using svchost.exe has it
    cranking at 100% or it's a Trojan.

    Duane :)
     
    Duane Arnold, Apr 21, 2006
    #2

  3. TJ

    Jimchip Guest

    SVCHOST.EXE isn't what you seem to imply. When you say "hogs almost 100%",
    does that mean you think SVCHOST.EXE is not letting other apps have cpu
    cycles or just that, when nothing else is going on, SVCHOST.EXE is the only
    service doing something?

    http://support.microsoft.com/?kbid=314056

    Don't delete SVCHOST.EXE! There could be a problem with an application that
    SVCHOST.EXE is built to interact with (making SVCHOST.EXE build bad lists)
    but it is not something you can do without.
     
    Jimchip, Apr 21, 2006
    #3
  4. TJ

    Duane Arnold Guest

    He couldn't delete svchost.exe if he wanted to as it's always running
    and protected. And even if he somehow was to delete svchost.exe, the O/S
    would go to its failsafe directory and put it back in System32.

    Duane :)
     
    Duane Arnold, Apr 21, 2006
    #4
  5. TJ

    Jimchip Guest

    I believe 'He' was getting ready to go into the registry and yank it out. It
    would not have been a pretty sight and after 'He' had finished with his
    little 'brain surgery experiment' there would not have been any 'failsafe'
    anything going on.
     
    Jimchip, Apr 21, 2006
    #5
  6. TJ

    Meat Plow Guest

    Figure out what is causing svchost to run hot, it doesn't do it by itself.
     
    Meat Plow, Apr 21, 2006
    #6
  7. Beauregard T. Shagnasty, Apr 21, 2006
    #7
  8. TJ

    Duane Arnold Guest

    Let him learn his lesson that's the only way to learn. ;-)

    Duane :)
     
    Duane Arnold, Apr 21, 2006
    #8
  9. TJ

    TJ Guest

    Many thanks for this info.
    I already ran antivirus and Adaware - no trojans or hijacks showed.

    Following is the results of Process Explorer.

    SVChost.exe does appear to be running out of Windows XP/ 32 but I don't
    know what I should be looking for now - and most importantly - what to
    do when I find it.

    I see there is the option in XP Task Manager to change the Priority -
    at worst if I don't 'end process' on every boot, perhaps I can minimize
    the priority so it doesn't disrupt everything??

    Thanks for your help

    TJ



    Process PID CPU Description Company Name
    System Idle Process 0
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4
    SMSS.EXE 340 Windows NT Session Manager Microsoft Corporation
    CSRSS.EXE 440 Client Server Runtime Process Microsoft Corporation
    WINLOGON.EXE 668 Windows NT Logon Application Microsoft Corporation
    SERVICES.EXE 712 0.96 Services and Controller app Microsoft Corporation
    ATI2EVXX.EXE 868 ATI External Event Utility EXE Module ATI Technologies Inc.
    SVCHOST.EXE 884 Generic Host Process for Win32 Services Microsoft Corporation
    WMIPRVSE.EXE 412 WMI Microsoft Corporation
    SVCHOST.EXE 960 Generic Host Process for Win32 Services Microsoft Corporation
    SVCHOST.EXE 1000 Generic Host Process for Win32 Services Microsoft Corporation
    WSCNTFY.EXE 176 Windows Security Center Notification App Microsoft Corporation
    WUAUCLT.EXE 2152 Automatic Updates Microsoft Corporation
    SVCHOST.EXE 1064 96.15 Generic Host Process for Win32 Services Microsoft Corporation
    SVCHOST.EXE 1136 Generic Host Process for Win32 Services Microsoft Corporation
    SPOOLSV.EXE 1236 Spooler SubSystem App Microsoft Corporation
    iSafe.exe 1348 CA ISafe Service Computer Associates International, Inc.
    mxserver.exe 1400 Fix-It Task Launcher Service Ontrack Data International
    SVCHOST.EXE 1476 Generic Host Process for Win32 Services Microsoft Corporation
    VetMsg.exe 1564 CA Antivirus Realtime Messaging Service Computer Associates International, Inc.
    ALG.EXE 1732 Application Layer Gateway Service Microsoft Corporation
    LSASS.EXE 724 LSA Shell (Export Version) Microsoft Corporation
    ATI2EVXX.EXE 220 ATI External Event Utility EXE Module ATI Technologies Inc.
    taskmgr.exe 2056 Windows TaskManager Microsoft Corporation
    EXPLORER.EXE 400 0.96 Windows Explorer Microsoft Corporation
    HPZTSB04.EXE 520 HP
    CAVTray.exe 528 CA Antivirus System Tray Application Computer Associates International, Inc.
    autodown.exe 2228 Update Antivirus Application Computer Associates International, Inc.
    CAVRid.exe 552 CA Antivirus Realtime Infection Report Computer Associates International, Inc.
    CLI.EXE 572 CLI Application (Command Line Interface) ATI Technologies Inc.
    SpyBlocker.exe 604 SpyBlocker SpyBlocker Software
    CTFMON.EXE 644 CTF Loader Microsoft Corporation
    MSMSGS.EXE 728 Windows Messenger Microsoft Corporation
    dslmon.exe 1408 ADIMON MFC Application
    FINDFAST.EXE 1448 Microsoft Office Find Fast Microsoft Corporation
    OSA.EXE 1556
    reader_sl.exe 1772 Adobe Acrobat SpeedLauncher Adobe Systems Incorporated
    procexp.exe 2140 1.92 Sysinternals Process Explorer Sysinternals

    Process: SVCHOST.EXE Pid: 1064

    Name Description Company Name Version
    AcGenral.dll Windows Compatibility DLL Microsoft Corporation 5.01.2600.2180
    advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
    comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
    comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
    ctype.nls
    dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.2180
    dnsrslvr.dll DNS Caching Resolver Service Microsoft Corporation 5.01.2600.2180
    gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2818
    iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
    kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
    locale.nls
    msacm32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
    msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
    ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
    ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726
    oleaut32.dll Microsoft Corporation 5.01.2600.2180
    rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
    shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2869
    shimeng.dll Shim Engine DLL Microsoft Corporation 5.01.2600.2180
    shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2861
    sortkey.nls
    sorttbls.nls
    svchost.exe Generic Host Process for Win32 Services Microsoft Corporation 5.01.2600.2180
    unicode.nls
    user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2622
    userenv.dll Userenv Microsoft Corporation 5.01.2600.2180
    uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
    version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
    winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
    ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
    ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
     
    TJ, Apr 21, 2006
    #9
  10. TJ

    Plato Guest

    svchost handles lots of legit files. And, it's common to have 4 or 5
    instances of it running in XP. Chances are, you got a virus/malware.
     
    Plato, Apr 21, 2006
    #10
  11. TJ

    Jimchip Guest

    [end snippage]

    It's a little hard to read because of my 80 col. limit but:
    You have 1 that is really cooking:
    * SVCHOST.EXE 1064 96.15 Generic Host Process for Win32 *

    and it would be good if you could just go tie it to some application in
    order to find out what it is servicing but the printout at the bottom
    doesn't help, AFAIK. Barring that, and you can do this safely, start turning
    off the following but checking task manager every time to see when the CPU
    usage drops:

    Turn OFF:
    1) AutoUpdates

    2) All the CA stuff. You'll be safe if you're clean now and you don't
    download anything while it's off

    3) Find Fast

    I actually hate Find Fast and I will bet that's the sucker running busily in
    the background indexing your harddrive so you could just start with
    'OFF-ing' it.

    If still no joy:
    4) Turn off SpyBlocker but I don't think that's the problem.
    I'm betting Find Fast is using one of these^^^^'up there^^^^^^^^
     
    Jimchip, Apr 22, 2006
    #11
  12. TJ

    Duane Arnold Guest

    First, you must find out what is running with the svchost.exe. It may
    take that you make a determination that everything that's running with
    that svchost.exe is legit or not legit by looking at each process, dll,
    or whatever that's running with the svchost.exe in the lower pane by
    right-clicking each one and going to Properties to see where it's
    running from and is it a legit process. You may have to use Google or
    something to do a look-up on the process, dll, or whatever.

    Again, it might not even be malware and it could be a legit process that
    is sucking up the CPU. You must determine what it is and then take
    the appropriate action whatever that may be to resolve the issue.
    No, you need to find out what process is causing svchost.exe to use up
    the CPU.
    You should be able to right-click the svchost.exe in question and select
    Properties and go to the Threads tab and it will clearly show out all
    the processes that are running with that svchost.exe which process
    running on a thread is causing svchost.exe to suck up the CPU.

    Duane :)
     
    Duane Arnold, Apr 22, 2006
    #12
  13. TJ

    TJ Guest

    Thanks!

    I reran Adaware and EZ Trust antivirus. All clean. But I did notice
    Adaware took a long time scanning DLL files although it found nothing.

    So this is going to be a long grind.

    Something which comes to mind: I downloaded the latest XP driver for a
    RADEON 7000 graphics card - the ATI Catalyst program. This required a
    network program installer before it could be set up. It might be that
    which is causing the problem. Will investigate

    At worst, ending svchost.exe network doesn't seem to affect the PC
    performance, it rips along
     
    TJ, Apr 22, 2006
    #13
  14. TJ

    Meat Plow Guest


    Roll back the Radeon driver and see what gives.
     
    Meat Plow, Apr 22, 2006
    #14
  15. TJ

    TJ Guest

    I uninstalled the Radeon driver, and Windows network - same story.

    But interestingly I have noticed that the program does not cut in
    immediately. It can take minutes to turn on and wind up to 99% CPU
    usage.

    I will just have to keep looking.
     
    TJ, Apr 22, 2006
    #15
  16. TJ

    Jimchip Guest

    Is Find Fast still running?
     
    Jimchip, Apr 22, 2006
    #16
  17. TJ

    Duane Arnold Guest

    You can also use PRCview (free) to look at a process and what's running
    with the process.

    Duane :)
     
    Duane Arnold, Apr 22, 2006
    #17
  18. TJ

    Duane Arnold Guest

    In Process Explorer when you select the svchost.exe in question and
    right-click Properties/Thread tab and looking at the CSWITCH Delta
    column, which gives the number of context switches to the process (the
    number of times the process has been given time to run by the kernel’s
    scheduler).

    The process should be standing out from all the rest of the processes
    that are running with that svchost.exe the one that's getting the most
    switches.

    Also the CPU Usage column on the Thread tab is by running processes
    within a running process and should be clearly shown on the line under
    the column what process that's running or using the svchost.exe process
    has the highest percentage usage within that running svchost.exe process.

    That should be an indication as to what process is sucking up the
    process time within svchost.exe that is causing svchost.exe to suck up
    CPU processing percentage.

    Start looking at services that are loaded and are running due to that
    svchost.exe running, which is also in the Tab selection when Properties
    is selected.

    PE will clearly show what is doing it, if you take the time to look and
    understand what it is you're looking at based on the information being
    shown to you.

    Duane :)
     
    Duane Arnold, Apr 22, 2006
    #18
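
Added example, not written by any participant in this thread: the checks Duane describes in posts #2 and #18 (the image path of each svchost.exe, the services it hosts, and which instance is using the CPU) done from PowerShell instead of Process Explorer. It assumes PowerShell 3.0 or later, which is not part of a stock Windows XP install, and an elevated session; the 5-second sampling window and the function name Get-SvchostInstance are choices made for this example.

```powershell
# Added example (not from the thread). Needs PowerShell 3.0+; run elevated,
# otherwise ExecutablePath/CommandLine come back empty for some instances.
$expected      = Join-Path $env:SystemRoot 'System32\svchost.exe'
$sampleSeconds = 5   # assumption: sampling window for the CPU measurement

# Map each host PID to the names of the services running inside it.
$servicesByPid = @{}
foreach ($svc in (Get-CimInstance Win32_Service -Filter 'ProcessId <> 0')) {
    $key = [string]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $svc.Name
}

# Hypothetical helper name: returns every running svchost.exe instance.
function Get-SvchostInstance {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
}

# First sample: accumulated kernel + user CPU time per instance (100 ns units).
$before = @{}
foreach ($p in (Get-SvchostInstance)) {
    $before[[string]$p.ProcessId] = $p.KernelModeTime + $p.UserModeTime
}
Start-Sleep -Seconds $sampleSeconds

# Second sample: CPU used in the window, image path, -k group and services.
$report = foreach ($p in (Get-SvchostInstance)) {
    $key   = [string]$p.ProcessId
    $ticks = $p.KernelModeTime + $p.UserModeTime
    $delta = if ($before.ContainsKey($key)) { $ticks - $before[$key] } else { 0 }
    $path  = 'ok'
    if (-not $p.ExecutablePath) { $path = 'unknown (not elevated?)' }
    elseif ($p.ExecutablePath -ine $expected) { $path = "UNEXPECTED: $($p.ExecutablePath)" }
    $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{
        PID        = $p.ProcessId
        # Percent of one core over the sampling window.
        CpuPercent = [math]::Round($delta / ($sampleSeconds * 1e7) * 100, 1)
        Path       = $path
        Group      = $group
        Services   = ($servicesByPid[$key] -join ', ')
    }
}
$report | Sort-Object CpuPercent -Descending | Format-Table -AutoSize -Wrap
```

On 64-bit Windows a 32-bit svchost.exe under SysWOW64 is also a legitimate location, so treat UNEXPECTED as a prompt to inspect the file rather than as a verdict.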
  19. TJ

    TJ Guest

    Duane, I really have to thank you! I believe I am tracking the problem
    down.

    This is the thread which is running flat out. Tens of thousands of
    contact switches occur, increasing as you look at it.

    Kernel32.dll! Create Thread +0x27. thread ID: 1976

    WINDOWS NT BASE API CLIENT DLL USER : NT Authority\network
    service


    An error msg also shows on startup : fatal execution engine error
    0x7927baca cli.exe
    related to the CPU problem. But it is related to the ATI graphics
    Catalyst software. And I'm not sure yet Catalyst isn't related to the
    CPU problem

    Google shows others have tracked it down as the source of CPU max-out.
    But no solutions shown.

    Where to go from here??

    Thanks again
    TJ


    Below is just a tiny fraction of the text showing (which I won't post.
    It is literally thousands of lines).

    "The kerberos protocol encountered an error while attempting to utilize the smartcard subsystem.
    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
    The smartcard certificate used for authentication has been revoked. Please contact your system administrator. There may be additional information in the event log.
    An untrusted certificate authority was detected While processing the smartcard certificate used for authentication. Please contact your system administrator.
    The revocation status of the smartcard certificate used for authentication could not be determined. Please contact your system administrator.
    The smartcard certificate used for authentication was not trusted. Please contact your system administrator.
    The smartcard certificate used for authentication has expired. Please contact your system administrator.
    The machine is locked and can not be shut down without the force option.
    An application-defined callback gave invalid data when called.
    The group policy framework should call the extension in the synchronous
    "
     
    TJ, Apr 23, 2006
    #19
  20. TJ

    beenthere Guest

    I really zapped this post TJ, but kerberos caught my eye.
    Go have a read here, about k.
    http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#whatis
    It's a security system.
    So what have you got on your computer that's using it?
     
    beenthere, Apr 23, 2006
    #20