Proper location of svchost.exe?


kmcdowell

I have a svchost.exe process running at near 100% CPU utilization
all the time. I have two other svchost.exe instances that
are both at 0% CPU utilization. I have scanned for viruses with the
latest eTrust signatures, nothing found. I cannot end the
process; access is denied.
There are dozens of infectors that either
infect the MS SVCHOST file or use their
own file with that name.

When searching my computer, I have two svchost.exe files:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\dllcache\svchost.exe

Which folder is this file supposed to be in? Is it normal
to have two files in these folders like this?

There are a few differences between the files. The most
significant difference is Security permissions. The file
in the \system32\ folder has "Everyone" and "Power Users"
and "Users" groups selected as well, all with "Read"
and "Read and Execute" permissions. Both files
have "Administrators" and "System" groups.

Am I barking up the wrong tree here? Anyone know anything
more about this?

kmcdowell
 

Aurelien [MS]


Hi,

Svchost.exe is a system process which hosts other processes. The system and
some applications use svchost to host their own processes. Because it is a
system process you cannot stop it.

The dllcache folder is a system folder which caches some DLLs and EXEs in
order to use them at reboot and replace the ones in system32 if different. To
put it simply, it is a kind of backup and security folder (that is why there are
security differences between the two).
It is normal to find svchost in system32\dllcache.

The svchost you see in Task Manager is the one in system32.

Regarding your 100% CPU issue, you have to identify which process hosted by
svchost is guilty. To do this you need to dump svchost.exe and analyse the
dump.
Unfortunately that cannot be done on a newsgroup.

If you want to have an idea of which hosted process is faulty you can use the
tlist tool to list the processes in svchost.

Because you can have more than one svchost process running, you have to
identify the PID of the 100% CPU svchost process.
As soon as you have the PID, use the tlist tool to list the processes hosted
in it: "tlist <PID>"

More information here:
250320 Description of Svchost.exe in Windows 2000
http://support.microsoft.com/?id=250320

Aurelien Goillot
Microsoft France
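Added example, not part of the thread: the modern equivalent of Aurelien's "find the hot svchost PID, then tlist <PID>" procedure, plus the checks behind the original question (is the running image the one in System32, and is the dllcache copy identical). It assumes an elevated PowerShell 5.1+ on a current Windows build (the poster's Windows 2000 had only tlist/tasklist; the technique is the same: CPU time per instance, the -k group from the command line, the Service Control Manager's PID-to-service map, and the Svchost registry key). The dllcache check only fires on File Protection era systems where that folder exists.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Lists every svchost.exe instance with
# its CPU time, -k service group, hosted services, image path and signature,
# so the hot instance and anything running from the wrong place stand out.
# Note: on Windows 10+ the command line may also carry "-s <Service>" when a
# service has been split into its own svchost; the group capture still works.

$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Service Control Manager's view: which service names live in which PID.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service -Filter 'ProcessId <> 0') {
    $svcPid = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($svcPid)) { $servicesByPid[$svcPid] = @() }
    $servicesByPid[$svcPid] += $svc.Name
}

# Service groups as configured in the registry (the key the poster looked up);
# each value is a REG_MULTI_SZ listing the services that may share a process.
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups   = Get-ItemProperty -Path $groupKey

function Get-SvchostReport {
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        # MainModule can be refused for protected processes; keep scanning.
        $image = '<access denied>'
        try { $image = $p.MainModule.FileName } catch {}

        $cmd   = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").CommandLine
        $group = if ($cmd -match '-k\s+(\S+)') { $Matches[1] } else { '' }

        # svchost.exe is Microsoft-signed (catalog signature on current builds).
        $sig = 'n/a'
        if (Test-Path -LiteralPath $image) {
            $sig = (Get-AuthenticodeSignature -FilePath $image).Status
        }

        [pscustomobject]@{
            PID        = $p.Id
            CPUSeconds = [math]::Round($p.TotalProcessorTime.TotalSeconds, 1)
            Group      = $group
            Services   = ($servicesByPid[$p.Id] -join ',')
            Image      = $image
            Signature  = $sig
            InSystem32 = ($image -ieq $expectedImage)
        }
    }
}

$report = Get-SvchostReport | Sort-Object CPUSeconds -Descending
$report | Format-Table -AutoSize -Wrap

# Configured membership of the hottest instance's group, straight from the
# registry, so you also see services that could be inside it but are stopped.
$hot = $report | Select-Object -First 1
if ($hot.Group) {
    "Configured members of group '$($hot.Group)':"
    $groups.($hot.Group)
}

# Anything not running from System32, or not validly signed, is the look-alike
# pattern the thread warns about (scvhost.exe, a copy in another folder).
$report | Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' }

# On Windows 2000/XP the File Protection copy in System32\dllcache should be
# byte-identical to the live file; on current Windows the backup is in WinSxS.
$cache = Join-Path $env:SystemRoot 'System32\dllcache\svchost.exe'
if (Test-Path -LiteralPath $cache) {
    $same = (Get-FileHash -Path $cache).Hash -eq (Get-FileHash -Path $expectedImage).Hash
    "dllcache copy identical to System32 copy: $same"
}
```

The Services column is the same information `tasklist /svc` prints; the registry lookup is what tells you which of those services belong to the group by configuration rather than by what happens to be running right now.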
 

kmcdowell

Thank you Aurelien,

OK, I have the output of "tlist 644" (644 being the PID of
the guilty instance of svchost.exe). I get some intro
lines, which I will copy here, then what appears to be a
line for each of the 31 threads. Each thread has a state,
all of which are "Waiting" except one which is "Ready". I then
see a long list of what appear to be DLLs with version
numbers.

C:\>tlist 644
644 svchost.exe
CWD: C:\WINNT\system32\
CmdLine: C:\WINNT\System32\svchost.exe -k netsvcs
VirtualSize: 46416 KB PeakVirtualSize: 48564 KB
WorkingSetSize: 9752 KB PeakWorkingSetSize: 9936 KB
NumberOfThreads: 31

The "Ready" state thread looks like this:

1200 Win32StartAddr:0x78008532 LastErr:0x00000000
State:Ready


I also looked in the Registry like the MS doc said, and I
found four REG_MULTI_SZ values, one of which matches the
tlist output for the PID: netsvcs.

The values in the netsvcs group are as follows:

EventSystem
Ias
Iprip
Irmon
Netman
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
Tapisrv
Ntmssvc
wzcsvc
WmdmPmSN

Now with all this info, how could I possibly figure out
what is causing the high CPU utilization problem?

kmcdowell
 

Aurelien [MS]

Hi,

Without a dump it sounds difficult to go further.
However you can try to identify all the values in the netsvcs group and, as a
first step, disable the third-party ones to see if you can reproduce.

You can also boot in safe mode (or use msconfig) and see if you reproduce
the issue. If not, you will have to check one by one which netsvcs value is
guilty.

You can also try to unplug the network cable during the 100% and see if it
carries on. It means that the issue comes from the network. Maybe you have a
process in the netsvcs group that interacts with the network.

If in task manager you see scvhost.exe and not svchost.exe you may be
infected by a virus.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ae.html

Aurelien
 

kmcdowell


Aurelien, you talk about a "dump" and you mentioned that
in another post. How do I do this "dump" you speak of?

I unplugged network connectivity, no changes.

I checked for the scvhost thing, not an issue.

The state:Ready line in the tlist output for the PID
concerns me, it does not change, it is always in the same
state of "Ready". I checked some other computers, and have
not seen any threads stuck in a state of "Ready". The
problem is, the thread number 1144 has no reference to
what it is.

Anyone know how to find out what this thread means or how
to correlate the thread number with a process, service or
otherwise? Here is the line:

1144 Win32StartAddr:0x78008532 LastErr:0x00000000
State:Ready

kmcdowell
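Added example, not part of the thread, for the question above about correlating a thread with something meaningful. Given one svchost PID it ranks the threads by CPU time and resolves each thread's start address to the loaded module that owns it, which is what tlist's bare "TID Win32StartAddr State" lines leave out. It assumes an elevated PowerShell 5.1+ on a current Windows build and a PowerShell of the same bitness as the target (module enumeration across bitness fails); the PID 644 in the usage line is the one from the thread and is only a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Per-thread CPU time and start-address
# attribution for one process, so the thread doing the work can be told apart
# from the thirty that are merely waiting.

function Get-SvchostThreadReport {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    # Address ranges [Start, End) of every loaded module, built once; svchost
    # loads each hosted service's DLL into this same address space.
    $modules = foreach ($m in $proc.Modules) {
        [pscustomobject]@{
            Name  = $m.ModuleName
            Start = [int64]$m.BaseAddress
            End   = [int64]$m.BaseAddress + [int64]$m.ModuleMemorySize
        }
    }

    foreach ($t in $proc.Threads) {
        $addr = [int64]$t.StartAddress
        $hit  = $modules | Where-Object { $addr -ge $_.Start -and $addr -lt $_.End } |
                Select-Object -First 1
        $owner = if ($hit) { '{0}+0x{1:x}' -f $hit.Name, ($addr - $hit.Start) } else { 'unknown' }

        # WaitReason is only defined while the thread is actually in Wait state.
        $wait = if ($t.ThreadState -eq 'Wait') { $t.WaitReason } else { '' }

        [pscustomobject]@{
            TID        = $t.Id
            CPUSeconds = [math]::Round($t.TotalProcessorTime.TotalSeconds, 1)
            State      = $t.ThreadState
            WaitReason = $wait
            StartAddr  = '0x{0:x}' -f $addr
            StartIn    = $owner
        }
    }
}

# Usage: the PID is a placeholder taken from the thread; use the hot svchost's.
Get-SvchostThreadReport -ProcessId 644 |
    Sort-Object CPUSeconds -Descending |
    Format-Table -AutoSize
```

Two caveats that apply directly to the tlist output quoted above. First, a thread's start address is frequently a generic thread-start stub in a system or runtime DLL that many threads share, so StartIn will name the same module for several threads and will not by itself say which service DLL is running; for those threads only a stack walk (a debugger on the process or dump, or Process Explorer's Threads tab) shows the service code underneath. Second, "Ready" is not a stuck state: it means runnable and waiting for a CPU, and on a one-CPU machine the thread that is burning the CPU is often sampled as Ready precisely because the sampling tool is the one running at that instant. Per-thread CPU time, not thread state, is the discriminator.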
 
