100% CPU usage

[Linea Recta]

Recently performance of my XP PC is very bad. After booting I get: 100% CPU
usage in task manager.
Processes:

svchost.exe
system


Any ideas?



--


|\ /|
| \/ |@rk
\../
\/os

 

[Paul]

Recently performance of my XP PC is very bad. After booting I get: 100%
CPU usage in task manager.
Processes:

svchost.exe
system


Any ideas?

I have a theory, but you can test it.

Svchosts are a kind of deception. They contain multiple
executables inside. Some genius did this, to make them harder
to debug. And usually, all the guilty parties (the ones that
go rogue), are kept in the same svchost. I'm convinced they
do this, just to piss us off.

In WinXP Pro, you can open a command prompt, and do

tasklist /svc

That shows running processes, as well as the contents
of a svchost container. My PID 1468 for example,
has about fifteen things in that svchost.

On WinXP Home, that command isn't available. Or so they
tell me. Instead, you can use Process Explorer, click on
a svchost (or hold your mouse over it), you can do Properties
then click the Services tab, and it'll show you a list of
items inside that svchost.

http://technet.microsoft.com/en-us/sysinternals/bb896653

The one I have my eye on, is this one. It checks, amongst
other things, the dependencies of all the potential
Windows Updates. Currently, it gets a little confused when
figuring out what to do about your copy of Internet Explorer.
And in the process, chews up a CPU core. It will release the
core in around 30 minutes. Until Windows Update is checked
again, and then it'll go nuts again. The time constant
(the delay factor), has been getting worse month by month.
At one time, the delay was 5 minutes of 100% CPU, now it's
up to 30 minutes of 100% CPU.

wuauserv Automatic Updates wuauserv.dll

*******

I got this from some Microsoft blog post.

You can split it out into its own service by running:

"sc config <service> type= own"

And revert it via

"sc config <service> type= share"

In the case of the wayward Windows Update thing, that
means I'd do one of these. Once I do this, wuauserv
is kept in its own svchost. The idea being, if
it is using CPU cycles, it's the only one inside
a separate svchost, and it's guilty as charged.

sc config wuauserv type= own

So if I do that, reboot, check which svchost is
using 100%, and I find that one with wuauserv
inside it, then wuauserv is the one doing it.

*******

If your symptoms seem to match, the current workaround
is to install a pending Internet Explorer update.
There could be a KB2888505 update waiting for you.
You could go to Windows Update, check your update
history, and see if it is already installed.

Without going to Windows update, you can also get
the update as a standalone download. These are two
I could find.

------

Use this, if you're running IE6.

"Cumulative Security Update for Internet Explorer for Windows XP (KB2888505)
This update applies to Internet Explorer 6 with the following operating systems:
* Windows XP SP3"

http://www.microsoft.com/en-us/download/details.aspx?id=41064

------

Use this, if you're running IE8.

Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2888505)
This update applies to Internet Explorer 8 with the following operating systems:
* Windows XP SP3

http://www.microsoft.com/en-us/download/details.aspx?id=41074

------

Now, how this works, it isn't like some code in that
package, "fixes" your Windows Update. Instead, the
introduction of that patch, juggles the dependencies
enough, that the wuauserv doesn't get stuck in a loop.
I haven't read anything to convince me, we've seen the
last of this bug.

If that theory doesn't pan out, and you can't finger
that particular one, you can still use some of those
ideas to help track it down. If necessary, you could
take all fifteen services out of the "common" svchost
and make them run separately. It probably requires a
reboot, to see the new orientation (type= own).

Paul

 

[JJ]

Svchosts are a kind of deception. They contain multiple
executables inside. Some genius did this, to make them harder
to debug. And usually, all the guilty parties (the ones that
go rogue), are kept in the same svchost. I'm convinced they
do this, just to piss us off.

It for efficiency, but yes, it does make things much more complicated and
annoying when something goes wrong.

I wonder if I could use a copy of the svchost.exe but with different name,
in order to isolate a service in its own process.
For example, for the dnscache service, make a copy of "svchost.exe" as
"svchost_dnscache.exe". Then change the dnscache's service configuration to
point to "svchost_dnscache.exe" instead of "svchost.exe". Of course, keeping
all the command line parameters intact.

 

[Paul in Houston TX]

Recently performance of my XP PC is very bad. After booting I get: 100%
CPU usage in task manager.
Processes:

svchost.exe
system

Any ideas?

Better look for a trojan, virus, rootkit, slug, malware.

 

[Paul]

It for efficiency, but yes, it does make things much more complicated and
annoying when something goes wrong.

I wonder if I could use a copy of the svchost.exe but with different name,
in order to isolate a service in its own process.
For example, for the dnscache service, make a copy of "svchost.exe" as
"svchost_dnscache.exe". Then change the dnscache's service configuration to
point to "svchost_dnscache.exe" instead of "svchost.exe". Of course, keeping
all the command line parameters intact.

I think I've seen that idea mentioned in the past.

By sheer luck, one of the two bookmarks I've got,
contains a similar idea. All I've ever done,
is the "sc config" thing, long enough to
confirm who is the guilty party.

http://blogs.msdn.com/b/spatdsg/archive/2007/09/17/debugging-services.aspx

http://support.microsoft.com/kb/934650

Paul

 

[Linea Recta]

I have a theory, but you can test it.

Svchosts are a kind of deception. They contain multiple
executables inside. Some genius did this, to make them harder
to debug. And usually, all the guilty parties (the ones that
go rogue), are kept in the same svchost. I'm convinced they
do this, just to piss us off.

In WinXP Pro, you can open a command prompt, and do

tasklist /svc

That shows running processes, as well as the contents
of a svchost container. My PID 1468 for example,
has about fifteen things in that svchost.

On WinXP Home, that command isn't available. Or so they
tell me. Instead, you can use Process Explorer, click on
a svchost (or hold your mouse over it), you can do Properties
then click the Services tab, and it'll show you a list of
items inside that svchost.

http://technet.microsoft.com/en-us/sysinternals/bb896653

The one I have my eye on, is this one. It checks, amongst
other things, the dependencies of all the potential
Windows Updates. Currently, it gets a little confused when
figuring out what to do about your copy of Internet Explorer.
And in the process, chews up a CPU core. It will release the
core in around 30 minutes. Until Windows Update is checked
again, and then it'll go nuts again. The time constant
(the delay factor), has been getting worse month by month.
At one time, the delay was 5 minutes of 100% CPU, now it's
up to 30 minutes of 100% CPU.

wuauserv Automatic Updates wuauserv.dll

*******

I got this from some Microsoft blog post.

You can split it out into its own service by running:

"sc config <service> type= own"

And revert it via

"sc config <service> type= share"

In the case of the wayward Windows Update thing, that
means I'd do one of these. Once I do this, wuauserv
is kept in its own svchost. The idea being, if
it is using CPU cycles, it's the only one inside
a separate svchost, and it's guilty as charged.

sc config wuauserv type= own

So if I do that, reboot, check which svchost is
using 100%, and I find that one with wuauserv
inside it, then wuauserv is the one doing it.

*******

If your symptoms seem to match, the current workaround
is to install a pending Internet Explorer update.
There could be a KB2888505 update waiting for you.
You could go to Windows Update, check your update
history, and see if it is already installed.

Without going to Windows update, you can also get
the update as a standalone download. These are two
I could find.

------

Use this, if you're running IE6.

"Cumulative Security Update for Internet Explorer for Windows XP
(KB2888505)
This update applies to Internet Explorer 6 with the following operating
systems:
* Windows XP SP3"

http://www.microsoft.com/en-us/download/details.aspx?id=41064

------

Use this, if you're running IE8.

Cumulative Security Update for Internet Explorer 8 for Windows XP
(KB2888505)
This update applies to Internet Explorer 8 with the following operating
systems:
* Windows XP SP3

http://www.microsoft.com/en-us/download/details.aspx?id=41074

------

Now, how this works, it isn't like some code in that
package, "fixes" your Windows Update. Instead, the
introduction of that patch, juggles the dependencies
enough, that the wuauserv doesn't get stuck in a loop.
I haven't read anything to convince me, we've seen the
last of this bug.

If that theory doesn't pan out, and you can't finger
that particular one, you can still use some of those
ideas to help track it down. If necessary, you could
take all fifteen services out of the "common" svchost
and make them run separately. It probably requires a
reboot, to see the new orientation (type= own).

Paul

hi Paul,


I have been trying hard this evening to implement your ideas, but I can
hardly get things moving at all on the mentioned computer and am now mailing
from another computer. I did manage to run process explorer, but sadly the
list of services can't be saved in any sensible way, so I saved a
screenshot.
wuauserv was one of the services. While working I saw the yellow update
shield on the task bar dissapearing and reappearing and stuck again on 8% so
I suppose it is an update issue (again).

I'll see what I can do because I can hardly get anything moving with the OS
going nuts. Very annoying.


Thanks for reply.


--


|\ /|
| \/ |@rk
\../
\/os

 

[Linea Recta]

At last I succeeded in performing the 9 MS security updates, which seem to
have resolved the 100% CPU usage problem. For now...



--


|\ /|
| \/ |@rk
\../
\/os

 

[Paul]

At last I succeeded in performing the 9 MS security updates, which seem to
have resolved the 100% CPU usage problem. For now...

So it's probably the same problem I was seeing.

As far as I know, the problem isn't fixed, so
expect it to show up again.

Paul

 

[Linea Recta]

So it's probably the same problem I was seeing.

As far as I know, the problem isn't fixed, so
expect it to show up again.

Still running fine and this evening again: another update (small, no reboot)



--


|\ /|
| \/ |@rk
\../
\/os

 

[Paul]

Still running fine and this evening again: another update (small, no reboot)

The next time an Internet Explorer security update is offered,
we'll check this again

Paul

 

[J. P. Gilliver (John)]

Better look for a trojan, virus, rootkit, slug, malware.

I had this - for something like two to four weeks - and it went away.

It _wasn't_ those two processes: in fact it wasn't any obvious culprit.

I don't _think_ it was malware - I did full scans, but also my router's
light wasn't constantly flashing so I hadn't been pwned as part of a
botnet (and my ISP didn't complain), and there's nothing unusual on my
credit card statement for the period it was happening.

It wasn't the commonest problem which googling suggested, which is
indexing (?) large video files to extract an icon or something for them
- I don't have lots of such anyway, and my icon for them is the VLC cone
anyway.

My disc light wasn't on a lot, and SMART and other tests reported
nothing amiss.

I don't _think_ it was the update thing you're discussing - from what
you're saying that eventually resolves after 30 minutes; I was getting
it for as I say many days. (And I don't think I have automatic updates
turned on anyway.)

The weird thing is that it didn't actually seem to affect performance
much: it was almost as if the "System Idle process" was just being
replaced by one of the other processes. I initially noticed that I was
at 100% CPU usage (single core here) when checking Firefox's memory
usage, as it tends to be a bit of a memory hog, and also a CPU hog once
it's been up a while. But basically, although some process I was running
- often Firefox, but others too, such as explorer - showed up as 100%
(or 75%, or whatever was necessary to "take up the slack" when something
else was doing something) CPU, much like the System Idle process does -
but when I wanted to do something, I usually got CPU time back.

There _was_ a further symptom: whatever explorer windows (not IE - I
tend not to use that) I had open would at random intervals (at least I
didn't figure out any trigger) close, apart from one, whose focus would
be on My Computer. This _was_ a pain, since the news/email client I use
(Turnpike) operates as an explorer shell extension (a decision the
designers eventually came to regret, but it's abandonware now anyway),
which meant I lost my place in newsgroups, and also any news post or
email I was in the middle of composing (and no, it didn't appear in the
drafts "folder"); that _was_ annoying.

But, as I say, it all went away as mysteriously as it came: one day I
noticed I hadn't had any explorer-closes for a while, and looked and CPU
usage wasn't quite at 100%, I closed Firefox, and CPU usage went back
down to its usual around 8 to 14%, and the system has behaved since.
(CPU usage now 100% and PF 1.18 GB, but that's probably because I have
Firefox open with 47 tabs; system still responsive. Hang on, I'll close
F: yes, it's settled down at 7 to 25% and 706 MB. While the oddness was
occurring, if I closed Firefox, IIRR I got the memory back, but the CPU
usage stayed at 100%, something else - probably explorer - taking the
rest).

I _think_ I did try in safe mode and it wasn't any different, but I
can't remember now.

I do have Process Lasso running, one of the effects of which is - if I
understand it correctly! - to prevent any process taking so much of the
CPU that the system becomes unusable in terms of responsiveness; maybe
if I hadn't, it would have been worse.

All very odd!

 

[gargoyle60]

Still running fine and this evening again: another update (small, no reboot)

Similar issues here. I notice that recent updates have switched of the BITS entry in Admininstrative
Tools, Services. This small update didn't, but other updates have. I have found switching BITS back
on and setting it to Automatic mode seems to help, although I admit this might just be a
coincidence.

 

[Paul]

Did MS say they fixed it in December 2013 updates?

I think the responsible employee at Microsoft,
is still looking up the word "supersedence"
in his dictionary Then the repair project
can begin.

Don't expect this to be fixed quickly.
A link in your other post shows they tried to
rush out a fix (a zero cost fix, no developer time)
and that didn't work. They'll need budget
approval, to have a dude work on actually
changing code for WinXP. They don't like to
do that, because of the support level at
this point in time. It means some
managers in cushy offices, will have to
sign off on it.

The reason I can joke about it, is I just
tried Windows Update and it's in a loop again.
LOL. Nice. I told you the KB2888xxx side effect
wouldn't last. And it hasn't. I'm timing it now,
to see how long it'll last this time. I predict
more than half an hour. Of 100% CPU on one core.

Paul

 

[Paul]

As of today, my 100% CPU delay is over 30 minutes.
The problem is back, and for a good reason.

*******

This page has Internet Explorer for Dec 2013. I will be
installing one of these manually. KB2898785 for the
appropriate version of Internet Explorer. For my
setup, this is a 4MB download. WindowsXP-KB2898785-x86-ENU.exe
There are many different versions. People running a
different version of IE than I am, will get a different
download.

http://technet.microsoft.com/en-us/security/bulletin/ms13-097

OK, finished installing, but did not restart. In other words,
the code for IE isn't changed yet.

Theory being, just updating the state of my machine (the fact
that Internet Explorer is now "up to date"), when I test
Windows Update manually now, the over 30 minute delay is gone.

We're back to 15 seconds or so of delay, because the wuauserv thing
is no longer considering how out of date IE is. Since no update
for IE is pending, it doesn't work on that fork.

It's when the svchost thing starts up, checks the Microsoft server,
sees an Internet Explorer update incoming, that's when it
goes off into an infinite look, looking at the "supersedence"
of past IE updates. Of which, there are many.

So if January offers an IE update, then the 30 minute delay
will come back. Until I manually install the January IE update.
As long as I can prevent Windows Update from "seeing" an
incoming IE update, the problem is "worked around". For people
on automatic updates, if their 100% CPU comes back, start
looking for the incoming IE update. Install manually if it
isn't already installed.

Paul

 

[Linea Recta]

The next time an Internet Explorer security update is offered,
we'll check this again

And then you should know I don't even use the bl**dy IE. I use Chrome
nowadays, which by the way isn't as fast anymore as it used to be because
they "enhanced" it... :-(




--


|\ /|
| \/ |@rk
\../
\/os

 

[Linea Recta]

Similar issues here. I notice that recent updates have switched of the
BITS entry in Admininstrative
Tools, Services. This small update didn't, but other updates have. I have
found switching BITS back
on and setting it to Automatic mode seems to help, although I admit this
might just be a
coincidence.

I know nothing about BITS, but I certainly don't want automatic updating
going on without me knowing about it...



--


|\ /|
| \/ |@rk
\../
\/os

 

[gargoyle60]

I use Chrome
nowadays, which by the way isn't as fast anymore as it used to be because
they "enhanced" it...

You mean they overloaded it with tracking mechanisms that invade your PC and slow it down!!!
I uninstalled Chrome as soon as I noticed other programs that had been installed alongside it.

 

[Linea Recta]

You mean they overloaded it with tracking mechanisms that invade your PC
and slow it down!!!
I uninstalled Chrome as soon as I noticed other programs that had been
installed alongside it.

You mean there were no opt out choices? What programs do you mean? Then I
can check it out here.



--


|\ /|
| \/ |@rk
\../
\/os

 

[gargoyle60]

You mean there were no opt out choices? What programs do you mean? Then I
can check it out here.

Sorry, can't remember, it was a long time ago. They may have been helper applications or ad-ins, but
I noticed at least two new programs running in the background and my PC slowed down enough to be
annoying, so Chrome got the chop. I don't recall opt-ins/opt-outs.