40-60% CPU usage with Windows Firewall/ICS on

Guest

I first had a similar issue with SVCHOST running at 100% for prolonged
periods of time. I installed the hotfix and WSUS 3.1 updates, and my problem
got a little better, but not totally. I narrowed my issue down to the
Firewall/ICS service. If I turn it off, my CPU usage drops to 3%. As soon as
I start it, it jumps and hovers between 40 and 60%. Using Process Explorer I
was able to narrow the offending thread down to the wbemcore.dll. The
following dumps are from 3 different stack captures I did:
Thread: wbemcore.dll+0xf010

1)
ntoskrnl.exe!ZwAssignProcessToJobObject+0x15
ntoskrnl.exe!KeQueryRuntimeThread+0x5e8
hal.dll!HalClearSoftwareInterrupt+0x342
hal.dll!ExReleaseFastMutex+0x26
ntoskrnl.exe!ZwSetSystemInformation+0x23
ntdll.dll!KiFastSystemCallRet
kernel32.dll!VirtualAlloc+0x18
esscli.dll!CTempMemoryManager::Allocate+0xb4
repdrvfs.dll+0x145a4
wbemcore.dll+0x10d3b
wbemcore.dll+0x11884
wbemcore.dll+0x3e8e4
wbemcore.dll+0x3f899
wbemcore.dll+0x40d86
wbemcore.dll+0x414b1
wbemcore.dll+0x348d9
wbemcore.dll+0x3d755
wbemcore.dll+0x34d09
wbemcore.dll+0x4edcc
wbemcore.dll+0x11273
wbemcore.dll+0x11a19
wbemcore.dll+0x40f2a
wbemcore.dll+0x51c57
wbemcore.dll+0xef24
wbemcore.dll+0xed4e
wbemcore.dll+0x325cb
wbemcore.dll+0xdecc
wbemcore.dll+0x4d438
wbemcore.dll+0x4d624
wbemcore.dll+0x42fd1
wbemcore.dll+0x432bd
wbemcore.dll+0x3c769
wbemcore.dll+0xed4e
wbemcore.dll+0x325cb
wbemcore.dll+0xee89
wbemcore.dll+0xf055
kernel32.dll!GetModuleFileNameA+0x1b4

2)
ntoskrnl.exe!ZwAssignProcessToJobObject+0x15
ntoskrnl.exe!KeQueryRuntimeThread+0x5e8
ntoskrnl.exe!CcPurgeCacheSection+0x240
ntoskrnl.exe!NtQueryInformationToken+0x16c6
ntoskrnl.exe!ZwSetSystemInformation+0x23
ntdll.dll!KiFastSystemCallRet
USER32.dll!GetLastInputInfo+0x105
USER32.dll!MsgWaitForMultipleObjects+0x1f
wbemcore.dll+0x52791
wbemcore.dll+0x527ea
wbemcore.dll+0xedfd
wbemcore.dll+0xf055
kernel32.dll!GetModuleFileNameA+0x1b4

3)
ntoskrnl.exe!ZwAssignProcessToJobObject+0x15
ntoskrnl.exe!KeQueryRuntimeThread+0x5e8
hal.dll!HalClearSoftwareInterrupt+0x342
kernel32.dll!InterlockedDecrement+0xd
FastProx.dll!CQualifierSet::~CQualifierSet+0x2b
FastProx.dll!CClassQualifierSet::~CClassQualifierSet+0x17
FastProx.dll!CClassPart::~CClassPart+0x1a
FastProx.dll!CClassAndMethods::~CClassAndMethods+0x1a
FastProx.dll!CWbemClass::~CWbemClass+0x5a
FastProx.dll!CWbemClass::MergeClassPart+0x4a
FastProx.dll!CWbemObject::Release+0x2a
wbemcore.dll+0xf414
wbemcore.dll+0x3f899
wbemcore.dll+0x40d86
wbemcore.dll+0x414b1
wbemcore.dll+0x348d9
wbemcore.dll+0x3d755
wbemcore.dll+0x34d09
wbemcore.dll+0x4edcc
wbemcore.dll+0x11273
wbemcore.dll+0x11a19
wbemcore.dll+0x40f2a
wbemcore.dll+0x51c57
wbemcore.dll+0xef24
wbemcore.dll+0xed4e
wbemcore.dll+0x325cb
wbemcore.dll+0xdecc
wbemcore.dll+0x4d438
wbemcore.dll+0x4d624
wbemcore.dll+0x42fd1
wbemcore.dll+0x432bd
wbemcore.dll+0x3c769
wbemcore.dll+0xed4e
wbemcore.dll+0x325cb
wbemcore.dll+0xee89
wbemcore.dll+0xf055
kernel32.dll!GetModuleFileNameA+0x1b4

Can any MS or other experienced person try to figure why this is occurring?
I don't mind having my firewall off at home (since I have a hardware firewall
in place), but when I go out, I would really like to have it on. If you need
more info, please contact me. Thanks!

Derek Wade
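
An added example, not part of the original post: a small Python parser for the Process Explorer frame format shown in the captures above, used to find the call path the captures share from the thread start and which modules appear only as raw offsets. The frame lists are abridged from the post (user-mode frames only, the middle run of wbemcore.dll frames shortened), and the function names are this example's own.

```python
import re
from collections import Counter

# Abridged from the three captures in the post (leaf first): user-mode frames
# only, with the long middle run of wbemcore.dll frames in 1 and 3 shortened.
CAPTURES = {
    1: """kernel32.dll!VirtualAlloc+0x18 esscli.dll!CTempMemoryManager::Allocate+0xb4
          repdrvfs.dll+0x145a4 wbemcore.dll+0x10d3b wbemcore.dll+0x11884
          wbemcore.dll+0x3e8e4 wbemcore.dll+0x3f899 wbemcore.dll+0x40d86
          wbemcore.dll+0x414b1 wbemcore.dll+0xee89 wbemcore.dll+0xf055
          kernel32.dll!GetModuleFileNameA+0x1b4""",
    2: """ntdll.dll!KiFastSystemCallRet USER32.dll!GetLastInputInfo+0x105
          USER32.dll!MsgWaitForMultipleObjects+0x1f wbemcore.dll+0x52791
          wbemcore.dll+0x527ea wbemcore.dll+0xedfd wbemcore.dll+0xf055
          kernel32.dll!GetModuleFileNameA+0x1b4""",
    3: """kernel32.dll!InterlockedDecrement+0xd FastProx.dll!CWbemClass::~CWbemClass+0x5a
          FastProx.dll!CWbemObject::Release+0x2a wbemcore.dll+0xf414
          wbemcore.dll+0x3f899 wbemcore.dll+0x40d86 wbemcore.dll+0x414b1
          wbemcore.dll+0xee89 wbemcore.dll+0xf055
          kernel32.dll!GetModuleFileNameA+0x1b4""",
}

# module[!symbol][+0xoffset]; a frame without "!symbol" is a raw module offset.
FRAME = re.compile(r"^([^!+\s]+)(?:!([^+\s]+))?(?:\+0x([0-9a-fA-F]+))?$")

def parse(text):
    """Return [(module, symbol or None, hex offset or None), ...], leaf first."""
    matches = [FRAME.match(token) for token in text.split()]
    if None in matches:
        raise ValueError("unrecognised frame in capture")
    return [m.groups() for m in matches]

def common_tail(*stacks):
    """Frames shared by every stack, counted from the thread start upward."""
    tail = []
    for frames in zip(*(reversed(s) for s in stacks)):
        if len(set(frames)) != 1:
            break
        tail.append(frames[0])
    return tail[::-1]

def unresolved(stack):
    """Count frames per module that carry only an offset (no symbol name)."""
    return Counter(mod for mod, sym, _ in stack if sym is None)

if __name__ == "__main__":
    s = {n: parse(t) for n, t in CAPTURES.items()}
    print("shared by all:", common_tail(*s.values()))
    print("shared by 1 and 3:", len(common_tail(s[1], s[3])), "frames")
    print("offset-only frames in 1:", dict(unresolved(s[1])))
```

On this abridged data all three captures share only the two thread-start frames, while captures 1 and 3 share six frames before diverging into the esscli.dll/repdrvfs.dll and FastProx.dll leaves.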
 
Benny

Regarding the svchost problem. If you want to get rid of it totally do the
following.
The problem is caused by Microsoft Update (i.e. auto updates for Office etc).
This became an auto function in a recent Windows update. Windows Update is
separate and does not cause any problems.
To stop the excessive CPU usage caused by svchost.exe, you need to turn off
Microsoft Update by going to 'Start / Help and Support / Windows Update'.
This will open the on-line Windows Update page.
Click on "Change Settings" down the left side of the webpage and then you
should be able to turn off the Microsoft Update.
This will not affect your Windows Update. It will continue to function.
This will stop the high CPU usage problem.
Benny
 
Guest

Thank you for your reply. Unfortunately, even stopping the Automatic Update
service doesn't solve this problem. I've gone down every path for solving it
by the "Automatic Update" issue, but still it occurs, and is consistent. I
start the firewall and it spikes. I stop the firewall, and it goes to near
zero.
 
Jim Byrd

Hi Derek - You can give this a try - it's part of a 'pre-Update Agent 3 fix'
workaround that I developed in conjunction with MS personnel for the
svchost-100% WU problem, but it _may_, repeat _may_, help your issue also.
In any event, it shouldn't hurt anything. Do the following _exactly_
(*******WARNING - Since in your case you aren't trying to fix WU, do NOT do
the 'click on "Flush Software Distribution" ' step*******):

1. Go to http://wiki.djlizard.net/Dial-a-fix and download Dial-a-fix
v0.60.0.24 (2006-10-27) Here's a direct download link:
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip and a
secondary: http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip from
that page's download section, here:
http://wiki.djlizard.net/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles .

2. Unzip it to a new folder at root with any name, e.g.
c:\Dial-a-fix-v0.60.0.24

3. Double click on Dial-a-fix.exe in that folder.

4. Click on the following:
- Options/tooltips (just to get an idea of what it does in each
section. :) )
- Both boxes under Prep
- The 'all' (top) box for Sections 2, 3 and 4 (which will automatically
be set when you check 3)
- In Section 3 click on 'Flush Software Distribution' and choose 'Yes'
to force the deletion of the folder.
- In Section 5, 'Programming cores/runtimes',
'Explorer/IE/OE/shell/WMP', and 'Object linking libraries (OLE)' only.
- Click 'Go'. (Some of the re-registrations may take what seems like a
long time for some .dll's - Don't be impatient.)

5. Reboot. Now Reboot Again. (Yes, twice.)


See if that does the trick, and please post back with your
experience.



--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine2.blogspot.com/



 