svchost.exe 99% cpu bigfix

Guest

This one is causing huge problems to lots of people, so having fixed it (for
the machine I had the problem on at least) I thought I would share the
solution that worked for me.

MS confirm it's a problem with Windows Update, so the first thing you may need
to do is boot the PC (no network) and in Control Panel temporarily disable
automatic updates to prevent your machine effectively locking up due to the
bug.

Now having got a machine you can use again, you need to apply a two-part fix;
the first part only is detailed in KB article number 927891

http://support.microsoft.com/kb/927891

MS very helpfully plan to distribute these through MSupdate in May and June
2007, though how you are meant to get them when the bug locks up your PC
whenever Auto or Manual Windows Update is run is an interesting question, as
is what you're meant to do with your machine till they issue this in June.
Answers on a postcard, to Microsoft not me.

Anyway, download the first part of the fix from the page above.

Now it gets more devilish. MS admit the other part of the fix is the updated
update installation client due out in June; however, if you know MS's internal
name for this client is WSUS client version 3 and search long enough, you can
find below where it's available for download now.

For x86 clients (ie 32 bit Windows 2000-Vista)
http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x86.exe

For x64 clients (ie AMD 64 bit PCs running the 64 bit versions of XP and
Vista)
http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x64.exe

For ia64 Clients (ie Intel Itanium processor boxes)
http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-ia64.exe

MS hide this well away; I found it through a WSUS blog which linked to a
page which was just an XML doc with the download links in.

Anyway having installed both parts all is well with MS/Windows update again.

I do think MS should have put a major warning out about this problem, with at
least instructions on sorting it, on the Windows Update website main page.

Given how much is published on the web re this problem, there must be many
thousands of people affected by this.

Cheers and good luck.
 
MowGreen [MVP]

Another semi hidden KB article that is pertinent to this issue is -

Virus scanning recommendations for computers that are running Windows
Server 2003, Windows 2000, or Windows XP
http://support.microsoft.com/kb/822158

The svchost/CPU issue is exacerbated by fragmented/damaged core files
for updating, transaction logs, and the *extensible database* -
For computers that are running Windows Server 2003, Windows 2000, or Windows XP

Do not scan the following files and folders. These files are not at risk of infection. If
you scan these files, serious performance problems may occur because of file locking.
Where a specific set of files is identified by name, exclude only those files instead of
the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any one of
these based on the file name extension. For example, do not exclude all files that have a
.dit extension. Microsoft has no control over other files that may use the same extensions
as the following files.

• Microsoft Windows Update or Automatic Update related files
  • The Windows Update or Automatic Update database file. This file is located in the
    following folder:
    %windir%\SoftwareDistribution\Datastore
    Exclude the Datastore.edb file.
  • The transaction log files. These files are located in the following folder:
    %windir%\SoftwareDistribution\Datastore\Logs
    Exclude the following files:
    • Edb*.log
      Note: The wildcard character indicates that there may be several files.
    • Res1.log
    • Res2.log
    • Edb.chk
    • Tmp.edb

When the detection scan hits the DataStore.edb there's a buffer
overflow. The following is from ProcessMonitor -

"wuauclt.exe","2984","IRP_MJ_QUERY_INFORMATION","D:\WINDOWS\SoftwareDistribution\DataStore\
DataStore.edb","BUFFER OVERFLOW","Type: QueryAllInformationFile,
CreationTime: 12/20/2004 1:33:36 PM, LastAccessTime: 11/29/2006 1:43:01
PM, LastWriteTime: 11/29/2006 1:43:01 PM, ChangeTime: 11/29/2006 1:43:01
PM, FileAttributes: A, AllocationSize: 18,882,560, EndOfFile:
18,882,560, NumberOfLi???A?K???"

Same for edb.chk, located in DataStore\Logs folder -

"wuauclt.exe","2984","IRP_MJ_QUERY_INFORMATION","D:\WINDOWS\SoftwareDistribution\DataStore\
Logs\edb.chk","BUFFER OVERFLOW","Type: QueryAllInformationFile,
CreationTime: 3/25/2005 9:38:26 PM, LastAccessTime: 11/29/2006 1:43:01
PM, LastWriteTime: 11/29/2006 1:39:38 PM, ChangeTime: 11/29/2006 1:39:38
PM, FileAttributes: A, AllocationSize: 8,192, EndOfFile: 8,192,
NumberOfLinks: 1, Del???A?K???"

After installing the latest WUA and then applying KB927891, the issue
should be alleviated. If not, one can attempt a defragmentation of
DataStore.edb from a Command Prompt -

esentutl /d %windir%\SoftwareDistribution\Datastore\datastore.edb

NOTE: XP Home Edition requires that the AU service be stopped prior to
running any operation involving DataStore.edb

There are commands for Recovery and Repair of said edb.

esentutl /r %windir%\SoftwareDistribution\Datastore\datastore.edb

[This command performs Recovery, bringing all databases to a
consistent state]

esentutl /p %windir%\SoftwareDistribution\Datastore\datastore.edb

[This command attempts to repair the damaged database]

MS recommends that for systems that have been imaged, a reimage be done
after running *any* of the operations.

A more efficient way is to just delete DataStore.edb, which requires
stopping the AU service first. The only thing lost is the update history
shown at either Windows or Microsoft Update.
One can visit WU/MU, view the updating history, print it out, and then
delete DataStore.edb.


MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============
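
As an added example (not part of the thread or of the KB article), a Python check of configured antivirus exclusions against the KB 822158 list quoted above, flagging entries that exclude by extension or by whole folder where the KB names specific files. The function names, verdict labels and the `windir` default are assumptions made for this example.

```python
import fnmatch
import ntpath

# Files the KB 822158 text quoted above says to exclude (built from that list).
DATASTORE = r"%windir%\SoftwareDistribution\Datastore"
LOGS = DATASTORE + r"\Logs"
KB_FILES = [DATASTORE + r"\Datastore.edb"] + [
    LOGS + "\\" + name
    for name in ("Edb*.log", "Res1.log", "Res2.log", "Edb.chk", "Tmp.edb")
]


def normalize(entry, windir=r"C:\Windows"):
    """Lower-case, use backslashes, drop trailing slash, fold windir to %windir%."""
    path = entry.strip().replace("/", "\\").rstrip("\\").lower()
    if ntpath.basename(path) in ("*", "*.*"):  # "folder\*" means the whole folder
        path = ntpath.dirname(path)
    root = windir.rstrip("\\").lower()
    if path == root or path.startswith(root + "\\"):
        path = "%windir%" + path[len(root):]
    return path


def classify(entry, windir=r"C:\Windows"):
    """Return 'ok', 'extension-wide', 'whole-folder' or 'not-in-kb-list'."""
    path = normalize(entry, windir)
    kb = [normalize(f, windir) for f in KB_FILES]
    # "*.edb" or "...\Logs\*.log": excludes by extension, which the KB says not to do.
    if ntpath.basename(path).startswith("*."):
        return "extension-wide"
    # An exact KB entry, or a concrete file covered by the Edb*.log pattern.
    if any(fnmatch.fnmatchcase(path, pattern) for pattern in kb):
        return "ok"
    # A folder that contains KB files: broader than the files the KB names.
    if any(f.startswith(path + "\\") for f in kb):
        return "whole-folder"
    return "not-in-kb-list"


def audit(entries, windir=r"C:\Windows"):
    """Map each configured exclusion entry to its verdict."""
    return {entry: classify(entry, windir) for entry in entries}
```

Entries reported as `not-in-kb-list` are simply outside the files this KB excerpt covers and need their own justification.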
 
