svchost.exe eating up CPU all of a sudden... on BOTH my machines

[k9boy]

Hi,

I booted up my Win2k SP4 machine yesterday. It has run fairly solid for
the last few months (years?). But this time, it froze. So I rebooted.
Then I powered up my WinXP SP2 machine. Oddly, it froze during the
login. I rebooted this as well. At this point, I'm thoroughly curious.
I managed to get into my XP machine when it restarted, but about a
minute later, it was extremely sluggish. I checked my task manager and
svchost.exe (SYSTEM process) was at close to 100%. When I got into my
Win2k machine, I noticed svchost.exe (SYSTEM process) there was also
eating up large amounts of CPU. It was also eating up memory in 80MB
range.

When it happened again today, I opened up TCPView.exe (from
SysInternals... excellent application). From a fresh boot/login (no
manually started apps yet), see the rogue svchost.exe making HTTP and
HTTPS connections to assorted web addresses, such as:

C:\Windows\System32\svchost.exe -k netsvcs
user104.osisoft.com:http
user102.osisoft.com:http
65.222.92.103:http
207.46.253.157:https

And:

C:\WINNT\system32\svchost.exe -k wugroup
62.55.192.126:https
user111.osisoft.com

After a few minutes (15 minutes, perhaps) of all this activity stops
and svchost.exe behaves again. Here is a TCPView session:

alg.exe:240 TCP polar:1048 polar:0 LISTENING
svchost.exe:804 TCP polar:epmap polar:0 LISTENING
svchost.exe:868 UDP polar:ntp *:*
svchost.exe:868 UDP polar:1038 *:*
svchost.exe:868 UDP polar:1039 *:*
svchost.exe:868 UDP polar:ntp *:*
svchost.exe:868 UDP polar:1053 *:*
svchost.exe:868 UDP polar:1054 *:*
svchost.exe:868 UDP polar:1055 *:*
svchost.exe:868 UDP polar:1061 *:*
svchost.exe:868 UDP polar:1062 *:*
svchost.exe:868 UDP polar:1063 *:*
svchost.exe:868 UDP polar:1064 *:*
svchost.exe:868 UDP polar:1066 *:*
svchost.exe:868 UDP polar:1067 *:*
svchost.exe:868 UDP polar:1068 *:*
svchost.exe:868 UDP polar:1071 *:*
svchost.exe:868 UDP polar:1072 *:*
svchost.exe:912 UDP polar:1025 *:*
svchost.exe:912 UDP polar:1030 *:*
svchost.exe:912 UDP polar:1034 *:*
svchost.exe:960 UDP polar:1900 *:*
svchost.exe:960 UDP polar:1900 *:*
System:4 TCP polar:microsoft-ds polar:0 LISTENING
System:4 TCP polar:netbios-ssn polar:0 LISTENING
System:4 UDP polar:microsoft-ds *:*
System:4 UDP polar:netbios-ns *:*
System:4 UDP polar:netbios-dgm *:*

Here is a snippet from my tasklist:

Image Name PID Services

========================= ======
=============================================
System Idle Process 0 N/A

System 4 N/A

smss.exe 456 N/A

csrss.exe 516 N/A

winlogon.exe 540 N/A

services.exe 584 Eventlog, PlugPlay

lsass.exe 596 ProtectedStorage, SamSs

svchost.exe 748 DcomLaunch, TermService

svchost.exe 804 RpcSs

svchost.exe 868 AudioSrv, BITS, Browser, CryptSvc,
Dhcp,
dmserver, ERSvc, EventSystem,

FastUserSwitchingCompatibility,
helpsvc,
lanmanserver, lanmanworkstation,
Netman,
Nla, Schedule, seclogon, SENS,
SharedAccess,
ShellHWDetection, Themes, TrkWks,
W32Time,
winmgmt, wscsvc, wuauserv, WZCSVC

svchost.exe 912 Dnscache

svchost.exe 960 LmHosts, RemoteRegistry, SSDPSRV,
WebClient
vsmon.exe 996 vsmon

spoolsv.exe 1316 Spooler

DefWatch.exe 1492 DefWatch

Rtvscan.exe 1552 Norton AntiVirus Server

wdfmgr.exe 1604 UMWdf


I'm not sure what's going on. I'm more than willing to reformat my
machines, but if this is normal, then there wouldn't be much point.
I've also updated and run Symantec AV, Adaware and Spybot with no
improvement.

Well, if anyone can help, I'd greatly appreciate it.

Tom

 

[Guest]

I am receiving a *very* similar problem on my machines. One is WinXP SP2 Home
and the other is WinXP SP2 Pro. *Both are Pentium 3* (I put that in asterisks
because I think it is very important.)

Since Tuesday, svchost.exe (the one with the win auto update server running
under it) pegs at 85%, and it doesn't let me open up new programs while it is
doing so. Using Process Explorer I found that it had something to do with
ntdll.dll's heap allocation being where all the CPU time is going. I kill
that particular thread under svchost.exe, and everything comes back up.

I even reformatted a box using a XP SP2 disc and receive this exact problem
before installing *any* software (all drivers out of box since machines are a
bit old).

I *suspect* that something in the new September security updates is causing
it. When auto update tries to download the update list and start checking
things that's when it pegs out.

 

[Antioch]

Svchost and update probs are currently a subject of discussion in the
windowsupdate group

Antioch

 

[Guest]

Hello there,
I have the same problem with my old Dell Latitude CPx spare PC. And as you
can see here below others have found it to be a big problem too:
http://ask-leo.com/svchost_and_svchostexe_crashs_cpu_maximization_viruses_exploits_and_more.html

It seams to work for me to turn off the Automatic updates as described
above, but we need some kind of statement from MS what to do for the future.
I believe that if I turn it back on to get a new update where this (perhaps)
update bug is fixed, my system will crash before the fixed version is
downloaded and installed! Can someone from Microsoft comment it, please !

 

[Antioch]

MS do not comment in newsgroups - you are here for peer-to-peer discussion
and problem solving.
Ms may read these groups - dont know - some MVP's do have the 'ears' of some
MS employees.
Perhaps you may consider putting your post into the appropriate
group(windowsupdate) so more can benefit.
Rgds
Antioch