SVCHOST.EXE getting fatter than a Texan twinkie-beast

Industrial One

This bastard just got up to 1 GB yesterday after a system uptime of
maybe 2-3 days. It just keeps growing indefinitely and I have given up
with these useless fixes that never work like
http://www.technibble.com/how-to-fix-svchost-using-100-cpu-memory-leak/

Is there some way I can effectively isolate whatever is causing this?
I've gotten a dump of its services and it runs the same ****ing
services when it's bloated to a gig as when it's 20 MB when the system
starts up.

I can restart the process with ProcessExplorer but then I have no
sound unless I restart.
 
Mayayana

I don't know if this will help, but it might provide
more info: In Task Manager go to View ->
Select Columns and add PID. You can then find
out what instances of SvcHost are running what
in Process Explorer and cross-reference to T.M., by
comparing the Process IDs, to see the activity and
memory usage of each instance. That might narrow
down any badly-behaved service.

It sounds like you should probably also go through
the running services and see what you *really* need.
Many are pointless and/or risky, and many are not
necessary on a standalone PC.

--
| This bastard just got up to 1 GB yesterday after a system uptime of
| maybe 2-3 days. It just keeps growing indefinitely and I have given up
| with these useless fixes that never work like
| http://www.technibble.com/how-to-fix-svchost-using-100-cpu-memory-leak/
|
| Is there some way I can effectively isolate whatever is causing this?
| I've gotten a dump of its services and it runs the same ****ing
| services when it's bloated to a gig as when it's 20 MB when the system
| starts up.
|
| I can restart the process with ProcessExplorer but then I have no
| sound unless I restart.
 
Paul

Industrial said:
This bastard just got up to 1 GB yesterday after a system uptime of
maybe 2-3 days. It just keeps growing indefinitely and I have given up
with these useless fixes that never work like
http://www.technibble.com/how-to-fix-svchost-using-100-cpu-memory-leak/

Is there some way I can effectively isolate whatever is causing this?
I've gotten a dump of its services and it runs the same ****ing
services when it's bloated to a gig as when it's 20 MB when the system
starts up.

I can restart the process with ProcessExplorer but then I have no
sound unless I restart.

The svchost process holds groups of things. It's presumably to
save on resources, perhaps allowing each service to run in its
own thread, but without taking up an entire process while doing it.

If you have WinXP Pro, you can use "tasklist /svc" to list them.
The svchosts aren't set up to be symmetric or anything. One tends
to have way more items in it than others. You might be able to
get their names with Process Explorer as well.

I found a command here, which can separate the services and run
each one in its own svchost. And perhaps by doing that, you can
determine which one has the memory leak?

http://blogs.msdn.com/b/spatdsg/archive/2007/09/17/debugging-services.aspx

You can split it out into its own service by running:

"sc config <service> type= own"

And revert it via

"sc config <service> type= share"

The idea would be, say a svchost has fifteen different things in it.
You issue fourteen "type= own" commands, one for each named service.
Now, there'll be an additional fourteen svchost processes, as well
as the initial svchost process with its one remaining service.
Then, you wait until one of them balloons up, and you have the
leaker in your sights.

Sort of a "divide and conquer" approach.

Using a debugger on it doesn't look like it would be that much fun.
My success with debuggers, even getting them to start, is pretty low,
and it wouldn't be my first choice unless I had a "worked example" on a
web page to use as a reference.

Paul
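The two procedures above (Mayayana's PID cross-reference between Task Manager and Process Explorer, and Paul's "sc config <service> type= own" divide-and-conquer) can be done from one PowerShell script. This is an added example for this page, not code from either poster or from Microsoft; it assumes the standard Win32_Service WMI class and sc.exe are present, and the -SplitOut parameter name is this example's own choice. Run it from an elevated PowerShell window.

```powershell
# Added example, not from the thread. Maps each running svchost.exe to the
# services it hosts and its memory use, and optionally moves one service into
# its own process (sc.exe config <name> type= own) so a growing process can
# be pinned on a single service. Assumptions: Win32_Service and sc.exe exist;
# the -SplitOut parameter is this example's own name.
param(
    [string]$SplitOut   # service name to move into its own svchost, e.g. CryptSvc
)

function Get-SvchostMap {
    # Win32_Service carries the PID each service runs in; Get-Process gives
    # that process's working set and private bytes. On PowerShell 2.0 (the
    # XP-era version) replace Get-CimInstance with Get-WmiObject.
    $hosted = Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' }

    $hosted | Group-Object ProcessId | ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        $ws = $null; $pb = $null
        if ($proc) {
            $ws = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            $pb = [math]::Round($proc.PrivateMemorySize64 / 1MB, 1)
        }
        $names = $_.Group | ForEach-Object { $_.Name } | Sort-Object
        [pscustomobject]@{
            PID          = [int]$_.Name
            WorkingSetMB = $ws
            PrivateMB    = $pb
            Services     = $names -join ', '
        }
    } | Sort-Object PrivateMB -Descending
}

# Private bytes, not working set, is the number to watch for a leak: the
# working set shrinks under memory pressure, a leaking heap does not.
Get-SvchostMap | Format-Table -AutoSize -Wrap

if ($SplitOut) {
    # 'type= own' edits the service's registry entry / SCM record only; it
    # takes effect when the service next starts, hence the restart.
    # sc.exe needs the space after '=' or it rejects the option.
    sc.exe config $SplitOut type= own
    # -Force also restarts services that depend on this one, which a shared
    # host often has.
    Restart-Service -Name $SplitOut -Force
    ''
    "After split, $SplitOut now runs in:"
    Get-SvchostMap | Where-Object { $_.Services -match "(^|, )$SplitOut(,|$)" } | Format-Table -AutoSize
    # Revert with:  sc.exe config $SplitOut type= share; Restart-Service $SplitOut -Force
}
```

Two points worth keeping in mind while using it. Services sharing one svchost share one address space and one token, so a leaking (or compromised) service drags its siblings down with it; "type= own" is an isolation measure as much as a diagnostic, and Windows 10 from version 1703 already runs services in separate processes by default on machines with more than about 3.5 GB of RAM. And restarting only the one service you split out avoids the side effect in the first post: killing the whole shared process took AudioSrv down with it.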
 
Industrial One

Mayayana, I already have disabled several services that I don't need,
and knowing which services the fat svchost.exe is running doesn't mean
shit to me if I don't know which one is using how much memory.

| The svchost process holds groups of things. It's presumably to
| save on resources, perhaps allowing each service to run in its
| own thread, but without taking up an entire process while doing it.
|
| If you have WinXP Pro, you can use "tasklist /svc" to list them.
| The svchosts aren't set up to be symmetric or anything. One tends
| to have way more items in it than others. You might be able to
| get their names with Process Explorer as well.
|
| I found a command here, which can separate the services and run
| each one in its own svchost. And perhaps by doing that, you can
| determine which one has the memory leak?
|
| http://blogs.msdn.com/b/spatdsg/archive/2007/09/17/debugging-services...
|
|     You can split it out into its own service by running:
|
|     "sc config <service> type= own"
|
|     And revert it via
|
|     "sc config <service> type= share"
|
| The idea would be, say a svchost has fifteen different things in it.
| You issue fourteen "type= own" commands, one for each named service.
| Now, there'll be an additional fourteen svchost processes, as well
| as the initial svchost process with its one remaining service.
| Then, you wait until one of them balloons up, and you have the
| leaker in your sights.
|
| Sort of a "divide and conquer" approach.
|
| Using a debugger on it doesn't look like it would be that much fun.
| My success with debuggers, even getting them to start, is pretty low,
| and it wouldn't be my first choice unless I had a "worked example" on a
| web page to use as a reference.
|
|     Paul

FUUUUCK!!!! I was so ecstatic about this when I read your post, then I
tried it, typed sc config AudioSrv type =own and it said SUCCESS
but... didn't do jack shit. WTF is wrong with this piece of shit
malfunctioning operating system?
 
Paul

Industrial said:
FUUUUCK!!!! I was so ecstatic about this when I read your post, then I
tried it, typed sc config AudioSrv type =own and it said SUCCESS
but... didn't do jack shit. WTF is wrong with this piece of shit
malfunctioning operating system?

Um, reboot?

There are two possibilities. The redirection happens immediately.
Or, the redirection is achieved by changing the "group" the
service is in, causing the fork of another svchost on the next boot
up.

Reboot, and test.

*******

http://technet.microsoft.com/en-us/library/cc990290(v=WS.10).aspx

"sc config

Modifies the value of a service's entries in the registry
and in the Service Control Manager database."

Sounds like a job for a reboot to me.

Paul
 
Industrial One

| Um, reboot?
|
| There are two possibilities. The redirection happens immediately.
| Or, the redirection is achieved by changing the "group" the
| service is in, causing the fork of another svchost on the next boot
| up.
|
| Reboot, and test.
|
| *******
|
| http://technet.microsoft.com/en-us/library/cc990290(v=WS.10).aspx
|
|     "sc config
|
|      Modifies the value of a service's entries in the registry
|      and in the Service Control Manager database."
|
| Sounds like a job for a reboot to me.
|
|     Paul

My bad, I didn't realize I had to restart the service until I checked
the links. Anyway, I'm now laughing because the once-500MB svchost.exe
now dropped to 25 MB and CryptSvc is now running in a separate
svchost, taking up about 4 megs.

So, is the idea to separate all of them and see which one bloats up?
Why did memory usage drop?
 
Mayayana

| Mayayana, I already have disabled several services that I don't need,
| and knowing which services the fat svchost.exe is running doesn't mean
| shit to me if I don't know which one is using how much memory.

My post was explaining how to at least narrow it down to
one instance of svchost. (There are usually several running.)
By hovering over each instance on ProcExp. you can see
which services it represents. By then showing the PID in
Task Manager you can match up the memory-intensive
svchost instance with the list of its services in ProcExp.

I think what Paul posted was instructions to separate
out each individual service.
 
Paul

Industrial said:
My bad, I didn't realize I had to restart the service until I checked
the links. Anyway, I'm now laughing because the once-500MB svchost.exe
now dropped to 25 MB and CryptSvc is now running in a separate
svchost, taking up about 4 megs.

So, is the idea to separate all of them and see which one bloats up?
Why did memory usage drop?

My objective here, was to debug this without a debugger, and try
and reduce it to the guilty party. It still might take a while
to balloon up again, if it's a leak.

The idea would be, if you made fifteen separate svchosts, and only
one of them swelled to 1GB, then you'd know the single service
contained inside was the culprit. And could then Google for an answer.

Paul
 
Industrial One

Mayayana, I can already tell which svchost is the fat one by sorting
processes by memory consumption, it's not exactly the feat of a gosu.

Paul, I have restarted my comp since the last post and it appears the
Cryptographic Services svchost.exe is the culprit here. At restart it
was 9 MB, the largest of them all, now it grew to 40 MB.

It is still too early to tell, but I won't be surprised if it reaches
hundreds of megs if I give it enough time. Do I even need this
service? This is the thing that blocks "uncertified" applications,
right? I wonder how many times I had to click "unblock" after it
intercepted the 100th legitimate program from installing.
 
Paul

Industrial said:
Mayayana, I can already tell which svchost is the fat one by sorting
processes by memory consumption, it's not exactly the feat of a gosu.

Paul, I have restarted my comp since the last post and it appears the
Cryptographic Services svchost.exe is the culprit here. At restart it
was 9 MB, the largest of them all, now it grew to 40 MB.

It is still too early to tell, but I won't be surprised if it reaches
hundreds of megs if I give it enough time. Do I even need this
service? This is the thing that blocks "uncertified" applications,
right? I wonder how many times I had to click "unblock" after it
intercepted the 100th legitimate program from installing.

Any chance this is TDSS/Alureon rootkit? I tried searching on cryptsvc,
and for some reason, ended up here.

http://answers.microsoft.com/en-us/...e-memory/d022cae7-0304-463c-a9de-e4f8b4eb078b

Kaspersky makes a TDSSKiller for things like this. It would be
a tool to use, if you can independently confirm that is what it is.
TDSSKiller can scan as well, but it's nice to know what you're
dealing with first. (Kaspersky also makes a rescue disc that scans
for everything, which might be another option.)

http://support.kaspersky.com/viruses/solutions?qid=208280684

Kaspersky (offline, self-booting) rescue disk, fresh version at 237MB.
When I tested this yesterday, the AV definitions were up to date, so this one
is hot off the presses. If you click the update button in here, I wouldn't
expect it to need a very large update at runtime.

http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286083

Wuauserv (something to do with Windows Update?), also used to cause
a problem. If you're searching on "svchost", you're likely to get
distracted by these.

http://help.wugnet.com/windows/Windows-XP-svchost-exe-ftopict565259.html

Paul
 
Industrial One

| Any chance this is TDSS/Alureon rootkit? I tried searching on cryptsvc,
| and for some reason, ended up here.
|
| http://answers.microsoft.com/en-us/windows/forum/windows_xp-performan...

Yeah I got there too and downloaded that MSRT scan. It said I was in
the clear.

| Kaspersky makes a TDSSKiller for things like this. It would be
| a tool to use, if you can independently confirm that is what it is.
| TDSSKiller can scan as well, but it's nice to know what you're
| dealing with first. (Kaspersky also makes a rescue disc that scans
| for everything, which might be another option.)
|
| http://support.kaspersky.com/viruses/solutions?qid=208280684

I downloaded that small TDSSKiller and it found nothing.

| Kaspersky (offline, self-booting) rescue disk, fresh version at 237MB.
| When I tested this yesterday, the AV definitions were up to date, so this one
| is hot off the presses. If you click the update button in here, I wouldn't
| expect it to need a very large update at runtime.
|
| http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286083

I had Kaspersky a few months ago and had to uninstall it, it got
corrupted when I tried to cheat my way out of the evaluation period
and the user interface is a lot less intuitive than Avast! but I had
to uninstall that too as it kept bluescreening my system.

| Wuauserv (something to do with Windows Update?), also used to cause
| a problem. If you're searching on "svchost", you're likely to get
| distracted by these.
|
| http://help.wugnet.com/windows/Windows-XP-svchost-exe-ftopict565259.html
|
|     Paul

My auto updates are off.

So now that the mystery is solved, I could just terminate the Crypt
service and breathe some fresh air, but I'm genuinely curious what
caused it to go over the roof. On ProcessExplorer the DLL that uses up
the most user/kernel time and CSwitch delta is xpsp2res.dll. Do you
think it could be a virus?
 
Paul

Industrial said:
My auto updates are off.

So now that the mystery is solved, I could just terminate the Crypt
service and breathe some fresh air, but I'm genuinely curious what
caused it to go over the roof. On ProcessExplorer the DLL that uses up
the most user/kernel time and CSwitch delta is xpsp2res.dll. Do you
think it could be a virus?

This is what I get on a search of C: for that DLL.

xpsp2res.dll

http://img803.imageshack.us/img803/1576/lotsadll.gif

The properties on mine say "Service Pack 2 messages" and
the MUI component implies something different is used for
each language of installation. The dates on mine, imply
they haven't been changed since my WinXP SP3 disc was used
for installation.

So it's probably some kind of container for "resources" that
other things use. Like error messages or messages for dialog boxes.
You wouldn't think you'd need to reference a resource, until
you actually use it?

C:\WINDOWS\system32
2,897,920 bytes
5.1.2600.5512 (xpsp.080413-2113)
MD5sum = 16403217ab6fc5c30c14c6b12098ad4b

If I pop that MD5sum into the virustotal.com search, my copy is clean.
(I haven't done Feb.2012 patch tuesday yet, so I'm not completely up to date.)

https://www.virustotal.com/file/dea...3a77e428d493518d1c6f796b003d4f07305/analysis/

If your copy is different than that, you could upload a copy to virustotal
for a scan.

Paul
 
Industrial One

| This is what I get on a search of C: for that DLL.
|
| xpsp2res.dll
|
| http://img803.imageshack.us/img803/1576/lotsadll.gif
|
| The properties on mine say "Service Pack 2 messages" and
| the MUI component implies something different is used for
| each language of installation. The dates on mine, imply
| they haven't been changed since my WinXP SP3 disc was used
| for installation.
|
| So it's probably some kind of container for "resources" that
| other things use. Like error messages or messages for dialog boxes.
| You wouldn't think you'd need to reference a resource, until
| you actually use it?
|
| C:\WINDOWS\system32
| 2,897,920 bytes
| 5.1.2600.5512 (xpsp.080413-2113)
| MD5sum = 16403217ab6fc5c30c14c6b12098ad4b
|
| If I pop that MD5sum into the virustotal.com search, my copy is clean.
| (I haven't done Feb.2012 patch tuesday yet, so I'm not completely up to date.)
|
| https://www.virustotal.com/file/dea7c556ba9c91e056e6035e77a793a77e428...
|
| If your copy is different than that, you could upload a copy to virustotal
| for a scan.
|
|     Paul

I have 53 xpsp2res.dll files in my WINDOWS folder, is this normal?
Most of them are in a folder called MUI.
 
Paul

Industrial said:
I have 53 xpsp2res.dll files in my WINDOWS folder, is this normal?
Most of them are in a folder called MUI.

MUI = Multilingual User Interface

http://en.wikipedia.org/wiki/Multilingual_User_Interface

so they could represent resources to deliver messages in different languages.

I have about half as many as you. It's possible, that depending on what
country you bought the installer CD in, the MUI situation could differ.
So I might see something different than you.

http://img803.imageshack.us/img803/1576/lotsadll.gif

Paul
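Paul's two posts above (hash the system32 copy of xpsp2res.dll and look the MD5 up on VirusTotal; then account for the dozens of copies under MUI and $NtServicePackUninstall$) can be done in one pass. This is an added example for this page, not code from either poster; the only thing it takes from the thread is the MD5 Paul posted for xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113). The parameter names and defaults are this example's own choices.

```powershell
# Added example, not from the thread. Finds every copy of a DLL under the
# Windows directory, hashes each one, and groups the copies by hash, so the
# MUI / service-pack-uninstall duplicates cluster together and any
# odd-one-out is obvious. $KnownMD5 defaults to the value Paul posted;
# the parameter names are this example's own.
param(
    [string]$Name     = 'xpsp2res.dll',
    [string]$Root     = $env:SystemRoot,
    [string]$KnownMD5 = '16403217ab6fc5c30c14c6b12098ad4b'
)

# Get-FileHash needs PowerShell 4+; on older systems "certutil -hashfile <file> MD5"
# gives the same digest.
$copies = Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Size    = $_.Length
            Version = $_.VersionInfo.FileVersion
            MD5     = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            # OS files are catalog-signed: Windows 8+ PowerShell consults the
            # catalogs, XP-era PowerShell reports NotSigned for them (use
            # Sysinternals "sigcheck -a" there instead).
            Signed  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }

"{0} copies of {1} under {2}" -f @($copies).Count, $Name, $Root
''
# One paragraph per distinct hash. A clean install gives a few large groups
# (one per service-pack level / language); a group of one is what to look at.
$copies | Group-Object MD5 | Sort-Object Count -Descending | ForEach-Object {
    $first = $_.Group[0]
    $flag  = if ($_.Name -eq $KnownMD5.ToLower()) { 'matches posted MD5' } else { 'not the posted MD5' }
    "{0,3} x  md5 {1}  ({2})" -f $_.Count, $_.Name, $flag
    "       version {0}, {1} bytes, signature {2}" -f $first.Version, $first.Size, $first.Signed
    "       sha256 {0}   <- use this for the VirusTotal lookup" -f $first.SHA256
    $_.Group | ForEach-Object { "       " + $_.Path }
    ''
}
```

Read the output with two caveats. A copy whose hash matches a known-good value only proves the file on disk is the one Microsoft shipped; it says nothing about what has been loaded into the running svchost, so also compare the module path Process Explorer shows against the on-disk copy. And if xpsp2res.dll is, as Paul describes, a resource-only DLL, it does no allocation of its own; the service calling into it (CryptSvc in this thread) is the one to keep watching.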
 
Industrial One

| MUI = Multilingual User Interface
|
| http://en.wikipedia.org/wiki/Multilingual_User_Interface
|
| so they could represent resources to deliver messages in different languages.
|
| I have about half as many as you. It's possible, that depending on what
| country you bought the installer CD in, the MUI situation could differ.
| So I might see something different than you.
|
| http://img803.imageshack.us/img803/1576/lotsadll.gif
|
|     Paul

I have 26 in the folder $NtServicePackUninstall$ and 25 in MUI. Screw
it, I can't spot any abnormality in any of this.

Thanks for the help in isolating the problematic bastard though, you
da man Paul!
 
Paul

Industrial said:
I have 26 in the folder $NtServicePackUninstall$ and 25 in MUI. Screw
it, I can't spot any abnormality in any of this.

Thanks for the help in isolating the problematic bastard though, you
da man Paul!

Maybe you have a patch that I don't have?

Check for a KB number on the folder holding the additional xpsp2res.dll
items.

Perhaps your OS, was originally installed from an SP2 disc, and
then Windows update delivered SP3, and the additional ones came
from that?

Paul
 
Industrial One

| Maybe you have a patch that I don't have?
|
| Check for a KB number on the folder holding the additional xpsp2res.dll
| items.
|
| Perhaps your OS, was originally installed from an SP2 disc, and
| then Windows update delivered SP3, and the additional ones came
| from that?
|
|     Paul

Correct. You were the one that convinced my reluctant-ass to upgrade
to SP3. I can't say I've regretted it all.

Anyway, the cryptsvc is still going out of whack. If I disable it, it
re-enables itself upon restart. I'm thinking I should do the latest
Windows update to see if it fixes the problem altogether but their
website won't accept my license key. It probably thinks it's pirated
because I've reinstalled XP a number of times and I've been to several
different locations and countries in the past 7 years, but I've always
used the same key.

Is there an alternative location where the latest patches can be
downloaded? Thanks.
 
Paul

Industrial said:
Correct. You were the one that convinced my reluctant-ass to upgrade
to SP3. I can't say I've regretted it all.

Anyway, the cryptsvc is still going out of whack. If I disable it, it
re-enables itself upon restart. I'm thinking I should do the latest
Windows update to see if it fixes the problem altogether but their
website won't accept my license key. It probably thinks it's pirated
because I've reinstalled XP a number of times and I've been to several
different locations and countries in the past 7 years, but I've always
used the same key.

Is there an alternative location where the latest patches can be
downloaded? Thanks.

There may be alternative sites for the security patches. But
any packages to enhance the OS, shouldn't be available that
way. Things like AutoPatcher are one way to get security updates.
The AutoPatcher method is supposed to work, because there
aren't supposed to be any restrictions on security updates.
AutoPatcher still results in a download from Microsoft, as far
as I know.

http://en.wikipedia.org/wiki/AutoPatcher

Now, when they were about to shut down support for Win2K, I wanted
to get AutoPatcher set up for Win2K, and they'd stopped supporting
it, and since the setup wasn't complete for it, it would have been
a waste of time. I hope whoever works on it, does a better job for
WinXP. AutoPatcher requires work by the authors, after every
"Patch Tuesday", so it's not like the tool does all the work
by itself.

Microsoft support should be willing to talk about Windows Update
issues, like not being able to get in. There are certain topics
they should be able to support, without a credit card and fee.
Perhaps it can be resolved over the phone. For example, for about
a year after a Service Pack is offered for download, they should be
available to help with Service Pack installation issues. But if you
had some "general computing" problem, they'd pull the old credit
card trick. It's the part where they screwed up, that they support.
And in the case of Service Packs, for a limited time.

Paul
 