svchost.exe hogging my CPU

N

-Nisko-

For the past week or so, one instance of svchost has been hogging 70% to 90%
of my CPU. I have tried many ways to find the culprit to no avail. Once in
a while, when I boot, it doesn't happen - but, most of the time, it does
happen. The result is that my PC becomes extremely sluggish - so slow that
it's unusable. I use McAfee anti-virus and a variety of spyware finders -
and the Microsoft Windows Malicious Software Removal Tool. None of these
has found anything unusual going on. All my signatures are up to date. Can
anyone help me rid my PC of this issue? Thanks.......
 
D

Duane Arnold

-Nisko- said:
For the past week or so, one instance of svchost has been hogging 70% to 90%
of my CPU. I have tried many ways to find the culprit to no avail. Once in
a while, when I boot, it doesn't happen - but, most of the time, it does
happen. The result is that my PC becomes extremely sluggish - so slow that
it's unusable. I use McAfee anti-virus and a variety of spyware finders -
and the Microsoft Windows Malicious Software Removal Tool. None of these
has found anything unusual going on. All my signatures are up to date. Can
anyone help me rid my PC of this issue? Thanks.......

You can use Process Explorer and look at the SVchost.exe and see what's
running with it, a hidden process. Svchost.exe is the host process,
whether that by malware or a legit process. You can use PE to see what
processes SVChost.exe is hosting.

http://www.vernalex.com/guides/malware/tools.shtml

If svchost.exe is not running out of the Winnt/system32 directory, then
it's a Trojan.

Go to the area about Process Explorer and learn how to use it to look at
running processes. It may not even be malware that's causing the problem
too and you can see all processes running with a host process such as an
(exe).

Duane :)
 
T

thecreator

Hi Nisko,

Plug and Play Set to Manual
SSDP Discovery Service Set to Manual
Universal Plug and Play Device Host Set to Automatic

Go into Services and changes the above Services. Reboot.
 
V

Vanguard

Duane Arnold said:
You can use Process Explorer and look at the SVchost.exe and see
what's running with it, a hidden process. Svchost.exe is the host
process, whether that by malware or a legit process. You can use PE
to see what processes SVChost.exe is hosting.

http://www.vernalex.com/guides/malware/tools.shtml

If svchost.exe is not running out of the Winnt/system32 directory,
then it's a Trojan.

Go to the area about Process Explorer and learn how to use it to
look at running processes. It may not even be malware that's causing
the problem too and you can see all processes running with a host
process such as an (exe).

Duane :)


For Process Explorer and other system tools, tis probably best to go
to http://www.sysinternals.com to get them directly from SysInternals
instead of some 3rd party site.
 
D

David H. Lipman

From: "-Nisko-" <[email protected]>

| For the past week or so, one instance of svchost has been hogging 70% to 90%
| of my CPU. I have tried many ways to find the culprit to no avail. Once in
| a while, when I boot, it doesn't happen - but, most of the time, it does
| happen. The result is that my PC becomes extremely sluggish - so slow that
| it's unusable. I use McAfee anti-virus and a variety of spyware finders -
| and the Microsoft Windows Malicious Software Removal Tool. None of these
| has found anything unusual going on. All my signatures are up to date. Can
| anyone help me rid my PC of this issue? Thanks.......
|

Use the SysInternals ProcessExplorer and determine if SVCHOST.EXE is executed in a location
OTHER than %windir%\system32

http://www.sysinternals.com/Utilities/ProcessExplorer.html

If you find SVCHOST.EXE running in a different location, then its malware.

Look at "thecreator's" answers for possible resource hoggers.
 
N

-Nisko-

Hi! I've been researching this issue and I found that it's not new.
However, I haven't found the cause and it seems some things work for some
people - and some don't. Is your fix a sure thing? What causes this
problem? Thanks......


Hi Nisko,

Plug and Play Set to Manual
SSDP Discovery Service Set to Manual
Universal Plug and Play Device Host Set to Automatic

Go into Services and changes the above Services. Reboot.
 
N

-Nisko-

I used Process Explorer - and svchost is only in the system32 folder. BTW,
what does %windir% mean? In other words, how do I interpret something
inside % marks? Thanks.....
 
N

-Nisko-

Also, by changing the settings as you suggest, what does that do? What
should I look out for?


Hi Nisko,

Plug and Play Set to Manual
SSDP Discovery Service Set to Manual
Universal Plug and Play Device Host Set to Automatic

Go into Services and changes the above Services. Reboot.
 
D

David H. Lipman

From: "-Nisko-" <[email protected]>

| I used Process Explorer - and svchost is only in the system32 folder. BTW,
| what does %windir% mean? In other words, how do I interpret something
| inside % marks? Thanks.....
|


Text inside the %% are names of environmental variables.

For example;
%windir%
will point to c:\windows or c:\winnt (or other location) as the base Win32 folder
depending upon thye OS and what was chosen

%tmp% and %TEMP%
Point to the TEMPorary folder

Open a Command Prompt and type; set and then hist the enter key.
You will see a list of commonly displayed environmental variables.

They can be used within a Command Prompt, at; Start --> Run , within BAT and CMD files,
within LNK files, etc.

The important concept is that SVCHOST.EXE was the legitimate OS version and thus it in
itself is not malware and if SVCHOST.EXE is bringing the CPU utilization up aroun 99% then
one of the services it is serving up has a problem.

Using ProcessExplorer you will see what each running version of SVCHOST.EXE is serving up.
 
T

thecreator

Hi Nisko,

I was told to have the Startup Icon load or be displayed at Boot to disabled both SSDP Discovery Service and Universal Plug and Play Device Host. When I did that, on reboot SVCHOST.EXE CPU Usage was very high. I could not do a thing. Once I changed them to Manual Starting at least, and started them manually, the CPU Usage dropped.

Do this: Open Task Manager and double-click on CPU. Purpose to sort Processes by CPU Usage and bring the Processes that are using the CPU to the top. Next Open Services and scroll down until you locate and find the status of them. Whether they are disabled or Manual or Automatic. You can only open one at a time, but the next time it occurs with High CPU Usage, open Task Manager and open Services. Start the process(es) and see what effect it has on your computer and CPU Usage.

Remember, you aren't deleting anything, just changing how the Services start. So it really can't hurt your computer.
 
T

thecreator

If you are using Windows XP in default mode, where XP hides the Startup Icons, this will restore the missing icons.
 
N

-Nisko-

Thank you......


Hi Nisko,

I was told to have the Startup Icon load or be displayed at Boot to
disabled both SSDP Discovery Service and Universal Plug and Play Device
Host. When I did that, on reboot SVCHOST.EXE CPU Usage was very high. I
could not do a thing. Once I changed them to Manual Starting at least, and
started them manually, the CPU Usage dropped.

Do this: Open Task Manager and double-click on CPU. Purpose to sort
Processes by CPU Usage and bring the Processes that are using the CPU to the
top. Next Open Services and scroll down until you locate and find the status
of them. Whether they are disabled or Manual or Automatic. You can only open
one at a time, but the next time it occurs with High CPU Usage, open Task
Manager and open Services. Start the process(es) and see what effect it has
on your computer and CPU Usage.

Remember, you aren't deleting anything, just changing how the Services
start. So it really can't hurt your computer.
 
N

-Nisko-

Thanks...it's a little clearer now - but to understand it better, I'll have
to experiment like you suggested with the Command Prompt.
 
D

Duane Arnold

Vanguard said:
For Process Explorer and other system tools, tis probably best to go to
http://www.sysinternals.com to get them directly from SysInternals
instead of some 3rd party site.

For the most part I would agree, but for a novice with such software,
one doesn't know how to use it and sysinternals doesn't explain it at
all. This site shows very well how to use the solution, which I have
gotten tired of showing the how to use it. So, I'll continue to use this
site. Besides, MS brought out sysinternals so I don't know how long
systintranls is going to be around.

Duane :)
 
V

Vanguard

Besides, MS brought out sysinternals so I don't know how long
systintranls is going to be around.

Oh oh. Better download all the SysInternal tools before Microsoft
vaporizes them. Microsoft bought WinInternals who sponsors
SysInternals so, yeah, the SysInternals stuff could just disappear
since Microsoft only needs to comply with existing contracts with
paying *customers* of WinInternals.
 
D

Duane Arnold

David said:
From: "-Nisko-" <[email protected]>

| I used Process Explorer - and svchost is only in the system32 folder. BTW,
| what does %windir% mean? In other words, how do I interpret something
| inside % marks? Thanks.....
|


Text inside the %% are names of environmental variables.

For example;
%windir%
will point to c:\windows or c:\winnt (or other location) as the base Win32 folder
depending upon thye OS and what was chosen

%tmp% and %TEMP%
Point to the TEMPorary folder

Open a Command Prompt and type; set and then hist the enter key.
You will see a list of commonly displayed environmental variables.

They can be used within a Command Prompt, at; Start --> Run , within BAT and CMD files,
within LNK files, etc.

The important concept is that SVCHOST.EXE was the legitimate OS version and thus it in
itself is not malware and if SVCHOST.EXE is bringing the CPU utilization up aroun 99% then
one of the services it is serving up has a problem.

Using ProcessExplorer you will see what each running version of SVCHOST.EXE is serving up.

You know, I have mentioned Process Explorer to numerous posters in
various NG(s). It's only been twice in all that time that someone took
PE and was able to spot something. Those two were skilled professionals
that could tack down the culprit. One was a Web admin that used PE to
find malware, that everything she used couldn't find it. The other one
was a person who used PE to track down something MS had done to send
svchost.exe out of control.

Now, I am going back to watching Amreican Chopper. Paul Sr. and Jr. are
in another heated argument and are ready to kill each other on who has
control of the shop. ;-)

Duane :)
 
D

Duane Arnold

Vanguard said:
Oh oh. Better download all the SysInternal tools before Microsoft
vaporizes them. Microsoft bought WinInternals who sponsors SysInternals
so, yeah, the SysInternals stuff could just disappear since Microsoft
only needs to comply with existing contracts with paying *customers* of
WinInternals.

It was something about MS putting one or two guys that developed the
tools on MS's payroll. I am sure they are getting paid very well with
nice benefits and other things in the pot. They would have been fools
not to take the offer.

You know the old saying. $$$$ talk and BS walks. ;-)

Duane :)
 
N

-Nisko-

I don't know what you mean by default mode - or missing the startup icons.
Please explain. I'm learning something from your help. Thanks.......


If you are using Windows XP in default mode, where XP hides the Startup
Icons, this will restore the missing icons.
 
N

-Nisko-

I'm using PE and have found that svchost.exe is only in my system32 folder.
Also, all the processes associated with the out of control svchost are
legitimate.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top