SVCHost keeps crashing

[Andrew Faust]

I recently did a reinstall of Windows XP Pro and ever since svchost crashes
about 4 times a day. Specifically, it's the netsvcs instance of svchost.
After the process terminates, I lose all the functionality provided by those
services such as audio mixers, themes, network browsing, etc. However, I can
restart all the services manually to get functionality again (or reboot).

I've tried everything I can think of. I've run Microsoft's Memory Diagnostic
to ensure my RAM was good. I've installed all the latest windows updates.
I've virus and spyware scanned my system.

I never had any of these crashes on my previous install of windows.

At this point the only idea I have left is to modify my registry to make all
the services run under separate instances of svchost to narrow down the
specific service that's crashing. However, I've heard that this causes all
sorts of other problems so didn't want to pursue this option just yet.

Any ideas?

Thanks,

Andrew Faust

 

[PA Bear [MS MVP]]

Did you do a Repair Install or a format & reinstall?

Is Automatic Updates enabled and is the machine now fully patched at Windows
Update?...

Updates are not installed successfully from Windows Update, from Microsoft
Update, or by using Automatic Updates after you repair a Windows XP
installation:
http://support.microsoft.com/kb/943144

 

[Andrew Faust]

I reformatted and installed fresh. I have automatic updates turned on for
critical items and then use Windows Update Website for optional updates.
Currently Windows Update says there are 0 High, 0 Software and 0 Hardware
updates available to me, so my system is up to date.

 

[PA Bear [MS MVP]]

You have the equivalent of a new computer:

Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html

Security FAQ & Checklist
http://www.dslreports.com/faq/8463

 

[Andrew Faust]

Thanks for the reply. I have a high degree of confidence that this isn't a
virus or spyware related issue. My belief at this point is that it's a driver
issue. Unfortunately, the instance of svchost (netsvcs) hosts about 20
different processes so it's difficult to figure out which one it is.

I contacted MS tech support, but they weren't very helpful. I spent hours on
the phone with the front line tech support people having them painstakingly
try everything I've already tried. I didn't have the energy to continue this
process for the additional hours it would take to get passed to the higher
level of tech support.

At this point I'm going to ensure I have all my important stuff backed up.
I'll then start splitting out services to separate svchost processes one at a
time until I find the offendng one. Hopefully that will give me the info I
need to find out what's wrong.

 

[PA Bear [MS MVP]]

You have the equivalent of a new computer:
Did you take care of EVERYTHING on the above webpage before otherwise
connecting the machine to the internet (e.g., to browse, check email, chat,
download other stuff)?

Have you done what http://support.microsoft.com/kb/943144 recommends?

 

[Andrew Faust]

Did you take care of EVERYTHING on the above webpage

Except for the Windows Update webpage, yes. I have a good hardware firewall
with SPI and installed XP SP2 which has the software firewall on by default.
This definitely isn't a virus of spyware issue.

Have you done what http://support.microsoft.com/kb/943144 recommends?

I didn't do a repair install. I only ever install fresh with a full format
of the drive.

I had mentioned previously I was going to start splitting out the services
in the netsvcs host process to find the offender. I decided to do a sort of
binary search by splitting the services in half and finding which host
crashed, then split that one until I found the issue. However, after making
the first split the crash stopped occuring.

I split Themes, AudioSrv, Lanmanserver & Lanmanworkstation to a new netsvcs2
host and haven't had the crash since. Apparently, the interaction of one of
these with one of the services I left in netsvcs is causing the problem. I'm
going to start moving services back until the crash shows up again.

BTW, for anyone reading this.
Splitting out the services from svchost is strongly discouraged. Larry
Osterman (http://blogs.msdn.com/larryosterman/archive/2004/08/16/215328.aspx)
makes it very clear that the services are meant to run under the same process
and this should only ever be done for debugging purposes. He doesn't explain
how to do it nor will I. If you can't figure out how to do it, you probably
shouldn't be doing it.

 

[PA Bear [MS MVP]]

This definitely isn't a virus of spyware issue.

Do you have an anti-virus application installed and running with up-to-date
definitions? What have you done to conclude the behavior is not due to "a
virus [or] spyware issue"?

I didn't do a repair install. I only ever install fresh with a full format
of the drive.

Ignore the title. Chances are you'll need the fix in KB943144 before you
will be able to get the machine fully patched at Windows Update.
*</Devil's Advocate>*

 

[Andrew Faust]

Do you have an anti-virus application installed and running with up-to-date

definitions? What have you done to conclude the behavior is not due to "a
virus [or] spyware issue"?

Yes. I'd mentioned previously that I had run virus scanning and anit-spyware
software. I guess I should have made it clear that it's the first thing I
installed after device drivers and windows patches. And before you ask, all
the drivers were proper WHQL certified drivers and the Windows patches were
direct from Microsoft's Windows Update site. Additionally, I run ZoneAlarm
Internet Security Suite which includes Firewall (in addition to my hardware
firewall), anti-virus & anti-spyware. I let it keep itself up to date and
leave it's active defense on all the time.

I suppose it's techically possible that a virus got in somewhere during that
tme period and was able to evade ZoneAlarm this entire time. However, if
there are any that can do that then the tenacious little bugger deserves to
win.

Doesn't really matter, though. Splitting the services in to two processes
has stopped the crashing. While I know this isn't recommended it hasn't
caused any noticable problems. I'm switching back to Vista after SP1 so it's
not really woth any more effort than I've already done.

--
Andrew Faust
http://www.andrewfaust.com

This definitely isn't a virus of spyware issue.

Do you have an anti-virus application installed and running with up-to-date
definitions? What have you done to conclude the behavior is not due to "a
virus [or] spyware issue"?

I didn't do a repair install. I only ever install fresh with a full format
of the drive.

Ignore the title. Chances are you'll need the fix in KB943144 before you
will be able to get the machine fully patched at Windows Update.
*</Devil's Advocate>*
--
~PA Bear, working offline

Except for the Windows Update webpage, yes. I have a good hardware
firewall
with SPI and installed XP SP2 which has the software firewall on by
default.
This definitely isn't a virus of spyware issue.


I didn't do a repair install. I only ever install fresh with a full format
of the drive.

I had mentioned previously I was going to start splitting out the services
in the netsvcs host process to find the offender. I decided to do a sort
of
binary search by splitting the services in half and finding which host
crashed, then split that one until I found the issue. However, after
making
the first split the crash stopped occuring.

I split Themes, AudioSrv, Lanmanserver & Lanmanworkstation to a new
netsvcs2
host and haven't had the crash since. Apparently, the interaction of one
of
these with one of the services I left in netsvcs is causing the problem.
I'm
going to start moving services back until the crash shows up again.

BTW, for anyone reading this.
Splitting out the services from svchost is strongly discouraged. Larry
Osterman
(http://blogs.msdn.com/larryosterman/archive/2004/08/16/215328.aspx) makes
it very clear that the services are meant to run under the same process
and
this should only ever be done for debugging purposes. He doesn't explain
how to do it nor will I. If you can't figure out how to do it, you
probably
shouldn't be doing it.

 

[PA Bear [MS MVP]]

You'd never stated that you had an anti-virus application installed before
now, hence my persistence.

ZA Internet Security includes an anti-virus application: Do you have any
other anti-virus applications also installed?

The above (and the ability of ZA Internet Security to protect the machine
from any/all hijackware) notwithstanding, is the machine currently fully
patched at Windows Update? A minimum of 70 critical security updates have
been released to-date since SP2 was released. If haven't already gotten all
of them installed, you may as well "wipe & reload".
--
~PA Bear

Do you have an anti-virus application installed and running with
up-to-date
definitions? What have you done to conclude the behavior is not due to
"a
virus [or] spyware issue"?

Yes. I'd mentioned previously that I had run virus scanning and
anit-spyware
software. I guess I should have made it clear that it's the first thing I
installed after device drivers and windows patches. And before you ask,
all
the drivers were proper WHQL certified drivers and the Windows patches
were
direct from Microsoft's Windows Update site. Additionally, I run ZoneAlarm
Internet Security Suite which includes Firewall (in addition to my
hardware
firewall), anti-virus & anti-spyware. I let it keep itself up to date and
leave it's active defense on all the time.

I suppose it's techically possible that a virus got in somewhere during
that
tme period and was able to evade ZoneAlarm this entire time. However, if
there are any that can do that then the tenacious little bugger deserves
to
win.

Doesn't really matter, though. Splitting the services in to two processes
has stopped the crashing. While I know this isn't recommended it hasn't
caused any noticable problems. I'm switching back to Vista after SP1 so
it's
not really woth any more effort than I've already done.

This definitely isn't a virus of spyware issue.

Do you have an anti-virus application installed and running with
up-to-date
definitions? What have you done to conclude the behavior is not due to
"a
virus [or] spyware issue"?

Have you done what http://support.microsoft.com/kb/943144 recommends?

I didn't do a repair install. I only ever install fresh with a full
format
of the drive.

Ignore the title. Chances are you'll need the fix in KB943144 before you
will be able to get the machine fully patched at Windows Update.
*</Devil's Advocate>*
--
~PA Bear, working offline

Did you take care of EVERYTHING on the above webpage

Except for the Windows Update webpage, yes. I have a good hardware
firewall
with SPI and installed XP SP2 which has the software firewall on by
default.
This definitely isn't a virus of spyware issue.

Have you done what http://support.microsoft.com/kb/943144 recommends?

I didn't do a repair install. I only ever install fresh with a full
format
of the drive.

I had mentioned previously I was going to start splitting out the
services
in the netsvcs host process to find the offender. I decided to do a sort
of
binary search by splitting the services in half and finding which host
crashed, then split that one until I found the issue. However, after
making
the first split the crash stopped occuring.

I split Themes, AudioSrv, Lanmanserver & Lanmanworkstation to a new
netsvcs2
host and haven't had the crash since. Apparently, the interaction of one
of
these with one of the services I left in netsvcs is causing the problem.
I'm
going to start moving services back until the crash shows up again.

BTW, for anyone reading this.
Splitting out the services from svchost is strongly discouraged. Larry
Osterman
(http://blogs.msdn.com/larryosterman/archive/2004/08/16/215328.aspx)
makes
it very clear that the services are meant to run under the same process
and
this should only ever be done for debugging purposes. He doesn't explain
how to do it nor will I. If you can't figure out how to do it, you
probably
shouldn't be doing it.


You have the equivalent of a new computer:

Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html

Did you take care of EVERYTHING on the above webpage before otherwise
connecting the machine to the internet (e.g., to browse, check email,
chat,
download other stuff)?

Have you done what http://support.microsoft.com/kb/943144 recommends?
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Andrew Faust wrote:
Thanks for the reply. I have a high degree of confidence that this
isn't
a
virus or spyware related issue. My belief at this point is that it's a
driver issue. Unfortunately, the instance of svchost (netsvcs) hosts
about
20 different processes so it's difficult to figure out which one it
is.

I contacted MS tech support, but they weren't very helpful. I spent
hours
on
the phone with the front line tech support people having them
painstakingly
try everything I've already tried. I didn't have the energy to
continue
this
process for the additional hours it would take to get passed to the
higher
level of tech support.

At this point I'm going to ensure I have all my important stuff backed
up.
I'll then start splitting out services to separate svchost processes
one
at
a time until I find the offendng one. Hopefully that will give me the
info
I
need to find out what's wrong.


You have the equivalent of a new computer:

Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html

Security FAQ & Checklist
http://www.dslreports.com/faq/8463
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Andrew Faust wrote:
I reformatted and installed fresh. I have automatic updates turned
on
for
critical items and then use Windows Update Website for optional
updates.
Currently Windows Update says there are 0 High, 0 Software and 0
Hardware
updates available to me, so my system is up to date.

Did you do a Repair Install or a format & reinstall?

Is Automatic Updates enabled and is the machine now fully patched
at
Windows Update?...

Updates are not installed successfully from Windows Update, from
Microsoft
Update, or by using Automatic Updates after you repair a Windows XP
installation:
http://support.microsoft.com/kb/943144
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Andrew Faust wrote:
I recently did a reinstall of Windows XP Pro and ever since
svchost
crashes
about 4 times a day. Specifically, it's the netsvcs instance of
svchost.
After the process terminates, I lose all the functionality
provided
by
those
services such as audio mixers, themes, network browsing, etc.
However,
I
can
restart all the services manually to get functionality again (or
reboot).

I've tried everything I can think of. I've run Microsoft's Memory
Diagnostic
to ensure my RAM was good. I've installed all the latest windows
updates.
I've virus and spyware scanned my system.

I never had any of these crashes on my previous install of
windows.

At this point the only idea I have left is to modify my registry
to
make
all
the services run under separate instances of svchost to narrow
down
the
specific service that's crashing. However, I've heard that this
causes
all
sorts of other problems so didn't want to pursue this option just
yet.

Any ideas?

Thanks,

Andrew Faust