tasklist.exe runs too fast!

[John Latter]

Hi,

I'm trying to track down why svchost.exe is coninuously accessing my
hard drive. Someone in another thread (lost your message if you are
reading this!) asked if I had XP PRO & suggested I ran tasklist.exe

I've downloaded tasklist.exe from the link on this page:

http://windowsxp.mvps.org/svchost.htm

I unzipped it but when I ran it a small black screen momentarily
appeared & that was it! - is there something I should do other than
clicking on the unzipped icon?

To be honest, I'm not sure what I'm looking for 'cept the person on
the other thread suggested posting the PID & probably any other info
that appears.

Well I've got the PID from Windows Task Manager (and its 960) but I
would like some help on how to run tasklist.exe

oh, and some info on what to expect, what to do with the results, what
they mean, stuff like that

 

[Wesley Vogel]

Copy or move tasklist.exe to...

C:\WINDOWS\system32
or
%windir%\system32

Open a Command Prompt.

Start | Run | type: cmd | OK
When the Command Prompt window opens type:

tasklist /svc

Hit your ENTER key.

Also:

tasklist /?

Displays Help and usage.


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

 

[Dave Patrick]

From a command prompt;
netstat -aon
then;
tasklist /svc
now match up the PID > Image name

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Hi,
|
| I'm trying to track down why svchost.exe is coninuously accessing my
| hard drive. Someone in another thread (lost your message if you are
| reading this!) asked if I had XP PRO & suggested I ran tasklist.exe
|
| I've downloaded tasklist.exe from the link on this page:
|
| http://windowsxp.mvps.org/svchost.htm
|
| I unzipped it but when I ran it a small black screen momentarily
| appeared & that was it! - is there something I should do other than
| clicking on the unzipped icon?
|
| To be honest, I'm not sure what I'm looking for 'cept the person on
| the other thread suggested posting the PID & probably any other info
| that appears.
|
| Well I've got the PID from Windows Task Manager (and its 960) but I
| would like some help on how to run tasklist.exe
|
| oh, and some info on what to expect, what to do with the results, what
| they mean, stuff like that
|

 

[John Latter]

Copy or move tasklist.exe to...

C:\WINDOWS\system32
or
%windir%\system32

Open a Command Prompt.

Start | Run | type: cmd | OK
When the Command Prompt window opens type:

tasklist /svc

Hit your ENTER key.

Also:

tasklist /?

Displays Help and usage.

Hi Wes,

I did as you suggested and got this:

C:\Documents and Settings\John Latter>tasklist /svc
'tasklist' is not recognized as an internal or external command,
operable program or batch file.

Obviously I'm still doing something wrong - just dunno what it is!

 

[John Latter]

Copy or move tasklist.exe to...

C:\WINDOWS\system32
or
%windir%\system32

Open a Command Prompt.

Start | Run | type: cmd | OK
When the Command Prompt window opens type:

tasklist /svc

Hit your ENTER key.

Also:

tasklist /?

Displays Help and usage.

Er, I might have copied tasklist into System rather than System32..

Anyway, that's just a rumour & having successfully followed your
advice the problem lies with the svchost.exe which has a new PID today
of 956 (cross-referencing with Windows Task Manager).

The info tasklist.exe gives for it is:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla,
RasMan,
Schedule, seclogon, SENS,
SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,
wuauserv

I right-clicked on the command window thingy, clicked on select all
and i then pressed CTRL plus C - just thought I would tell you exactly
what I've done cos everything has come out all staggered as you can
see & I wouldn't know if it was significant or not.

Hope you can help me with this - at least I feel I might be getting
somewhere at the moment

 

[John Latter]

From a command prompt;
netstat -aon
then;
tasklist /svc
now match up the PID > Image name

I guess you mean match up the PID numbers Dave (hope so anyway!).

For some reason I couldn't copy the netstat results but there are 3
entries for PID 956 which is the number of the svchost giving
problems.

The entries are:

Proto: UDP
Local: 127.0.0.1:123
Foreign: *:*
State: (no entry here)
PID: 956

Proto: UDP
Local: 169.254.219.158:123
Foreign: *:*
State: (no entry here)
PID: 956

Proto: UDP
Local: 172.212.66.113:123
Foreign: *:*
State: (no entry here)
PID: 956

Tasklist.exe gives:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman,Nla,RasMan,
Schedule, seclogon,SENS,SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,wuauserv

Thats tidied up more or less as it appears in the command window,
after pasting it actually looked like this:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla,
RasMan,
Schedule, seclogon, SENS,
SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,
wuauserv

Jorolat

 

[Dave Patrick]

Port 123 UDP = Network Time Protocol
aka W32Time

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I guess you mean match up the PID numbers Dave (hope so anyway!).
|
| For some reason I couldn't copy the netstat results but there are 3
| entries for PID 956 which is the number of the svchost giving
| problems.
|
| The entries are:
|
| Proto: UDP
| Local: 127.0.0.1:123
| Foreign: *:*
| State: (no entry here)
| PID: 956
|
| Proto: UDP
| Local: 169.254.219.158:123
| Foreign: *:*
| State: (no entry here)
| PID: 956
|
| Proto: UDP
| Local: 172.212.66.113:123
| Foreign: *:*
| State: (no entry here)
| PID: 956
|
| Tasklist.exe gives:
|
| svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
| EventSystem, helpsvc, lanmanserver,
| lanmanworkstation, Netman,Nla,RasMan,
| Schedule, seclogon,SENS,SharedAccess,
| ShellHWDetection, srservice, TapiSrv,
| Themes, TrkWks, W32Time, winmgmt,
| wscsvc,wuauserv
|
| Thats tidied up more or less as it appears in the command window,
| after pasting it actually looked like this:
|
| svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
| EventSystem, helpsvc, lanmanserver,
| lanmanworkstation, Netman, Nla,
| RasMan,
| Schedule, seclogon, SENS,
| SharedAccess,
| ShellHWDetection, srservice, TapiSrv,
| Themes, TrkWks, W32Time, winmgmt,
| wscsvc,
| wuauserv
|
| Jorolat

 

[John Latter]

Port 123 UDP = Network Time Protocol
aka W32Time

Thanks Dave, that's eliminated W32Time from the svchost list (1 down -
lots to go!)

 

[David Candy]

Why do you think it's that service host?

Downloading tasklist is actually piracy unless you have Pro (in which case you already have the file).

 

[John Latter]

Why do you think it's that service host?

Because Windows Task Manager identified (and still does) an
svchost.exe with a PID (today) of 956 which is continuously accessing
the disc.

Tasklist.exe gives the following info for that PID:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman,Nla,RasMan,
Schedule, seclogon,SENS,SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,wuauserv

Downloading tasklist is actually piracy unless you have Pro (in which case you already have the file).

I didn't know & just googled for info about it & got this page:

http://66.249.93.104/search?q=cache...list.exe+download+here&hl=en&client=firefox-a

(BTW I'm using firefox & dunno if that link'll work elsewhere)

Anyway, that page contains a link to:

http://windowsxp.mvps.org/utils/tasklist.zip

et voila!

Any help with the original problem would be greatly appreciated.

Jorolat
Model of an Internal Evoltionary Mechanism (based on an extension to homeostasis) linking Adaptive Mutations to the Baldwin Effect:
http://members.aol.com/jorolat/TEM.html

 

[David Candy]

It is still piracy. You don't have a license to use it. That's why your XP is $200 cheaper.

Get filemon from www.sysinternals.com and see what file it's accessing or what files. Enter in Edit menu - Filter/Highlight the PID.

 

[Technical Ecstasy]

Hoe far does Bill have his di*k up your a$$?

"David Candy" <.> wrote in message
It is still piracy. You don't have a license to use it. That's why your XP
is $200 cheaper.

Get filemon from www.sysinternals.com and see what file it's accessing or
what files. Enter in Edit menu - Filter/Highlight the PID.

 

[David Candy]

Smart people don't talk about their law breaking on forums owned by the person stolen from.

 

[Alasdair]

how can it be piracy when it is freely available at
http://windowsxp.mvps.org/utils/tasklist.zip ?
if you want to keep it a secret protect it...
Alasdair


please note email address requires editing

www.digitalmystic.co.uk

"David Candy" <.> wrote in message
Smart people don't talk about their law breaking on forums owned by the
person stolen from.

 

[David Candy]

Ask Ramesh. That web site has nothing to do with microsoft. Nor does this one (mine) also on the same server www.mvps.org/serenitymacros

 

[Technical Ecstasy]

Well then why doesn't Microsoft do anything about it? I have seen this
method recommended by other MVP"s on other Microsoft's newsgroups as well.
"David Candy" <.> wrote in message
Ask Ramesh. That web site has nothing to do with microsoft. Nor does this
one (mine) also on the same server www.mvps.org/serenitymacros

 

[Dave Patrick]

That was the only one you mentioned or listed.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thanks Dave, that's eliminated W32Time from the svchost list (1 down -
| lots to go!)
|

 

[John Latter]

It is still piracy. You don't have a license to use it. That's why your XP is $200 cheaper.

Get filemon from www.sysinternals.com and see what file it's accessing or what files. Enter in Edit menu - Filter/Highlight the PID.

I don't know enough to understand whar I'm seeing - which is why I
posted here.

From my perspective (or speaking from ignorance) Filemon is giving
contradictory information insofar as most of the entries are for part
of Avast antivirus program.

There are repeated entries for:

22:36:21 ashServ.exe:1424 READ C:\Program Files\Alwil
Software\Avast4\DATA\Avast4.mdb SUCCESS Offset: 3584 Length: 512

I turned Avast off & the entries continued - obviously I haven't a
clue what I'm doing

These (Avast) are the most numerous and are identical - Windows Task
Manager, on the other hand, says that a greater volume of information
is being read/written by svchost.exe PID 956

At the moment I don't know what else to put that would enable anyone
to help

Jorolat

 

[John Latter]

That was the only one you mentioned or listed.

I think I see what you mean - I meant eliminated from this list:

svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman,Nla,RasMan,
Schedule, seclogon,SENS,SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt,
wscsvc,wuauserv

Whereas I think you're referring to net access (localhost 123).

Jorolat

 

[Dave Patrick]

Port 123 UDP is the time service. Did you have others?

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I think I see what you mean - I meant eliminated from this list:
|
| svchost.exe 956 AudioSrv, CryptSvc, Dhcp, ERSvc,
| EventSystem, helpsvc, lanmanserver,
| lanmanworkstation, Netman,Nla,RasMan,
| Schedule, seclogon,SENS,SharedAccess,
| ShellHWDetection, srservice, TapiSrv,
| Themes, TrkWks, W32Time, winmgmt,
| wscsvc,wuauserv
|
| Whereas I think you're referring to net access (localhost 123).
|
| Jorolat
|
| --
| Model of an Internal Evoltionary Mechanism (based on an extension to
homeostasis)
| linking Adaptive Mutations to the Baldwin Effect:
| http://members.aol.com/jorolat/TEM.html