What is SVCHOST.EXE doing?

casey.o

With my laptop on, I was noticing that every few minutes the HDD light
would start to flash for a half minute or so. There is nothing running,
except I do see the WIFI light flash every so often, telling me it's
probably trying to connect. But I'm at home and there are no WIFI
signals at all. To get an idea what's going on, I opened "Process
Hacker", and put it on the Main and the System Information screens.
That shows that "Services.Exe" is running all the time at 1.56% (CPU
USAGE), but every so often it spikes to anywhere from 5% to 11%. I'm
just curious what is going on with that? And is services.exe and
svchost.exe the same thing, or are they related? Just curious?
 
Svchost is the "host" process for a number of services.
Go to sysinternals.com and download process explorer.
Run that, hover over each svchost instance to see what
services it's running.

XP has a large number of useless and/or risky services.
I mentioned this recently and gave you some links. You
really should learn about services if you're going to use NT.
If you haven't adjusted your services you probably have
all sorts of crap running, not least of which is the wasteful
indexing service, which indexes all of your files constantly,
so that Windows Find won't be able to find them anyway.
It runs the hard disk a lot for no good reason.
(Agent Ransack works better than Windows Find and doesn't
require indexing.)

 
It involves a level of indirection, in that individual executable
system services hide inside those. The svchosts are not equally loaded.
The things running in them are sorted according to type. The end
result is one svchost ends up with most of them in it.

Process Explorer is 1.2MB.

http://technet.microsoft.com/en-us/sysinternals/bb896653

When you hold your mouse over each svchost, it lists the
services inside. If you do Properties on the svchost, it
will give a path to the executable used for it (not that
it matters).

If you have WinXP Pro, you can use the "tasklist /svc" command.

http://i60.tinypic.com/14l7vow.gif

The SVCHOST with PID 1588 in that picture, is the one
that has all the network services. It could be that
the glitchy one is "wuauserv".

*******

I found an article with the following advice, for SVCHOST
problems. You can split out a suspected service into its
own separate SVCHOST, to verify that it is the one
sucking cycles.

You can split it out into its own service by running:

"sc config <service> type= own"

And revert it via

"sc config <service> type= share"

In this case, we would type this in command prompt.

sc config wuauserv type= own

That puts wuauserv into its own private SVCHOST.
Then, when it sucks cycles, that SVCHOST will
be the one standing out and it's a way of confirming
that it was the one.

There is a bug in Windows Update. Even when you're
not connected to the network, the computer is
always thinking about Windows Update. It likes
to play with its to-do list and things like wuauserv
can go into a loop for half an hour (dragging the
PC to its knees). The issue had to do with Internet
Explorer and pruning the dependency tree, when
examining the packages installed on the computer.
To stop it, you install the latest "cumulative update"
for Internet Explorer. If your machine was
running Internet Explorer 6, you'd look for
the Cumulative Update for it.

"Cumulative Security Update for Internet Explorer for Windows XP (KB2936068)"

http://www.microsoft.com/en-us/download/details.aspx?id=42431

WindowsXP-KB2936068-x86-ENU.exe (4.0 MB)

If you're running some other version of
Internet Explorer, you can drill down to
it with this. There is probably a download
for every possible combo of OS and IE (five
pages worth of links).

http://www.microsoft.com/en-us/search/DownloadResults.aspx?q=KB2936068

Once a Cumulative Security update for IE is loaded,
that tends to prune the loop that wuauserv gets into.
Since there won't be any more security updates
for IE on your WinXP, that is likely the last
one you'd need to install.

So if you want, you can force wuauserv to run in a
separate svchost. Reboot the computer for the "sc config"
change to take effect. Verify in Task Manager that it
is the pig. Then, you can try the last Cumulative
Security update for IE6. (Or for some other IE like
IE8 if that is what you're using. I don't list
that one above, so you'll have to drill down.)

As usual, safety first. Set a Restore Point or do a backup,
if you think that you'll mess things up.

Paul
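
The check described in the post above, as an added example that is not part of the original post: a batch file that shows whether a service is configured as shared or own-process, finds the PID of the svchost hosting it, and lists everything else in that process. The file name svcwho.cmd is hypothetical; it uses only `sc qc`, `sc queryex`, `findstr` and `tasklist /svc`.

```batch
@echo off
rem Added example, not from the thread. Save as svcwho.cmd (hypothetical name)
rem and run from a command prompt with administrator rights.
rem Usage: svcwho.cmd [service]   (defaults to wuauserv, the service named above)
setlocal
set "SVC=%~1"
if "%SVC%"=="" set "SVC=wuauserv"

rem TYPE reads WIN32_SHARE_PROCESS while the service shares a svchost and
rem WIN32_OWN_PROCESS once "sc config <service> type= own" has been applied.
rem BINARY_PATH_NAME is the svchost.exe command line, including its -k group.
echo --- Configuration of %SVC%
sc qc %SVC% | findstr /i /c:"TYPE" /c:"BINARY_PATH_NAME"

rem "sc queryex" prints a line of the form "PID : 1588"; the third token is the number.
set "HOSTPID="
for /f "tokens=3" %%p in ('sc queryex %SVC% ^| findstr /c:"PID"') do set "HOSTPID=%%p"

if not defined HOSTPID (
    echo Could not query %SVC%. Check the service name.
    exit /b 1
)
if "%HOSTPID%"=="0" (
    echo %SVC% is stopped, so no svchost is hosting it right now.
    exit /b 0
)

rem Every service running inside that same process.
echo --- Services hosted in PID %HOSTPID%
tasklist /svc /fi "PID eq %HOSTPID%"
endlocal
```

Run it before the `sc config` change and again after the reboot: the second run should show WIN32_OWN_PROCESS and a PID whose service list contains only the one service.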
 
>Svchost is the "host" process for a number of services.
>Go to sysinternals.com and download process explorer.
>Run that, hover over each svchost instance to see what
>services it's running.

Process Explorer is about the same as Process Hacker. I have used both.
I like the graphic view of the CPU RAM and I/O better in Process Hacker.
In fact I highly recommend that program. It does everything, and is fun
to watch too....
 

I think you just hit the jackpot. I was trying to recall the extension
.PID. Those files were severely infected with that Sality virus. What
do those files do?
Most of the infected files were in the Windows\System32 folder too.

I installed a downloaded version of IE8. MS won't let me install the
updates, because it won't activate my installation, and until it's
activated, I can't get service packs till I have a legal install, which
apparently that Dell OEM copy won't do, even after hacking in my *REAL*
COA. I sort of have it in a state of suspense as far as the activation.
It kind of sucks that after all of this driver installation, I'll have
to reinstall when I can get a proper XP-Pro CD. That eBay computer is
also a Lenovo (ThinkCentre), so if I can get that CD, I should be able
to use it on my ThinkPad.

I think installing Security Essentials (the updates) is what caused
those damn popups to start, which tell me XP is no longer supported.

Reinstalling should not be too difficult though. I have all the drivers
saved and because they have worthless filenames, I made folders
according to their use, and deleted the ones that I don't need.
 
| >Svchost is the "host" process for a number of services.
| >Go to sysinternals.com and download process explorer.
| >Run that, hover over each svchost instance to see what
| >services it's running.
|
| Process Explorer is about the same as Process Hacker. I have used both.
| I like the graphic view of the CPU RAM and I/O better in Process Hacker.
| In fact I highly recommend that program. It does everything, and is fun
| to watch too....
|

Use whatever software you like. If you already
know about finding services under svchost then
why are you asking what it does? Have you looked
up your services? If not then go here:

http://www.blackviper.com/

There's no reason for not knowing about what
services you have running. When you know that
you can figure out why your disk is running.

About the infected system: Have you checked for
a restore partition? Almost all OEM PCs have a
hidden (or not) installer that can be accessed at boot
to reinstall the original OS as it was on the day the
machine was bought. If you can't figure it out you
can search for a copy of the manual and that will
tell you.
 