Windows XP taken over by svchost.exe

[liu]

I'm puzzled by the behavior of one svchost.exe process on my Windows
XP. It takes over CPU power (99%) when the system starts each time.
The memory usage is 70MB and after 3-5 minutes, it gives the CPU uage
back to the system. Then, in the middle of my using the PC, it would
take over the XP again, and the memory usage would increase to ~100MB
and CPU increases to above 90% to 99%. Basically the system halts for
another 5 or so minutes, then it releases the CPU and memory goes back
to ~70MB. If I stop the process, the audio would stop working (and
maybe some others).

By typing "tasklist /svc >c:\tasklist.txt, I got :
lsass.exe 1264 PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 1444 DcomLaunch,
TermService
svchost.exe 1492
RpcSs
svchost.exe 1648 AudioSrv, BITS, Browser, CryptSvc,
Dhcp,
dmserver, ERSvc, EventSystem,
helpsvc,
HidServ, lanmanserver,
lanmanworkstation,
Netman, Nla, RasMan, Schedule,
seclogon,
SENS, SharedAccess,
ShellHWDetection,
TapiSrv, Themes, TrkWks, W32Time,
winmgmt,
wscsvc, wuauserv,
WZCSVC

The last one seems to be the process in question. I checked by the
processors, and then look legit.
What is going on the background? How can I figure out what it is
doing? There has to be some kind of spyware/malware doing something in
the background.

Thanks for the help,

liu

 

[Guest]

Write down the unknown service(s),run search in my computer,run with
search hidden files & folders,see exactly what the service is...Also,if you
want
to eliminate some starting services,run Msconfig,follow kb310560

 

[Malke]

I'm puzzled by the behavior of one svchost.exe process on my Windows
XP. It takes over CPU power (99%) when the system starts each time.
The memory usage is 70MB and after 3-5 minutes, it gives the CPU uage
back to the system. Then, in the middle of my using the PC, it would
take over the XP again, and the memory usage would increase to ~100MB
and CPU increases to above 90% to 99%. Basically the system halts for
another 5 or so minutes, then it releases the CPU and memory goes back
to ~70MB. If I stop the process, the audio would stop working (and
maybe some others).

By typing "tasklist /svc >c:\tasklist.txt, I got :
lsass.exe 1264 PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 1444 DcomLaunch,
TermService
svchost.exe 1492
RpcSs
svchost.exe 1648 AudioSrv, BITS, Browser, CryptSvc,
Dhcp,
dmserver, ERSvc, EventSystem,
helpsvc,
HidServ, lanmanserver,
lanmanworkstation,
Netman, Nla, RasMan, Schedule,
seclogon,
SENS, SharedAccess,
ShellHWDetection,
TapiSrv, Themes, TrkWks, W32Time,
winmgmt,
wscsvc, wuauserv,
WZCSVC

The last one seems to be the process in question. I checked by the
processors, and then look legit.
What is going on the background? How can I figure out what it is
doing? There has to be some kind of spyware/malware doing something in
the background.

Svchost/Wuauserv high CPU use (from MVP PA Bear)

Try deleting the contents of this folder (or the folder itself) & reboot:

C:\WINDOWS\SoftwareDistribution\DataStore

If no joy, try deleting the contents of this folder (or the folder
itself) & reboot:

C:\WINDOWS\SoftwareDistribution

Also see http://support.microsoft.com/kb/927891

Workaround: Change the default from Microsoft Update to Windows Update:
Go to Microsoft Update > Click on Change Settings in left pane > Scroll
to bottom of page > To Stop Using Microsoft Update > Disable Microsoft
Update software and let me use Windows Update only (check).


Malke

 

[Guest]

Hi there.
We have the exact same problem, svchost is killing our pc's.

Our major problem is that this is happening on about 250 pc's, so how do i
fix all those??? I don't want to do that many pc's by hand.

I have a feeling that is has got something to do with an update pushed out
last tuesday, but don't know for sure.
Any tips on this?

 

[Guest]

I only have about half of the computers, but they are spread out all over the
country. Is there a fix to this? It is causing MAJOR headaches and I have
just been turing off Automatic Updates to allow people to get back to work.
Even when the so-called patch(es) is installed it takes the updater much
longer than it used to, to scan for needed updates. There is NO excuse for
the Updater to take so long to figure out what needs to be patched even
before this bug.

 

[liu]

Svchost/Wuauserv high CPU use (from MVP PA Bear)

Try deleting the contents of this folder (or the folder itself) & reboot:

C:\WINDOWS\SoftwareDistribution\DataStore

Thank you. Thank you. Deleting the content of that folder does the
trick. So far, it does not happen any more. The svchost still has the
same processes but the largest memory usage is 22MB now. No more CPU
usage anymore.

thank you very much for the help, Malke.

 

[Malke]

Thank you. Thank you. Deleting the content of that folder does the
trick. So far, it does not happen any more. The svchost still has the
same processes but the largest memory usage is 22MB now. No more CPU
usage anymore.

thank you very much for the help, Malke.

I'm glad that helped. Thanks for taking the time to post back.


Malke

 

[Mike O'Brien]

Coming in late to this but just what is the above and what does it do?
Thanks.

 

[Guest]

I am having same problems and none of this works. I have been search for
fixes for two days. I have tried everything and nothing is working. Any
more ideas?

 

[liu]

Coming in late to this but just what is the above and what does it do?
Thanks.

I don't really know what it does. It is probably logs of updates as
someone mentioned. I only renamed the folder by adding "- " to the
beginning of the folder name. Rebooted. Windows created the folder
again. There are less files in the new Log folder of DataStore folder
and one file "DataStore.edb" is much smaller than the old (problem)
one. Maybe the problem will come back after accumulating logs!?

I don't have the svchost taking over CPU usage problem for the last 2
days or so now. This method works for me.

 

[Jim Byrd]

Hi kwid - How knowledgable about doing things are you? Do you know how to
start and stop services? How to run a .cmd file? If not, you'll need
access to someone who does to avoid problems. The following assumes you're
on Windows XP. If you're confident about what you're doing, then try the
following first - only if it doesn't work, then there's another level of
stuff that can be done following:

1. Stop and Disable Automatic Updates, Background Intelligent Transfer
Service and the Cryptographic Service.
2. Rename the folder %SystemRoot%\SoftwareDistribution to
%SystemRoot%\OldSoftwareDistribution
3. Open Notepad and create a file containing the following:

REGSVR32 WUAPI.DLL
REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL


Save this file as 'Wudll.cmd' (without the quotes) to any convenient
location then exit Notepad and double click on the file you just saved. You
should get a 'Sucess' mesage for each of the .dll's listed above.

4. Now Re-enable to Automatic status and then Start each of the services
you stopped before - Automatic Updates, Background Intelligent Transfer
Service and the Cryptographic Service.

5. Now Reboot. Now Reboot Again. (Yes, twice.)

See if that solves it - give it a couple of days. If so, then you can
delete 'OldSoftwareDistribution'. I would request that you post back with
your results. _Only if the problem does re-occur_, then do the following
_exactly_:

1. Go to http://wiki.djlizard.net/Dial-a-fix and download Dial-a-fix
v0.60.0.24 (2006-10-27)

2. Unzip it to a new folder at root with any name, e.g.
c:\Dial-a-fix-v0.60.0.24

3. Double click on Dial-a-fix.exe in that folder.

4. Click on the following:
Options/tooltips (just to get an idea of what it does in each section.
)
Both boxes under Prep
The 'all' (top) box for Sections 2, 3 and 4 (which will automatically
be set when you check 3)
In Section 5, 'Programming cores/runtimes' and
'Explorer/IE/OE/shell/WMP' only.
Click 'Go' . (Some of the re-registrations may take what seems like a
long time for some .dll's - Don't be impatient.)

5. Reboot (if Dial-a-fix doesn't do it automatically at the end). Now
Reboot Again. (Yes, twice.)


See if that does the trick, and, again please post back with your
experience.

--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine.blogspot.com/



In kwid <[email protected]> typed:
|| I am having same problems and none of this works. I have been
|| search for fixes for two days. I have tried everything and nothing
|| is working. Any more ideas?
||
|| "Mike O'Brien" wrote:
||
|||
|||||| Try deleting the contents of this folder (or the folder itself) &
|||||| reboot:
|||
|||||| C:\WINDOWS\SoftwareDistribution\DataStore
|||
||| Coming in late to this but just what is the above and what does it
||| do? Thanks.

 

[Guest]

I don't really know what it does. It is probably logs of updates as
someone mentioned. I only renamed the folder by adding "- " to the
beginning of the folder name. Rebooted. Windows created the folder
again. There are less files in the new Log folder of DataStore folder
and one file "DataStore.edb" is much smaller than the old (problem)
one. Maybe the problem will come back after accumulating logs!?

I don't have the svchost taking over CPU usage problem for the last 2
days or so now. This method works for me.

Renaming the DataStore folder as OldDataStore and rebooting has worked for
me so far.

Thanks

 

[GaryDean]

This is a MAJOR problem with Windows that, for some reason, Microsoft has
decided to stay quiet on. I'm afraid they can't fix it. In a nutshell,
Windows Update is busted. A solution might be to turn off Automatic Windows
update and do updates manually. I hear that eliminates the problem for a
lot of systems. For me, however on some systems, we had to go a step
further and stop doing windows updates altogether.

I don't know if this is a problem in Vista or not. If it is and if
Microsoft keeps ignoring it then I guess it's linux or a Mac.

 

[Leythos]

This is a MAJOR problem with Windows that, for some reason, Microsoft
has decided to stay quiet on. I'm afraid they can't fix it. In a
nutshell, Windows Update is busted. A solution might be to turn off
Automatic Windows update and do updates manually. I hear that
eliminates the problem for a lot of systems. For me, however on some
systems, we had to go a step further and stop doing windows updates
altogether.

Search for the error - there is a hot fix that I was able to find a link
for that references the specific error when automatic updates failed. This
appears to be related to SP2 machines.

 

[Rock]

This is a MAJOR problem with Windows that, for some reason, Microsoft has
decided to stay quiet on. I'm afraid they can't fix it. In a nutshell,
Windows Update is busted. A solution might be to turn off Automatic
Windows update and do updates manually. I hear that eliminates the
problem for a lot of systems. For me, however on some systems, we had to
go a step further and stop doing windows updates altogether.

I don't know if this is a problem in Vista or not. If it is and if
Microsoft keeps ignoring it then I guess it's linux or a Mac.

I have not seen it as a problem with Vista.

As an aside I don't use automatic updates. I visit the WU site
occasionally. I download those updates I want individually, save a copy to
CD, then apply them individually with some testing in between.

Most times the patches come out on the second Tuesday of the month (patch
Tuesday), so no point in checking daily. Occasionally for an important
issue an update will come outside of this schedule. Normally these are
security updates. I subscribe to a security bulletin from MS which alerts
me to security problems and new updates for them, so if something is coming
out I'll know and can get it.

It doesn't work for everyone but it works for me, and I haven't experienced
problems with WU or any of the updates.

 

[chobbney]

Svchost/Wuauserv high CPU use (from MVP PA Bear)

Try deleting the contents of this folder (or the folder itself) & reboot:

C:\WINDOWS\SoftwareDistribution\DataStore

If no joy, try deleting the contents of this folder (or the folder
itself) & reboot:

C:\WINDOWS\SoftwareDistribution

Also seehttp://support.microsoft.com/kb/927891

Workaround: Change the default from Microsoft Update to Windows Update:
Go to Microsoft Update > Click on Change Settings in left pane > Scroll
to bottom of page > To Stop Using Microsoft Update > Disable Microsoft
Update software and let me use Windows Update only (check).

Malke

This also fixed my instance of svchost.exe hogging the CPU.

Thanks very much.