XP Performance (svchost/advapi32 memory leak)


Jason R. Clement

After installing the first of Microsoft's security
patches to deal with blaster/welchia, I noticed a
performance degradation that got worse the longer the
computer was running. I isolated it to the svchost.exe
file, which was chomping down on about 20% of my CPU.
Over time, it works its way up to 99% and I have seen it
eating up as much as 50MB of memory. I started asking my
coworkers about it and they were experiencing the same
issue, save one. First I used Sysinternals Process
Explorer to isolate this issue to the advapi32.dll file,
and compared all our machines' files with the one person
not experiencing the issue. The important files we all had
follow:

advapi32.dll
Advanced Windows 32 Base API
5.1.2600.1106 (xpsp1.020828-1920)

ntdll.dll
NT Layer DLL
5.1.2600.1217 (xpsp2.030429-2131)

Next I compared it with the one machine and here are
his files:

advapi32.dll
Advanced Windows 32 Base API
5.1.26010.1106 (xpsp1.020828-1920)

ntdll.dll
NT Layer DLL
5.1.2600.1106 (xpsp1.020828-1920)

Notice the difference in the ntdll.dll file. The
result was:

possible memory pool leak through advapi32
(ADVAPI32.dll!CreateProcessAsUserW+0x42e), specifically due
to the difference in ntdll.dll.

I looked through the knowledge base, and found
several articles that talked around the subject, but nothing
that hit the nail on the head, including:

possible memory pool leak through advapi32
ADVAPI32.dll!CreateProcessAsUserW+0x42e

This is where my ability to further troubleshoot this
ended (I am not a programmer). So I tried solving it from
a different angle. I tried looking at everything going on
in the system. I looked in the event viewer and found the
following events:

Security Event:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 9/23/2003
Time: 3:28:23 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXX
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Status code: 0xC00000DC
Substatus code: 0x0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

System Event:

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 9/23/2003
Time: 7:24:13 PM
User: N/A
Computer: XXXXXXXXXX
Description:
The SSDP Discovery Service service entered the stopped
state.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Could the two be connected? I disabled the SSDP
Discovery Service, and svchost.exe immediately returned to
a normal state and the performance of my system was
restored.

I submitted my findings to my manager, who replied
that even though we do not use UPnP on our network, we
are not authorized to disable any services on our systems,
despite the undeniable proof of this as a work-around. My
request was denied.

So now, for the last two months, we have all had to
put up with increasing performance degradation on our
systems until Microsoft identifies this as an issue,
releases an update, and our Net Ops department has tested
the update and implemented it. (So I'm not Net Ops... I'm
still IT!)

I have also found the following KB articles which
talk around the subject:

http://support.microsoft.com/default.aspx?scid=kb;en-us;818858&Product=winxp

http://support.microsoft.com/default.aspx?scid=kb;en-us;824262&Product=winxp

http://support.microsoft.com/default.aspx?scid=kb;en-us;816213&Product=winxp

As I am unable to go through official channels, would
someone at Microsoft please, please, please look into this?

Jason R. Clement
Perot Systems TM
(e-mail address removed)
 
Unfortunately nothing has changed in end user IT departments since I started
in the industry 20 years ago.

You have the petty squabbles and politics of empire building over who owns
what areas of responsibility.

You have insecure managers who won't take responsibility and make a decision
for themselves even when a solution is staring them in the face. They wait
for an official fix from a manufacturer so they have someone else to blame if
they implement something that doesn't work. (Rather akin to "I was only
following orders, Microsoft recommended it".)

In the meantime people's productivity suffers, and hence the business
suffers.
People in end user IT sometimes forget that the computer is there to help
RUN THE BUSINESS. It's a means to an end, not an end in its own right. People
who work in IT work for the business first, and for the IT department
second.

Of course change control is needed, but it must be sensible change control.
Changes need to be prioritised, and the easiest changes which have the most
impact should be given priority.

Changes must be tested first. Their level of impact assessed against their
benefit, and a route established to return easily and quickly to a previous
environment should the need arise.

There are numerous articles on the web advising turning off SSDP because of
security issues. At one point the FBI was advising that SSDP be disabled.

If you look at the change in terms of the following:

Ease of Implementation - Easy, disable the SSDP service and stop it. No reboot.

Ease of Backing out of change - Easy, set the SSDP service to manual, start it.
No reboot.

Benefit - High, maximise return from Total Cost of Ownership. Boost morale
and working conditions. People get very stressed after a while if a PC
doesn't respond quickly.

Possible Adverse Impact - Low, only affects the PC on which the change is
implemented.
Very easy to back out of.

Why would you not implement it?

Sometimes managers have to make a decision for the good of the business and
of their employees, and if they feel they are putting their necks on the
line, tough! Let's face it, that's what they get paid for, don't they?

Paul

Changes never get made because either a manager is too weak or worried about
his job to take any responsibility.
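The thread covers two practical steps: tying a runaway svchost.exe to the service it hosts (what Jason did with Process Explorer), and the change/back-out pair Paul lays out (disable and stop the SSDP Discovery service; to back out, set it to manual and start it, no reboot either way). The script below is an added example and is not from any poster in the thread; it is written for a current Windows PowerShell session run as administrator, which did not exist on the XP machines discussed here (the `sc.exe` equivalents are noted in comments). The service's internal name `SSDPSRV` is real; the sample count, interval, and the idea of recording the prior start mode before the change are my own choices.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# Internal service name for "SSDP Discovery Service" is SSDPSRV.

function Get-SvchostHostedServices {
    # Map every svchost.exe instance to the services it hosts, largest working
    # set first, so a runaway instance can be tied to a specific service
    # (the role Process Explorer played in the original post).
    foreach ($p in (Get-Process -Name svchost | Sort-Object WorkingSet64 -Descending)) {
        $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)" |
                  Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Pid          = $p.Id
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            Services     = ($hosted -join ', ')
        }
    }
}

function Measure-SvchostGrowth {
    # Sample the combined svchost working set over time. A total that only
    # ever rises while the machine is idle is the leak symptom described in
    # the thread; a stable or fluctuating total is normal cache behaviour.
    param([int]$Samples = 6, [int]$IntervalSeconds = 10)   # assumed defaults
    $series = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $total = (Get-Process -Name svchost | Measure-Object WorkingSet64 -Sum).Sum
        $series += [math]::Round($total / 1MB, 1)
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    $monotonic = $true
    for ($i = 1; $i -lt $series.Count; $i++) {
        if ($series[$i] -lt $series[$i - 1]) { $monotonic = $false }
    }
    [pscustomobject]@{
        SamplesMB     = ($series -join ' ')
        DeltaMB       = [math]::Round($series[-1] - $series[0], 1)
        OnlyEverRises = $monotonic
    }
}

function Disable-SsdpDiscovery {
    # The change as Paul describes it: disable the service and stop it, no reboot.
    # Returns the previous start mode so the back-out can restore it exactly.
    # sc.exe equivalent:  sc config SSDPSRV start= disabled  &&  sc stop SSDPSRV
    $before = (Get-CimInstance Win32_Service -Filter "Name = 'SSDPSRV'").StartMode
    Set-Service  -Name SSDPSRV -StartupType Disabled
    Stop-Service -Name SSDPSRV -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PreviousStartMode = $before
        StatusNow         = (Get-Service -Name SSDPSRV).Status
    }
}

function Restore-SsdpDiscovery {
    # The back-out: put the start mode back (Manual per the thread, or whatever
    # Disable-SsdpDiscovery recorded) and start the service, no reboot.
    # sc.exe equivalent:  sc config SSDPSRV start= demand  &&  sc start SSDPSRV
    param([string]$StartMode = 'Manual')
    # Win32_Service reports "Auto"; Set-Service wants "Automatic".
    $mode = if ($StartMode -eq 'Auto') { 'Automatic' } else { $StartMode }
    Set-Service   -Name SSDPSRV -StartupType $mode
    Start-Service -Name SSDPSRV
    (Get-Service -Name SSDPSRV).Status
}

# Suggested order of use (each line is a separate manual step):
#   Get-SvchostHostedServices | Format-Table      # which svchost, which services
#   Measure-SvchostGrowth                         # is it actually growing?
#   $saved = Disable-SsdpDiscovery                # apply the change
#   Measure-SvchostGrowth                         # re-check after the change
#   Restore-SsdpDiscovery $saved.PreviousStartMode  # back out if needed
```

The before/after measurement is the part the thread's manager asked for and never got: it turns "my PC feels faster" into two numbers taken the same way, and recording the prior start mode means the back-out returns the machine to exactly where it was rather than to whatever "manual" happens to mean on that box.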
 
Well said. I've been in IT for about 8 years myself. And
I've seen exactly what you describe time and time again.
And my example is nothing new. And as such, the company
is making their own IT staff suffer. Don't get me wrong,
I believe in change management, but my company won't even
test my results. This is why I posted here, in the hopes
someone from Microsoft might read it and make a suggestion
or, dare I say it, develop a fix. Small hope I know, but
I might get lucky.

Thank you for a very interesting response.

Jason
 
Hey Jason,

You'll have to learn to live with it, or do what I did, and go and work for
a manufacturer, or go contracting where you're not so affected by internal
wranglings.

Paul
 