Jason R. Clement
After installing the first of Microsoft's security
patches to deal with blaster/welchia, I noticed a
performance degradation that got worse the longer the
computer was running. I isolated it to the svchost.exe
file, which was chomping down on about 20% of my CPU.
Over time, it works its way up to 99% and I have seen it
eating up as much as 50MB of memory. I started asking my
coworkers about it and they were experiencing the same
issue, save one. First I used sysinternals process
explorer to isolate this issue to the advapi32.dll file,
and compared all our machines' files with the one person
not experiencing the issue. The important files we all had
are as follows:
advapi32.dll
Advanced Windows 32 Base API
5.1.2600.1106 (xpsp1.020828-1920)
ntdll.dll
NT Layer DLL
5.1.2600.1217 (xpsp2.030429-2131)
Next I compared it with the one machine and here are
his files:
advapi32.dll
Advanced Windows 32 Base API
5.1.26010.1106 (xpsp1.020828-1920)
ntdll.dll
NT Layer DLL
5.1.2600.1106 (xpsp1.020828-1920)
Notice the difference in the ntdll.dll file. The
result was:
possible memory pool leak through advapi32
(ADVAPI32.dll!CreateProcessAsUserW+0x42e) specifically due
to the difference in ntdll.dll.
I looked through the knowledge base, and found
several articles that talked around the subject, but nothing
that hit the nail on the head, including:
possible memory pool leak through advapi32
ADVAPI32.dll!CreateProcessAsUserW+0x42e
This is where my ability to further troubleshoot this
ended (I am not a programmer.) So I tried solving it from
a different angle. I tried looking at everything going on
in the system. I looked in the event viewer and found the
following events:
Security Event:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 9/23/2003
Time: 3:28:23 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXX
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Status code: 0xC00000DC
Substatus code: 0x0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
System Event:
Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 9/23/2003
Time: 7:24:13 PM
User: N/A
Computer: XXXXXXXXXX
Description:
The SSDP Discovery Service service entered the stopped
state.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Could the two be connected? I disabled the SSDP
Discovery Service, and svchost.exe immediately returned to
a normal state and the performance of my system was
restored.
I submitted my findings to my manager, who replied
that even though we do not use UPnP on our network, we
are not authorized to disable any services on our systems,
despite the undeniable proof of this as a work-around. My
request was denied.
So now, for the last two months, we have all had to
put up with increasing performance degradation on our
systems until Microsoft identifies this as an issue,
releases an update, and our Net Ops department has tested
the update and implements it. (So I'm not Net Ops...I'm
still IT!)
I have also found the following KB articles which
talk around the subject:
http://support.microsoft.com/default.aspx?scid=kb;en-us;818858&Product=winxp
http://support.microsoft.com/default.aspx?scid=kb;en-us;824262&Product=winxp
http://support.microsoft.com/default.aspx?scid=kb;en-us;816213&Product=winxp
As I am unable to go through official channels, would
someone at Microsoft please, please, please look into this.
Jason R. Clement
Perot Systems TM
(e-mail address removed)
(e-mail address removed)
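The two Event Viewer entries quoted in the post, parsed and correlated as an added example (mine, not the poster's). It reads the plain-text export layout shown above, pulls out the Event ID 537 failure audit where LOCAL SERVICE failed to log on through Advapi, finds the Event ID 7036 stop of the SSDP Discovery Service, and reports the interval between them. The input is constructed from the events in the post plus one benign Print Spooler event added so the filter has something to ignore; the field layout is assumed to match the post's paste exactly.

```python
import re
from datetime import datetime

# Constructed sample: the two events quoted in the post, plus one benign
# Print Spooler event (not from the post) that the filters should ignore.
SAMPLE_LOG = r"""Security Event:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 9/23/2003
Time: 3:28:23 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXX
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Status code: 0xC00000DC
Substatus code: 0x0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
System Event:
Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 9/23/2003
Time: 7:24:13 PM
User: N/A
Computer: XXXXXXXXXX
Description:
The SSDP Discovery Service service entered the stopped
state.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
System Event:
Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 9/23/2003
Time: 7:25:01 PM
User: N/A
Computer: XXXXXXXXXX
Description:
The Print Spooler service entered the running state.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""

HEADER_FIELDS = ("Event Type", "Event Source", "Event Category", "Event ID",
                 "Date", "Time", "User", "Computer")


def parse_events(text):
    """Split an Event Viewer text export into one dict per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.startswith("Event Type:"):
            continue  # skips the "Security Event:" / "System Event:" labels
        ev = {}
        for name in HEADER_FIELDS:
            m = re.search(rf"(?m)^{name}:[ \t]*(.*)$", chunk)
            ev[name] = m.group(1).strip() if m else ""
        m = re.search(r"Description:\n(.*?)(?:\nFor more information|\Z)", chunk, re.S)
        desc = m.group(1).strip() if m else ""
        ev["Description"] = " ".join(desc.split())  # re-join wrapped lines
        # Logon audits carry "Key: value" lines inside the description.
        ev["Details"] = dict(re.findall(r"(?m)^([A-Za-z ]+?):[ \t]*(.*)$", desc))
        ev["When"] = datetime.strptime(f"{ev['Date']} {ev['Time']}",
                                       "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def find_local_service_logon_failures(events):
    """Event 537 failure audits where LOCAL SERVICE failed to log on via Advapi."""
    return [ev for ev in events
            if ev["Event ID"] == "537" and ev["Event Type"] == "Failure Audit"
            and ev["Details"].get("User Name") == "LOCAL SERVICE"
            and ev["Details"].get("Logon Process") == "Advapi"]


def find_service_state_changes(events, service, state):
    """Event 7036 entries from the Service Control Manager for one service."""
    needle = f"The {service} service entered the {state} state."
    return [ev for ev in events
            if ev["Event ID"] == "7036" and ev["Description"] == needle]


def correlate(text):
    """Pair the first LOCAL SERVICE logon failure with the first SSDP stop."""
    events = parse_events(text)
    failures = find_local_service_logon_failures(events)
    stops = find_service_state_changes(events, "SSDP Discovery Service", "stopped")
    if not failures or not stops:
        return None
    gap = stops[0]["When"] - failures[0]["When"]
    return {"logon_failure_status": failures[0]["Details"].get("Status code"),
            "ssdp_stopped_at": stops[0]["Time"],
            "seconds_between": int(gap.total_seconds())}


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

On the post's own data the two entries are almost four hours apart, so the timing alone does not tie them together; what links them in the post is the experiment of stopping the SSDP Discovery Service and watching svchost.exe recover. Running this over a longer export from several machines would show whether the 537 failures recur and whether they cluster around service starts and stops.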