Sign in with
Sign up | Sign in
Your question

WinXP SE: SvcHost (SYSTEM) process takes most of CPU

Last response: in Windows XP
Share
Anonymous
a b à CPUs
January 27, 2005 12:31:43 PM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general (More info?)

Hi

Yesterday evening I was asked to control a computer (WinXP HE, SP1, ADSL)
modem, WinXP firewall), because it was too slow. I checked it with 3
different antivirus (AntiVir, Housecall PC-Cillin on-line, AVG) and removed
25-30 infected files, mostly troyans. I checked the computer with Ad-Aware
SE and Spybot too ~70 objects were found and removed. All temporary folders
were emptied. I checked with regedit all Run keys in HKLM & HKCU and removed
all abundant (2 spyware records) from there. Comfile, exefile etc. keys in
HKCR looked OK.

After that, when restarted, all was OK in task manager's TaskList - until
ADSL connection started. Then one of svchost (SYSTEM) processes started to
take more and more CPU. It was 4%-10% at start, then 10%-30%, etc. until
50%-95% after some time. A little after the CPU usage stabilized, there was
a sudden change - CPU dropped to ~20%, and then rised again to ~90% - then
dropped again, etc. The length of cycle was less than a minute.

At same time as svchost, was active taskmgr which used ~4% CPU.

I tried to investigate, what really was using this much CPU (from command
window: tasklist /svc), but tasklist.exe was missing from computer at all.
Then I checked with regedit, what was started from various svchost's
(HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost) , and I deleted
all entries which somehow dad to do with remote access to computer and were
not essential to OS working. Nothing was changed!

Maybe some fresh ideas available here!
Thanks in advance!

--
When sending mail, use address arvil<at>tarkon.ee
Arvi Laanemets
January 27, 2005 12:31:44 PM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general (More info?)

Pretty much normal. What does System Idle read?
http://www.google.com/search?hl=en&q=SvcHost&btnG=Googl...

In the meantime, run this combo:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update each program, once installed, before running.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.as...


--
All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com


"Arvi Laanemets" <garbage@hot.ee> wrote in message
news:eP7PDOEBFHA.3140@TK2MSFTNGP15.phx.gbl...
> Hi
>
> Yesterday evening I was asked to control a computer (WinXP HE, SP1, ADSL)
> modem, WinXP firewall), because it was too slow. I checked it with 3
> different antivirus (AntiVir, Housecall PC-Cillin on-line, AVG) and
> removed
> 25-30 infected files, mostly troyans. I checked the computer with Ad-Aware
> SE and Spybot too ~70 objects were found and removed. All temporary
> folders
> were emptied. I checked with regedit all Run keys in HKLM & HKCU and
> removed
> all abundant (2 spyware records) from there. Comfile, exefile etc. keys in
> HKCR looked OK.
>
> After that, when restarted, all was OK in task manager's TaskList - until
> ADSL connection started. Then one of svchost (SYSTEM) processes started to
> take more and more CPU. It was 4%-10% at start, then 10%-30%, etc. until
> 50%-95% after some time. A little after the CPU usage stabilized, there
> was
> a sudden change - CPU dropped to ~20%, and then rised again to ~90% -
> then
> dropped again, etc. The length of cycle was less than a minute.
>
> At same time as svchost, was active taskmgr which used ~4% CPU.
>
> I tried to investigate, what really was using this much CPU (from command
> window: tasklist /svc), but tasklist.exe was missing from computer at all.
> Then I checked with regedit, what was started from various svchost's
> (HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost) , and I
> deleted
> all entries which somehow dad to do with remote access to computer and
> were
> not essential to OS working. Nothing was changed!
>
> Maybe some fresh ideas available here!
> Thanks in advance!
>
> --
> When sending mail, use address arvil<at>tarkon.ee
> Arvi Laanemets
>
>
Anonymous
a b à CPUs
January 27, 2005 2:42:28 PM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general (More info?)

Hi


"Kelly" <kelly@mvps.org> wrote in message
news:uxoSV0EBFHA.2192@TK2MSFTNGP14.phx.gbl...
> Pretty much normal. What does System Idle read?

100% - SvcHost% - taskmgr%(~4%) - RemainingProcesses%(~2%...3%), i.e.
something between 70% and 0% mostly, average will be somewhere between
30%-40%, I think, but ~10% of time it's less than 10% System Idle CPU - with
only Task manager opened.

> http://www.google.com/search?hl=en&q=SvcHost&btnG=Googl...
>
> In the meantime, run this combo:
>
> Run Ad-Aware SE, Spybot and HijackThis:
> http://www.majorgeeks.com/downloads31.html

Runned both Ad-Aware and Spybot (both updated). I didn't use HijackThis,
because I have tried it once only on my own computer, and I was not sure
about results it returned. There was a bunch or registry entries which were
defined as changed, but I didn't have such entries in my registry at all !?


>
> Note: Update each program, once installed, before running.
>
> Free Online Virus Scan
> http://housecall.trendmicro.com/housecall/start_corp.as...

It was one of 3 various antiviruses I used to scan the computer with. It was
too late for me yesterday to try the second another online scanner, I use
sometimes (www.bitdefender.com).


--
When sending mail, use address arvil<at>tarkon.ee
Arvi Laanemets
Related resources
Anonymous
a b à CPUs
January 27, 2005 3:26:08 PM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general (More info?)

Hi Arvi,

It would come in handy to know exactly which process of the SVCHost is
giving you problems, as svchost is controlling loads and loads of processes.
(Just to name a couple: DNSCache, Eventsystem, Seclogon, WinMgmt, etc...
there's more than 20 on a normal Domain Networked XP-Pro machine. On a HE
machine, there will be a couple less, but still an impressive amount)

Check if you're able to download the process explorer from
http://www.sysinternals.com
Let us know what you finally find out which exact SVCHost process is giving
you trouble. To be quite honest with you, I don't think this is a virus,
however, it might be malware or a rogue service...

Cheers,

Robert


"Arvi Laanemets" <garbage@hot.ee> wrote in message
news:o SCkJYFBFHA.2156@TK2MSFTNGP10.phx.gbl...
> Hi
>
>
> "Kelly" <kelly@mvps.org> wrote in message
> news:uxoSV0EBFHA.2192@TK2MSFTNGP14.phx.gbl...
>> Pretty much normal. What does System Idle read?
>
> 100% - SvcHost% - taskmgr%(~4%) - RemainingProcesses%(~2%...3%), i.e.
> something between 70% and 0% mostly, average will be somewhere between
> 30%-40%, I think, but ~10% of time it's less than 10% System Idle CPU -
> with
> only Task manager opened.
>
>> http://www.google.com/search?hl=en&q=SvcHost&btnG=Googl...
>>
>> In the meantime, run this combo:
>>
>> Run Ad-Aware SE, Spybot and HijackThis:
>> http://www.majorgeeks.com/downloads31.html
>
> Runned both Ad-Aware and Spybot (both updated). I didn't use HijackThis,
> because I have tried it once only on my own computer, and I was not sure
> about results it returned. There was a bunch or registry entries which
> were
> defined as changed, but I didn't have such entries in my registry at all
> !?
>
>
>>
>> Note: Update each program, once installed, before running.
>>
>> Free Online Virus Scan
>> http://housecall.trendmicro.com/housecall/start_corp.as...
>
> It was one of 3 various antiviruses I used to scan the computer with. It
> was
> too late for me yesterday to try the second another online scanner, I use
> sometimes (www.bitdefender.com).
>
>
> --
> When sending mail, use address arvil<at>tarkon.ee
> Arvi Laanemets
>
>
>
Anonymous
a b à CPUs
January 27, 2005 6:38:41 PM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general (More info?)

Hi

Thanks! I downloaded it. I'll give it a try today or tomorrow evening.

I agree that this don't look like virus. Maybe something is trying to
connect to somewhere outside, but can't. P.e. some trojan or spyware
component, which was partially removed. Or firewall doesn't let it to
connect. It look like some process is desperately trying to connect at
start, and when convienced that this isn't possible, runs some check after
every 20-30 seconds.

--
When sending mail, use address arvil<at>tarkon.ee
Arvi Laanemets


"PaddyBob" <PaddyBob@discussions.microsoft.com> wrote in message
news:o N63usGBFHA.3336@TK2MSFTNGP11.phx.gbl...
> Hi Arvi,
>
> It would come in handy to know exactly which process of the SVCHost is
> giving you problems, as svchost is controlling loads and loads of
processes.
> (Just to name a couple: DNSCache, Eventsystem, Seclogon, WinMgmt, etc...
> there's more than 20 on a normal Domain Networked XP-Pro machine. On a HE
> machine, there will be a couple less, but still an impressive amount)
>
> Check if you're able to download the process explorer from
> http://www.sysinternals.com
> Let us know what you finally find out which exact SVCHost process is
giving
> you trouble. To be quite honest with you, I don't think this is a virus,
> however, it might be malware or a rogue service...
>
> Cheers,
>
> Robert
>
>
> "Arvi Laanemets" <garbage@hot.ee> wrote in message
> news:o SCkJYFBFHA.2156@TK2MSFTNGP10.phx.gbl...
> > Hi
> >
> >
> > "Kelly" <kelly@mvps.org> wrote in message
> > news:uxoSV0EBFHA.2192@TK2MSFTNGP14.phx.gbl...
> >> Pretty much normal. What does System Idle read?
> >
> > 100% - SvcHost% - taskmgr%(~4%) - RemainingProcesses%(~2%...3%), i.e.
> > something between 70% and 0% mostly, average will be somewhere between
> > 30%-40%, I think, but ~10% of time it's less than 10% System Idle CPU -
> > with
> > only Task manager opened.
> >
> >> http://www.google.com/search?hl=en&q=SvcHost&btnG=Googl...
> >>
> >> In the meantime, run this combo:
> >>
> >> Run Ad-Aware SE, Spybot and HijackThis:
> >> http://www.majorgeeks.com/downloads31.html
> >
> > Runned both Ad-Aware and Spybot (both updated). I didn't use HijackThis,
> > because I have tried it once only on my own computer, and I was not sure
> > about results it returned. There was a bunch or registry entries which
> > were
> > defined as changed, but I didn't have such entries in my registry at all
> > !?
> >
> >
> >>
> >> Note: Update each program, once installed, before running.
> >>
> >> Free Online Virus Scan
> >> http://housecall.trendmicro.com/housecall/start_corp.as...
> >
> > It was one of 3 various antiviruses I used to scan the computer with. It
> > was
> > too late for me yesterday to try the second another online scanner, I
use
> > sometimes (www.bitdefender.com).
> >
> >
> > --
> > When sending mail, use address arvil<at>tarkon.ee
> > Arvi Laanemets
> >
> >
> >
>
>
Anonymous
a b à CPUs
January 27, 2005 6:38:50 PM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general (More info?)

"Arvi Laanemets" <garbage@hot.ee> wrote in
news:o xr7JcHBFHA.3908@TK2MSFTNGP12.phx.gbl:

> Hi
>
> Thanks! I downloaded it. I'll give it a try today or tomorrow evening.
>
> I agree that this don't look like virus. Maybe something is trying to
> connect to somewhere outside, but can't. P.e. some trojan or spyware
> component, which was partially removed. Or firewall doesn't let it to
> connect. It look like some process is desperately trying to connect at
> start, and when convienced that this isn't possible, runs some check
> after every 20-30 seconds.
>

a good port monitor program is DiamondCS Port Explorer. there's a time
limit demo at their website. with this you can be able to tell if
something's trying to phone home.

www.diamondcs.com.au/portexplorer/
January 28, 2005 3:23:03 AM

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general (More info?)

Exactly why you need to trust HijackThis! I use this program daily in my
shop here and have never been led wrong. You can look over the config if
you like to be sure of setting your defaults and/or send the report to:

Browser Hijack and Malware Removal Forums
http://forums.net-integration.net/index.php?c=19

How to obtain the most effective support
http://www.net-integration.net/tools/procedure.html

Spyware, Thiefware, Browser Hijackers, etc. Parasites Forum
http://forums.spywareinfo.com/index.php?s=7dc4817293382...


--
All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com


"Arvi Laanemets" <garbage@hot.ee> wrote in message
news:o xr7JcHBFHA.3908@TK2MSFTNGP12.phx.gbl...
> Hi
>
> Thanks! I downloaded it. I'll give it a try today or tomorrow evening.
>
> I agree that this don't look like virus. Maybe something is trying to
> connect to somewhere outside, but can't. P.e. some trojan or spyware
> component, which was partially removed. Or firewall doesn't let it to
> connect. It look like some process is desperately trying to connect at
> start, and when convienced that this isn't possible, runs some check after
> every 20-30 seconds.
>
> --
> When sending mail, use address arvil<at>tarkon.ee
> Arvi Laanemets
>
>
> "PaddyBob" <PaddyBob@discussions.microsoft.com> wrote in message
> news:o N63usGBFHA.3336@TK2MSFTNGP11.phx.gbl...
>> Hi Arvi,
>>
>> It would come in handy to know exactly which process of the SVCHost is
>> giving you problems, as svchost is controlling loads and loads of
> processes.
>> (Just to name a couple: DNSCache, Eventsystem, Seclogon, WinMgmt, etc...
>> there's more than 20 on a normal Domain Networked XP-Pro machine. On a HE
>> machine, there will be a couple less, but still an impressive amount)
>>
>> Check if you're able to download the process explorer from
>> http://www.sysinternals.com
>> Let us know what you finally find out which exact SVCHost process is
> giving
>> you trouble. To be quite honest with you, I don't think this is a virus,
>> however, it might be malware or a rogue service...
>>
>> Cheers,
>>
>> Robert
>>
>>
>> "Arvi Laanemets" <garbage@hot.ee> wrote in message
>> news:o SCkJYFBFHA.2156@TK2MSFTNGP10.phx.gbl...
>> > Hi
>> >
>> >
>> > "Kelly" <kelly@mvps.org> wrote in message
>> > news:uxoSV0EBFHA.2192@TK2MSFTNGP14.phx.gbl...
>> >> Pretty much normal. What does System Idle read?
>> >
>> > 100% - SvcHost% - taskmgr%(~4%) - RemainingProcesses%(~2%...3%), i.e.
>> > something between 70% and 0% mostly, average will be somewhere between
>> > 30%-40%, I think, but ~10% of time it's less than 10% System Idle CPU -
>> > with
>> > only Task manager opened.
>> >
>> >> http://www.google.com/search?hl=en&q=SvcHost&btnG=Googl...
>> >>
>> >> In the meantime, run this combo:
>> >>
>> >> Run Ad-Aware SE, Spybot and HijackThis:
>> >> http://www.majorgeeks.com/downloads31.html
>> >
>> > Runned both Ad-Aware and Spybot (both updated). I didn't use
>> > HijackThis,
>> > because I have tried it once only on my own computer, and I was not
>> > sure
>> > about results it returned. There was a bunch or registry entries which
>> > were
>> > defined as changed, but I didn't have such entries in my registry at
>> > all
>> > !?
>> >
>> >
>> >>
>> >> Note: Update each program, once installed, before running.
>> >>
>> >> Free Online Virus Scan
>> >> http://housecall.trendmicro.com/housecall/start_corp.as...
>> >
>> > It was one of 3 various antiviruses I used to scan the computer with.
>> > It
>> > was
>> > too late for me yesterday to try the second another online scanner, I
> use
>> > sometimes (www.bitdefender.com).
>> >
>> >
>> > --
>> > When sending mail, use address arvil<at>tarkon.ee
>> > Arvi Laanemets
>> >
>> >
>> >
>>
>>
>
>
!