WinXP SE: SvcHost (SYSTEM) process takes most of CPU

Archived from groups: microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general

Hi

Yesterday evening I was asked to control a computer (WinXP HE, SP1, ADSL
modem, WinXP firewall), because it was too slow. I checked it with 3
different antivirus (AntiVir, Housecall PC-Cillin on-line, AVG) and removed
25-30 infected files, mostly trojans. I checked the computer with Ad-Aware
SE and Spybot too; ~70 objects were found and removed. All temporary folders
were emptied. I checked with regedit all Run keys in HKLM & HKCU and removed
all abundant (2 spyware records) from there. Comfile, exefile etc. keys in
HKCR looked OK.

After that, when restarted, all was OK in task manager's TaskList - until
ADSL connection started. Then one of svchost (SYSTEM) processes started to
take more and more CPU. It was 4%-10% at start, then 10%-30%, etc. until
50%-95% after some time. A little after the CPU usage stabilized, there was
a sudden change - CPU dropped to ~20%, and then rose again to ~90% - then
dropped again, etc. The length of cycle was less than a minute.

At same time as svchost, was active taskmgr which used ~4% CPU.

I tried to investigate, what really was using this much CPU (from command
window: tasklist /svc), but tasklist.exe was missing from computer at all.
Then I checked with regedit, what was started from various svchost's
(HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost) , and I deleted
all entries which somehow had to do with remote access to computer and were
not essential to OS working. Nothing was changed!

Maybe some fresh ideas available here!
Thanks in advance!

--
When sending mail, use address arvil<at>tarkon.ee
Arvi Laanemets
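
Added example, not part of the original thread or any poster's code: with tasklist.exe unavailable, the SvcHost key inspected in the post above can be exported from regedit together with HKLM\SYSTEM\CurrentControlSet\Services and mapped offline, so each svchost group is resolved to its services and their ServiceDll before anything is deleted. The System32 path check is a triage heuristic assumed for this example, and the service `examplesvc` and its DLL path are constructed sample data.

```python
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Triage heuristic (assumption of this example): stock service DLLs sit directly in System32.
STOCK_DLL = re.compile(r"(%systemroot%|[a-z]:\\windows)\\system32\\[^\\]+\.dll", re.I)

def decode_value(raw):
    """Decode one exported value: REG_SZ, hex(2) REG_EXPAND_SZ or hex(7) REG_MULTI_SZ."""
    m = re.match(r"hex\((2|7)\):(.*)$", raw)
    if m:  # both types are exported as comma-separated UTF-16LE bytes
        text = bytes(int(b, 16) for b in m.group(2).split(",") if b).decode("utf-16-le", "replace")
        parts = [p for p in text.split("\x00") if p]
        return parts if m.group(1) == "7" else "".join(parts[:1])
    return raw[1:-1].replace("\\\\", "\\") if raw.startswith('"') else raw

def parse_reg(text):
    """Parse 'Version 5.00' export text into {key: {value_name: data}}, names lowercased."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1).lower()] = decode_value(m.group(2))
    return keys

def audit_svchost(text):
    """List (group, service, service_dll, needs_review) for every svchost-hosted service."""
    reg, rows = parse_reg(text), []
    for group, services in reg.get(SVCHOST_KEY.lower(), {}).items():
        for svc in services if isinstance(services, list) else []:
            params = reg.get(f"{SERVICES_KEY}\\{svc}\\Parameters".lower(), {})
            dll = params.get("servicedll")  # None: group entry with no service key behind it
            rows.append((group, svc, dll, not (isinstance(dll, str) and STOCK_DLL.fullmatch(dll))))
    return rows

def _hex(kind, s):  # helper for the constructed sample: render text as regedit exports it
    return f"hex({kind}):" + ",".join(f"{b:02x}" for b in s.encode("utf-16-le"))

# Constructed sample export; "examplesvc" and its DLL path are made up for illustration.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "", f"[{SVCHOST_KEY}]",
    '"netsvcs"=' + _hex(7, "Schedule\x00examplesvc\x00\x00"),
    "", rf"[{SERVICES_KEY}\Schedule\Parameters]",
    '"ServiceDll"=' + _hex(2, "%SystemRoot%\\System32\\schedsvc.dll\x00"),
    "", rf"[{SERVICES_KEY}\examplesvc\Parameters]",
    '"ServiceDll"=' + _hex(2, "C:\\Temp\\example.dll\x00"),
])
print(*audit_svchost(SAMPLE), sep="\n")
```

A row with `needs_review` set is a lead to check (file properties, signature, vendor), not a verdict; third-party services can legitimately load from other directories.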
  1.

    Pretty much normal. What does System Idle read?
    http://www.google.com/search?hl=en&q=SvcHost&btnG=Google+Search

    In the meantime, run this combo:

    Run Ad-Aware SE, Spybot and HijackThis:
    http://www.majorgeeks.com/downloads31.html

    Note: Update each program, once installed, before running.

    Free Online Virus Scan
    http://housecall.trendmicro.com/housecall/start_corp.asp


    --
    All the Best,
    Kelly (MS-MVP)

    Troubleshooting Windows XP
    http://www.kellys-korner-xp.com


  2.

    Hi


    "Kelly" <kelly@mvps.org> wrote in message
    news:uxoSV0EBFHA.2192@TK2MSFTNGP14.phx.gbl...
    > Pretty much normal. What does System Idle read?

    100% - SvcHost% - taskmgr%(~4%) - RemainingProcesses%(~2%...3%), i.e.
    something between 70% and 0% mostly, average will be somewhere between
    30%-40%, I think, but ~10% of time it's less than 10% System Idle CPU - with
    only Task manager opened.

    > http://www.google.com/search?hl=en&q=SvcHost&btnG=Google+Search
    >
    > In the meantime, run this combo:
    >
    > Run Ad-Aware SE, Spybot and HijackThis:
    > http://www.majorgeeks.com/downloads31.html

    Ran both Ad-Aware and Spybot (both updated). I didn't use HijackThis,
    because I have tried it once only on my own computer, and I was not sure
    about results it returned. There was a bunch of registry entries which were
    defined as changed, but I didn't have such entries in my registry at all !?


    >
    > Note: Update each program, once installed, before running.
    >
    > Free Online Virus Scan
    > http://housecall.trendmicro.com/housecall/start_corp.asp

    It was one of the 3 antiviruses I used to scan the computer with. It was
    too late for me yesterday to try a second online scanner, which I use
    sometimes (www.bitdefender.com).


    --
    When sending mail, use address arvil<at>tarkon.ee
    Arvi Laanemets
  3.

    Hi Arvi,

    It would come in handy to know exactly which process of the SVCHost is
    giving you problems, as svchost is controlling loads and loads of processes.
    (Just to name a couple: DNSCache, Eventsystem, Seclogon, WinMgmt, etc...
    there's more than 20 on a normal Domain Networked XP-Pro machine. On a HE
    machine, there will be a couple less, but still an impressive amount)

    Check if you're able to download the process explorer from
    http://www.sysinternals.com
    Let us know when you finally find out which exact SVCHost process is giving
    you trouble. To be quite honest with you, I don't think this is a virus;
    however, it might be malware or a rogue service...

    Cheers,

    Robert


  4.

    Hi

    Thanks! I downloaded it. I'll give it a try today or tomorrow evening.

    I agree that this doesn't look like a virus. Maybe something is trying to
    connect to somewhere outside, but can't. E.g. some trojan or spyware
    component, which was partially removed. Or the firewall doesn't let it
    connect. It looks like some process is desperately trying to connect at
    start, and when convinced that this isn't possible, runs some check after
    every 20-30 seconds.

    --
    When sending mail, use address arvil<at>tarkon.ee
    Arvi Laanemets


  5.

    "Arvi Laanemets" <garbage@hot.ee> wrote in
    news:Oxr7JcHBFHA.3908@TK2MSFTNGP12.phx.gbl:

    > Hi
    >
    > Thanks! I downloaded it. I'll give it a try today or tomorrow evening.
    >
    > I agree that this doesn't look like a virus. Maybe something is trying to
    > connect to somewhere outside, but can't. E.g. some trojan or spyware
    > component, which was partially removed. Or the firewall doesn't let it
    > connect. It looks like some process is desperately trying to connect at
    > start, and when convinced that this isn't possible, runs some check
    > after every 20-30 seconds.
    >

    A good port monitor program is DiamondCS Port Explorer. There's a
    time-limited demo at their website. With this you can tell if
    something's trying to phone home.

    www.diamondcs.com.au/portexplorer/
  6.

    Exactly why you need to trust HijackThis! I use this program daily in my
    shop here and have never been led wrong. You can look over the config if
    you like to be sure of setting your defaults and/or send the report to:

    Browser Hijack and Malware Removal Forums
    http://forums.net-integration.net/index.php?c=19

    How to obtain the most effective support
    http://www.net-integration.net/tools/procedure.html

    Spyware, Thiefware, Browser Hijackers, etc. Parasites Forum
    http://forums.spywareinfo.com/index.php?s=7dc481729338294fb5d64090b77ef364&showtopic=9882


    --
    All the Best,
    Kelly (MS-MVP)

    Troubleshooting Windows XP
    http://www.kellys-korner-xp.com

