svchost sucking up cpu time

[valis]

For the rare instances I'm forced to boot into windows I'm having problems.

I literally just reinstalled windows (about 20 or 30 minutes ago) because it got to the point it was unusable. I should note I have a rather strange setup: I run as a normal user in a group I setup so I can use runas, I also add \bin and \cygwin\bin to my PATH and use linkd to make a bearable file structure. I also use xoblite.

Now, after a fresh install, svchost seems to be using 99% cpu time. Here's it's process list:
svchost.exeA
AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, Themes, TrkWks, W32Time, winmgmt, wscsvc, wuauserv, WZCSVC

My audio device is AC'97, I have an AX4SPE-Max motherboard which as a Realtek ALC850 chipset. Audio works fine in linux.

Anyone have any idea what could be causing the issue or experienced a similar issue?

Thanks

[SlyMaelstrom]

The only time I experienced those svchost issues was because of viruses. This wouldn't appear to be the case for you considering you just reinstalled. Regardless, you might as well try a virus scan since there are several viruses with that symptom.

[valis]

I had forgotten I shutdown the svchost that was using all the cpu so my changes to my user account (taking me out of administrator) didn't have effect until I restarted. The cpu usage problem is now gone (presumably because I'm not an admin anymore as that's the only thing that changed and many reboots had taken place prior with no effect). In any case, just to document a problem and a solution I did run accross this. I also ran a system scan which found nothing, I hadn't expected to find a virus because I started iexplore with http://opera.com and installed it right away, then svg free, so I didn't even visit google or msn with ie; although you're right, might as well try.

http://www.experts-exchange.com/Oper..._20947897.html
Comment from sugarstevie
Date: 08/08/2004 10:43AM PDT Comment

Mike,
I finally got the bottom of what was causing System Restore Service running under SVCHOST to saturate the CPU at 100%. I'll document it here for any unlucky soles who may encounter the same problem.
Svchost runs a whole slew of services on behalf of the system – so the trick was to find which one was running away. I downloaded a tool called Process Explorer from http://www.sysinternals.com/ntw2k/fr.../procexp.shtml. It will report the process ID of each process in memory, and in the case of the svchost process, all services attached to it. At Control Panel - Admin Tools – Services, I selectively stopped each service to see which one was causing the load (then later started it again if stopping had no effect). In my case, I found that the System Restore Service (srservice – srsvc.dll) was running away at 99%.
Next I opened a support case with Microsoft. We used numerous tools to troubleshoot the service. One of the more valuable tools was FILEMON, available at http://www.sysinternals.com/ntw2k/source/filemon.shtml. It shows all files that are touched during the monitor period. We also used the proprietary USERDUMP tool from Microsoft, which is not available for download, and for which I had no tool to analyze the results.
Microsoft determined that the latest restore point in the SRService database was corrupt, and the service was getting hung when it tried to delete one of its files. The restore points comprising the SRService database are stored on my machine at the following location: C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}
The solution was to manually remove all restore points in the SRService database, using Windows Explorer. Here are the steps to accomplish this.
1. Boot the machine with SRService disabled (Select Start / Control Panel / Administrative Tools / Services. Double click System Restore Service, and set Startup Type to Disabled, then click OK. Re-boot. You may have to rename srsvc.dll, even in the DLL cache, to keep it from starting - it's fairly persistent.)
2. You must grant access to the System Volume Information folder on C: (Article 309531).
2a. Get a command prompt and type the following, including quotes:
cacls "C:\System Volume Information" /E /G username:F
2b. (To undo these permissions later when finished, type the follwing)
cacls "C:\System Volume Information" /E /R username
3. Move the offending folder, in my case C:\System Volume Information\_restore{2EDE8FBE-CD64-4AC6-BB82-21229910E44C}\RP140", to a temporary location
4. reboot
5. Right click My Computer, and select Properties. This automatically starts SRService and changes its startup from disabled to automatic
6. Click the System Restore tab
7. Select “Turn Off System Restore” and click apply. Notice the _restore… folder disappears in the System Volume Information folder. Warning: all restore points are deleted.
8. Go back and uncheck “Turn Off System Restore” then click apply. Notice the _restore… folder appears in the System Volume Information folder (No, the previous restore points don’t re-appear.)
9. SRService should no longer hog the CPU!

Regards,
Steve

edit:
I figure I should probably not just ignore this issue, I attempted the above but it did not fix my problem.
I downloaded filemon from sysinternals and there was a lot of activity inside some updates directories, turning off updates completely has fixed the problem so far.

[Driver]

It depends on where svchost.exe is being run from as to whether it's the real thing or not .... C:\WINDOWS\system32\svchost.exe will be the legitimate one, but anywhere else will indicate the presence of a virus or some other malware.

Hop over to an ASAP (Alliance of Security Analysis Professionals) forum for a check-up with HijackThis and other tools that are designed to flush out malware. At least it will eliminate that possibility.

[Mario F.]

svchost has caused me problems before too. The fact it "hides" the actual culprit doesn't help. Process Explorer is a must and it is free.

System Restore and Automatic Updates are usually the ones causing the fuzz. But I never experienced this problem from when SP1 started to ship with installation CDs. Are you installing from a non service pack copy?

Regardless, I'm pretty sure once you have the SPs in place, all will be well.

[valis]

I installed with an sp2, some major update caused svchost to "help out" windows update, this is why it disappeared when I was running as a user. Once I turned off the updates completely I no longer had the problem, I searched around google and it seems others have had the same problem and same solution.

[Driver]

And did you get the update done? It might be worth going down the malware route to make sure it isn't some evil piece of malicious code that's preventing you from updating.

I've seen systems get attacked while downloading from Windows Update, and when the installation process started it failed partway through because a malicious running process had got there

[valis]

Two installs in a row? I'd be impressed (although it's possible). I ran svv, virus scan (avg free), spybot, hijack this, and darkspy and found nothing.

[cboard_member]

Right now I've got 6 svchosts running, some system, some network service and one local service. Damn things.

[joeprogrammer]

Maybe that's why Oblivion runs so slow.

[Driver]

It is normal and typical to see multiple instances of svchost.exe - a quick check in many people's HJT logs show 6 or 7 running. It controls WinNT services, so handles multiple things.

Unfortunately, the name has been used by many a malware maker. If it's running from C:\Windows\System32 and is made by Microsoft, then you're OK. Any other location will be bad news.

Some malware require special fix tools to get you clear: gone are the days when an Ad-Aware, Spybot S&D, and HJT scan was all it took. Now we've got the delights of Winfixer and Virtumondo to cope with. These require special fix tools in combination with the standard scanners. Developers at the anti-malware forums are constantly working on custom fixes for malware as they come out - it's a real war.

For a list of good and bad scanners, take a look at this list.

If you have been hit by malware, then complain about it

[jdbellwa]

I had the same problem with svchost kicking off and using up to 99% of my CPU time. This was happening 3-4 times a day at work and making it difficult to get things done. Once it started it would be 15 mins or more before it would stop by itself. I started killing the process in taskmgr but I'd have to do it each time. Finally I called my company's helpdesk (I work for a large computer software company). Their first suggestion was to run virus and spyware checkers to eliminate that as a probable cause. And yes, they found nothing. So then they sent me instructions that could fix the problem. Lo and behold, it worked. I'm not saying this will work for everyone as it seems there are several reasons this could be happening. However, it won't hurt your system so it's worth giving it a shot. I would still recommend backing up for your system before trying.

1) Open a dos shell window.
Click “Start/Run”, type in “cmd.exe” and hit enter.
2) Stop the Windows Management service
"net stop winmgmt"
3) Delete the Repository folder
"rd /s /q c:\windows\system32\wbem\Repository\"
4) Restart the Windows Management service
"net start winmgmt"
5) Recompile all the "Managed Object Format" files (*.mof,*.mfl)
a) "cd /d c:\windows\system32\wbem\"
b) "for %i in (*.mof,*.mfl) do Mofcomp.exe %i"
6) Verify the folder "c:\windows\system32\wbem\Repository\" has been recreated. If not, restore your system and try again or look for another solution. :-)

It only takes 5 mins to do. I hope this does the trick for you.
Dean

[valis]

There seems to be a number of ways this problem can come about. Mine was caused by svchost trying to help out with the windows update, once I turned off automatic updates it went away.