
svchost madness

Started by bertie97, April 01, 2016, 04:02:40 PM


bertie97

On a laptop I have, I am seeing some crazy svchost activity.
Basically this process will eat as much cpu as possible, & hold it at 100% load 24/7. 
No idea why - it was a clean OS install on a new SSD.

I put PL on to track down the process parameters/restrain it.
I would love to be able to copy & paste the data from the PL window (can this function be added?) but have taken a couple of screens. It's PID 1208.

Does anyone recognize this as malicious? Or know why it's hogging the PC? I know svchost functions can be a problem but I've not seen anything as crippling as this before.

As it is I am just forcing it to shut down via PL & have it set to idle only (& it still takes every spare cycle it can!!) when it autostarts on boot - I'm letting it load just in case it's legit.

Any ideas?

edkiefer

The only thing I can think of is to go through each service listed in that data line, and stop one by one until you find which is causing the high cpu%.
Only problem: some of them I don't think you can close w/o losing a lot of function.

I was going to say check with a few AVs, but you say it's a clean install.
Bitsum QA Engineer

bertie97

Thanks for the reply, Ed.
I have got AV & FW on there & haven't found anything at all.
Looking at the FW logs I can see no dubious IPs.

It always starts on a boot; if I shut it down everything seems OK (no apparent loss of PC functions); it will restart sometimes mid-session, it gets more & more greedy of cycles even with it forced to idle.
Nothing I can see in registry or startup.  I am now going to start searching thru the reg more deeply tho...
& there's this I will be looking at
http://appuals.com/high-cpu-usage-by-svchost-exe-netsvcs/


& if you're reading JC pls is it possible to add a copy function to the PL main process listing window ??

edkiefer

Bertie97: Maybe I wasn't clear, what I meant is to stop each service till you find which one an associated exe.
Looking for example at my netsvcs, the ones that don't match are Aelookup.svc, browser, Eaphost, IkEEXT. Not that that matters, but try stopping each of them first in services.

Edit: Ok guess you did understand my reply as I didn't read your link first.
Bitsum QA Engineer

bertie97

Ed, yup I've been looking at the non-malicious factors (Tho MS can't be considered entirely non-malicious esp given they now seem to be pushing all non w10 users to the bottom of the auto-update queue - 48hrs of 'checking' before I see anything listed... It was bad enuf when w8.1 was released but now it's just plain rotten.)

I can disable some services but it is counter-intuitive/crippling to utterly disable all listed services.
I found this page & tried a few of the listed updates - these actually solved it - for about 10 minutes on a cold boot then it started again.
http://www.wintips.org/how-to-fix-svchost-exe-netsvcs-memory-leak-or-high-cpu-usage-problems/
I've concluded it is an OS fault in this case & am trying to find a patch that will actually solve this & I appear to be one of many
Priority given to w10 really makes this a problem
:(

BenYeeHua

Well, did you try to use Process Explorer?
It will list out the threads (inside the process) with their service name, then you can narrow down by searching just the service name. :)
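
Added example, not part of the original thread: a PowerShell check that lists the services sharing one svchost.exe instance and confirms the process looks like a genuine service host. The default PID 1208 and the service name wuauserv are taken from the posts here; the variable names and checks are this example's own.

```powershell
# Added example: triage one svchost.exe instance by PID. Run from an elevated prompt,
# otherwise ExecutablePath and CommandLine come back empty for system processes.
# Get-WmiObject keeps this compatible with the PowerShell 2.0 shipped in Windows 7.
param([int]$TargetPid = 1208)   # 1208 is the PID quoted in the first post

$proc = Get-WmiObject Win32_Process -Filter "ProcessId = $TargetPid"
if (-not $proc) { Write-Warning "No process with PID $TargetPid"; return }

# A genuine service host lives in System32 (or SysWOW64), is started by services.exe
# and carries a "-k <group>" argument such as "-k netsvcs".
$expected = @("$env:SystemRoot\System32\svchost.exe",
              "$env:SystemRoot\SysWOW64\svchost.exe")
$parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

$report = New-Object PSObject -Property @{
    Pid         = $proc.ProcessId
    Path        = $proc.ExecutablePath
    PathOk      = ($expected -contains $proc.ExecutablePath)
    ParentOk    = ($parent -and $parent.Name -eq 'services.exe')
    HasGroupArg = ($proc.CommandLine -match '\s-k\s+\S+')
    CommandLine = $proc.CommandLine
}
$report | Format-List Pid, Path, PathOk, ParentOk, HasGroupArg, CommandLine

# Every service sharing this process; these are the candidates to stop one at a time.
$services = @(Get-WmiObject Win32_Service -Filter "ProcessId = $TargetPid")
$services | Sort-Object Name |
    Format-Table Name, DisplayName, StartMode, State -AutoSize

# To attribute CPU to one suspect instead of stopping it, give it a private host
# process, restart the service (or reboot) and watch the new svchost PID:
#   sc.exe config wuauserv type= own      # revert with: type= share
```

A False in PathOk or ParentOk is the result worth investigating further; a long service list with all checks True points to a misbehaving legitimate service.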

bertie97

Thanks BYH.
My problem is some of the services seem too routine/important. 
e.g. I can disable the browser service but as soon as I start a browser I am on 100% cpu .......

It also looks like the svchost.exe is being forced into this condition by a flaw MS may or may not have properly patched.  The problem goes back a looong way & there have been several attempts to fix it.  A number of w7SP1/8/8.1 users have the issue.  (I have read it also exists in some w10 configs).
I guess it is directly linked to some mismatch on laptop hardware. 
Bottom line - I can manually stop & start services but what good is that when if I am just browsing I need 100% cpu with all the related heat & stress? + it's a pain ;)

PL is at least able to push it to idle but that's not a long term fix :(

edkiefer

The process of finding which service was not to have it not running all the time, but to find where the problem is so you can maybe find a fix.

Once you narrow down which is causing the issue, I think you will have much better chance of finding a fix.

FWIW: when I boot for the first time in the morning I get a somewhat high cpu% (around 20-25%) but it only lasts maybe a few mins and the processes shut down on their own.
Bitsum QA Engineer

bertie97

Hey Ed.
Yeah I get that. 
What I'm saying is it looks like it's the way W7 interacts with svchost that is a problem on some hardware.
So I patch etc, reboot & it's all OK, cpu initial boost fades & everything looks OK.  Then e.g. I open the browser & bang 100% from 12%.  (the browser is fully updated & what it is IE, Chrome etc doesn't make a difference).
Look at the procs list & there is svchost (netsvcs) at the top again.
Close the browser & svchost (netsvcs) is still at max, & will stay there until halted manually.
Same occurs with any of the procs in the above screen.  Stuff like BITS which I don't need are disabled in services.msc.

So I am currently left with the issue of having to manually stop services depending on what I do.
I am nonetheless still trying ::) to find a combo of allowed procs that works but I am also seeing commentary to the effect that I am p_ssing into the wind as it's something that needs a core M$ patch.

If I figure it out I'll post my findings.

bertie97

After a week of trying it is finally updated....
Patching eliminated some of the fault generators.  This allowed me to properly isolate single services. 
The fault had affected multiple services which couldn't all be disabled without drastically impacting functionality. 
The remaining offenders were marched out to the firing squad.

Killed -
wuauserv
wudfsvc


& now the laptop runs more or less right   ::) ;)

edkiefer

Ok, but you need wuauserv to update windows.

Maybe some of these will help
http://answers.microsoft.com/en-us/windows/forum/windows_vista-update/windows-update-service-wuauserv-hangs-on-starting/ba28d84f-d6cf-4cdd-b24f-28cb11e841ce?auth=1

I know you didn't mention it, but make sure that service is not getting restrained. IMO you should have enabled "exclude system services from restraint" in ProBalance settings.
Bitsum QA Engineer

bertie97

Thanks for the link Ed. 
I know this is disabling win update.  Only way I could even open a browser was restrict to idle & then to hard throttle the svchost (netsvcs) instance.  PL made it possible to actually try to fix the thing, as the 100% load just crippled it.
So I repartitioned the ssd & did a clean install, then <100hrs @100% waiting for the current updates - which was enuf updating for me. 
The upside was most of the services called on now work without overloading the system. 

Formerly I couldn't even complete the install of 'magic cure' manually downloaded KBs 99% of the time (one would install, the next wouldn't, then rolling back to try a different install order the same files would then not install at all etc etc); I could disable wuauserv & still have the problem; I could do the off-line install of the update service & get nowhere, but, after forever, the 2nd clean install did eventually update....

The one entry on your link is about an Acer which this laptop is - which reinforces my findings that certain hardware esp laptops are an issue that MS hasn't fully addressed.  (+both Acer & MS are always more enthusiastic about selling new products).

So my 'fix' has been a combination of all the solutions listed there in that thread, none of which ever actually solved the problem but which got me far enough to be able to use the laptop without frying it. 
The machine is EOL as far as the industry is concerned so I guess I have to be glad I got this far!

BenYeeHua

Well, Windows Update is a mess on Windows 7 as there are too many updates/patches in the system.
(on my parent's laptop, it keeps downloading something about Office each time the laptop boots)
And I guess for Windows 10, their solution is to bump the version and upgrade Windows 10 with a new ESD (similar to an ISO that has a high compression rate), so it minimizes the Windows Update history that needs to be scanned and reduces these issues. ;)

tberty

Sorry for digging this old post, however, I'm getting this svchost.exe issue and after restarting Windows Update, it doesn't go away.

Is there any way I can diagnose and troubleshoot it easier?

Updated: I found this one, which helped me and there were some other solutions for other situations and cases.

https://usefulpcguide.com/18385/svchost-exe-netsvcs-high-cpu/


edkiefer

Try clearing out the SoftwareDistribution folder in Windows, or try running control panel>troubleshooter>WU, which should do the same.
More info on it here

https://usefulpcguide.com/18487/fix-wuauserv-high-cpu-usage/
Bitsum QA Engineer

tberty

Thank you for your suggestion. It seems the issue is now resolved. I don't know whether it will come back or not. So far so good :)

jessica951

While playing the game on my PC I was facing the same issue of high cpu usage. Actually svchost.exe (netsvcs) causes this issue. After trying many solutions I followed this tutorial on the web and successfully resolved the issue

Jeremy Collake

Keep in mind that service is active because it is doing something ;). So, the question is - are you happy shutting it down or otherwise throttling it in any way? The source of the issue should always be addressed first, if possible.
Software Engineer. Bitsum LLC.

Turpen

Svchost is a fickle 'issue.' It seems to come and go on its own. Every time I get annoyed by it and start to research where the problem might be, it all of a sudden disappears lol.