performance - SVCHost using 100% CPU in Windows 7

20
2014-04
  • Synthoras

    I am having a problem with Windows 7. When I boot up, the CPU jumps to 100% execution for about 10-15 minutes. During this time, it is really slow, and if I play any music, the songs play slowly and sound distorted.

    I tried to scan my computer with different antivirus programs (I used Spybot, HijackThis, and CCleaner), but I didn’t find anything of note.

    I watched the process list in Task Manager and saw that there are two processes that are to blame. There are two copies of svchost.exe, one using ~48% CPU, the second (under the Network Service account) using ~37%. For the first 15 minutes, the CPU runs at about 70-80%, then eventually drops to 30-40%.

    I don’t know what to do. I could not find a way to stop the services, and if I try to kill them, sometimes the system crashes.

  • Answers
  • Synetech

    You are on the right track with your investigation. The problem is that you got stuck at svchost.exe. The catch is that svchost is a generic process that hosts multiple services. What you need to do is to figure out which of the services it is hosting is sucking cycles.

    1. Get Process Explorer (and run it, of course)
      1. Right-click on the column header and select Select Columns…
      2. Under the Process Performance tab, make sure that CPU and CPU History are selected
    2. For each instance of svchost.exe with high CPU usage,
      1. Double-click it
      2. Switch to the Services tab
      3. Click one of the services and click Stop
      4. Look at the CPU graph of that instance of svchost to see if it has gone down
      5. Go to 2.3 until you see a statistically significant drop in CPU usage for that instance
      6. Note down what the last service you stopped was
    3. Examine the service(s) that were causing high CPU usage to see if they can be disabled, updated, removed, etc.
    4. Figure out why the system idles at 30-40% CPU usage

  • Related Question

    windows xp - SvcHost is taking 100% of CPU. It appears to be either DcomLaunch or TermService - virus?
  • Cory Charlton

    So my SvcHost is all of a sudden taking 100% of my CPU, and I'd like to figure out which service is responsible for this. Is there any way to differentiate the load being generated by the multiple services running in a single SvcHost?

    I have run a virus scan and it came up clean; my tool is old and outdated, so it found nothing.

    I tried stepping through the services, stopping them one by one, but I couldn't find the culprit (note some services also auto restarted and I didn't want to disable them).


    Update: I used Process Explorer last night but there were many services, some of which couldn't be stopped, in the offending SvcHost. Today I checked again at heavyd's suggestion and got lucky because only two services are in the offending SvcHost today.

    DcomLaunch - DCOM Server Process Launcher

    TermService - Terminal Services

    Neither of which are stoppable. I am up to date on Windows updates. Going to run another virus scan for the heck of it although nothing turned up last night. Maybe it's time for a fresh start (this install is from sometime in 2004).


    Update: Definitely a virus. After the last reboot the CPU usage dropped, but I got some odd "Security Software Installed" messages at boot, oddly named processes running (for example, 555573478785.exe), and suspicious keys added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that were not there last night.

    Symantec AntiVirus Corporate 8.1.0.825 presented some warnings, but it doesn't seem to be catching everything :-(


    Malwarebytes' Anti-Malware results:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3763
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    
    2/19/2010 12:12:58 PM
    mbam-log-2010-02-19 (12-12-58).txt
    
    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 290960
    Time elapsed: 1 hour(s), 23 minute(s), 54 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 25
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 6
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    C:\WINDOWS\kbabjtm.dll (Trojan.Hiloti) -> Delete on reboot.
    
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
    
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbabjtm.dll  -> Delete on reboot.
    
    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\55533526 (Rogue.Multiple) -> Quarantined and deleted successfully.
    
    Files Infected:
    C:\WINDOWS\kbabjtm.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\Temp\~TM17.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\~TM466.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\mach\Local Settings\Temporary Internet Files\Content.IE5\2WE7TOVW\load[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Documents and Settings\mach\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\mach\Start Menu\Programs\Startup\monnid32.exe (Trojan.Bredolab) -> Delete on reboot.
    

    Second scan results:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3763
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    
    2/19/2010 1:54:07 PM
    mbam-log-2010-02-19 (13-54-07).txt
    
    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 290753
    Time elapsed: 1 hour(s), 18 minute(s), 34 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129104.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129105.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    

    Update: After a couple more scans it looks like my PC no longer has a virus.

    Thanks everyone!


  • Related Answers
  • heavyd

    I would suggest grabbing Microsoft/SysInternals Process Explorer. With Process Explorer you can open the specific svchost process and see which services are being run from that process. You can then use the "Services" tab in the process details to stop individual services to find the culprit.
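The two answers above (Synetech's step list and heavyd's) both come down to one fact: a service, not svchost.exe itself, is burning the CPU, and Process Explorer's Services tab is how you see which services live in a given instance. The following script is an added example, not code from either answer or from Sysinternals; it gathers the same mapping from WMI (the Win32_Service.ProcessId and Win32_Process classes) into one table, so you know which instance, and which list of services, to bisect. It uses Get-WmiObject rather than the newer CIM cmdlets so that it also runs on the Windows PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not code from the answers above: for every svchost.exe instance,
# list its PID, the account it runs under, the CPU time it has consumed so far and
# the services it hosts. This is the same information Process Explorer's Services
# tab shows, gathered into one table so you know which instance to bisect.
# Uses WMI (Get-WmiObject) so it also runs on Windows 7's default PowerShell 2.0.
# Run from an elevated prompt so the service-to-process mapping is complete.

function Get-SvchostServiceMap {
    # Win32_Service.ProcessId records which process currently hosts each service.
    $servicesByPid = @{}
    foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
        if (-not $servicesByPid.ContainsKey($svc.ProcessId)) {
            $servicesByPid[$svc.ProcessId] = @()
        }
        $servicesByPid[$svc.ProcessId] += $svc.Name
    }

    foreach ($proc in (Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'")) {
        $owner = $proc.GetOwner()
        # KernelModeTime and UserModeTime are reported in 100-nanosecond units.
        $cpuSeconds = [math]::Round(([double]$proc.KernelModeTime + [double]$proc.UserModeTime) / 1e7, 1)
        New-Object PSObject -Property @{
            PID        = $proc.ProcessId
            Account    = "$($owner.Domain)\$($owner.User)"
            CpuSeconds = $cpuSeconds
            Services   = ($servicesByPid[$proc.ProcessId] -join ', ')
        }
    }
}

# Highest CPU consumers first; the Services column is the list to bisect
# (stop one, watch the graph, repeat) as the answers describe.
Get-SvchostServiceMap | Sort-Object CpuSeconds -Descending |
    Format-Table PID, CpuSeconds, Account, Services -AutoSize -Wrap
```

CpuSeconds is cumulative since the process started, so run the script twice a minute apart and compare if you want a rate rather than a total. Without PowerShell, the built-in `tasklist /svc` prints the same PID-to-service mapping (without CPU figures), which is enough to cross-reference against Task Manager.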

  • Peter Mortensen

    As long as the multiple services are running in a single svchost.exe you can't differentiate the load. But there is an easy and safe way to split them out in separate svchost.exe's:

    SC Config Servicename Type= own
    

    Do this in a command-line window or put it into a BAT/CMD script. Requirements for this to work are:

    • Administrative privileges when the SC commands are executed.
    • Restart of the computer. It does not take effect before that.
    • The space after "=".

    The original state can be restored by:

    SC Config Servicename Type= share
    

    Example: to make Windows Management Instrumentation run in a separate SVCHOST.EXE:

    SC Config winmgmt Type= own
    

    I have used the following sequence on a Windows XP system. It can be pasted directly into a command-line window.

    rem  1. "Automatic Updates"
    SC Config wuauserv Type= own
    
    rem  2. "COM+ Event System"
    SC Config EventSystem Type= own
    
    rem  3. "Computer Browser"
    SC Config Browser Type= own
    
    rem  4. "Cryptographic Services"
    SC Config CryptSvc Type= own
    
    rem  5. "Distributed Link Tracking"
    SC Config TrkWks Type= own
    
    rem  6. "Help and Support"
    SC Config helpsvc Type= own
    
    rem  7. "Logical Disk Manager"
    SC Config dmserver Type= own
    
    rem  8. "Network Connections"
    SC Config Netman Type= own
    
    rem  9. "Network Location Awareness"
    SC Config NLA Type= own
    
    rem 10. "Remote Access Connection Manager"
    SC Config RasMan Type= own
    
    rem 11. "Secondary Logon"
    SC Config seclogon Type= own
    
    rem 12. "Server"
    SC Config lanmanserver Type= own
    
    rem 13. "Shell Hardware Detection"
    SC Config ShellHWDetection Type= own
    
    rem 14. "System Event Notification"
    SC Config SENS Type= own
    
    rem 15. "System Restore Service"
    SC Config srservice Type= own
    
    rem 16. "Task Scheduler"
    SC Config Schedule Type= own
    
    rem 17. "Telephony"
    SC Config TapiSrv Type= own
    
    rem 18. "Terminal Services"
    SC Config TermService Type= own
    
    rem 19. "Themes"
    SC Config Themes Type= own
    
    rem 20. "Windows Audio"
    SC Config AudioSrv Type= own
    
    rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
    SC Config SharedAccess Type= own
    
    rem 22. "Windows Management Instrumentation"
    SC Config winmgmt Type= own
    
    rem 23. "Wireless Configuration"
    SC Config WZCSVC Type= own
    
    rem 24. "Workstation"
    SC Config lanmanworkstation Type= own
    
    rem End.
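The sequence above changes each service's start type from shared to own process. Before doing that to a long list of services, it is worth recording what each one currently reads, so the `Type= share` restore step has something to check against. The script below is an added example, not code from the answer: it reads the Win32_Service.ServiceType property, which reports "Share Process" for a service hosted in a shared svchost.exe and "Own Process" once it has been split out, and wraps the answer's `winmgmt` example with a before and after check. One caveat specific to PowerShell: `sc` there is an alias for Set-Content, so the command must be spelled `sc.exe`; the space after `type=` is still required, exactly as in cmd.

```powershell
# Added example, not code from the answer above: record a service's hosting type
# before running "sc config ... type= own" and verify it afterwards.
# Win32_Service.ServiceType reads "Share Process" for services hosted in a shared
# svchost.exe and "Own Process" once they have been split out.
# Caveat: inside PowerShell, "sc" is an alias for Set-Content, so call sc.exe by
# its full name; the space after "type=" is required, exactly as in cmd.

function Get-ServiceHostingType {
    param([Parameter(Mandatory = $true)][string[]]$Name)
    foreach ($n in $Name) {
        $escaped = $n.Replace("'", "''")          # keep the WQL filter well-formed
        $svc = Get-WmiObject Win32_Service -Filter "Name = '$escaped'"
        if ($svc -eq $null) {
            Write-Warning "No service named '$n'"
            continue
        }
        New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            ServiceType = $svc.ServiceType
            ProcessId   = $svc.ProcessId
            PathName    = $svc.PathName
        }
    }
}

# Before the change: expect "Share Process" and a PID shared with other services.
Get-ServiceHostingType winmgmt | Format-List Name, DisplayName, ServiceType, ProcessId, PathName

# The change from the answer; requires an elevated prompt.
sc.exe config winmgmt type= own

# Afterwards the configured type reads "Own Process"; the service actually moves
# into its own svchost.exe only after the restart the answer calls for.
Get-ServiceHostingType winmgmt | Format-List Name, DisplayName, ServiceType, ProcessId, PathName
```

Pipe the output of `Get-ServiceHostingType` for the whole list (for example `Get-ServiceHostingType wuauserv, EventSystem, Browser`) to `Export-Csv` before the change, and you have a record of which services were shared to begin with, rather than blindly setting every one of them back to `share` later.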
    
  • SoftwareGeek

    I suggest you give AVIRA AntiVirus a try. It has higher detection rates than any major antivirus out there. I definitely recommend it.

  • Peter Mortensen

    Same condition here. It was a virus in my case. But there is no doubt that NO ANTIVIRUS can cure it, because SvcHost itself was being injected and infected. SvcHost can never be deleted or terminated then.

    • Use Sysinternals' Process Explorer.

    • Then find which SvcHost is running without a parent, because each svchost.exe must be loaded by services.exe. Or you can find the parent of a process by double-clicking on it >> "Image" tab >> "Parent" label.

    Additionally, if the virus you got is the same as the one with me (infecting from all html files with VBScript), you should do the following steps.

    • Clear all .html files (or) remove the code from each .html file.

    • After cleaning the .html files, in my situation I replaced SVCHOST.EXE from the Windows XP installation CD, using the Recovery Console from boot.
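The parent check in the answer above is a useful triage step and it can be scripted rather than done one process at a time in Process Explorer. The script below is an added example, not code from the answer: it walks Win32_Process, flags every svchost.exe whose parent is not a live services.exe, and additionally checks that the image runs from the Windows directory (System32, or SysWOW64 for 32-bit hosted services on 64-bit Windows), since a file named svchost.exe elsewhere on disk is not the real one. Like the earlier examples it uses Get-WmiObject so it runs on Windows 7's default PowerShell 2.0.

```powershell
# Added example, not code from the answer above: list svchost.exe instances that
# fail the parent check the answer describes (a legitimate svchost.exe is started
# by services.exe) and also check that the image runs from %SystemRoot%\System32
# (or SysWOW64 for 32-bit hosted services on 64-bit Windows).
# Uses WMI so it also runs on Windows 7's default PowerShell 2.0; run elevated so
# ExecutablePath is readable for every instance.

function Get-SuspiciousSvchost {
    $procs = @(Get-WmiObject Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

    $allowedPaths = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $reasons = @()

        # Parent check: ParentProcessId should belong to a live services.exe.
        $parent = $byPid[$p.ParentProcessId]
        if ($parent -eq $null) {
            $reasons += "parent PID $($p.ParentProcessId) no longer exists"
        } elseif ($parent.Name -ine 'services.exe') {
            $reasons += "parent is $($parent.Name) (PID $($p.ParentProcessId))"
        }

        # Image path check (case-insensitive): svchost.exe outside the Windows
        # directory is not the real one.
        if ($p.ExecutablePath -and ($allowedPaths -notcontains $p.ExecutablePath)) {
            $reasons += "image path is $($p.ExecutablePath)"
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                PID       = $p.ProcessId
                ParentPID = $p.ParentProcessId
                Path      = $p.ExecutablePath
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousSvchost | Format-Table PID, ParentPID, Path, Reasons -AutoSize -Wrap
```

Two caveats when reading the output. Windows reuses process IDs, so a parent PID that now belongs to some unrelated process can produce a misleading "parent is ..." line; confirm in Process Explorer before acting on it. And an empty result is not a clean bill of health: code injected into an svchost.exe that services.exe legitimately started passes both checks, which is exactly the situation the answer describes, so this script narrows the search rather than finishing it.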