I'm trying to understand why my Windows 7 machine is constantly reading/writing to the HDD, making everything go slow. As you can see in the screenshot, resmon reports that there is a lot of disk activity originating from svchost.exe (pid 756). But in Process Monitor, process 756 doesn't seem to do anything at all, except the periodical profiling. How is this even possible? They seem to contradict each other?
I'm dumbstruck. How can I look further into this problem?
There are a couple of things that Windows does in the background:
Installing updates is done by TrustedInstaller.exe so that is not your problem. I do see prefetch showing up so I'm going to assume that Windows is looking for frequently used files and load them in available memory. This way, most of your applications will start faster.
When you install updates you might notice a slight hiccup with your pc's performance but indexing, prefetching and defragmenting are all executed using low priority i/o which means you won't notice it. The moment you do an action that requires something from the hard drive, the low priority stuff will be halted.
Several sub process with the same PID can run inside of svhost.exe
You can see what they are in task manger by right clicking on the svchost process and select go to services, this will list all the services running under that particular instance of svchost. It will highlight them for you, you may have to scroll for them to show. These are all the services running under that specific PID. Another method is to go directly to the Services Tab in Taskmanager and then click the PID column header and this will sort them, then look for your PID's
Tracking down which service is causing the writes will require other software such as process monitor to sort that out. It is very powerful software and you would need to study up on how to use it
this looks like the Superfetch service. It runs with low IO priority and doesn't impact performance of other applications.
I'm having a problem with Windows 7 64-bit. I thought it was slow and all, but then I saw that the CPU usage was always around 80% and started searching for a solution.
There are two svchost.exe's consuming around 30% each and in the resources monitor there's a system interrupts consuming 45% all the time. I tried closing the applications, but it makes no difference.
I tried some other things that I've found on Google, like disable system updates, but it didn't work.
I don't know if it will help but here's my specifications:
Core 2 Duo 4400
ATI Radeon 4850
4 GB DDR2 RAM
I ran the suggested program and got this information; did I get it right?
As you asked here it is, did I get it right now? The other TCP/IP there's nothing.
I ran msconfig and took the services that one of the svchost.exe processes was using out of the startup and now my CPU is around 50%, but I still would like to improve it further. I can't lose that much CPU power just because of Windows...
Yeah, there's nothing I can do here. I am going to reinstall Windows XP soon, it's really weird...
Use a program like Process Explorer to determine which svchost.exe is consuming the resources. Is the svchost being run from services.exe? What are the commandline arguments for that particular svchost? There are several svchost run via Windows, you will need to isolate which one is consuming those resources. Process Explorer will display which services are associated with that process, as well as display which TCP/IP ports it is using.
Click on the Process tag so the processes show in a tree format to confirm it is being run via services.exe.
Although from looking at your Services tabs, they look legitimate.
First svchost looks like `svchost.exe -k LocalServiceNoNetwork`
Second svchost looks like `svchost.exe -k LocalServiceNetworkRestricted`
Do you have anything aggressively hitting your Windows Firewall? What do the TCP/IP and Threads tabs show? The threads tab will display CPU information for the threads within each process. Have you tried to restart the services specified or checked your eventlog to see a lot of errors?
Are you running any indexing of media files or have anything on your LAN attempting to access those media files?
That's a lot of EtwTraceMessageVa calls. Have you checked your eventlog? At the rate it's using CPU there has to be something in WMI writing to ETW. Better question, did this start recently and do you have a restore point before it happened?
I think you'll find Svchost Viewer to be useful.
You can use it to determine which program is doing most by viewing the amount of data written and such. It should help in some way to determine which process is doing what.
A number of viruses can run under the name of svchost, so it's best to check you've got decent anti-virus running and updated. It's just as likely to be a non virus-related Windows problem though.
Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs) and you can analyse what these particular svchost processes are using Svchost Process Analyzer
I just had one of the svchosts processes, out of nowhere, start to cripple my Win7 32bit PC for the last 2 days, with the (Dual Core) CPU stuck on 100%. This particular svchost process was responsible for over a dozen net services process threads, all of which appeared to be standard necessary network services.
Using a combination of new admin alerts in the EventVwr, Sys Internals Process Explorer and svchost analyser, I narrowed it down to the main culprit being:
Windows Live Mesh Remote Desktop service
Disabling this in services got me back about 60% of my CPU, and this particular svchost service then dropped off in task manager.
It was then replaced by another, utilising some 35 - 45%. By right clicking in Task Manager and going to the service, the only service attributed was Windows Defender.... (and we've all heard of that one before).
As many don't realise it's installed with Windows 7 by default (you can't see it in your programs list), this link show a nice tuorial on how to disable it.
I also have had an issue with svchost.exe causing 100% CPU usage. The services in question related to svchost are NLASvc, LanmanWorkstation, Dnscache, and CryptSvc. My problem ended up being Firefox. In the latest version they added plugin-container.exe which runs as a process separately from Firefox. The idea behind it is if a plugin crashes it won't crash Firefox or your browsing session. But it made surfing on my system unbearable.
The solution: Disable plugin container process.
You are done, restart Firefox and open up Windows task manager to see that the plugin container process is disabled..
The crash protection feature in Firefox 3.6 is enabled for certain plugins only. The four preferences that we modified here specifies four different out-of-process plugins. They are the NPAPI test plugin, Adobe Flash, Apple QuickTime (Windows) and Microsoft Silverlight (Windows). These plugins are specified in a separate dom.ipc.plugins.enabled preference by default is set to true. We can disable them by changing their value to false. And thus plugin-container.exe will not run. By default, the preference dom.ipc.plugins.enabled is already set to “false”. So, no need to touch it. The dom.ipc.plugins.timeoutSecs is also not important here as other values are false.
I hope this helps somebody.
I had the same thing , killed Windows Defender and now i'm fine. Best of luck to you.
From your screenshots, it seems like the audio service is involved.
There might be a connection with the problem described in
win 7 high cpu usage on 2 services
(see last answer).
Try to disable the integrated audio and see if this helps.
Use the Sysinternal's Process Explorer
Then, find which SVCHOST service is running without any parent, because each svchost.exe must be loaded by services.exe. Kill all of them if found. (You can figure out the parent of a process by double clicking on it >> "Image" Tab >> "Parent" Label.)
Additionally, if the virus you got is the same one as with me, you should do the following steps.
Check if there is a process named Watermark.exe under the ..\Program Files\Microsoft folder. Then delete it. (You also better LOCK that folder by using the Security tab of it.)
Watermark.exe is injecting VBScripts code into every .html file. Then these infected .html files are injecting into SVCHOST.EXE. So check a few .html files from different places by opening with some text editor. * Don't run *. If you find VBScript code at the bottom of your file, the condition is worse than we hoped.
So if this is happening too, you better clear all .html files (or) remove the code from each .html file.
After cleaning the .html files, for me at this situation, I surely replaced the SVCHOST.EXE from Windows XP installation CD, by using Recovery Console from boot.
Could be the "Power" service run by one of the svchost processes causing high CPU usage.
Try changing the Power saving mode from the Balance (default) to Performance and set the sleeping mode to "Never".