svchost.exe resource hogging (not the usual problem)

[plasticknives]

I know usually when people have an svchost problem, its causing 100% cpu usage and is usually caused by auto updates. Thats not the issue I'm having. When I boot up my computer, everything works fine. After having it on for a day or so, svchost.exe (the one handling RPC) has a spiking cpu usage (jumps from 0% to 40% (the % increases the longer my computer is on) over and over). The memory also gradually increases (Starts at around 4000k, after a day its at 70000k+). This causes choppy games and videos and sometimes when the cpu usage gets higher, it causes my speedstep to keep hopping between 800 and 1.86. Has anyone had this problem or does anyone have a remedy for it? I've searched google to no avail.

 

[montag451]

Hi,
Could try disabling RPC.

Control panel - Administrative tools - Services.
Look up RPC, Just 'stop' the service.
Don't 'disable' it just yet. If you 'disable' the service, then when you reboot, it will still be disabled.
How do you know it is related to RPC?

 

[plasticknives]

Yea I'm not about to disable RPC. It's required by windows. I know its RPC cause I used processXP to find out.

 

[montag451]

Are you on a network?
If not, just 'STOP' the service.

As i said, this isn't permanent, so if something does go wrong, when you reboot, it will be back on.

 

[plasticknives]

but even if I stop it, that's not going to help anything. I'm looking for an answer to the cause of it or a solution.

 

[montag451]

As a troubleshoot, see if svchost uses less resources.

Do you want someone to just use a magic wand from faraway and make everything better, or do you want to fix the bloody thing?

 

[Bradtechonline]

Try setting the Priority to below normal or low on the svchost. Also check out thread usage by the svchost, and see if you find anything unusual. You also might run a Malware/Spyware, and anti-virus scan with an alternative program than you are currently using.

You also might look and see if the svchost is spawning wuauclt.exe. If so, it's the windows update checking your windows for updates *i know you said it isn't it just thought I'd be complete*. Disable automatic updates if you haven't done so already which I assume you have.

I've also had systems do this, and I had to disable remote registry service along with windows updates. You may find black vipers services guide, and follow what he recommends.

 

[plasticknives]

Originally posted by: montag451
As a troubleshoot, see if svchost uses less resources.

Do you want someone to just use a magic wand from faraway and make everything better, or do you want to fix the bloody thing?

Well what I'm saying is, of course svchost will use less resources if RPC is not running. It's only that particular instance of svchost (you know how there are 5 or so) thats the problem, which is RPC. Unless one instance of it can affect another. I do appreciate your help though.

Originally posted by: Bradtechonline
Try setting the Priority to below normal or low on the svchost. Also check out thread usage by the svchost, and see if you find anything unusual. You also might run a Malware/Spyware, and anti-virus scan with an alternative program than you are currently using.

You also might look and see if the svchost is spawning wuauclt.exe. If so, it's the windows update checking your windows for updates *i know you said it isn't it just thought I'd be complete*. Disable automatic updates if you haven't done so already which I assume you have.

I've also had systems do this, and I had to disable remote registry service along with windows updates. You may find black vipers services guide, and follow what he recommends.

I do have wuauclt.exe running under a separate instance of svchost, but thats not the one causing the problem. I've used Symantec Corp Anti-Virus and Adaware. Ill try out some other ones and see.

The only problem is every change I make I have to wait at least a day to see if the resources will rise again.

 

[montag451]

Could you post a HijackThis log (copy/paste).
Exactly what proggies are starting up at boot? Dl STRun and let us know (doesn't install itself to registry).
http://www.nirsoft.net/utils/strun_setup.exe

 

[plasticknives]

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:47:07 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\brian\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.co...site.cab?1182223170218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.co...site.cab?1182223205609
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5965 bytes





==================================================
Item Name : SunJavaUpdateSched
Type : Registry -> Machine Run
Command : "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
Disabled : No
Product Name : Java(TM) Platform SE 6 U1
File Version : 6.0.10.6
Description : Java(TM) Platform SE binary
Company : Sun Microsystems, Inc.
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 6/25/2007 3:10:20 PM
==================================================

==================================================
Item Name : NotebookHardwareControl
Type : Registry -> Machine Run
Command : "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
Disabled : No
Product Name : Notebook Hardware Control
File Version : 1.8.9.6
Description : Notebook Hardware Control
Company : http://www.pbus-167.com
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 5/3/2007 8:33:22 PM
==================================================

==================================================
Item Name : Adobe PDF Conversion Toolbar Helper
Type : Browser Helper Objects
Command : C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
Disabled : No
Product Name : Adobe PDF Toolbar for IE
File Version : 8.1.0.0
Description : Adobe PDF Toolbar for Internet Explorer
Company : Adobe Systems Incorporated
Location :
File Created Date : 6/20/2007 7:59:57 PM
==================================================

==================================================
Item Name : Adobe PDF Reader Link Helper
Type : Browser Helper Objects
Command : C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
Disabled : No
Product Name : AcroIEHelper Library
File Version : 8.0.0.2006102200
Description : Adobe PDF Helper for Internet Explorer
Company : Adobe Systems Incorporated
Location :
File Created Date : 10/22/2006 11:08:42 PM
==================================================

==================================================
Item Name : SSVHelper Class
Type : Browser Helper Objects
Command : C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
Disabled : No
Product Name : Java(TM) Platform SE 6 U1
File Version : 6.0.10.6
Description : Java(TM) Platform SE binary
Company : Sun Microsystems, Inc.
Location :
File Created Date : 6/25/2007 3:10:20 PM
==================================================

==================================================
Item Name : SynTPEnh
Type : Registry -> Machine Run
Command : C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Disabled : No
Product Name : Synaptics Pointing Device Driver
File Version : 8.3.4 19May06
Description : Synaptics TouchPad Enhancements
Company : Synaptics, Inc.
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 6/18/2007 11:46:19 PM
==================================================

==================================================
Item Name : Hcontrol
Type : Registry -> Machine Run
Command : C:\WINDOWS\ATK0100\HControl.exe
Disabled : No
Product Name : ATK0100
File Version : 1043, 2, 15, 51
Description : HControl
Company :
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 6/19/2007 7:43:22 PM
==================================================

==================================================
Item Name : MSConfig
Type : Registry -> Machine Run
Command : C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
Disabled : No
Product Name : Microsoft® Windows® Operating System
File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description : System Configuration Utility
Company : Microsoft Corporation
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 6/18/2007 10:37:24 PM
==================================================

==================================================
Item Name : ctfmon.exe
Type : Registry -> User Run
Command : C:\WINDOWS\system32\ctfmon.exe
Disabled : No
Product Name : Microsoft® Windows® Operating System
File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description : CTF Loader
Company : Microsoft Corporation
Location : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 8/4/2004 8:00:00 AM
==================================================

==================================================
Item Name : High Definition Audio Property Page Shortcut
Type : Registry -> Machine Run
Command : HDAShCut.exe
Disabled : No
Product Name : Microsoft® Windows® Operating System
File Version : 5.10.01.5013 built by: WinDDK
Description : High Definition Audio Property Page Shortcut v1.0a
Company : Windows (R) Server 2003 DDK provider
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 1/7/2005 5:07:16 PM
==================================================

==================================================
Item Name : nwiz
Type : Registry -> Machine Run
Command : nwiz.exe /install
Disabled : No
Product Name : NVIDIA nView Wizard, Version 110.91
File Version : 6.14.10.11091
Description : NVIDIA nView Wizard, Version 110.91
Company : NVIDIA Corporation
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 6/18/2007 11:30:51 PM
==================================================

==================================================
Item Name : NvCplDaemon
Type : Registry -> Machine Run
Command : RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Disabled : No
Product Name : Microsoft® Windows® Operating System
File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description : Run a DLL as an App
Company : Microsoft Corporation
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 8/4/2004 8:00:00 AM
==================================================

==================================================
Item Name : WIAWizardMenu
Type : Registry -> Machine RunOnce
Command : RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
Disabled : No
Product Name : Microsoft® Windows® Operating System
File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description : Run a DLL as an App
Company : Microsoft Corporation
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
File Created Date : 8/4/2004 8:00:00 AM
==================================================

==================================================
Item Name : NvMediaCenter
Type : Registry -> Machine Run
Command : RunDLL32.exe NvMCTray.dll,NvTaskbarInit
Disabled : No
Product Name : Microsoft® Windows® Operating System
File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description : Run a DLL as an App
Company : Microsoft Corporation
Location : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
File Created Date : 8/4/2004 8:00:00 AM
==================================================




I don't know why it's saying the Acrobat stuff and HDAshcut are loading, because I disabled those and they are not loaded in the services.

Oh and I tried lowering the priority but it wouldn't let me, I'm guessing since its so vital to the system.

 

[montag451]

Seems ok.


Can you run msconfig and stop Adobe, msmsgs, fnplicensing, sun java console, HDAShCut.exe, utorrent.exe, pidgin.exe, ATKOSD.exe

Run for a day, or whatever takes your fancy, and see if you still get the memory leak.

If good result, then you will be spending a few days seeing which one of these is the problem - although my money is on utorrent if you are doing a lot of dl.

 

[chazzzer]

ProcessXP is a good tool, but it doesn't show you all of the dlls that are running under an instance of svchost.exe.

If you have an nVidia graphics card, do this:

Right-click on your desktop and select Properties from the menu. Click the Settings tab. Click the Advanced button. Click the tab that says "GeForce xxxx." In the pop-up menu that appears next to the main window, click on "Desktop Management." In the main window, it should say "nView" at the top and just below that it will talk about the nView Desktop Manager. If the button there says "Disable," click on it. Then OK of all the windows and reboot.

I had a similar problem that drove me nuts for a long time. Turned out that nView was the resource hog. You can get a list of all of the dlls that are running under an instance of svchost.exe by opening a Command Prompt and typing "tasklist /SVC"

On my system it currently shows this for svchost.exe:

svchost.exe 1588 DcomLaunch, TermService
svchost.exe 1676 RpcSs
svchost.exe 1812 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
ERSvc, EventSystem, helpsvc, HidServ,
lanmanserver, lanmanworkstation, Netman,
Nla, RasMan, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, srservice,
TapiSrv, Themes, TrkWks, W32Time, winmgmt,
wscsvc, wuauserv, WZCSVC
svchost.exe 1964 Dnscache
svchost.exe 328 Alerter, LmHosts, RemoteRegistry, SSDPSRV,
WebClient

Look for the PID that's consuming the resources, then look for what's listed under it. Those are either .exe or .dll files (I think ProcessXP only shows the .exe files), and many times they don't seem to have much to do with each other. They are all running as services, and Windows seems to randomly (?) group them together under different instances of svchost.exe. In my case, I noticed a number of names starting with "nv" (as I recall) were running under the PID that was consuming the resources. Trial and error led me to discover that it was nView that was causing the issues, and disabling it solved the problem.

Even if nView isn't your issue, the "tasklist /SVC" command might help you locate where the problem really is.

 

[plasticknives]

It's RpcSs causing the memory leak and cpu spike. I'm wondering what could cause RpcSs to do this. All the other services are fine. I'm thinking maybe its a certain windows update or my bios.

I had installed vista and upgraded my bios at the same time, then reinstalled XP the next day and that is when it started happening. The XP install previous to Vista worked fine. I would rollback the bios but WinFlash doesnt allow that and my bios doesn't allow flashing from USB or NTFS.