CPU usage by unknown service (please help to track problem)

[Quark Fusion]

At my quad-core 3GHz Vista X64 system the "svchost.exe -k LocalSystemNetworkRestricted" process using 15% CPU (which results to 60% of single core or 2 gigacycles per second) resources from time to time like runnung some scheduled task.

Task is running in thread, which have priority lowered by 1 (which still interfered with my background processes at bellow normal priority) started from "ADVAPI32 ! unsigned long ScCheckServiceSids(void) + 0xf7".

Search for "ScCheckServiceSids" yelds no results, maybe this is undocumented function?

To relocate that system time to my applications I lowered svchost priority to bellow normal and afraid that this can hurt some system-critical tasks.

P.S. sorry if my english is bad.

Edited June 14, 2008 by Quark Fusion

[cluberti]

Would it be possible for you to take an adplus -hang dump of the process, following the guide here?

First, download / install the debugging tools, as per the guide. Then:

1. Create a directory called c:\adplus

2. Open a command prompt and change to the directory where you installed the debugging tools. By default, this is "C:\Program Files\Debugging Tools for Windows"

3. Type the following command in the command prompt:

cscript adplus.vbs -hang -p <PID> -quiet -o c:\adplus

(where <PID> is the process ID of the svchost.exe that is consuming the CPU, and you can see process IDs on the Processes tab of task manager after adding the column - View > Select Columns > PID)

4. Once the debugger has finished (this can take some time), the command prompt window(s) will close, and you will have data in your C:\adplus folder that can be analyzed.

[Mr Snrub]

Also, it might be useful to check which services you have running in that svchost.exe instance.

From a command prompt, enter:

tasklist /svc /FI "PID eq XXX"

(Where XXX is the PID of the process.)

It should give something like this as output (PID was 536 on my PC):

C:\Windows\system32>tasklist /svc /FI "PID eq 536"

Image Name					 PID Services
========================= ======== ============================================
svchost.exe					536 AudioEndpointBuilder, hidserv, Netman,
								   PcaSvc, SysMain, TrkWks, UxSms,
								   WdiSystemHost, WPDBusEnum, wudfsvc

How frequently does that process consume CPU time, and for how long?

Is it something like every N minutes, or at 18:00 every day, for example?

If the total CPU usage is only 15% across your system, then it's not stealing time from other processes - is there a large amount of disk access at the same time?

[Quark Fusion]

Also, it might be useful to check which services you have running in that svchost.exe instance.

AudioEndpointBuilder, EMDMgmt, hidserv, Netman, PcaSvc, SysMain, TrkWks, UxSms (that all)

Thread view most time traps process in (SysMain + 18xxx) thing, althrough i don't sure if that means dll name or symbol name.

How frequently does that process consume CPU time, and for how long?

Is it something like every N minutes, or at 18:00 every day, for example?

If the total CPU usage is only 15% across your system, then it's not stealing time from other processes - is there a large amount of disk access at the same time?

Is it something like every N minutes, but N isn't fixed. I was spoting this load at evening and at night mainly, maybe because I don't care at day. Sometimes that process runs again several mins after it finish previous task. The task (continous cpu usage) is like 10-30 mins, I don't remember exactly. But one pass time seems like constant.

I have idea that it's scheduled task, that should run at evening only when computer is idle and delay start if not, but not sure about that.

15% may seems low across system, but system has 4 cpu cores, so if recount that to one core it will be high. What if my system were dual-core? single-core? (I actually have one single-core system, but it's now off and don't have vista installed, but I want to power it on some day and under control of Vista for some reason)

I don't care if it's run only once a week, but when I spot it at random time, consuming non-idle resources — I think that something is wrong. Especially when it's rerun like 2 mins after it's done.

And last that bothering me is memory used by services, just this one process allocated 270MB and has 240 in use, but it was like that from very begining, maybe it's Vista way and x64 contributed to it.

P.S. run background task at thread priority -1 from process sucks, as user's background processes have thread priority -2. (Norm=8, BNorm=6)

Edited June 14, 2008 by Quark Fusion

[Quark Fusion]

cluberti, I don't know what "adplus" thing is, so I will look at your guide and think afternight about it.

[Quark Fusion]

Also I want to add, that if EMDMgmt is ReadyBoost, that I just plug usb-drive about two weeks ago and also don't remember if that loads was before that (but think it was)

It's likely that ReadyBoost feature don't gain any notable benefit to my system with 8GB ram, so if you think it can be reason for that i can disable service

Another thought is that it can be SuperFetch process, but most likely that is different story (as I can see when system actively access files).

As more information there is start addresses of other threads:

svchost ! _BuildServiceArray@8() + 0xb5
ntdll ! _RtlAddAtomToAtomTable@12() + 0x152
audiosrv + 0xBA00
MMDevAPI ! public: virtual long CRegistryPropertyStore::GetValue(struct _tagpropertykey const &,struct tagPROPVARIANT *) + 0x241
uxsms ! private: static unsigned long CPortBase::PortThread(void *) + 0x0
emdmgmt ! unsigned long EcSvcWorkThread(void *) + 0x0
ole32 ! private: static unsigned long CRpcThreadCache::RpcWorkerThreadEntry(void *) + 0x0
ntdll ! __woutput_l() + 0x244
pcasvc ! unsigned long PcapProcessChainThread(void *) + 0x0
ntdll ! __woutput_l() + 0x244
hidserv ! HidThreadInputProc() + 0x0
hidserv ! HidThreadProc() + 0x0
hidserv ! HidThreadProc() + 0x0
ntdll ! __woutput_l() + 0x244
sysmain + 0x462D0
SSDPAPI ! unsigned long GetNotificationLoop(void *) + 0x0

[Quark Fusion]

That thing just finish it's task (as encode ended and system become idle), again don't know if it was first time or second, but thread's consumed cpu time is 21:56 and uptime is 3:01:07:xx

[Mr Snrub]

Well, you have the list of services that run in that process, and if the CPU usage is high for a few minutes then I would try the high-level approach of simply stopping services one at a time in that list and observing the CPU load.

When it drops, you have identifed the service.

Also, if it is not a worker thread (that is created, consumes CPU time and then dies), but is present all the time accumulating CPU time, then it should also vanish when the service involves is stopped, so you may not have to wait for the next occurrence.

[Quark Fusion]

Hmm, how I don't think about that?

[Quark Fusion]

Ok, I catched it, after hitting restart button for all affected services one didn't restart at short and it was SuperFetch service. Also after some time at witch that thread finish it's task svchost's consumed memory go down to around 20-40Mb, thread terminated and SuperFetch reach stopped state.

For now system have 1Gb memory free and task manager shows 1-2Mb as "free" (I think correct term should be "not used"). (SuperFetch is restarted)

Now the question, what SuperFetch service was doing? There was some times when system access prefetch files, but I think it was ReadyBoot feature that consolidates it's trace files (the process take 10-20 secs). Also when SuperFetch loads files in the background it's not show any cpu load (and load files to free memory, not self).

P.S. SuperFetch service has SysMain as it's internal name.

Edited June 15, 2008 by Quark Fusion

[Quark Fusion]

It's run that again, also when it's working it calls some thread in System process that uses additionally 3% of cpu (3% of 4 cores). At task's start time cpu load was 100% by my background tasks.

Memory usage: SuperFetch stopped — 35Mb, started — 166Mb (was 270Mb).

Update: task started around 10 mins after service start.

Edited June 15, 2008 by Quark Fusion