
Svchost.exe 100% CPU consumption on Vista



Posted

I've newly installed the same Vista Ultimate X86 on my new hard drive. It is not the first install, because I've done it 3-4 times in the last 4 days. The last time, the laptop wouldn't go into sleep mode. I couldn't find any solution for this, so at last I decided to reinstall the system.

On this install everything was OK until the next day, when I discovered that Svchost.exe uses 100% CPU. (I have two cores, and the process uses 100% of one core.)

In CMD, the Tasklist command gave N/A for this particular SVCHOST process.

cmdsvchost.png

I also looked at the modules used by this process. Based on this, I suspect Avira. But I also checked other Svchost processes and found that Avira is also among the modules used by Svchost PID: 2560, 1188, 1168 and some others (but not all of them).

usedmodules.png

Here is also PE Threads information.

pesvcthreads.png

So, what is your conclusion about this issue?


Posted

Thank you. I've read it and done it. But unfortunately I could see no useful information in this data. What do you think about it?

xperf1.png

Posted (edited)

I've already installed the symbols, and I also realized that it shows only question marks instead of names. But this issue occurred on some threads, including this one. And as you can see below, when symbols are loaded it shows some thread names, but when they are not loaded, none of the thread names are shown...

Symbols are loaded:

symbol1.png

Symbols are not loaded:

symbol0v2.png

Edited by CoffeeFiend
Posted

It has been sent to you

Update 1:

Another interesting point is that when I click on "Threads" for this process in Process Explorer, the Svchost process shuts down silently without any error.

Update 2:

It seems I found useful information about this particular issue: the command line is -k netsvcs. I stopped and disabled the services SENS and BITS. Though stopping these services didn't kill the Svchost process, I will check the result after a restart. Hope this helps.

Posted

OK, so disabling those services didn't help - it is still using as much CPU as possible (sometimes 1 core, sometimes both of them).

As I indicated before, 90% of the time when I click on the thread information, "SVCHOST" gets killed by itself. This time I could see "ntdll.dll" again, though it was killed. I tried to access "Stack" and got an error: "Error accessing thread".

Posted

OK, I think it is Avira AntiVir which causes the issues.

I still can't see the DLL which causes it:


0:000> !runaway
User Mode Time
Thread Time
0:14c0 0 days 0:00:44.725
2:24c 0 days 0:00:21.730
1:134c 0 days 0:00:00.078
3:126c 0 days 0:00:00.015

eax=88c1dc3f ebx=776641b8 ecx=00000073 edx=75e64268 esi=7ffd3028 edi=0010f3cc
eip=00071a62 esp=0010f070 ebp=0010f078 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286
00071a62 8945f8 mov dword ptr [ebp-8],eax ss:0023:0010f070=88c1dc73
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0010f078 000602c5 75e64257 75e62898 75e64257 0x71a62
0010f0b0 0006047c 75da0000 68807354 00000000 0x602c5
0010f0d0 0006bcd2 00000000 00000001 68807354 0x6047c
0010f0e8 0006bb4c 0005745b 00000000 0010f108 0x6bcd2
0010f0f8 00052b44 0000000c 002bd508 0010f150 0x6bb4c
0010f108 000557b2 002c2ad0 002bd508 ffffffff 0x52b44
0010f218 77608b2c 77608752 00000059 00000068 0x557b2
0010f30c 00055caa 002bed30 0010f31c 0010f390 ntdll!RtlpAllocateHeap+0xe2f (FPO: [Non-Fpo]) (CONV: fastcall) [d:\rtm\base\ntos\rtl\heap.c @ 5793]
0010f3b8 775f995d 00000000 00000000 00000000 0x55caa
0010f3bc 00000000 00000000 00000000 00010017 ntdll!KiUserApcDispatcher+0x25 [d:\rtm\base\ntos\rtl\i386\userdisp.asm @ 198]

Next I listed the loaded DLLs and saw this:

76880000 76946000 advapi32 advapi32.dll Sat Jan 19 08:27:07 2008 (4791A64B)

10000000 10047000 avsda avsda.dll Thu Jul 21 09:46:31 2011 (4E27D957)

74b10000 74cae000 comctl32 comctl32.dll Sat Jan 19 08:31:30 2008 (4791A752)

75520000 75555000 dhcpcsvc dhcpcsvc.dll Sat Jan 19 08:27:29 2008 (4791A661)

75490000 754b1000 dhcpcsvc6 dhcpcsvc6.DLL Sat Jan 19 08:27:30 2008 (4791A662)

75a50000 75a7c000 dnsapi dnsapi.dll Sat Jan 19 08:28:14 2008 (4791A68E)

75eb0000 75efb000 gdi32 gdi32.dll Sat Jan 19 08:28:37 2008 (4791A6A5)

76690000 76879000 iertutil iertutil.dll Sat Dec 18 07:22:49 2010 (4D0C5339)

75e90000 75eae000 imm32 imm32.dll Sat Jan 19 08:30:29 2008 (4791A715)

75560000 75579000 IPHLPAPI IPHLPAPI.DLL Sat Jan 19 08:30:51 2008 (4791A72B)

75da0000 75e7b000 kernel32 kernel32.dll Sat Jan 19 08:31:57 2008 (4791A76D)

776d0000 776d9000 lpk lpk.dll Sat Jan 19 08:29:45 2008 (4791A6E9)

764f0000 765b8000 msctf msctf.dll Sat Jan 19 08:30:40 2008 (4791A720)

77750000 777fa000 msvcrt msvcrt.dll Sat Jan 19 08:30:47 2008 (4791A727)

75270000 752ab000 mswsock mswsock.dll Sat Jan 19 08:30:55 2008 (4791A72F)

6f4c0000 6f4cf000 NapiNSP NapiNSP.dll Sat Jan 19 08:30:30 2008 (4791A716)

74680000 7468f000 nlaapi nlaapi.dll Sat Jan 19 08:31:18 2008 (4791A746)

75e80000 75e86000 nsi nsi.dll Sat Jan 19 08:32:52 2008 (4791A7A4)

775a0000 776c7000 ntdll ntdll.dll Sat Jan 19 08:32:54 2008 (4791A7A6)

75c50000 75d94000 ole32 ole32.dll Sat Jan 19 08:31:24 2008 (4791A74C)

77510000 7759d000 oleaut32 oleaut32.dll Sat Jan 19 08:31:27 2008 (4791A74F)

6f3a0000 6f3b2000 pnrpnsp pnrpnsp.dll Sat Jan 19 08:32:00 2008 (4791A770)

75c40000 75c47000 psapi psapi.dll Thu Nov 02 10:42:49 2006 (4549BD99)

745f0000 745f6000 rasadhlp rasadhlp.dll Thu Nov 02 10:42:58 2006 (4549BDA2)

75f00000 75fc3000 rpcrt4 rpcrt4.dll Sat Jan 19 08:31:29 2008 (4791A751)

74ff0000 7502b000 rsaenh rsaenh.dll Sat Jan 19 08:31:32 2008 (4791A754)

75ae0000 75af4000 secur32 secur32.dll Sat Jan 19 08:32:07 2008 (4791A777)

76a00000 7750f000 shell32 shell32.dll Sat Jan 19 08:31:11 2008 (4791A73F)

776f0000 77748000 shlwapi shlwapi.dll Sat Jan 19 08:31:40 2008 (4791A75C)

000a0000 000a8000 svchost svchost.exe Sat Jan 19 06:32:57 2008 (47918B89)

76220000 76353000 urlmon urlmon.dll Sat Dec 18 07:26:54 2010 (4D0C542E)

76450000 764ed000 user32 user32.dll Sat Jan 19 08:32:03 2008 (4791A773)

76610000 7668d000 usp10 usp10.dll Sat Jan 19 08:32:06 2008 (4791A776)

754c0000 754c7000 winnsi winnsi.dll Sat Jan 19 08:33:11 2008 (4791A7B7)

6f4b0000 6f4b8000 winrnr winrnr.dll Thu Nov 02 10:45:03 2006 (4549BE1F)

765c0000 7660a000 Wldap32 Wldap32.dll Sat Jan 19 08:33:50 2008 (4791A7DE)

76950000 7697d000 ws2_32 ws2_32.dll Sat Jan 19 08:32:40 2008 (4791A798)

74ed0000 74ed5000 WSHTCPIP WSHTCPIP.DLL Sat Jan 19 08:33:10 2008 (4791A7B6)

This is the only non-Vista DLL loaded, and Bing tells me this is Avira AntiVir. Update it or try a different tool.

I hope this helps.
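The check the debugger performs before printing "Frame IP not in any known module" can be reproduced by hand. This is an added example, not part of the original post: it resolves the eip value and the RetAddr column from the stack above against four rows of the module list above. The function names are hypothetical.

```python
import re

# Four rows copied from the module list in the post (start, end, name, ...).
LM = """\
000a0000 000a8000 svchost svchost.exe Sat Jan 19 06:32:57 2008 (47918B89)
10000000 10047000 avsda avsda.dll Thu Jul 21 09:46:31 2011 (4E27D957)
75da0000 75e7b000 kernel32 kernel32.dll Sat Jan 19 08:31:57 2008 (4791A76D)
775a0000 776c7000 ntdll ntdll.dll Sat Jan 19 08:32:54 2008 (4791A7A6)
"""

# ChildEBP and RetAddr columns of the stack in the post, plus the eip value.
EIP = 0x00071A62
STACK = """\
0010f078 000602c5
0010f0b0 0006047c
0010f0d0 0006bcd2
0010f0e8 0006bb4c
0010f0f8 00052b44
0010f108 000557b2
0010f218 77608b2c
0010f30c 00055caa
0010f3b8 775f995d
0010f3bc 00000000
"""

def parse_modules(text):
    """Return sorted [(start, end, name)] from debugger module-list rows."""
    rows = re.findall(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", text, re.M | re.I)
    return sorted((int(s, 16), int(e, 16), n) for s, e, n in rows)

def resolve(addr, modules):
    """Name of the module whose [start, end) range holds addr, else None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None

def triage(eip, stack_text, modules):
    """Map eip and every non-null return address to a module name or None."""
    addrs = [eip] + [int(line.split()[1], 16) for line in stack_text.splitlines()]
    return [(a, resolve(a, modules)) for a in addrs if a]

if __name__ == "__main__":
    for addr, mod in triage(EIP, STACK, parse_modules(LM)):
        print(f"{addr:08x}  {mod or 'not backed by any listed module'}")
```

An address that resolves to no module only shows that the code runs from memory not mapped from a listed image; it does not by itself name the component responsible, and the debugger warns that frames after the first unresolved one may be wrong.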

Posted

I am so thankful to you for your assistance on this. As you mentioned about dynamic libraries - actually avsda.dll is a dynamic-link library, maybe for that reason it is not seen in the Xperf trace. I will try to make sure of this by disabling AntiVir on the next start.

Posted

I suppose it was not visible for that reason - because avsda.dll is dynamic.

So, after restarting I disabled the on-demand, Mail and Webguard services. I was a little bit late - Svchost had started to hang. I killed the process. During the next 10 hours, there was no sign of high CPU usage. After 10 hours, I started Webguard and Mailguard. For several minutes it was OK. I turned them off and turned on the on-demand scanner; just after that, Svchost jumped to 100% again. Which tells me that with 99% probability the issue is caused by the on-demand scanner.
