Svchost.exe is continuously accessing disc


Jorolat

About 4 or 5 days ago I changed my hard drive and reinstalled Windows XP Home. I think the problem described below has been there since day 1 but I only took notice of it yesterday (btw I installed SP2 & McAfee firewall before connecting to the net).

On Windows Task Manager I currently have 5 instances of svchost.exe listed and one of them, with a PID number of 956, is continuously reading & writing to the disc. Today it has so far read 670,000,000 bytes and written about a million less.

From its PID number I've been able to establish that this instance of svchost is associated with:

956 AudioSrv, CryptSvc, Dhcp, ERSvc,
    EventSystem, helpsvc, lanmanserver,
    lanmanworkstation, Netman, Nla, RasMan,
    Schedule, seclogon, SENS, SharedAccess,
    ShellHWDetection, srservice, TapiSrv,
    Themes, TrkWks, W32Time, winmgmt,
    wscsvc, wuauserv

All this is new to me. If anyone can tell me which of the above may be causing the problem (I'm a single-user on a single computer), and how I go about disabling it, I would be very grateful! :)

Jorolat

Link to comment
Share on other sites


First of all, tell me: are you connected with another computer, like on a LAN? If so, then svchost.exe will work there. Although it is an essential element for the network, the exe file is also reasonable for attacking by the Blaster worm. The Blaster worm attacks svchost.exe and also the RPC system. I think you know about the RPC shutdown; as you are using Windows XP you should know. And yes, the Blaster worm also makes attacks with svchost.exe.

For the solution read the following topic:

http://www.nibbleguru.com/probs/100/399

Link to comment
Share on other sites

Hi Hadrick & thank you for replying! :)

Thanks also for the link - I am a single user with just one computer connected to the internet. I ran my antivirus and stinger with no result.

I'm rather a newbie and I've got part of tasklist to work but in the link it says:

To view the list of services that are running in Svchost:

Click Start on the Windows taskbar, and then click Run.

In the Open box, type CMD, and then press ENTER.

Type Tasklist /SVC, and then press ENTER.

Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:

Tasklist /FI "PID eq processID" (with the quotation marks)

The PID number of svchost I'm interested in is 956 but I can't get the Tasklist /FI part of the above to work. Here are the combinations I've tried:

C:\Documents and Settings\John Robert>TASKLIST /FI 956 eq SENS
ERROR: Invalid Argument/Option - 'eq'.
Type "TASKLIST /?" for usage.

C:\Documents and Settings\John Robert>TASKLIST /FI PID eq 956
ERROR: Invalid Argument/Option - 'eq'.
Type "TASKLIST /?" for usage.

C:\Documents and Settings\John Robert>TASKLIST /FI PID eq SENS
ERROR: Invalid Argument/Option - 'eq'.
Type "TASKLIST /?" for usage.

What dumb thing am I doing wrong?

Jorolat

Link to comment
Share on other sites

You're missing quotes... :P

Also, does the problem occur when you run in Safe Mode?

Do you have an anti-virus running as well as the McAfee firewall? Try disabling both of them (after disconnecting from the internet) and see if the problem persists.

Do you have all the latest drivers for your hardware? Motherboard included?

Link to comment
Share on other sites

Good grief - I read with quotes as without quotes, it's been a long day...

I installed XP Home a second time & the problem wasn't there. Added SP2 and the problem wasn't there. Connected to the net & downloaded updates, got distracted and then noticed the problem had come back.

The services using the svchost.exe I'm interested in are:

svchost.exe PID=956
    AudioSrv, CryptSvc, Dhcp, ERSvc,
    EventSystem, helpsvc, lanmanserver,
    lanmanworkstation, Netman, Nla, RasMan,
    Schedule, seclogon, SENS, SharedAccess,
    ShellHWDetection, srservice, TapiSrv,
    Themes, TrkWks, W32Time, winmgmt,
    wscsvc, wuauserv

I appreciate what you're saying about latest updates - I've been advised to leave any mobo updates alone. Bearing in mind my very limited knowledge I would like to work backwards from the above list to see if the problem area can be identified that way.

Any help would be very appreciated!

BTW After using the quotes properly I just got something like "svchost.exe" so I think I'm still doing something wrong. Can tasklist be used to 'interrogate' each of the above services to identify the problem?

Jorolat

Edited by Jorolat
Link to comment
Share on other sites

Did you have an anti-virus and firewall installed before connecting to the internet? (key thing here, anti-virus - you mentioned McAfee firewall)

Who advised you to not install the latest mobo drivers? With my computer, unless I install them, I get strange behaviour from my hard drives as well since the IDE controller is non-standard.

And always as a first step, go to Safe Mode. If that's working fine, then you can start putting the pieces back together.

As for the services themselves, write down a list of all the services and their startup types. This way, you can change things back to the way they were if you want to. Then you can alter your services configuration to cut out any potential problems. Here are the services I have listed as Automatic:

-Computer Browser
-Cryptographic Services
-DHCP Client
-Event Log
-Network connections
-NOD32 Kernel Service (This is my anti-virus)
-Plug and Play
-Remote Access Connection Manager
-Remote Procedure Call (RPC)
-Security Accounts Manager
-Server
-Shell Hardware Detection
-Sygate Personal Firewall (my firewall... duh)
-Task Scheduler
-Telephony
-Windows Audio
-Wireless Zero Configuration (only because I use a laptop with wifi... if you're running a desktop, disable this)
-Workstation

Here are my services listed as Manual:

-Logical Disk Manager
-Logical Disk Manager Administrative Service
-Office Source Engine
-PDEngine (PerfectDisk)
-PDScheduler (PerfectDisk)
-Print Spooler (you'll probably want to keep this one Automatic)
-Remote Procedure Call (RPC) Locator
-Windows Installer

Everything else is disabled. To access the list, go to Start->Run, and type in services.msc. Double click on an item to change its startup type. Try disabling some of the unnecessary services (like Distributed Link Tracking Client) and reboot to see if the problem goes away.

That should keep you busy for a while... ;)

Link to comment
Share on other sites
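
The baseline step suggested in the post above, as an added example that is not part of the original thread: a cmd batch file that saves the service list for one svchost.exe PID (with the /FI filter quoted as a single argument) and records each hosted service's startup type so changes made in services.msc can be put back. PID 956 and the service names are the ones posted in this thread; the output file name is an assumption.

```bat
@echo off
rem Added example (not from the thread): baseline the services sharing one svchost.exe.
rem PID 956 and the service names come from the thread; OUT is an assumed file name.
setlocal
set "TARGET_PID=956"
set "OUT=svchost_%TARGET_PID%_baseline.txt"

rem Service short names as listed for PID 956 in the thread.
set "SVCS=AudioSrv CryptSvc Dhcp ERSvc EventSystem helpsvc lanmanserver lanmanworkstation"
set "SVCS=%SVCS% Netman Nla RasMan Schedule seclogon SENS SharedAccess ShellHWDetection"
set "SVCS=%SVCS% srservice TapiSrv Themes TrkWks W32Time winmgmt wscsvc wuauserv"

rem The filter must be ONE quoted argument. Unquoted, cmd passes PID, eq and 956
rem as three separate arguments and tasklist rejects 'eq' as an invalid option.
echo == tasklist /svc for PID %TARGET_PID% == > "%OUT%"
tasklist /svc /fi "PID eq %TARGET_PID%" >> "%OUT%"

rem Record display name, startup type and host binary for each service, so
rem every change made later in services.msc can be reverted from this file.
for %%S in (%SVCS%) do (
    echo.>> "%OUT%"
    echo == %%S == >> "%OUT%"
    sc qc %%S | findstr /c:"DISPLAY_NAME" /c:"START_TYPE" /c:"BINARY_PATH_NAME" >> "%OUT%"
)

echo Baseline written to %OUT%
endlocal
```

Services that share one PID should all report the same svchost.exe command line in BINARY_PATH_NAME; an entry pointing somewhere other than the Windows system32 directory is the one to look at first.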

Someone on a microstar forum advised me to leave things alone when I asked if I should update my bios.

I had McAfee firewall enabled before I connected to the net but had to download Avast cos my disc copy wouldn't work. I only went to Avast & Windows Update. 2nd time around I downloaded stinger & ran that as well as Avast.

I take it that it would be best to disable those services associated with the svchost I'm interested in first? (I'll probably do this at the weekend cos I'm shattered now & will be busy til then).

Jorolat

Link to comment
Share on other sites

Yeah, whenever you get a chance, try playing with the services.

I'm not saying update your BIOS. Some motherboards have drivers to allow the system to properly access hardware.

Link to comment
Share on other sites

Okey-doke Zxian - but I got a feeling this thing might take the rest of my life...

Jorolat :)

Edited by Jorolat
Link to comment
Share on other sites

  • 2 weeks later...

Today I installed XP slipstreamed with SP2 onto a new hard drive (but I'm back on the old OS & HDD now) and as soon as I installed the modem drivers the svchost disc activity started. I uninstalled the drivers & the problem went away.

I ain't gotta clue why this is so & it'll be a few days before I can spend some time on it. In the meantime, if anyone has any ideas I'd be glad to hear them!

Jorolat

Link to comment
Share on other sites

Hello again...glad to hear you've been doing some digital detective work.

A couple of questions:

What is the make/model of your modem?

Is it a PCI card, or an external modem?

Is it a phone modem? or a DSL modem (which isn't really a modem...)?

Have you looked through the manufacturer's website regarding issues with their drivers and XP-SP2?

I'm not entirely sure (since I've never actually used them), but if it's a PCI card, you might want to look at Bâshrat the Sneaky's driver packs and see if you can slipstream a modem driver into your Windows installation.

We'll get to the bottom of this...eventually.

Link to comment
Share on other sites

Hiya Zxian,

It's an external "BT Voyager 105 Modem" for broadband which I guess has been modified in some way by AOL because the BT website re-directs me to the link below for drivers:

http://www.aol.co.uk/about/help/faqs/broad...rs_install.html

I downloaded the latest drivers a couple of weeks ago but when I get time I'll check they're completely up to date.

There's no info on the BT website (tech help costs 50p per minute) so I'll be better off posting to the AOL message boards - although AOL is my ISP I connect direct & don't use their software unless I need to.

I'm busy for a few days but thanks for giving me the idea of looking for driver/XP-SP2 issues :)

Jorolat

Link to comment
Share on other sites
