MS fixes SVCHOST 100% CPU bug

[TravisO]

I run a tight setup, NOD32, Windows Defender, always apply updates the day they come out, run IE & FireFox in a non admin mode, I don't visit shady sites and I use a special hosts file via HOSTS SECURE to block known bad urls/banners/frames as well as run a NATing router.

But since I did a fresh install of XP with SP2 integrated in Dec 2005 I've was unable to visit Microsoft Update and one of my SVCHOSTS.EXE would randomly kick up to 100%, about 2 or 3 times a day. It would only happen while using the PC, it wouldn't kick up when I was away (as far as I can tell).

The most obvious reason is malware, but considering how tight my setup is, I know it wasn't. Then in Jan 2007 MS released a patch to Windows Installer that would fix a bug that kicks SVCHOST to 100%, sadly it didn't help. Well two days ago MS released an update to that patch and after I installed it, I was cured instantly. I was able to go to Microsoft Update and download any patches I hadn't manually installed (mostly just drivers for my printer and some non critical office ones) and SVCHOST stopped randomly acting up.

I'm just posting this because it's a problem I've suffered from for an entire year and just letting anybody know if they have the same problem, this new updated patch will fix it.

http://support.microsoft.com/default.aspx?...b;EN-US;Q927891

I know this bug is probably pretty niche, but it turned my PC from a pain in the arse to a usable box again. For my case, this update is worthy of a sticky in this forum as it's a problem that's been misclassified as malware by people for years. A quick Google search shows some people were complaining as far back as 2002, and while it might have been malware, in some cases (mine) it wasn't.

PS: if you think this is something more people need to know about, please digg it

Edited February 22, 2007 by travisowens

[Stevens]

I have seen problems with "svchost.exe" in all sorts of situations. Most common is spyware. I had a workstation just the other day with CPU topped out from svchost.exe. Ran every spyware/malware tool available. Ran the Hotfix posted here. Nothing... Ended up ripping out an old memory stick for s***s and giggles. Eureka!

So, when you're banging your head against the monitor over the svchost.exe, keep in mind that it could even be a sign of bad RAM.

Cheers,

Stevens

[RJARRRPCGP]

I have seen problems with "svchost.exe" in all sorts of situations. Most common is spyware. I had a workstation just the other day with CPU topped out from svchost.exe. Ran every spyware/malware tool available. Ran the Hotfix posted here. Nothing... Ended up ripping out an old memory stick for s***s and giggles. Eureka!

So, when you're banging your head against the monitor over the svchost.exe, keep in mind that it could even be a sign of bad RAM.

Cheers,

Stevens

Are you sure about that being your RAM. It's more likely to be a motherboard issue with more than 1 DIMM used.

Bad RAM usually causes Windows to give you to get the dreaded STOP: 0x00000050 PAGE_FAULT_IN_NON_PAGED_AREA and/or STOP: 0x0000004E PFN_LIST_CORRUPT BSODs.

Also, Windows likely would complain about a file being corrupted. Sometimes, even a file not found error!

[erpdude8]

Microsoft has posted a revised KB927891 patch for XP SP2. If you installed an older KB927891 patch, remove it and install the newly revised edition which is now V3 of KB927891 for XP SP2.

http://support.microsoft.com/kb/927891/en-us

[erpdude8]

and for those users having the SVCHOST/MSI/WU problem, install version 3.0 of the Windows Update Agent here:

http://download.windowsupdate.com/v7/windo...Agent30-x86.exe

also try deleting the %WINDIR%\SoftwareDistribution folder and let Windows Update re-create the folder from scratch.

[cluberti]

also try deleting the %WINDIR%\SoftwareDistribution folder and let Windows Update re-create the folder from scratch.

Wow is that not a good idea. You delete that, and you potentially lose the ability to patch installed applications (if you do this, you WILL lose the ability to patch Office 2007 any further, for instance).

[Mïthräńdîr~2ÖÖ7©]

Thanks a lot. Helped me a lot.

[bizzybody]

Are these in the last update to Autopatcher?

[CypherBit]

also try deleting the %WINDIR%\SoftwareDistribution folder and let Windows Update re-create the folder from scratch.

Wow is that not a good idea. You delete that, and you potentially lose the ability to patch installed applications (if you do this, you WILL lose the ability to patch Office 2007 any further, for instance).

Is this really the case, can anyone else confirm this? I've deleted the SoftwareDistribution folder everytime the patches wouldn't apply and never had any problems with it. We're not using Office 2007, does the above only apply to that? Any other information, URLs, experiences are greatly appreciated.

How do you solve a problem when some patches just don't want to apply?

[LordWarlock]

There is no problem with deleting this folder, even Microsoft suggests to delete it if can't get WU to run as it gets sometimes corrupted. Just open the WU site after you delete it, and it will recreate it.

[Modifidious]

HALLELUJAH!!!!! iT'S BEEN "BUGGING" ME FOR 2 YEARS NOW. I know alot of it had to do with services running and i elemenated alot of useless ones from running, but still svc still grew to p*** me off. Thank you man. This solves it all.

[chiners_68]

easy fix.

endtask the Svhost.exe running at 99% in task manager

1. Stop the 'Automatic Update' service

2. Delete the folder %WINDIR%\SoftwareDistribution\DataStore

3. Start the 'Automatic Update' service

reboot & all should be ok.

Edited December 18, 2007 by chiners_68

[Fungus]

This can be caused by a large HOSTS file also. Like with Spybot Search & Destroys Immunize function. When HOSTS get large, svchost can peg CPU at 100% for quite some time... it's most annoying.

[Stevens]

An easy solution to the Windows Update issues that have been occurring is Dial A Fix. A simple tool that does all the Windows Update fixes that take way to long to do manually. Dial A Fix knocks it out in about a minute or two.

Check it out at http://wiki.djlizard.net/Dial-a-fix

It has saved me a lot of time when I run into clients with Win Updates issue. I hope it helps you.

Cheers,

Stevens

[e3opian]

I don't know if this information even belongs here, but I've had this problem with SVCHOST and it didn't have anything to do with Windows Updates. It turned out to be the Wireless Zero Config, which was not shutdown properly by the Intel PROset Wireless tools as it should have been. For the sake of those stumbling across this later via a search I'd like to add my solution:

1. Open up taskmgr (Ctrl + Shift + Esc) and show the PID (Process Identifier) column. (View -> Select Columns...)

2. Locate the offending instance of SVCHOST and the corresponding PID.

3. Start -> Run... -> cmd /k tasklist /svc /fi "imagename eq svchost.exe"

4. Match the offending PID to possible services. In my example there's a lot it could be.

5. Start -> Run... services.msc

6. Start playing process of elimination... I haven't figured out a better way to do this part...

-Aaron