
Workstation SVCHOST.EXE process believed to be corrupting HTTP traffic



Has anyone had any wifi issues specific to svchost.exe with the newest nLite 1.3 final and their current drivers for their card?

I have.

What happens is my cards (USB, PCI & CardBus; originally I thought it was just PCI & CardBus) get errors back or nothing 90% of the time instead of packets. I send out packets but only get back errors or nothing. Some pages work and others do not. The pages that won't load are specifically any pages where I have to submit data to the internet. This issue does NOT affect other types of traffic, like port 21 traffic or p2p traffic. That all goes fine; it is just specifically port 80 sent traffic. This also does not affect other types of internet connections, like wired DSL or cable. There was an issue with dial-up but that does not happen anymore.

I have narrowed the problem down and it has nothing to do with the following:

Services -- chose default everything and still happens

Any specific reg entry done by me (could still be nLite doing a reg entry I don't know about)

Any app that I add to the system (I removed all apps from my nlite disc to find this out)

Any driver I'm using. I use the same drivers on vanilla windows and everything works.

So what's on the list still:

Nlite 1.3 final and something it does

A windows update sometime between sp2 and feb 2007

Something else I have not thought about, suggestions would be helpful.

What's strange is that I see a number of svchost.exe running under processes. Some run by Local Service, Network Service and System. If I kill the right one the HTTP traffic will work with all pages. Usually there are 2x run by System, 1 or 2 by Network Service and 1 or 2 by Local Service. The ones I have killed and gotten responses out of are the ones that are using a lot of RAM. I killed one using 19k of memory to get on to MSFN just now.

UPDATE: I just installed Windows with only updates and removed nothing. I used my base SP2 disc and updated with Ryan's pack from Feb 2007. I installed and tested the wireless. Everything is working perfectly. This means it cannot be an update. Only two possibilities left. Help me figure out which one it is?

I have checked PCMCIA compatibility and I don't know what I could have removed in nLite that could be so specific as to affect only wifi & svchost.exe.

My last session file is attached. PLEASE HELP ME


Edited by Madhits45

Dexter, you mentioned that before. From what I know about wireless traffic, ARP packets are the packets sent that have the security keys as a part of them (WEP, WPA). I know I am not losing just those packets or getting those. I have not done a packet analysis but no other traffic is affected by this. How can I check for that? Do you know a good app? One interesting thing is that once I have a large download going, like a torrent file, then my HTTP traffic will work for the most part, but this is not absolute. The pages affected are NOT just SSL websites. I thought this issue was originally because of SSL traffic. I found out through some more testing that it is not that either. It affects this site and eBay the most. I have the most trouble submitting into those sites.

I know it's nLite due to all my tests. I had a very strange issue with nLite a while back (1.0 timeframe). When I used the remove list to remove Notepad, it affected the services settings. nLite removed some services I wanted kept; if I left Notepad in, services were untouched.

What suggestions do you have for ways I can find out what's wrong? I am leaning toward it being something that nLite does to my system but worsened by something I do. So some kind of specific setting or removed item. I do install my drivers using a watch-for-driver-signing method that is not typical. Maybe there is something there.

Any ideas?

Edited by Madhits45

I use TCPDUMP.EXE, get it from my site

Watch carefully this picture:


Notice the 9 incoming arp who-has packets that got received almost instantaneously. This is only a minor problem on my Intel 10/100/1000 Pro on Windows 2003 CCS, because it is designed to handle much more traffic. But I'd say on a standard Realtek 100 Mbps LAN that could cause a lot of stress for Windows XP. I have no ingoing/outgoing traffic to those IPs. My svchost just keeps informing me of their existence in the same area (most are neighbors using the same ISP) for no apparent reason. The network is specifically configured so that none of those computers is discoverable, but, as you can see... my Windows is discovering them.

At a first glance, I'd say the network equipment from my ISP gateway is erroneously configured. But, the interesting point is that on the underlying VMware ESX Server 3 they do not occur. For some strange reason, the nLited Windows 2003 CCS gets these sent through the infrastructure's simulated network address translation. Neither does this happen on TCP/IPv6.

There is no reason for those IPs to constantly poll me with their existence through ARP. But it seems they do. So, the logical explanation would be that one of the svchost processes is causing them. And it has been bugging me for some time (psychologically), because I can't find any apparent reason for the TCP/IPv4 stack to behave this way other than svchost gone haywire.

Edited by dexter.inside
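The who-has burst dexter points at in his capture can be measured instead of eyeballed. The script below is an added example for this thread, not something either poster wrote: it reads tcpdump/WinDump text output (assuming `-n`, so addresses are not resolved to names, in either the older `arp who-has ... tell ...` wording or the newer `ARP, Request who-has ... tell ..., length N` wording), counts who-has requests per sender, flags senders that issue many requests inside a short window, and lists targets that were asked for but never answered. The capture lines and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump -n text output (not from the thread): nine
# rapid who-has requests from one sender, one reply, one unrelated request,
# and a non-ARP line that the parser must skip.
SAMPLE_CAPTURE = """\
12:00:01.000101 arp who-has 192.0.2.10 tell 192.0.2.1
12:00:01.000118 arp who-has 192.0.2.11 tell 192.0.2.1
12:00:01.000135 arp who-has 192.0.2.12 tell 192.0.2.1
12:00:01.000152 arp who-has 192.0.2.13 tell 192.0.2.1
12:00:01.000169 arp who-has 192.0.2.14 tell 192.0.2.1
12:00:01.000186 arp who-has 192.0.2.15 tell 192.0.2.1
12:00:01.000203 arp who-has 192.0.2.16 tell 192.0.2.1
12:00:01.000220 arp who-has 192.0.2.17 tell 192.0.2.1
12:00:01.000237 arp who-has 192.0.2.18 tell 192.0.2.1
12:00:01.002000 arp reply 192.0.2.10 is-at 02:00:00:00:00:0a
12:00:05.100000 arp who-has 192.0.2.77 tell 192.0.2.254
12:00:05.100300 IP 192.0.2.50.49152 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
"""

# Matches both "arp who-has T tell S" / "arp reply R is-at M" (tcpdump 3.x,
# WinDump) and "ARP, Request who-has T tell S, length N" /
# "ARP, Reply R is-at M, length N" (tcpdump 4.x). Assumes -n output.
ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?:arp|ARP,\s+Request)\s+who-has\s+(?P<target>[^\s,]+)\s+tell\s+(?P<sender>[^\s,]+)"
    r"|(?:arp\s+reply|ARP,\s+Reply)\s+(?P<replier>[^\s,]+)\s+is-at\s+(?P<mac>[^\s,]+))"
)


def ts_to_seconds(ts):
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp(text):
    """Return one record per ARP line; non-ARP lines are ignored."""
    records = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        t = ts_to_seconds(m.group("ts"))
        if m.group("target"):
            records.append({"t": t, "op": "who-has",
                            "sender": m.group("sender"), "target": m.group("target")})
        else:
            records.append({"t": t, "op": "reply",
                            "replier": m.group("replier"), "mac": m.group("mac")})
    return records


def who_has_by_sender(records):
    """How many who-has requests each sender address issued."""
    return Counter(r["sender"] for r in records if r["op"] == "who-has")


def who_has_bursts(records, window=1.0, threshold=5):
    """Senders that issued >= threshold who-has requests within any window (s).

    Uses a sliding window over each sender's sorted timestamps. Timestamps are
    seconds since midnight, so a capture spanning midnight would need a date.
    """
    per_sender = defaultdict(list)
    for r in records:
        if r["op"] == "who-has":
            per_sender[r["sender"]].append(r["t"])
    flagged = {}
    for sender, times in per_sender.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[sender] = best
    return flagged


def unanswered_targets(records):
    """Addresses that were asked for but never appeared in an ARP reply."""
    asked = {r["target"] for r in records if r["op"] == "who-has"}
    answered = {r["replier"] for r in records if r["op"] == "reply"}
    return sorted(asked - answered)


if __name__ == "__main__":
    recs = parse_arp(SAMPLE_CAPTURE)
    print("who-has per sender:", dict(who_has_by_sender(recs)))
    print("burst senders:", who_has_bursts(recs))
    print("never answered:", unanswered_targets(recs))
```

Feed it a saved dump (`tcpdump -n arp > arp.txt`, then read the file in place of `SAMPLE_CAPTURE`). A burst of who-has from a single sender is that host sweeping the segment; the list of targets that never answer tells you whether those addresses are live at all, which is the question dexter raises about having no traffic to them, and it gives something concrete to compare against the svchost behaviour he suspects.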

Dexter, this is really interesting. I had not thought of this as a possibility. All of the connections I use are DSL based, same ISP, and 3 of the 4 I use are the exact same kind of router. I did have one router, a Netgear, that I connected to at a friend's with no svchost.exe issues (Comcast cable). One interesting thing about that configuration was that he had no wired machines connected. All the connections were wireless on that connection, which was interesting. Maybe this only occurs over DSL? What about the wired-machines-connected-to-the-router theory? I know it is not exactly where you were going but it seems interesting. Also there could be something in the router that compensates for this (unlikely though).

I will have to wait till I get home to test your app under better conditions. One interesting thing is my girlfriend has a PC hooked to her campus network (wired). Someone in the building also broadcasts the same connection wirelessly. She has no issues using that wireless connection. The university itself also broadcasts a wireless connection. What's different about the campus broadcast is she cannot connect to it without getting a bunch of errors. This would most likely be because of the ARP issue (number of machines on the network). I tried to kill svchost.exe and it appeared to work for a short time. I was not aware her PC (also nLited) had this issue at all till today. It does appear that this is an nLite-caused problem, but what can it be? I hope nuhi can add to this discussion.

I'll report back with my findings using your app.


At this point, my intuition would say that there's an undocumented bug in the network stack running on NT 5.x kernel, that gets enabled somewhere along the operations nLite performs. There are too many coincidences for it to be hardware-related. On TCP/IPv6 this does not happen.


Interesting. If nLite can cause it there should be a way to stop it. I swear this did not happen before 1.0 of nLite.

Also I could not find that app at the link you gave (TCPDUMP.EXE). I was able to find it somewhere else though. I am going to give it a try sometime tonight. I would bet at this point my results will be the same as yours.

About IPv6: is there a way I can use that in XP, at least for my port 80 traffic? From what I have read it's still preliminary and not ready for widespread use. ISPs and the internet as a whole need to be upgraded to work with IPv6. If I can get around this bug by using it I will.

Also, have you been able to make an nLite XP config that is not subject to this bug? Like, I patch the TCPIP.SYS file. Maybe that patching causes this? I'm so sick of testing things and having this issue over and over again. I'll take any solution at this point.



No idea whatsoever about what is causing it. Unless you use the DHCPv6 Server in Windows Server 2008, v6 functionality for normal TCP/IP operations is what you see in Vista as "Limited". If you have one on your network, you should remove TCP/IPv4 entirely and rely only on v6.


Dexter.. OK, I can't figure this thing out. I run TCPDUMP.exe and it does nothing. I ran it for like an hour and nothing changes on the screen. Says listening to device <bla bla bla> but nothing happens. How does this thing work?

I read the instructions and it seems like you don't have to do much if you have only one network connection running.


1) yes, I do have the latest drivers & stuff

2) I just run TCPDUMP and it outputs what happens on my network connection. You might have removed something that prevents it from doing that job. You don't have to do anything to make it work, it just does. I presume you do have network activity...
