16-Apr-2008, 02:41 AM
#1
Solved: Svchost.exe high memory usage

I have recently become annoyed at the high memory usage of the svchost.exe process. I have 8 of these services running at the moment. I haven't had reason to complain until recently, when they seem to be using more memory than necessary. I might just be overreacting here, but perhaps someone can verify it for me. I have included a HijackThis log at the bottom.

My system is running Windows XP SP2, Asus K8VSE Deluxe, Athlon 64 3200, 1.75 GB RAM, updated via drivers and Windows updates (except one that just came in and I haven't done yet).

These just seem like too much memory for these. I have checked at blackviper and didn't really see a lot of things I could turn off. I could be wrong though.

svchost.exe
Username: system
mem usage: 33,240 k
- DCOM server process launcher
- terminal services

svchost.exe
Username: network service
mem usage: 28,828 k
- remote procedure call

svchost.exe
Username: system
mem usage: 74,020 k
- 18 services registered to this process.

svchost.exe
Username: network service
mem usage: 25,776 k
- dns client

svchost.exe
Username: local service
mem usage: 36,832 k
- alerter
- tcp/ip netbios helper
- ssdp discovery service
- universal plug and play device host
- webclient

svchost.exe
Username: system
mem usage: 30,988 k
- windows image acquisition

svchost.exe
Username: system
mem usage: 50,436 k
- automatic updates

svchost.exe
Username: system
mem usage: 27,060 k
- http ssl

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:57 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
F:\WINDOWS\system32\wbem\wmiapsrv.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\PROGRA~1\McAfee.com\Agent\mcagent.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\system32\ctfmon.exe
G:\Program Files\RealVNC\VNC4.2\winvnc4.exe
G:\Program Files\FlashGet\flashget.exe
F:\WINDOWS\system32\taskmgr.exe
Q:\ProcessExplorerNt\procexp.exe
Q:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [OutpostMonitor] G:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKCU\..\Run: [AlcoholAutomount] "G:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - G:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126128245015
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "G:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: g:\progra~1\agnitum\outpos~1\wl_hook.dll
O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0136681207900384) (0136681207900384mcinstcleanup) - McAfee, Inc. - F:\WINDOWS\TEMP\013668~1.EXE
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - G:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - F:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - f:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - G:\Program Files\RealVNC\VNC4.2\winvnc4.exe

-- End of file - 11340 bytes

06-May-2008, 11:11 AM
#2
Still getting this problem. Any suggestions?

10-May-2008, 05:57 PM
#3
Last bump before I give up.

10-May-2008, 07:42 PM
#4
NEVER GIVE UP!!!

Take a look at this thread started by yours truly. Not exactly the same problem, but you may find the thread helpful. Particularly, the link provided for Process Explorer. The little utility provided some insight to the question I had.

BTW... The memory usage you show does seem somewhat excessive. I looked at mine again and still have 7 incidents of svchost running. Memory usage is nowhere near what yours is. Most are in the range of 2K to 4K with one at 24K. Of course, that's not a very compelling argument and only a sample of one.

Raybro

10-May-2008, 08:22 PM
#5
Thanks for the reply raybro. I have process explorer and used it to figure out what services were running and verified they were all valid services running under svchost.exe. To add to this, a reboot and check of the svchosts shows they are running at "normal" memory usage immediately after login. So something must be occurring to make them use more memory.

10-May-2008, 09:35 PM
#6
I'm no expert on system files, but if you get no further constructive input on this thread, I suggest you go to the M$ Knowledge Base and run a search there regarding svchost.exe and see what you can find that may apply to your situation.

Good Luck...

Raybro

10-May-2008, 11:20 PM
#7
Could the problem be McAfee related? Try running your system after removing software one by one and looking at the memory consumption. In process explorer, there's a physical memory section and a virtual memory section that pertains to each running process. Could you list an example for us of virtual and physical memory consumption for a single running svchost with its services?
__________________
Hung like Einstein, smart as a Horse

11-May-2008, 11:59 AM
#8
Some background on SVCHOST and possible causes

Okay, let's start with a simple explanation of SVCHOST, what it does and why you have so many.

Just as a dll (dynamic link library) is a program (not an application) which does a specific task as part of a larger application but can be run all by itself by the application rundll32.exe (or dllhost.exe), a service is a component of a larger application which cannot run itself, but it can be run by the Windows service host svchost.exe even if the application in question (the one which installed and created this service) is not running.

In Windows XP the registry is built from scratch each time your computer boots from several files called hives. The exact number varies depending on your configuration, but generally speaking there are at least five, one for each section in the registry. Now each time during the construction of the registry when any services are loaded, if their supporting application is not running, an instance of svchost.exe is launched to host them. Each instance of svchost.exe can host many different services. So, having eight instances of svchost.exe running is not unusual or bad.

As you have found out, you can see that they are running, to some extent what launched them (the system account, network account, your user account....) and how much CPU usage they have in Task Manager. Process Explorer and CodeStuff Starter both allow you to get more information as to the specific services running under each svchost entry, although this information is often of little use and overwhelming to the average user. Nonetheless, it is worth installing one of these to have a closer look.

If you go to start / run and type services.msc and hit enter you can see many of the services which are installed and their status. Do not mess around in here unless told to do so. There are guides like Black Viper's to aid in tweaking these, but the default settings are adequate.
http://www.blackviper.com/WinXP/servicecfg.htm

Now as to what causes high CPU usage by svchost.exe.

In my experience, the most common cause on a properly maintained machine is a problem with an automatic updater. Windows Update and most antivirus or internet security suites run their updaters as services. Often if there is a problem, the automatic updater service just keeps running full throttle. The simple solution in most cases is to disable automatic updates for Windows (control panel / security center / manage settings for / automatic updates => turn off) and your antivirus / internet security suite (inside the application itself). If this solves it, the next step is to manually go to the Windows Update site for Windows updates and get all the critical updates one at a time. I also recommend checking the custom / recommended software updates to see if anything like the .NET Framework which may be required by other applications is not up to date, as this can cause the problem too. Repeat for your antivirus: manually run the antivirus updater and again get updates one at a time. This may require many runs of the updaters, but it will identify if one is out of sequence and jamming the update process (if it fails to download / install, proceed to the next and then come back for that one). Once all updates are installed and you have restarted, return the updaters to automatic status and see if the problem is solved.

The second most common cause of this problem that I encounter is when someone disables an application improperly. They use MSCONFIG and do not realize that they are disabling the startup entry for the application, but not its service entries. The services are loading and searching for another component which is not running, so they keep checking. Proper management of applications is a must in the XP and Vista environment. Sure, many people still disable things with MSCONFIG and have no problems, but this is not safe. If you have been using MSConfig as a startup manager please read this.
http://forums.majorgeeks.com/showthread.php?t=149804
http://support.microsoft.com/kb/310560

The third most common cause I see is an improper / incomplete uninstall of an application which leaves behind a service entry after the application is removed. I see two of these in your HJT log:

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)

You should go to start / run and type services.msc, hit enter.
Locate Eset HTTP Server.
Double click it to open its options, click stop service if it is running, change startup behavior to disabled.
Repeat for Eset Service.
Go to start / run and type
sc delete EhttpSrv
hit enter, type
sc delete ekrn
hit enter.
(Or you may do this in the command prompt window if you want to: go to start / run and type cmd and hit enter. Type the sc commands in the black box and hit enter after each.)
Restart your computer and run HijackThis and those two entries should be gone.

The fourth most likely cause is a virtual drive (like Alcohol 120%) which is running as a service. Sometimes these develop problems over time, sometimes they just are not properly compatible with your hardware configuration. So you may want to try disabling the virtual drive (burn its contents first if there is anything mounted).

I will leave it to a malware guy to tell you what to do with this.
O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
It appears to be a leftover ShellServiceObjectDelayLoad entry which is not on any of the master databases of approved applications. This means it is most likely a leftover from an incomplete cleaning of malware. Did you have one of the smitfraud infections recently? Anything popping up warnings about your being infected and prompting you to buy a removal product?

However, this is something you can deal with now:
F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
This is a very old version of Java Runtime Environment with over 300 security exploits. Please go to control panel => add/remove programs and uninstall all versions of Java and Java Runtime Environment listed. Best to start with the oldest. When done, please go to one of these sites and get one of the latest versions, 1.6.0_05 or 1.6.0_06.
http://majorgeeks.com/Sun_Java_Runti...ent_d4648.html
http://www.java.com/en/download/index.jsp

It may also be worth running the Secunia online software inspector scanner
http://secunia.com/software_inspector/
to see if you have any other software with major security holes.

Finally,
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Unless you are a web page designer or software author (VBS or Java), no need to have this running. Please go to Internet Explorer => Tools => Internet Options => advanced => browsing.
Check "Disable script debugging Internet Explorer"
Check "Disable script debugging other"
Uncheck "notify me of every script error"
Apply and restart.

11-May-2008, 10:51 PM
#9
Quote:
Quote:
Quote:
Quote:
Quote:
Another I am curious about is this one...
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
I am not sure what it is.
Quote:
Quote:
Done. Here is an updated hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:35 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
F:\WINDOWS\system32\wbem\wmiapsrv.exe
F:\Program Files\Canon\CAL\CALMAIN.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\McAfee.com\Agent\mcagent.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
Q:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [OutpostMonitor] G:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - G:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210471143602
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: g:\progra~1\agnitum\outpos~1\wl_hook.dll
O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - G:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - F:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: HDDlife HDD Access service - Unknown owner - G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - f:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - G:\Program Files\RealVNC\VNC4.2\winvnc4.exe

-- End of file - 10361 bytes

Last edited by cosmokramer : 11-May-2008 11:47 PM. Reason: added hijackthis log

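The orphaned-entry check described in post #8, run over lines copied from the two HijackThis logs in this thread (posts #1 and #9), showing which dead entries the clean-up removed and which remain. This is an added example, not code from any poster; the function names are made up for illustration, and it assumes the parenthesised short name in an O23 line is the service name that `sc delete` expects.

```python
import re

# Lines copied from the HijackThis logs in this thread: post #1 (before the
# clean-up) and post #9 (after it). Only a few entries of each log are used.
LOG_BEFORE = r"""
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "G:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - f:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
"""

LOG_AFTER = r"""
O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HDDlife HDD Access service - Unknown owner - G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - f:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
"""

# O23 line: "<display name> [(short name)] - <owner> - <path> [(file missing)]".
# The owner may itself contain " - ", so the path is anchored on a drive letter.
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# Any other section whose target HijackThis reports as gone.
DEAD_RE = re.compile(
    r"^(?P<section>O\d+) - [^:]+: (?P<name>.+?) - .*\((?:file missing|no file)\)$"
)
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")


def dead_entries(log_text):
    """Map (section, name) -> path (or None) for entries whose file is gone."""
    found = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            if m.group("missing"):
                short = SHORT_NAME_RE.search(m.group("name"))
                # Assumption: with no "(short name)", the display name is used.
                key = short.group(1) if short else m.group("name")
                found[("O23", key)] = m.group("path")
            continue
        m = DEAD_RE.match(line)
        if m:
            found[(m.group("section"), m.group("name"))] = None
    return found


def sc_delete_commands(entries):
    """Candidate clean-up commands for orphaned services (review before use)."""
    cmds = []
    for section, key in sorted(entries):
        if section == "O23":
            cmds.append(f'sc delete "{key}"' if " " in key else f"sc delete {key}")
    return cmds


def compare(before, after):
    """Show which dead entries were fixed, which remain, and which are new."""
    b, a = set(dead_entries(before)), set(dead_entries(after))
    return {"fixed": sorted(b - a), "remaining": sorted(b & a), "new": sorted(a - b)}


if __name__ == "__main__":
    for state, items in compare(LOG_BEFORE, LOG_AFTER).items():
        print(state, items)
    print(sc_delete_commands(dead_entries(LOG_AFTER)))
```

Confirm the service name in the service's properties in services.msc before deleting anything; an entry without a parenthesised short name may not use its display name as the service name.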
11-May-2008, 10:56 PM
#10
Quote:
For example:

svchost.exe - alerter, lmhosts, ssdpsrv, webclient

Virtual memory:
Private bytes - 5,180 K
Virtual size - 42,064 K

Physical memory:
Working set - 33,380 K
WS private: 4,692 K
WS Shareable: 28688K
WS Shared: 28,380 K
Peak working set - 33920 K

12-May-2008, 05:42 PM
#11 |
| To confirm, I will need to know how every service is starting. May I have the txt output from your C: drive after running this command:
WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
In the meanwhile, you can try removing anything McAfee related as a test and running your system. Put it back if you really need it, but it looks like a resource hog to me. It may also be beneficial to look into a Security Task Manager http://www.neuber.com/taskmanager/
__________________ Hung like Einstein, smart as a Horse |
|
15-May-2008, 08:26 PM
#12 | |
| Quote:
System Idle Process 0
System 4
smss.exe \SystemRoot\System32\smss.exe 928
csrss.exe F:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 988
winlogon.exe winlogon.exe 1024
services.exe F:\WINDOWS\system32\services.exe 1068
lsass.exe F:\WINDOWS\system32\lsass.exe 1080
ati2evxx.exe F:\WINDOWS\system32\Ati2evxx.exe 1244
svchost.exe F:\WINDOWS\system32\svchost -k DcomLaunch 1264
svchost.exe F:\WINDOWS\system32\svchost -k rpcss 1380
svchost.exe F:\WINDOWS\System32\svchost.exe -k netsvcs 1492
svchost.exe F:\WINDOWS\system32\svchost.exe -k NetworkService 1576
ati2evxx.exe Ati2evxx.exe -Client 1604
svchost.exe F:\WINDOWS\system32\svchost.exe -k LocalService 1740
aawservice.exe "G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" 1768
spoolsv.exe F:\WINDOWS\system32\spoolsv.exe 1916
schedul2.exe "F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" 2032
acs.exe 332
DkService.exe "F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" 456
mcmscsvc.exe F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 752
McNASvc.exe "f:\program files\common files\mcafee\mna\mcnasvc.exe" 844
McProxy.exe f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 924
Mcshield.exe F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 992
MDM.EXE "F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" 1548
StarWindServiceAE.exe "G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" 1728
svchost.exe F:\WINDOWS\system32\svchost.exe -k imgsvc 2008
ULCDRSvr.exe "F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" 2096
wmiapsrv.exe F:\WINDOWS\system32\wbem\wmiapsrv.exe 2260
CALMAIN.exe "F:\Program Files\Canon\CAL\CALMAIN.exe" 2368
svchost.exe F:\WINDOWS\System32\svchost.exe -k HTTPFilter 3224
mcsysmon.exe F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 432
mcagent.exe F:\PROGRA~1\McAfee.com\Agent\mcagent.exe -Embedding 3816
explorer.exe F:\WINDOWS\Explorer.EXE 3680
op_mon.exe 1328
jusched.exe "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" 2808
ctfmon.exe "F:\WINDOWS\system32\ctfmon.exe" 1480
flashget.exe "G:\Program Files\FlashGet\flashget.exe" 708
firefox.exe "G:\Program Files\Mozilla Firefox\firefox.exe" 3372
wmic.exe "F:\WINDOWS\System32\Wbem\WMIC.exe" /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid 3448
wmiprvse.exe F:\WINDOWS\system32\wbem\wmiprvse.exe 2200 |
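An added example (not part of any post in this thread): one way to read the WMIC listing requested above and map each svchost.exe PID to its `-k` service group, while also checking that the image runs from the system directory. The function names are hypothetical, the system directory is assumed to be `F:\WINDOWS\system32` as in the listing, and the sample rows are constructed in WMIC's fixed-width layout.

```python
import re

# Constructed sample in WMIC's fixed-width column layout. Rows reuse values from
# the listing posted above, except PID 9999, which is made up to exercise the path check.
ROWS = [
    ("Caption", "CommandLine", "ProcessId"),
    ("System", "", "4"),
    ("svchost.exe", r"F:\WINDOWS\system32\svchost -k DcomLaunch", "1264"),
    ("svchost.exe", r"F:\WINDOWS\System32\svchost.exe -k netsvcs", "1492"),
    ("svchost.exe", r"F:\WINDOWS\system32\svchost.exe -k LocalService", "1740"),
    ("acs.exe", "", "332"),
    ("svchost.exe", r"F:\Temp\svchost.exe -k netsvcs", "9999"),
]
SAMPLE = "\r\n".join(f"{c:<14}{cl:<52}{p}" for c, cl, p in ROWS)

SVCHOST_RE = re.compile(r'^"?(?P<path>.*?svchost(?:\.exe)?)"?\s+-k\s+(?P<group>\S+)', re.I)


def parse_wmic(text):
    """Split fixed-width WMIC output into dicts, using the header's column offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [{name: ln[a:b].strip() for name, (a, b) in zip(header.split(), bounds)}
            for ln in lines[1:]]


def svchost_report(procs, system_dir=r"F:\WINDOWS\system32"):
    """Map each svchost.exe PID to its -k group and check where the image lives."""
    report = []
    for p in procs:
        if p["Caption"].lower() != "svchost.exe":
            continue
        m = SVCHOST_RE.match(p["CommandLine"])
        path = m.group("path") if m else p["CommandLine"]
        folder = path.rsplit("\\", 1)[0].lower()
        report.append({"pid": int(p["ProcessId"]),
                       "group": m.group("group") if m else None,
                       "in_system_dir": folder == system_dir.lower()})
    return report


if __name__ == "__main__":
    # For a real file, read it first; WMIC normally writes UTF-16 text.
    for row in svchost_report(parse_wmic(SAMPLE)):
        note = "" if row["in_system_dir"] else "  <-- not in the system directory"
        print(f'{row["pid"]:>6}  -k {row["group"]}{note}')
```

The group name can then be matched against the memory figures per svchost.exe instance in Task Manager to see which set of services is growing.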
|
26-May-2008, 10:53 PM
#13 |
| Remove everything McAfee, check svchost mem usage, then report your findings here. |
|
27-May-2008, 12:11 AM
#14 |
| Since I posted my last reply, I have removed McAfee. I have not had the high memory usage on svchost.exe since removing McAfee. Have to say that I never expected it to be McAfee because I have used it for a long time without issue. Makes me wonder if I did something to cause this. At any rate, we can mark this solved in my opinion. Thanks to all for your help. |