1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

SVCHOST.EXE Using up all Resources

Discussion in 'Windows XP' started by n1ml, May 23, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. n1ml

    n1ml Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    131
    There is a process called svchost.exe using up almost 100% of my resources and making the computer almost useless. What is causing this or how do I find out what is causing this problem? I am running Windows 2000 Pro.
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    When did this begin? Have you added hardware , installed programs or updates just prior?

    This is hard to troublehsoot in Win2K due to the lack of a System Configuration utility, but you could install the XP version of msconfig.

    Does the problem occur in Safe Mode or under a different User Profile?

    Go to Start > Run, enter cmd and then copy/paste the following command into the command window:

    cd %userprofile%\desktop
    tlist /svc /fi "imagename eq svchost.exe" >> taskservlist.txt


    That should create a text file on your desktop. Copy/paste that here.

    You might want to try installing msconfig to assist in troubleshooting:

    http://www2.whidbey.net/djdenham/Msconfig.htm
     
  3. n1ml

    n1ml Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    131
    I did get the msconfig and it works OK. I tried to do the start, run and CMD. A DOS window opened. I copied the new text commands and did a right click but it keeps saying error. Do I have to backspace the default directory it opens up?
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  5. n1ml

    n1ml Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    131
    I got the new file and put it in. Here is the txt file tht was generated:

    AdjustTokenPrivileges failed with 1300
    -2 Idle.exe
    8 System.exe
    172 SMSS.exe
    196 CSRSS.exe
    216 WINLOGON.exe MM Notify Callback
    244 SERVICES.exe
    256 LSASS.exe
    444 svchost.exe
    468 spoolsv.exe
    500 blackd.exe
    512 Brmfrmps.exe
    532 cvpnd.exe
    544 DefWatch.exe
    564 svchost.exe
    584 mxtask.exe Fix-It Task Manager
    636 InCDsrv.exe
    712 Rtvscan.exe ACTION
    804 nvsvc32.exe NVSVCPMMWindowClass
    816 pctspk.exe
    848 regsvc.exe
    864 mstask.exe SYSTEM AGENT COM WINDOW
    888 stisvc.exe
    948 WRSSSDK.exe
    1132 explorer.exe Program Manager
    1160 ULCDRSvr.exe
    1192 WinMgmt.exe
    1204 mspmspsv.exe
    1220 svchost.exe
    1244 MsMpEng.exe
    1484 VPTray.exe Symantec AntiVirus Corporate Edition
    1516 jusched.exe
    1540 pptd40nt.exe PaperPort Print Driver
    1616 PropelAC.exe AT&T Worldnet Accelerator
    1644 brctrcen.exe ControlCenter2.0
    1180 shwicon2k.exe Card Reader Monitor For 6362 4.5 Slot
    1664 rundll32.exe Hidden Main Window Modify
    1676 PDVDServ.exe CL RC Engine2 Dummy Winidow
    1704 InCD.exe PNPNOTIFICATIONRECEIVER_8F22F0
    1740 qttask.exe QTPlayer Tray Icon
    1648 MSASCui.exe GDI+ Window
    1840 NkbMonitor.exe PictureProject Monitor
    1572 blackice.exe A security content update is available.
    Click here
    1892 BrMfcWnd.exe Brownie (Installation report)
    1900 MHPRMIND.exe Microsoft Graphics Studio Reminder Service
    1964 BrMfcMon.exe Brother MFC-420CN USB Printer on USB001
    924 MSIMN.exe Outlook Express
    1508 msnmsgr.exe MSNUnnamedWindow
    1120 firefox.exe XPCOM:EventReceiver
    1984 svchost.exe
    1824 calc.exe Calculator
    1936 WINZIP32.exe WinZip - kill-tlist(2).zip
    2312 CMD.exe C:\WINNT\system32\cmd.exe - tlist /svc/fi"imagename eq svchost.
    1580 TLIST.exe
    -2 _Total.exe
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Wow, that wasn't what I was expecting; I'm not sure if the command executed correctly or it just works differently than the XP version.

    That looks more like a process list than what is specifically running under Svchost.

    Yet, from the number and obscurity of some of those processes I'm not surprised there is an overload.

    Did you manually type or copy/paste that command line? If you left out the quotes, that might explain what you got there.

    This is what I'm looking for:

    -----------------------------------------------------------------------
    I think Tlist works differently than tasklist, so try this command instead:

    cd %userprofile%\desktop
    tlist pid >> taskservlist.txt

    You may need to enter each line manually and separately.

    http://support.microsoft.com/Default.aspx?kbid=890188

    Maybe you should post a HijackThis scanlog.

    Download and install HijackThis using the "self extractor". Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    --------------------------------------------------------------------------

    I'd like to be able to give you specific suggestions, but if I'm unable to do that you are going to have to try using msconfig to "clean boot" troubleshoot. I believe you should be able to carryout the same procedure in Win2k as you would here in XP:

    Run msconfig and select the "Services" tab. Check "Hide Microsoft Services" and then disable the rest. Also uncheck "load startup group" on the general page.

    See this link for detailed information:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353

    Now restart and test the issue at hand

    If no problems, run msconfig and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

    If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

    Get the idea? You want to isolate the problem to a specific startup if possible.

    Note: if you already have items unchecked under msconfig > startups and are in “selective” startup mode – you should note what these are before beginning. They will need to be de-selected again.
     
  7. Gunsguy

    Gunsguy

    Joined:
    May 24, 2006
    Messages:
    6
    Can you please confirm the file in question, is it as you typed it? or is ther another letter in it? if there is you have virus

    svchost is normal, svcrhost etc aint..


    Gunsguy
     
  8. n1ml

    n1ml Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    131
    I was careful to be exact in my typing. Here is my hijackthis log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:52:45 PM, on 5/24/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINNT\system32\Brmfrmps.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\AT&T Worldnet Accelerator\PropelAC.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINNT\system32\RunDll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\calc.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\AT&T Worldnet Accelerator\pac-image.html
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6C6A77C7-B4CC-4792-BB9D-5B50A211F69E} (ProductInformation Control) - http://www.iolo.com/app/ocx/ProductInformation.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: W2K PCtel speaker phone (pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: System Commander MBR check (WinMBR) - Unknown owner - C:\SC\WINMBR.EXE
     
  9. n1ml

    n1ml Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    131
    I also did the pid >> thing and got the following

    AdjustTokenPrivileges failed with 1300
    -2 Idle.exe
    8 System.exe
    172 SMSS.exe
    196 CSRSS.exe
    216 WINLOGON.exe MM Notify Callback
    244 SERVICES.exe
    256 LSASS.exe
    444 svchost.exe
    468 spoolsv.exe
    500 blackd.exe
    512 Brmfrmps.exe
    532 cvpnd.exe
    544 DefWatch.exe
    564 svchost.exe
    584 mxtask.exe Fix-It Task Manager
    636 InCDsrv.exe
    712 Rtvscan.exe ACTION
    804 nvsvc32.exe NVSVCPMMWindowClass
    816 pctspk.exe
    848 regsvc.exe
    864 mstask.exe SYSTEM AGENT COM WINDOW
    888 stisvc.exe
    948 WRSSSDK.exe
    1132 explorer.exe Program Manager
    1160 ULCDRSvr.exe
    1192 WinMgmt.exe
    1204 mspmspsv.exe
    1220 svchost.exe
    1244 MsMpEng.exe
    1484 VPTray.exe Symantec AntiVirus Corporate Edition
    1516 jusched.exe
    1540 pptd40nt.exe PaperPort Print Driver
    1616 PropelAC.exe AT&T Worldnet Accelerator
    1644 brctrcen.exe ControlCenter2.0
    1180 shwicon2k.exe Card Reader Monitor For 6362 4.5 Slot
    1664 rundll32.exe Hidden Main Window Modify
    1676 PDVDServ.exe CL RC Engine2 Dummy Winidow
    1704 InCD.exe PNPNOTIFICATIONRECEIVER_8F22F0
    1740 qttask.exe QTPlayer Tray Icon
    1648 MSASCui.exe GDI+ Window
    1840 NkbMonitor.exe PictureProject Monitor
    1572 blackice.exe A security content update is available.
    Click here
    1892 BrMfcWnd.exe Brownie (Installation report)
    1900 MHPRMIND.exe Microsoft Graphics Studio Reminder Service
    1964 BrMfcMon.exe Brother MFC-420CN USB Printer on USB001
    924 MSIMN.exe Outlook Express
    1508 msnmsgr.exe MSNUnnamedWindow
    1120 firefox.exe XPCOM:EventReceiver
    1984 svchost.exe
    1824 calc.exe Calculator
    1936 WINZIP32.exe WinZip - kill-tlist(2).zip
    2312 CMD.exe C:\WINNT\system32\cmd.exe - tlist /svc/fi"imagename eq svchost.
    1580 TLIST.exe
    -2 _Total.exe
    AdjustTokenPrivileges failed with 1300
    -2 Idle.exe
    8 System.exe
    172 SMSS.exe
    196 CSRSS.exe
    216 WINLOGON.exe MM Notify Callback
    244 SERVICES.exe
    256 LSASS.exe
    444 svchost.exe
    468 spoolsv.exe
    500 blackd.exe
    512 Brmfrmps.exe
    532 cvpnd.exe
    544 DefWatch.exe
    564 svchost.exe
    584 mxtask.exe Fix-It Task Manager
    636 InCDsrv.exe
    712 Rtvscan.exe ACTION
    804 nvsvc32.exe NVSVCPMMWindowClass
    816 pctspk.exe
    848 regsvc.exe
    864 mstask.exe SYSTEM AGENT COM WINDOW
    888 stisvc.exe
    948 WRSSSDK.exe
    1132 explorer.exe Program Manager
    1160 ULCDRSvr.exe
    1192 WinMgmt.exe
    1204 mspmspsv.exe
    1220 svchost.exe
    1244 MsMpEng.exe
    1484 VPTray.exe Symantec AntiVirus Corporate Edition
    1516 jusched.exe
    1540 pptd40nt.exe PaperPort Print Driver
    1616 PropelAC.exe AT&T Worldnet Accelerator
    1644 brctrcen.exe ControlCenter2.0
    1180 shwicon2k.exe Card Reader Monitor For 6362 4.5 Slot
    1664 rundll32.exe Hidden Main Window Modify
    1676 PDVDServ.exe CL RC Engine2 Dummy Winidow
    1704 InCD.exe PNPNOTIFICATIONRECEIVER_8F22F0
    1740 qttask.exe QTPlayer Tray Icon
    1648 MSASCui.exe GDI+ Window
    1840 NkbMonitor.exe PictureProject Monitor
    1572 blackice.exe A security content update is available.
    Click here
    1892 BrMfcWnd.exe Brownie (Installation report)
    1900 MHPRMIND.exe Microsoft Graphics Studio Reminder Service
    1964 BrMfcMon.exe Brother MFC-420CN USB Printer on USB001
    924 MSIMN.exe Inbox - Outlook Express - Wireless
    1508 msnmsgr.exe MSNUnnamedWindow
    1120 firefox.exe XPCOM:EventReceiver
    1984 svchost.exe
    1824 calc.exe Calculator
    1936 WINZIP32.exe WinZip - kill-tlist(2).zip
    2236 notepad.exe hijackthis.log - Notepad
    1976 CMD.exe C:\WINNT\system32\cmd.exe - tlist pid
    1880 TLIST.exe
    -2 _Total.exe
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    There are a few things I'd be suspicious of, such as Webroot or your VPN program, ....

    Hold on, make the command:

    tlist -s
     
  11. n1ml

    n1ml Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    131
    I ran that command in the DOS window and it looks like the other runs. I do not know how to cut and paste from the DOS window.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    just substitute here and you should get a text file:

    cd %userprofile%\desktop
    tlist -s >> taskservlist.txt

    You can copy/paste from the cmd window by right clicking and select "mark" then drag the highlight over the text you want to select and then right click -- the text gets copied to the clipboard.
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/469645