
svchost process using 50% CPU


7 replies to this topic

#1 niio

Posted 30 December 2009 - 06:47 AM

Hi,

Recently a svchost process on my dual-core machine started hitting 50% (maxed-out core). Using PID and Tasklist I found DcomLauncher and Term Services were using this process. Disabling Term Services did nothing. When I disabled DcomLauncher and rebooted, Tasklist showed RPCss as the only process in the pegged svchost. I cannot disable RPCss using the control panel and am reluctant to edit the registry. How do I find out what is constantly using RPCss?

I am using XP home with a Sygate firewall and a router. AdAware and AVG both come up blank for infections. I had a PDF (named) infection a few weeks ago, but AVG cleaned it and I updated Adobe reader to the most current. Windows Update is disabled, as are all other auto updates I can find.

Any help would be greatly appreciated.

Edited by elise025, 30 December 2009 - 09:36 AM.




#2 hamluis

Posted 30 December 2009 - 11:10 AM

FWIW: It's normal for any Windows process...to elevate to high CPU cycles...when it's busy.

The processes you named...appear to be valid Windows processes.

http://www.softwaretipsandtricks.com/neces...DCOMLaunch.html

http://technet.microsoft.com/en-us/library...399(WS.10).aspx

If you want to investigate svchost processes running on your system, see "How to determine what services are running under a SVCHOST.EXE process": http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchost.exe-process/

Louis

#3 niio

Posted 30 December 2009 - 12:54 PM

Thanks.

Using Process Explorer I found that RPCss was spending all its time in kernel32.dll!CreateThread+0x27. Killing or suspending this thread fixes the problem until I reboot, then the same thing occurs again. I still do not know what starts this process. There is no I/O, but the TCP/IP tab shows epmap listening and gateway.2wire.net:1028 close_wait. 2wire is an ATT UVerse router, so maybe there is something going on there. I'll give UVerse a call.

#4 niio

Posted 30 December 2009 - 02:13 PM

No help from UVerse, as I expected. There is no I/O so I don't blame them.

The CreateThread dll generates a million context switches in less than 30 minutes, so this is the culprit. I still don't know what starts it. The other threads in the svchost all look like system dlls, like rpcrt4 and termserv, so they don't give any clue either. Any other suggestions?

#5 hamluis

Posted 30 December 2009 - 02:30 PM

I've suggested all that I know :thumbsup:.

Louis

#6 niio

Posted 19 January 2010 - 05:44 AM

Found the problem. There was a virus, siszyd.exe, that was launched by some other unintelligibly named trojan which had attached itself to wmiprvse.exe. I ran FreeFixer, which identified and allowed me to remove both (not wmiprvse). My normal antivirus didn't catch this.

#7 joseibarra

Posted 19 January 2010 - 05:57 AM

Would you please elaborate regarding your normal antivirus that did not catch this?

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#8 niio

Posted 19 January 2010 - 08:17 PM

From the initial post: AdAware and AVG.
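
The triage this thread works through (find the busy svchost.exe, then list the services it hosts, as Tasklist and the tutorial linked in post #2 do), written as an added PowerShell example that is not part of any post in the thread. It goes one step further and lists the processes that svchost instance started; it assumes a current Windows system with PowerShell 3.0 or later and an elevated prompt, and the `$SampleSeconds` parameter is a name chosen here.

```powershell
# Added example: triage a busy svchost.exe (hosted services and launched processes).
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.
param([int]$SampleSeconds = 5)   # hypothetical parameter name: length of the CPU sample

# 1. Sample cumulative CPU time twice to find the svchost instance that is busy right now.
$before = @{}
Get-Process -Name svchost | Where-Object { $_.TotalProcessorTime } |
    ForEach-Object { $before[$_.Id] = $_.TotalProcessorTime }
Start-Sleep -Seconds $SampleSeconds
$hot = Get-Process -Name svchost |
    Where-Object { $_.TotalProcessorTime -and $before.ContainsKey($_.Id) } |
    Select-Object Id, @{ n = 'CpuDelta'; e = { ($_.TotalProcessorTime - $before[$_.Id]).TotalSeconds } } |
    Sort-Object CpuDelta -Descending |
    Select-Object -First 1
if (-not $hot) { throw 'No svchost.exe instance could be sampled (run elevated).' }
"Busiest svchost: PID $($hot.Id), $([math]::Round($hot.CpuDelta, 2)) CPU-seconds in $SampleSeconds s"

# 2. Services hosted in that PID (what `tasklist /svc` shows), plus the DLL each one loads.
Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($hot.Id)" | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    [pscustomobject]@{ Service = $_.Name; State = $_.State; ServiceDll = $dll }
} | Format-Table -AutoSize

# 3. Processes started by that svchost, with image path and signature status.
#    A status other than Valid is a lead to follow up, not a verdict.
Get-CimInstance -ClassName Win32_Process -Filter "ParentProcessId = $($hot.Id)" | ForEach-Object {
    $sig = if ($_.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status
    } else { 'PathUnavailable' }
    [pscustomobject]@{ ProcessId = $_.ProcessId; Name = $_.Name; Path = $_.ExecutablePath; Signature = $sig }
} | Format-Table -AutoSize
```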



