
svchost maxing cpu


20 replies to this topic

#1 HeadMelter

HeadMelter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 09 May 2011 - 03:17 PM

About two weeks ago I started noticing that my audio was crackling whenever I tried to play anything (mp3, youtube, games, etc.). I ran a scan from MSE and Malwarebytes, which both turned up nothing. My school's tech support told me that svchost was maxing out the CPU and that when they disabled Application Manager it dropped back to normal levels. They changed Application Manager from automatic to manual, since I have nothing to do with Group Policy, and Application Manager never should have been on to begin with.

Now, svchost maxes out the CPU whenever I turn the computer on or wake it up from sleep. It'll linger at 100% for about 5 minutes, drop to 50%, and then eventually everything goes back to normal.

I'm running Windows 7 Ultimate 64-bit on a two-year-old HP Pavilion dv7, Intel Core2 Duo 2 GHz, 4GB RAM, NVIDIA GeForce 9600M GT



#2 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern Ohio
  • Local time:11:59 AM

Posted 10 May 2011 - 06:52 AM

Do you have any program turned on to scan your system on start up? Like anti virus, or anything that checks for updates on start up. If you have a bunch of programs calling home on start up at the same time it will slow things down. Check msconfig/startup and see what programs are starting on boot. I have 3 checked and my pc boots fine.
Welcome to Bleeping Computer!

Edited by Layback Bear, 10 May 2011 - 06:53 AM.


#3 HeadMelter

HeadMelter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 10 May 2011 - 10:34 AM

I have a lot turned off, so here are the ones running:

Synaptics Pointing Device Driver
Microsoft Security Client
IDT PC Audio
Chromium Updater
HP Wireless Assistant
hpwuSchd Application
Microsoft Office 2010
Launchy

(I know that it is neither Chromium Updater nor Microsoft 2010 because I had both of these uninstalled and it made no difference.)

#4 NicciAdonai

NicciAdonai

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 10 May 2011 - 12:11 PM

Here is a great article on svchost.exe processes and how to troubleshoot them.

If you don't want to read the article, you might, as a first step, try Process Explorer from Microsoft's Sysinternals to try to nail down what services/programs the offending instance of svchost belongs to. Click or hover over the process and that should give you a list of services and/or programs.

I also recommend Autoruns, also from Sysinternals, as a better alternative to msconfig. Just remember that in Vista and 7 you must right-click on the program and choose "Run as Administrator" to make any changes to your startup config.

#5 HeadMelter

HeadMelter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 10 May 2011 - 03:09 PM

According to Process Explorer the svchost with the most CPU usage is running:
Application Experience
Background Intelligent Transfer Service
Computer Browser
Extensible Authentication Protocol
Group Policy Client
IKE and AuthIP IPsec Keying Modules
IP Helper
Server
Multimedia Class Scheduler
User Profile Service
Task Scheduler
System Event Notification Service
Shell Hardware Detection
Themes
Windows Management Instrumentation
Windows Update

The next one is running:
Cryptographic Services
DNS Client
Workstation
Network Location Awareness

How do I tell which is the one that is maxing my processor?

#6 NicciAdonai

NicciAdonai

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 10 May 2011 - 05:03 PM

Process Explorer should display CPU usage alongside each process. You can sort the processes by CPU usage as well. You can double-click an svchost process and then click the Services tab to stop the services it is, um, servicing, from within Process Explorer. It looks like you are running Vista/7 based on the "Network Location Awareness" service, so you may need to right-click the program and choose "Run as Administrator" to do this.

Note: the following suggestions may come a bit fast and furious. You may want to read the entire post and then pick and choose what you want to do first.

In Process Explorer, ensure that you are not getting hit by lots of DPCs and Interrupts. These are under the System Idle Process umbrella and don't show up in Task Manager. You will get some but just ensure that they are not spiking very high.

If you are sure that a svchost.exe process is causing the problem, try this: http://support.microsoft.com/kb/929135
The article is a bit confusing. Simplified steps are as follows:

1. Open msconfig.
2. On the General tab, select "Selective startup," then uncheck "Load startup items."
3. On the Services tab, tick "Hide all Microsoft services," then click "Disable all."
4. Click OK, then restart.
5. When the PC boots up, ascertain whether the problem is still occurring.
6. If not, re-enable services one by one, restarting each time, until the problem does occur.
7. Once the problem occurs, disable all services except for the one you enabled last.
8. If it still occurs, you have found your offending service.

If the problem still occurs on step 5 then you should, of course, disregard the other steps and set everything back the way it was unless you want to troubleshoot further on your own.

Here is something else I would try. Click Start, type Event Viewer, then hit Enter. Browse to Windows Logs, then scan the "Application" and "System" sections for any errors that seem to be related. One clue might be the timestamps: check for things that seem to happen on boot. If nothing obvious pops out, create a custom view to check for performance degradation and boot degradation. To do this:

1. Right-click on "Windows Logs" in the left-hand pane and select "Create Custom View..."
2. Tick all the "Event level" boxes.
3. Under By log / Event logs, expand "Applications and Services Logs," "Microsoft," "Windows."
4. Tick the "Diagnostics-Performance" checkbox.
5. Click OK.
6. Name it Diagnostics-Performance and put it under a folder named Custom Views.

Repeat steps 1-4, but this time click the text box that says "All Event IDs" and type "101-110" without the quotes. Then repeat steps 5 and 6, naming it Boot Degradation.

Browse your new custom views, starting with the boot degradation one. I believe this one works best if you can find the date on which you started experiencing symptoms. If you find no leads there, browse the other one (which btw will include all the events from Boot Degradation). For example, my Diagnostics-Performance custom view tells me that my USB driver caused a delay in resuming from standby while servicing a device. If the delay were major (in this case it was less than 200 ms, so not major), I might be more careful about unplugging devices before going to standby. If no devices were present, I might think about updating my chipset drivers and/or BIOS.

Some other suggestions:
- Update drivers. Your PC manufacturer's website is a good place to start, but sometimes these are not updated very frequently and old computers are generally forgotten. For audio and video I would try the website of your respective audio and video manufacturers.
- Update your BIOS. Your PC manufacturer should have this in the same place as drivers. Use care when doing this, but don't be afraid to do it. After downloading the file I would definitely wait until your PC hit normal speed after booting before running it. (Anecdote: a BIOS update once fixed a strange slowdown problem for me after upgrading a laptop from XP to Windows 7.)
- Are you mapped to any network resources that are possibly trying to reconnect every time you turn your computer on?
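The two Event Viewer custom views described in the post above can also be pulled from a script. This is an added example, not part of the original post; it assumes an elevated PowerShell prompt, and the 30-day look-back window is an arbitrary choice.

```powershell
# Added example: query the Diagnostics-Performance log for the same event ID
# range (101-110) the post uses for its "Boot Degradation" custom view.
# Run from an elevated PowerShell prompt.

$logName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
$since   = (Get-Date).AddDays(-30)   # assumed look-back window; adjust to when symptoms began

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 101..110
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No events with IDs 101-110 in $logName since $since."
    return
}

# Timeline view: first line of each message is usually enough to spot the culprit.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Frequency view: which event IDs dominate the window.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'EventId'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Dropping the `Id` entry from the filter gives the broader Diagnostics-Performance view from the same post.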

#7 MilesAhead

MilesAhead

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 10 May 2011 - 07:50 PM

Disable Indexing. In default programs disable Windows Media Player. It will open and close every file on your system looking for media files to stick in the library. If you have a file monitor program look to see if every file is being opened. That happened to me on both Vista and W7 although 7 wasn't as bad. I use Everything Search instead of indexing. Cuts way down on HD hogging and cpu usage.

"I don't want to belong to any club that would have me as a member."
- Groucho Marx


#8 HeadMelter

HeadMelter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 10 May 2011 - 11:00 PM

Unfortunately, disabling everything didn't help, the CPU still ran to 100%. I'm starting to think that it is a built-in Windows service.

The only real degradation is coming from some instances of svchost and, a lot more, from Background Prefetch Time errors. The other view, Diagnostics-Performance, is showing errors for WMI and Load Pref. I can't make any sense of it:

"Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected."

The start up always takes roughly two and a half minutes, but for some reason svchost varies between 100 and 50% for the next 6-10 minutes.

#9 MilesAhead

MilesAhead

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 11 May 2011 - 01:14 AM

You have to look in the svchost entry and see what it's running. svchost is just a carrier to run a service. It's meaningless unless you get the service that's hogging the cpu.

Also I would try opting out of Consumer Experience Program or whatever they call it. Even if you opt out of the program using control panel, they keep gathering stats in Task Scheduler. You have to manually go through task scheduler and turn all that crap off. I forget the name of the performance gathering stats tasks for the program. You'll prolly need to google each one you don't recognize. Unfortunately MS will hog most of your resources doing what it wants unless you go down through all the Microsoft task stuff in Task Scheduler and disable what you don't need.

Edited by MilesAhead, 11 May 2011 - 01:16 AM.

"I don't want to belong to any club that would have me as a member."
- Groucho Marx


#10 HeadMelter

HeadMelter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 11 May 2011 - 11:46 AM

Had replaced Windows Media Player a long time ago and cleared all of its defaults. Opted out of CEIP, disabled the tasks it logs in Task Scheduler, and used this (http://forum.sqlsentry.net/topic1950-why-monitor-windows-task-scheduler.aspx) to find out what else I could kill. Only ones I couldn't find an answer to were HotStart and SystemSoundsService. My startup list is also now down to 4 items, but svchost still runs at either 100 or 50% for roughly 6 minutes before returning to normal. As far as I can tell it made it return to normal faster, but didn't really fix anything.

Oh, and thanks for the help guys.

#11 MilesAhead

MilesAhead

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 11 May 2011 - 03:47 PM

You keep saying "svchost runs at 50%" and I'm trying to get across that you need to look one level deeper to see what svchost is running. It's like Rundll32. It runs a dll. If you don't know which dll then it's not conveying any information.

"I don't want to belong to any club that would have me as a member."
- Groucho Marx


#12 HeadMelter

HeadMelter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 11 May 2011 - 04:27 PM

That's the problem. I can tell you the services it is running, but I can't pinpoint which one it is or how much resources it is taking, at least I don't know how to figure that out.

This is what it is running:
Application Experience
Background Intelligent Transfer Service
Computer Browser
Extensible Authentication Protocol
Group Policy Client
IKE and AuthIP IPsec Keying Modules
IP Helper
Server
Multimedia Class Scheduler
User Profile Service
Task Scheduler
System Event Notification Service
Shell Hardware Detection
Themes
Windows Management Instrumentation
Windows Update
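For the question running through the posts above (which svchost instance is busy, and which services does it host), the following added example ranks svchost.exe processes by CPU over a short sampling window and lists each one's services. It is not from any poster in this thread; it assumes Windows PowerShell 3.0 or later run elevated (on stock Windows 7 with PowerShell 2.0, swap `Get-CimInstance` for `Get-WmiObject`), and the 10-second window is an arbitrary default.

```powershell
# Added example: rank svchost.exe instances by CPU used during a sampling
# window and show the services hosted in each. Run elevated, otherwise the
# CPU times of system-owned processes are not readable.
param(
    [int]$SampleSeconds = 10   # assumed sampling window
)

# Map process ID -> running services hosted in that process.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    ForEach-Object {
        $key = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += "$($_.DisplayName) [$($_.Name)]"
    }

# First snapshot of accumulated CPU time per svchost instance.
$before = @{}
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $before[$_.Id] = $_.TotalProcessorTime
}

Start-Sleep -Seconds $SampleSeconds
$cores = [Environment]::ProcessorCount

# Second snapshot; the difference is the CPU time consumed during the window.
$report = foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $start = $before[$p.Id]
    $end   = $p.TotalProcessorTime
    if ($null -eq $start -or $null -eq $end) { continue }   # new process or access denied
    $delta = ($end - $start).TotalSeconds
    [pscustomobject]@{
        ProcessId  = $p.Id
        CpuPercent = [math]::Round(100 * $delta / ($SampleSeconds * $cores), 1)
        Services   = ($servicesByPid[[int]$p.Id] -join '; ')
    }
}

$report | Sort-Object CpuPercent -Descending | Format-List
```

CPU is accounted per process, so a shared instance only narrows the search to its group of services. To measure one suspect separately, `sc.exe config <ServiceName> type= own` followed by a reboot gives that service its own svchost process, and `type= share` reverts it.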

#13 HeadMelter

HeadMelter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 11 May 2011 - 07:49 PM

Ok, I think this is the issue, Security-SPP runs every time on start up, and ends just before the CPU usage drops down to single digits. Everything I could find makes it seem like some process is calling SP API, turning on Security-SPP. Does anyone know what this does or is there some way I can safely turn it off?

#14 NicciAdonai

NicciAdonai

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 12 May 2011 - 05:15 PM

http://technet.microsoft.com/en-us/library/ff716103(WS.10).aspx

Nice job on narrowing it down, btw! Now that you've done it, the way you've done it seems like common sense.

As for fixing it, I am dubious as to whether I can be of any help from afar, but I do have a few suggestions.

It seems like this process should only run when a new PC or newly cloned OS first comes online. It is used to reset activation keys, etc back to their clean state, "rearming" Windows as a brand new machine after a PC reseller makes any changes such as installing Norton 30-day trials or changing the background to a nice-looking ad.

- Do ensure that you have validated both Windows and MS Office.
- Run the Autoruns program that I posted a while back. Remember to run it as Administrator. After it is done scanning, uncheck "Hide Windows Entries" under the Options menu and refresh. Wait for it to finish scanning again (it will likely take longer this time), then do a search for sysprep. From what I can tell from some brief Binging (I'm short on time), sysprep.exe is what Security-SPP is called by. One ehow.com post I found indicated that sysprep.exe could be found under the Startup tab in msconfig; maybe he was using a different version of Windows. Perhaps Autoruns, which is much more exhaustive, can find something.
- Also in the Autoruns program while you still have "Hide Windows Entries" unchecked, do a search for riprep.
- If you find either of the above, disable all the entries you find.
- Do some internet searching for "disable sysprep ???" and "sysprep running slow" etc where ??? is your flavor of Windows. I don't remember you disclosing which one you have? Not gonna vouch for anything you find. Just a suggestion.

Edited by NicciAdonai, 13 May 2011 - 01:17 PM.


#15 HeadMelter

HeadMelter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 13 May 2011 - 07:10 PM

I thought I was at the end... I looked for both and found neither. I can't think of anything else I can do.



