Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchost.exe sometimes a hog


  • Please log in to reply
8 replies to this topic

#1 JohnnyTwoSticks

JohnnyTwoSticks

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 28 January 2014 - 12:48 PM

Every now and then (once a week, two weeks) I hear the harddrive working and all gets very slow. Process Explorer shows that a svchost is taking up 50% or more of CPU resources. I don't know why it starts doing this or what its doing. In our times of the NSA I fantasize that it has opened a direct line to Langley. I use Firefox, with NoScript; ZoneAlarm and periodic checks with MalwareBytes and SpyBot and I haven't seen any other kind of sign that my PC might be infected somehow. It is more of an annoyance: when it starts up it means I can't do much in the way of anything else. If I use Process Explorer to suspend the service I can work but as I just discovered I could not click on a file (mp3) so that it would actually open/play. Resuming the process didn't help, so as I have been doing, I had to restart my PC.

 

In short, my concerns: is this annoying but benign? If malign, then what?

 

Would appreciate ideas/solutions. Thanks.

 

Attached File  svchost1.JPG   22.5KB   0 downloadsAttached File  svchost2.JPG   31.28KB   0 downloads



BC AdBot (Login to Remove)

 


#2 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:13 AM

Posted 28 January 2014 - 12:53 PM

What we need would be a Speccy snapshot.



#3 Greg62702

Greg62702

  • Banned
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 AM

Posted 28 January 2014 - 04:08 PM

Svchost.exe can also be a virus.  Download SysInternals Process Explorer and look at what the Sub-Process is, that is hogging the CPU.  Then we can go from there.  Speccy will only do a snapshot of what your machine hardware is, or installed software, not what is causing this issue.  Speccy is intended to be used for Advanced troubleshooting, and will not show why this is going on.



#4 JohnnyTwoSticks

JohnnyTwoSticks
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 28 January 2014 - 04:08 PM

will this be it: http://speccy.piriform.com/results/TRXDKBEsLHkbyEKnrhbZbKa



#5 JohnnyTwoSticks

JohnnyTwoSticks
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 28 January 2014 - 04:12 PM

Thanks. I posted a screen shot from Process Explorer, showing what is running under the svchost.exe. It is on my original post above. Is that what you mean?



#6 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:04:13 AM

Posted 28 January 2014 - 04:19 PM

You're aware that you have Dropbox running, correct?

 

You also have Google Drive Sync running (twice actually) which is going to use some bandwidth.

 

Do you use Magic Jack? I assume for your printer??

 

IMO, I wouldn't use Spybot S&D. It's taking up alot of resources as well. It's outdated and no longer the best anti-spyware app.

 

My .02 is that you could benefit from some hands-on optimizing. Don't use a optimizer app!

 

I wouldn't rule out a virus either.



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:13 AM

Posted 28 January 2014 - 05:42 PM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (.dll's) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Windows Task Manager in order to optimize the running of the various services.
  • svchost.exe SYSTEM
  • svchost.exe LOCAL SERVICE
  • svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifier (PID)'s must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. The PID is not static and can change with each logon but generally they stay nearly the same because they are always running services.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder. In Windows 7 64-bit the file may be located in the SysWOW64 folder.

Another technique is for the process to alter the registry and add itself as a startup program or service so that it can run automatically each time the computer is booted. If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here. Always make sure the spelling is correct. If it's scvhost.exe, then your dealing with a Trojan.

How to determine what services are running under a Svchost.exe process
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 JohnnyTwoSticks

JohnnyTwoSticks
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 28 January 2014 - 07:46 PM

Thanks Netghost65 and quietman7... will do some research on the links and tips.



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:13 AM

Posted 28 January 2014 - 07:48 PM

You're welcome and good luck.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users