svchost uses 70-100% CPU
eaglehorse
Newbie
Joined: 23 September 2007 Location: United States Status: Offline Points: 21
Topic: svchost uses 70-100% CPU
Posted: 07 November 2007 at 3:58pm
I don't believe it is a virus but I am baffled why Svchost (NETWORK Service) is using 70-100 % of my CPU for the first 3-4 Minutes of startup. After that it drops to normal.
It is a verified Microsoft Process and here is the info from Process Explorer:

Image
Generic Host Process for Win32 Services
(Verified) Microsoft Windows Publisher
Version: 5.01.2600.2180
Time: 8/4/2004 7:00 AM
Path: C:\WINDOWS\system32\svchost.exe
Command line: C:\WINDOWS\system32\svchost.exe -k NetworkService
Current directory: C:\WINDOWS\system32\
Parent: services.exe(780)
User: NT AUTHORITY\NETWORK SERVICE
Started: 2:32:04 PM 11/8/2007

Thread 1676
kernal32.dll!createThread+0x22
svchost.exe+0x22
dnsrslvr.dll!ServiceMain+0x537
dnsrslvr.dll+0x464b
kernel32.dll!createThread+0x22
RPCRT4dll!_RpcBDCacheFree+0x5ea
ADCAPI32.dll!RegDeleteKeyW+0xfd

Stack
ntkrnlpa.exe+0x69c02
ntkrnlpa.exe!ZwYieldExecution+0x1900
ntkrnlpa.exe!ZwYieldExecution+0x196c
ntkrnlpa.exe!NtConnectPort+0x1cc8
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
ntdll.dll!KiFastSystemCallRet
RPCRT4.dll!I_RpcBCacheFree+0x61c
RPCRT4.dll!I_RpcBCacheFree+0x43e
RPCRT4.dll!I_RpcBCacheFree+0x604
kernel32.dll!GetModuleFileNameA+0x1b4

TCP/IP
Protocol UDP
Local Address (computers name)
Remote Address *.*
State (is blank)

Every DLL is verified Microsoft, otherwise I would be concerned about a possible Virus. AV picks up nothing, same for Spyware Programs. Any thoughts? I am just curious to find out more about this.
Edited by eaglehorse - 07 November 2007 at 3:59pm
molotov
Moderator Group
Joined: 04 October 2006 Status: Offline Points: 17506
Posted: 07 November 2007 at 4:17pm
Hi Russ,
You've posted a bunch of information, but to be sure...
Usually, one course of action for dealing with this type of issue is to configure symbols in Process Explorer. Then, when the problem is happening, inspect the properties of the process in question (svchost.exe, in this case, it would seem) and look at the Threads tab. Sort by the "CSwitch Delta" column and note the full stack of the topmost thread.
Daily affirmation:
net helpmsg 4006
eaglehorse
Newbie
Joined: 23 September 2007 Location: United States Status: Offline Points: 21
Posted: 07 November 2007 at 4:59pm
I think the info you led me to is a little ahead of me in the power curve. I am just beginning to understand the basics of Process Explorer (want to understand more). I am not following what you mean exactly about the debugger.
molotov
Moderator Group
Joined: 04 October 2006 Status: Offline Points: 17506
Posted: 07 November 2007 at 6:33pm
1) Download and install the Debugging Tools For Windows
2) Go to PE's Options | Configure Symbols, and in the "Dbghelp.dll path" box enter the path to DBGHELP.DLL (by default, X:\Program Files\Debugging Tools for Windows\dbghelp.dll)
3) In the "Symbols path" box, enter srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Note: for symbol resolution to work, you must change the "Dbghelp.dll path" to point at the copy of dbghelp.dll that was installed with the Debugging Tools for Windows.
Edited by molotov - 21 May 2008 at 5:31pm
eaglehorse
Newbie
Joined: 23 September 2007 Location: United States Status: Offline Points: 21
Posted: 08 November 2007 at 3:28am
Thank you for your patience and help. I have really appreciated it. The simpler something is, the harder of a time I have with it. That part makes sense now, but how will this help me determine what is going on?
molotov
Moderator Group
Joined: 04 October 2006 Status: Offline Points: 17506
Posted: 08 November 2007 at 3:41am
Configuring symbols will allow PE to display the names of functions that are in the stack of the thread that is consuming CPU. From those function names, one may be able to infer what the thread is doing, and that information may guide one's investigation.
eaglehorse
Newbie
Joined: 23 September 2007 Location: United States Status: Offline Points: 21
Posted: 08 November 2007 at 8:17am
Thank you for your patience with me. I am interested in learning more and I am a twiddler by nature, so I have the need to understand as much as humanly possible. If I am irritating you, I apologize. You have been great.
This would be the offending stack that is using the CPU.

kernel32.dll!BaseThreadStartThunk (CSwitch Delta 109)

ntkrnlpa.exe!KiDispatchInterrupt+0x7f
dnsrslvr.dll!Dns_RecordCompare+0xd
dnsrslvr.dll!Cache_RecordSetAtomic+0xdf
dnsrslvr.dll!Cache_RecordList+0x74
dnsrslvr.dll!LoadHostFileIntoCache+0x5f
dnsrslvr.dll!InitCacheWithHostFile+0x7
dnsrslvr.dll!Cache_Initialize+0xa4
dnsrslvr.dll!Cache_Lock+0x2e
dnsrslvr.dll!Cache_GetRecordsForRpc+0x1d
dnsrslvr.dll!R_ResolverQuery+0xbd
RPCRT4.dll!Invoke+0x30
RPCRT4.dll!NdrStubCall2+0x297
RPCRT4.dll!NdrServerCall2+0x19
RPCRT4.dll!DispatchToStubInC+0x38
RPCRT4.dll!RPC_INTERFACE::DispatchToStubWorker+0x113
RPCRT4.dll!RPC_INTERFACE::DispatchToStub+0x84
RPCRT4.dll!LRPC_SCALL::DealWithRequestMessage+0x2db
RPCRT4.dll!LRPC_ADDRESS::DealWithLRPCRequest+0x16d
RPCRT4.dll!LRPC_ADDRESS::ReceiveLotsaCalls+0x310
RPCRT4.dll!RecvLotsaCallsWrapper+0xd
RPCRT4.dll!BaseCachedThreadRoutine+0x79
RPCRT4.dll!ThreadStartRoutine+0x1a
kernel32.dll!BaseThreadStart+0x37

I did notice after I updated my JRE and uninstalled the old one is when this started. What would the environment tab and how would I use it to help troubleshoot? Also, would it be safe to set the priority lower to help use less of the CPU, or would it just drag out the time it takes to load the DLLs?
molotov
Moderator Group
Joined: 04 October 2006 Status: Offline Points: 17506
Posted: 08 November 2007 at 8:57am
109 isn't very high - I can't see how this would be causing significant CPU usage. Currently, procexp.exe has one thread that pretty consistently has a CSwitch Delta of 2200, and overall system CPU usage is < 10%.
Per the PE help file:
Every process has an environment block that contains a set of environment variables and their values. These variables can influence or be used by the process. A relatively "famous" environment variable is the "PATH".
If you suspected a problem that was related to the environment of a process, you could inspect the environment to determine the variables and their values.
SVCHOST hosts many services; lowering the priority of the process will impact all services in the process. This may or may not be desirable or have substantial performance implications.
Edited by molotov - 08 November 2007 at 8:57am
eaglehorse
Newbie
Joined: 23 September 2007 Location: United States Status: Offline Points: 21
Posted: 08 November 2007 at 9:16am
Is it possible, because I have an older CPU, that it is the host file loading? I know you gave the link to the book on internals, but in the meantime (until) I have the extra money, is there anywhere I can start looking to learn more info about Windows internal?
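
Added example, not part of the thread: a short Python triage of the symbolized stack posted earlier, following the approach of reading function names off the stack to infer what a thread in a shared svchost.exe is doing. The names `parse_stack` and `triage` and the list of "plumbing" modules are assumptions of this example, not anything from Process Explorer.

```python
import re
from collections import Counter

# Stack copied from the post above (top of stack first), still run together
# the way the forum rendered it.
POSTED_STACK = (
    "ntkrnlpa.exe!KiDispatchInterrupt+0x7f dnsrslvr.dll!Dns_RecordCompare+0xd "
    "dnsrslvr.dll!Cache_RecordSetAtomic+0xdf dnsrslvr.dll!Cache_RecordList+0x74 "
    "dnsrslvr.dll!LoadHostFileIntoCache+0x5f dnsrslvr.dll!InitCacheWithHostFile+0x7 "
    "dnsrslvr.dll!Cache_Initialize+0xa4 dnsrslvr.dll!Cache_Lock+0x2e "
    "dnsrslvr.dll!Cache_GetRecordsForRpc+0x1d dnsrslvr.dll!R_ResolverQuery+0xbd "
    "RPCRT4.dll!Invoke+0x30 RPCRT4.dll!NdrStubCall2+0x297 RPCRT4.dll!NdrServerCall2+0x19 "
    "RPCRT4.dll!DispatchToStubInC+0x38 RPCRT4.dll!RPC_INTERFACE::DispatchToStubWorker+0x113 "
    "RPCRT4.dll!RPC_INTERFACE::DispatchToStub+0x84 "
    "RPCRT4.dll!LRPC_SCALL::DealWithRequestMessage+0x2db "
    "RPCRT4.dll!LRPC_ADDRESS::DealWithLRPCRequest+0x16d "
    "RPCRT4.dll!LRPC_ADDRESS::ReceiveLotsaCalls+0x310 RPCRT4.dll!RecvLotsaCallsWrapper+0xd "
    "RPCRT4.dll!BaseCachedThreadRoutine+0x79 RPCRT4.dll!ThreadStartRoutine+0x1a "
    "kernel32.dll!BaseThreadStart+0x37"
)

# Assumption of this example: modules counted as OS/RPC plumbing, not as the hosted service.
PLUMBING = {"ntkrnlpa.exe", "ntdll.dll", "kernel32.dll", "rpcrt4.dll", "svchost.exe"}

# module[!symbol][+0xoffset]; a frame with no "!symbol" part has no resolved name.
FRAME = re.compile(r"^([\w.]+\.(?:exe|dll|sys))(?:!([^+\s]+))?(?:\+0x([0-9a-f]+))?$", re.I)

def parse_stack(text):
    """Return (module, symbol or None, offset) for each frame token in a pasted stack."""
    frames = []
    for token in text.split():
        m = FRAME.match(token)
        if m:  # prose words mixed into the paste are skipped
            frames.append((m.group(1), m.group(2), int(m.group(3) or "0", 16)))
    return frames

def triage(text):
    """Summarise a stack: frames per module, unresolved frames, and the service call path."""
    frames = parse_stack(text)
    service = [f for f in frames if f[0].lower() not in PLUMBING]
    return {
        "frames": len(frames),
        "by_module": Counter(m for m, _, _ in frames),
        "unresolved": [f"{m}+{o:#x}" for m, s, o in frames if s is None],
        "service_module": service[0][0] if service else None,
        # Outermost call first, so the last entry is where the thread was running.
        "call_path": [s or f"+{o:#x}" for _, s, o in reversed(service)],
    }
```

On the posted stack, `triage(POSTED_STACK)` reports `dnsrslvr.dll` as the service module, with a call path running from `R_ResolverQuery` through `LoadHostFileIntoCache` to `Dns_RecordCompare`. Frames listed under `unresolved` are the ones that symbol configuration is meant to fill in.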