Svchost and Svchost.exe - Crashs, CPU maximization, viruses, exploits and more.

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

Leo - Thanks for the response. Actually, I am behind a router firewall, and I doubt any attack would only be successful when SP2 is installed. Some MS Development Team members have indicated the SP2 bugs now number more than 800. If true, I suspect one of your contributors will solve this problem long before MS does. Good luck.

Leo,

I've been having a problem with _svchost.exe_hogging_my_CPU_(98-100%)_ ever since I installed SP2 on my Win XP Pro machine. (Strangely, the problem did not seem to occur immediately after the install. The system has not been modified at all since the SP2 installation however.) Along with svchost.exe consuming nearly all my CPU, I would also like to note that my_internet_connectivity_has_been_comprimised. Packets are being sent, but none are being received. This is true whether I am connecting by wire (NIC) or wirelessly (USB adapter).

My initial steps to combating the problem are as follows: (1) Using another machine, I checked to see if the modem and router were working properly. They both were fine. (2) I then proceeded to do two different viruse scans (NAV and AVG) with the latest definitions. No viruses were found. (3) Using the latest definitions for Ad-Aware and Spybot, I then scanned for spyware. I found a few pieces, but nothing that solved my problem. (4) I turned to Microsoft and they told me to remove SP2 through the Add/Remove Programs feature. As you might imagine, this did not solve my problem either.

I have found a partial solution to my problem however. I systematically went through the services started by svchost.exe -k netsvcs at boot time and found the the RIP Listener (Iprip) service was the root of my CPU hogging problem. I disabled this so that it would not start at boot time and my computer is now close to its former performance.

The problem that remains is that of my internet connectivity. After booting my computer up and before logging in, I believe there is traffic in both directions. (I can check this activity after logging in.) After logging in though, I believe packets are still being sent, but none are being received.

Any ideas on how to remedy this situation?

You're behind a router that's providing NAT? (I want to make sure you;re behind a firewall). I'd be tempted to fire up tdimon or tcpview and see if you can identify the process that's sending. (http://ask-leo.com/how_can_i_tell_what_internet_activity_is_happening_on_my_machine.html has more info.)

Yes, I am behind a hardware firewall. (I had been using a software firewall (Zone Alarm) as well.)

I took a look at tcpview and tdimon and it seems that all the network traffic is local -- on my machine alone. Interestingly, the only failure notices I get with tdimon is with receiving data over UDP. UDP transmission and TCP transmission/receiving seems to be fine. Also, all transmissions (TCP and UDP) appear to be over ports 137-139. (I'm not sure if that is significant or not.)

Using ipconfig I found that my IP address is being auto-assigned by Windows and not by DHCP as is supposed to happen.

And just to reiterate, I know my NIC, modem and router are working. I happen to be writing you from the same troublesome box on the same network; I am just running a different OS (Suse Linux) currently.

Hi Leo, Once internet explorer is launched svchost.exe runs using 97/99% and cannot connect to internet. Even when I exit, with nothing else open, svchost still running at same level. Once I reboot the PC works perfectly normal as long as I stay away from internet.
Sounds similar to problem RAMAN posted 9 sept.
MUCH OBLIGED IF YOU CAN HELP
Slaite

tisdawg: I'd be tempted to turn off zone alarm and see if you get a DHCP assigned address.

Multiple svchosts is normal: http://ask-leo.com/archives/000030.html

Andrea: sounds like you're being attacked from the outside. I'd make sure to follow the steps in the article: get updated, get behind a firewall, and scan for viruses and spyware regularly.

Had the same problem. Used Spy-bot and found a few tracking cookies, nothing major. Removed them and it didnt change still using 100% cpu. However when I removed Gamespy Arcade everything suddenly went back to normal. Hope this helps.

Well… problem solved! I followed the instructions on the article but there was no virus to blame. My problem was that my computer was very slow and popping up messages of “virtual memory too low” (online and offline). Eventually programs would close on their own. I would have to restart the computer to have at the most half an hour of a not-quite-trouble-free-but-bearable working computer.

One of my SVCHOST processes was working at 80,000K of memory usage as a “local service”… when I first noticed. After I restarted I noticed that it would start at about 40,000 and then grow nonstop from there (offline) until it would obviously occupy 100% of my memory and good-no-more have to restart again. (You can check this by pressing ctrl+alt+del and check “Processes”).

Diego (posted April 2004) posted something about disabling the SSDP Discovery Service Process… his symptoms seemed very familiar to mine… so I tried. The status of this process was "start pending" and pending it remained. I disabled it and problem no more!!! Nevertheless, Leo, please let me know how disabling SSDP will affect my computer.

Just so you know… My problems started after I downloaded through Windows Automatic Updates the "Update for Background Intelligent Transfer Service (BITS) (KB883357)". I uninstalled it but it didn’t fix the problem… what does this have to do, if anything, with the SSDP??

Well… THANK YOU VERY MUCH Leo and Diego… I had been going crazy for over a month now.

To post a comment on "Svchost and Svchost.exe - Crashs, CPU maximization, viruses, exploits and more.", please return to that article's main page.