Svchost and Svchost.exe - Crashs, CPU maximization, viruses, exploits and more.

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

Very helpfull site. Hope this helps someone else.
Had to reinstall OS after a hardware failure on a firewalled and regularly virus checked machine. Decided to dump ME as had copy of W2K (first release version), so had to apply SP4 and set up windows update etc. Got the svchost.exe using 99% of CPU from the first time W2K ran after applying SP4!
Next I set up Windows update, and was surprised there were only 2 updates, but applied them anyway. It took 2 hours to install them, because of the hogging by svchost.
After carefully checking for Blaster type worms killed the svchost processs (1 of 4) that was hogging. I immediately got a message from the firewall that ntoskrnl.exe had been sent a broadcast from an IP within my ISPs auto assigned IPs (ie users) domain, which I disallowed. I don't know how realavent that was. Next I applied the MS DCOM/RPC exploit patch, which apparently had not been installed by SP4 or windows update. I then Deleted mobsyc.exe, osa.exe and internat.exe from the startup items mainly as unwanted services, but possible culprits.
So far, touch wood, the problem has gone away, and windows update has now produced 31 more updates to install. It is quite possible that windows update itself caused some of these problems, maybe getting something bound up in an endless loop.

Ok, initially my problem was that svchost was taking up 50%ish of my cpu usage (probley not 100 couse of hyperthreading) when ever i would end the task the sound would stop working and it would say that i have no 'audio mixer device', in my n00bishness i thought it would be a good thing to delete svchost that was causing all my problems, omg! big mistake. So i used the windows repair function from the setup on the cd and then my windows was working fine...except svchost still ran 50% and now i have no sound at all, it constantly says that i have no audio mixer drives. Device manager says my sound card drivers, "This device cannot start. code (10)" (i have onboard by the way). To find the sourse of the cpu usage i used the process explorer to look inside of the svchost that was taking my cpu usage, the thread that was taking it all was a thread called 'kernel32.dll!RegisterWaitForInputIdle+0x4a' to solve the cpu prob temparaly i suspend that thread evertime i start up buit there is still no sound. I have tried every 'solution' on everysite i could find that has any information even slightly relating to my problem but 50+ 'solutions' later still no better. Please Help Me!!!

used symantec's FixWelch and FixBlast an they said that i'm virus free.

this svchost is using 100% CPU when i'm offline also, so i doubt that someone is attacking me.

and i've got a new problem! my system is generating an error witch shuts down my system in 1 min.

Thanks for the great article, Leo! I've had the problem where svchost.exe suddenly starts using 99-100% of the CPU once or twice a week for nearly a year now, and this is the first site I've found that really addresses it.
Unfortunately, in my case, it didn't seem to help. My system runs Windows XP, and I've kept up-to-date with all of the latest Windows Updates and service packs. I scan regularly with McAfee Virus Scan and automatically update with the latest virus updates. I also scan regularly with Microsoft AntiSpyware (and keep it updated). After reading your article, I also installed, updated, and scanned with AVG Free and Spybot Search and Destroy. No viruses or spyware were found by any of these.
I also checked my firewall (McAfee Personal Firewall Plus) and it was already set to block ports 135, 139 and 445.

However, I did notice that ports 20 and 21 were enabled (for some FTP file transfers I needed to do). I went ahead and blocked them because I didn't need them anymore.
Is it possible for some sort of attack that causes the svchost.exe problem to come through these ports?

Leick: I'm not aware of any issues directly related to ftp ports, but of course blocking them if you don't need them certainly makes sense.

I don't have any specific answers for you beyond the article at this time. You *might* try unplugging your network the next time you see usage spike ... that might be an indication of an external something that the svchost process is attempting to react to. You might also use process explorer to see which svchost is being affected, and then which services that instance is attempting to provide. This may provide clues.

Thanks, Leo. I forgot to mention that I had tried that, too. However, in my case, every time svchost.exe takes over the CPU, it never lets it go again (until I reboot), even if I quit every application, end every task listed (under the applications tab) in the Windows Task Manager, disconnect from the network, and disable wireless networking (I've even tried waiting a couple hours).

After reading your article, I downloaded Process Explorer and I've been keeping it running in the background so I can switch over and diagnose next time it happens - svchost has been good for the last few days, so I don't have any new info yet.

One other note: it seems to only occur when the system is fairly loaded with several applications open and running, although that may be a coincidence because that's true the majority of the time.

THE FIX. For me, running Windows 2000 and IE6 w/ SP1, the fix was not with svchost.exe, it was with "services.exe". Basically, the two are related somehow and Windows has a fix for it.

Here is the link: http://www.microsoft.com/downloads/details.aspx?familyid=722f11f1-6505-444a-92bb-9985ab3697e8&displaylang=en

I'm pretty sure this will work in a lot of cases similar to mine. Basically, svchost.exe was using the majority of my CPU usage. Hope this helps!

Also, try turning off your Automatic Updates.

Winpatrol will help nail down what the issue might be as well. Download that from: www.winpatrol.com

Hope this helps more!

I have some strange things going on with access to the internet. I have taken off just about everything except Panda Antivirus, Zone Alarm firewall, Spybot Resident tea-timer (anti-spyware), and HostsMan. Frequently, I'll go to a new URL in firefox and it will sit there trying to load the page. If I go to a DOS box at this time, I can do a "nslookup www.yahoo.com" and get a valid IP address. I can then do a "ping 68.142.197.83" or whatever the IP address given for yahoo, and this works fine and gets a ping back. When this happens, svchost"network service" is taking about 50% of the CPU. It does this for several minutes and then things start to work.

Might also be the services of the Fingerprint reader hardware. I have the Protector Suite QL on my Toshiba, brand new laptop and running antivirus nOD32 and i know i am virus free. As soon as I am using the ProcessExplorer and monitor it and start closing update service, the Fingerprint software has a popup error, closes itself down and the CPU goes from 99 to less than 10. After my firefox, gives me a C++ error and shuts down.. I still have to look deeper, I might end up removing and reinstalling the fingerprint software vs repair.

To post a comment on "Svchost and Svchost.exe - Crashs, CPU maximization, viruses, exploits and more.", please return to that article's main page.