Svchost and Svchost.exe – Crashes, CPU maximization, viruses, exploits and more.
I’ve discussed Svchost, aka Svchost.exe, in previous articles on Ask Leo!. Many people are witnessing a svchost.exe crash and it’s actually quite amazing. Unfortunately, there’s no single point of reference for svchost related problems. Rather than answering one single question, I’ll try to cover a theme that can best be summed up as:
What’s The Deal with SVCHOST?
Become a Patron of Ask Leo! and go ad-free!
Symptoms
Do any of these symptoms sound familiar?
- Your system becomes sluggish and you find that something called svchost or dllhost is taking nearly 100% of your CPU.
- Your system reports that svchost has performed an illegal operation and will be terminated. After that, various things fail to work properly, if at all.
- After you log in, your system automatically reboots in one minute.
If so, then it’s almost certain that you either have a virus or your system is currently vulnerable to a particular type of exploit known as the “RPC buffer overflow”. We’ll look at addressing both.
But just what is svchost?
Let me tell you what it is not: On Windows XP and later svchost is not a virus. On those systems, svchost is a required system component. If you happen to successfully delete it, your system will not run. You’ll be much worse off than before. (Win95, 98, and Me users, see Note 1.)
Do not delete svchost.exe. Don’t even think about it. [Important: do not confuse svchost, which we are discussing here, with scvhost, which has two letters transposed. They are not the same thing. The presence of scvhost may indicate a virus.]
Svchost, which is short for “service host”, is a core part of the operating system that provides support to many of the required services that are Windows. You can see all the copies of svchost and what services they are running by typing “tasklist / svc” in a command window. If you don’t have tasklist, or just prefer not to use the command shell, you can use SysInternals Process Explorer instead. (Check out my previous article “What is Tasklist.exe, and why don’t I have it?” for details.) On my machine, one copy of svchost is responsible for 30 separate services, another is hosting 4, and the remaining 3 host one service apiece.
What about this “RPC” thing that has vulnerabilities?
Same story. RPC, for Remote Procedure Call, is a core operating system service. Windows won’t run without it. If you happen to successfully disable it, you’re in deep trouble.
Do not disable the RPC service. Don’t even think about it. (If you already did, see Note 2.)
So what do you do?
First, we have to understand that there are two possible problems:
- You could be infected with a virus.
- You could be under “attack” from an outside source attempting to exploit the RPC vulnerability.
It’ll do you no good to get things all cleaned up only to get hit again the moment you connect to the internet, so we’ll deal with the second point first.
Block the Vulnerability
The very first thing we have to do is plug the vulnerability. This will prevent some forms of re-infection, as well as some forms of attack, both of which can cause the problems we’ve been talking about.
If you’re running Windows XP, you can turn on the Internet Connection Firewall. In Control Panel, select Network Connections, select the connection that corresponds to your internet connection, right click on that and select Properties, select the Advanced tab, and make sure that Protect my computer and network by limiting or preventing access to this computer from the Internet is checked.
If you’re running behind a NAT router, you’re probably already safe, but make sure that ports 135, 139, and 445 are not being forwarded to any computer on your network.
If you have some other kind of firewall, ensure that those same ports are blocked.
Update Your System
Install all of the latest service packs and patches. For Windows 2000, that means getting the latest service pack, as well as any additional patches. For Windows XP, that also means getting the latest service pack and any additional patches. (Note: If you’ve installed Windows XP Service Pack 1, Microsoft now recommends installing Service Pack 1a that corrects a couple of problems.) The whole process can be simplified to this: visit Windows Update, let it analyze your system, and then download and install all the updates suggested.
The single, most important update relating to our svchost / RPC problem is this one: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs. Make certain that the patches listed there have been installed.
You’re not done.
Scan for Viruses
To put it more completely, update your virus signatures to the latest possible and then scan for viruses. In fact, experience is showing that not all virus scanners are catching all viruses, so it would be in your best interest to use a second virus scanner as well.
You may not have a virus. But you may have contracted one as a result of the vulnerability.
There are several viruses that may result from this vulnerability. Some cannot be removed by the virus scanners’ traditional mechanisms. If that happens to you then you’ll need to download a special tool to remove that particular virus. Take the name of the virus identified by your scanner, visit the Symantec Anti-Virus Center, and search on that virus. Chances are, if there’s a tool to remove they virus, they have it.
Scan for Spyware
There is anecdotal evidence that Spyware can also be associated with svchost related problems. Even if that’s not accurate, it’s a good idea to scan regularly anyway. Grab a copy of a tool such as Spybot Search and Destroy, or Ad-Aware.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Footnotes & References
Note 1: Windows 95, 98, and Me users: Most of this article does not apply to you at all. You shouldn’t be seeing the symptoms described here. If you do, or if you find svchost.exe on your machine, then you likely have a virus and should scan and clean immediately.
Note 2: If you’ve already disabled the RPC service, then Black Viper has a possible way to restore it. He also has instructions for stopping the 60 second shutdown as well.
Note 3: If you have a firewall such as ZoneAlarm, it may ask if it’s ok for svchost to access the internet. It’s probably ok to allow it. There is at least one legitimate service that svchost supports that does need to access the internet: the time service. It connects to time servers on the internet to ensure your clock is correct.
Updates
Finally, check back here for updates. SVCHOST has been the source of a lot of frustration for people, and I’ll try to update this article as new information becomes available.
- 09-May-2004: Added note on scvhost misspelling, and the related link to the LSASS article.
- 12-May-2004: Added notes relating to Windows Service Pack 1a.
- 03-Dec-2005: Added a new article: Where is it alright for svchost.exe to be?.
- 10-May-2007: Added a new article: “How do I fix this high CPU usage svchost virus or whatever it is?”
Dear Sir,
I keep getting the following Error message.
Programme Error
” sychost.exe has generated eroors and will be closed by Windows.You wll need to restart the program. An error log is being created”
Once this message appears, I cannot reply any Email nor copy and paste anything. Everything is disabled. Earlier this use to appear once in a way, but now it appears every 10 minutes . I even tried to reload my operating system, XP-2000 , but nothing changed. It has changed from bad to worse. Can You help me..What shud I do to overcome..Pl help
Best Regards
B.G.Rama Mohan Rao, India
Your question is exactly what this article is all about. Have you followed the steps in the article?
Leo
Hello
All this makes a lot of sense relating to my problem, but the svchost on my system is failing at start-up, making it impossible to connect to internet to update windows, norton, etc.
I have internet connection on another system that works fine. Is there anyway I can use this system to fix the corrupted one?
Please help
Yours
Kez
Me again,
Just to clarify the extent of the problem, task manager will let me end the offending svchost but the system does not complete its boot, therefore the start menu does not open (mouse pointer turns ‘busy’ when in taskbar area) and no applications will start, although you can open windows and use win explorer.
Thanks again.
Kez
Can you boot if you are not connected to a network?
Can you boot in safe mode? If not, can you boot using the recovery console?
Leo
What is System Idle process in task manager of windows Xp.
Thank you… for your website.
I’ve been having problems with sluggish computers and added an anti-spyware program…
(so I’ve 1 more thing running) and your website gave me info on svchost… which I will NOT remove…
Thanks.
Hi leo, I ve been having problem on my win Xp sp1, with the svchost.exe (75% to 100% always). Trying to see what was wrong with the computer and following the posts in your site, I finally see in the event viewer / system, that the SSDP Discovery Service service was (The SSDP Discovery Service service was successfully sent a start control.)was always trying to do something, and then stops.
So Ive disable de SSdp discovery service, and my CPU usage finally got stable.
Thank u
Hello
once i connect to the internet the svchost.exe got most of the CPU usage …
also another application generates an error , its something like NT AUTHORITY/.. and the system reboot.
i aslo found out the sapisvr.exe is always running with about 50%.
any suggestions please and thanks alot
The instructions in the article still apply. Have you tried them? Sapisvr is speach recognition software, which can be processor intensive. If you don’t use it, turn speech recognition off.
Leo
Hi,
I’m from an embedded world.
Over-all it appears dependency/x-coupling of one protocol depending on another is becoming more ambiguous between RTOS’ (worse in development OS’ i.e. WinNT/XP/2K/..)platforms. Using memory maps was an easy way of finding out what was sucked in by the tornado (VxWorks is a good example of giving specs. of what comes IN when builds are done).
Do you have any suggestions in finding the same in conventional OS’s as describe before (i.e. WinNT/XP/2K/..)?
thanks,
charles
If you truly mean build time, then that information is typically available from the build tools themselves. The linker with Visual Studio, for example, can be instructed to output a map. These days runtime is just as, sometimes more, impactful, and I recommend something like Process Explorer (http://ask-leo.com/d-31017a ) to see what DLL’s are in use when an executable is running.
Leo
IF svhost.exe is not a virus, why are Symantec saying it is?
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.n.html
They’re NOT.
They say “The existence of the file Scvhost.exe is an indication of a possible infection.” CHECK THE SPELLING … the c and the v are reversed, it’s a different file.
Later in that same article they also say: “This should not be confused with the legitimate system file Svchost.exe.”
Leo
Have a SVCHOST.exe on XP corrupted with the welchia B virus. Screwing my machine up. Have tried running the symantac welchia removal tool but it will not take it out. Can I replace the svchost.exe with another one from another XP machine through dos?
Thanks,,,Rich
THEORETICALLY yes. But it would be VERY easy to render your machine un-bootable if a mistake is made. Make sure it’s from the same version of Windows, and make sure that you also update the version in XP’s system file cache as well. If you succeed, then I’d immediately run System File Checker to ensure proper versions are in place, AND then hit Windows Update for latest patches and such.
Good luck!
Leo
Thanks Leo. Followed your suggestions and sure enough a second free virus scan produced a trojan virus and one other i’ve seen before “safesearch”. I think that this is the one that gums up SVCHOST. After deleting the two viruses everything was back to normal. Firewall is now on again. Thanks!!
Bernard
Hi Leo,
Your comments on the svchost are interesting, I’ll follow through with them.
Do you have any info on bartshell.exe or avserv.exe? Both of these are initiating errors and sucking up cpu usage.
Thanks, Bill
Bartshell: on references I’ve seen are viral related. Have you run a virus or spyware scan lately? I’d recommend it.
Avserv: I’ve come up empty on that one.
Good Luck!
Hi Leo,
Thank you for all the info so far. I was wondering if you can help me with my problem. My computer doesn’t boot well the first time when I put my pc on. Also sometimes it’s shut down and my pc says it’s: TreuVector Service (that’s ZoneAlarm isn’t it).
Do you know why my firewall shuts it down and won’t boot right the first time? I have checked for a virus and there where 2 but after scanning a lot of times there not here anymore so that’s not the problem.
Sorry for my not so good english,
Thanks, Peter from Holland
Hello to Holland (home of my parents as well as my current house guests :-).
I located this thread on truevector issues out on DSLReports: http://ask-leo.com/d-40502b – does any of it describe or help resolve your issue?
Hello I have done everything in the directions you have suggested and am still having the svchost.exe running at 99 or 100% is there anything else i can do to stop this from happening?
Also there seems to be some discrepencies on the name of the file in your website as I have seen it refered to as scvhost.exe and svchost.exe which one is ok?, and which is a potential virus?
If you’ve done everything described here, I don’t have more suggestions at this time. Check back, because as new information becomes available, I will add it to the article.
And sCVhost is probably a virus. sVChost is a system component.
Good luck!
Hi again Leo (and others),
It looks like the pc is not rebooting any more automaticly. But the computer does not start up in one time… again it “hangs” when it starts up, sometimes I have to start it up 2 or 3 times at one time.
Does anybody have any other suggestions? Thanks for the info so far.. I will try to shut down ZA tonight and see if it’s starting up right tomorrow.
Peter from Holland
hello,
i got win xp with 2 users and in one of them the usage of svchost.exe is 99% en in the other one its 00% do i got a virus?(my scanner doesnt locate any virus) what now??
tnx in advance
Silly question, but is everyone remembering to disable System Restore BEFORE running the Blaster or Welchia removal tools?
Yes I did scan with the tools and yes I did put of the System Restore before I started running them. Funny and all but my computer is still not working right and scanning everyday!
Anybody?
Peter from Holland
Niels: quite possibly. I’m hearing again and again that not all scanners are always catching all viruses. Sad, but apparently true. Try another scanner and see what it shows.
ALSO, it’s possible you DON’T have a virus, but that you are being attacked (or probed) from outside. Make sure you have a firewall of some sort.
Good Luck.
I’m having a problem similar to this, but different. My computer works fine at all times, EXCEPT when I try to download items from windowsupdate.com. Some will update, but a couple (the latest Win Media Player update, and the update for DirectX9.0b), when I run them, will download the files fine, but once the program begins installation, the svchost.exe file (User Name: SYSTEM in the Win Task Manager/Processes) goes to near 100%, and the updates will not install. I’ve let one run for 5+ hours trying to install, another for 3+ hours. I close the programs (they crash, and I need to close them by using Win Task Manager/Applications/End Task, hitting that multiple times, and then closing the “Not Responding” popups), but the svchost.exe will continue to show 100% until I reboot. And, I can surf the net and do other programs at the same speed as before, while this svchost show 100% CPU usage. I’ve checked for Blaster and it appears I do not have that worm/virus. Any help would be app
Sorry, I forgot to mention above that I cannot install DirectX9, even from game CDs that come with DirectX9 on the CD. This has happened on two different games, one I purchased recently and I cannot play due to the games requirement I have to have DirectX9, but the same things happen as described above whether I try to upgrade DirectX with either a game CD or via windowsupdate.com. I don’t think it’s a DirectX problem specifically, as the same thing happens trying to update Win Media Player from MS windowsupdate.com page, and it’s not an internet problem specifically, as I cant’ update my DirectX from a game CD. The results described above are the same. Any thoughts appreciated.
Hate to make this “War and Peace”, but I opened Win Task Manager/Processes to show me more information, after another failed attempt to download an update from windowsupdate.com. While svchost.exe shows 97-99% CPU usage, the “I/O Reads” and “I/O Read Bytes” for this process is ticking up exponentially, like the national debt. After about 10-15 minutes, the “I/O Read Bytes” is at 2.2 BILLION. The “I/O Reads” is at 2.6 million. But I’ve also noticed that lsass.exe and services.exe (both User Name – SYSTEM) are acting the same way in the “I/O Reads” and “I/O Read Bytes”, though at a much slower pace. Lsass.com usually shows 0-3% for “CPU” usage, and services.com always shows 0%. I know the Sasser virus recently has done some things, but this problem has been with me since late last year – I’m just trying to correct it now, as I want to get DirectX9, and these Windows Updates are building up over time. Thanks again.
Carl: It’s possible you’ve been affected by the *very* recent sasser worm. Even if not I would make absolutely sure your virus signatures are up to date, and do that virus scan again. Essentially I’d have you follow my most recent advice to Niels: a very up-to-date virus scan or two, and ensure that you have a firewall in place.
Good luck.
Hey there,
I am actually having a weird problem. Not all the symptoms are happening to my machine as everybody else’s, the only one I have is when I first boot up, svchost is taking up to 98% usage on only my account (not SYTEM or others like that) and I can’t go view anywebsite or anything. It’s as if I’m not online at all. When I End Process of svchost.exe, everything works just fine and I can go online and everything. My PC doesn’t reboot or anything when I shut it off. Maybe you can help me with this…I also have a problem with turning the firewall built into XP off, because when I do, my server won’t work. (I am hosting from my PC) I do, however have a firewall through my router, and it’s turned on, but only the port that I am hosting through is open.
Please help if possible, thanks.
-Wayne-
What AV software have you run lately? Your router should be enough of a firewall that you shouldn’t need XP’s. The svchost running in your account is really suspicious … is it svc or scv?
Leo, This problem has been with me since Oct/Nov of 2003, so I don’t think it can be the very recent Sasser worm. I have checked the box on the WinXP firewall, and I have NAV, I use LiveUpdate, I use NAV to scan all incoming and outgoing emails, and I run scans on my computer with NAV, Spybot and Ad-Aware regularly. This is strange as it only affects updates trying to make changes to WindowsXP (and the very related DirectX) from MSoft updating. I can download/load all other programs, both downloaded as well as purchased programs from CDs. Also, my computer downloads the updates fine with no 100% CPU usase from svchost while downloading the updates – but the svchost CPU usage goes to 100% when the updates start to apply themselves. Thanks again.
Have you tried a system file check? (http://ask-leo.com/archives/000074.html )
Sir,
My pc (Win XP)has recently been affected by the W.sasserworm but i have deleted the virus by updating the MS-0411 MS bulltein and running the patch.But now the PC has become little slow and if i look at the process the CPU performance is showing 80% but the system idle process is showing 82% why is this so.There is no RPC.exe running in my PC.I am using the windows firewall
and using norton corporation with latest updates.
How can i increase my PC speed?
regrads
Tamal
Leo, I tried the system file check (SFC) as you suggested, and the exact same thing happened as when I try to download and process an update – the “File Signature Verification” box says “Building File List…” and has just hung up there, and the svchost.exe file is at 100%. So, it’s not just the Windows Update files, I presume there’s a “larger” problem. So, I basically can’t run SFC. Any other ideas?? At this point, would a repair or re-install be a wise course of action now?? Thanks again for your suggestions.
I am running Windows XP with service pack. I used to be able to network my three home computers but have not been able to for several months. I now know that the following error messages are related to the problem but can’t find a fix anywhere. Help!
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 5/6/2004
Time: 10:36:32 AM
User: N/A
Computer: ATHLON2200
Description:
The Computer Browser service and The Messenger service depend on the Workstation service which failed to start because of the following error:
The service has returned a service-specific error code.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 5/6/2004
Time: 10:36:32 AM
User: N/A
Computer: ATHLON2200
Description:
The following boot-start or system-start driver(s) failed to load:
MRxSmb
Rdbss
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 5/6/2004
Time: 10:36:32 AM
User: N/A
Computer: ATHLON2200
Description:
The Workstation service terminated with service-specific error 2250 (0x8CA).
Tamal: I’m confused by your post. You’re saying that your processor is both 80% idle AND 80% busy, which of course isn’t possible. Can you maybe clarify a little?
Carl: well, SFC basically *is* a type of repair, so you’ve already attempted that. I think that yes, my next approach would be to attempt to reinstall XP on top of your existing installation. That would also be a type of repair.
Before you do that, have you checked the event log for any interesting information that might relate to the times the installs or SFC fail?
http://ask-leo.com/archives/000095.html
David: I don’t have anything very specific for you yet. The 2250 indicates that the workstation couldn’t find a network … so I supposed one possibility is that your network card has a problem. Seems unlikely, but that could be ruled out by swapping it out (or just adding another).
I’d also take a run at the System File Checker, just to see if something gets repaired as part of that process. http://ask-leo.com/archives/000074.html
is it normal to have 5 svchost.exe processes running at one time?
I’m having seriously weird slowdown/hang problems. I *think* it has to do with SVCHOST, as Zone Alarm is noting outgoing attempts by “Generic Host Process for Win32 Services” to access 255.255.255.255:67. The count on these attempts varies anywhere from 14 to 42. These seem to correlate with “beeps” I hear when the system hangs for a minute and cpu usage upspikes sharply. This (whatever “this” hang is) also causes a delay in mouse response, which has become increasingly common. I’ve also noticed Explorer spiking up to 70% cpu usage. Does this sound like anything familiar??? Thanks for any help you can provide.
John: absolutely, yes. Check out this article: http://ask-leo.com/archives/000030.html
JYW: Nothing *specifically* familiar, other than the host of viruses and spyware that seem to be abundant. Have you gotten the absolute latest virus signatures downloaded and run scans for both?
Hello Leo
I have XP pro installed and I am unable to “change the way user log on or off”. I get the following message
“Client Services for netware has disabled the welcome screen and fast user Switching. To restore these features you must uninstall client services for netware”
I have disabeled this .EXE with not much luck. Can you help please?
Go to Start > controle panel > user accounts > “change the way user log on or off”.
I don’t have actually any comment but i want more information about that svchost coz it is taking 100% of my cpu.i wonder why and how can I overcome this problem.Thanx foryour help.
Di.
Yarub: Netware is incompatible with fast user switching. Here’s the Microsoft Knowledgebase article on it: http://ask-leo.com/d-40507a
Diane: that’s what this article your commend was posted on was all about. How did it not help?
hello,
regading my earlier post it is like this when i see the processes in the Task manager it shows system idle as 90% but when i go to performance it shows the CPU usage around 60-70%.
Is it ok?..
regards
Tamal
i run windows xp home edition and i have the problem that one of the svchost.exe in task manager is running at 100%cpu which is making computer slow and crash..i have run my anti virus and nothing is picked up ..despite no virus i have used the removal tools for blaster and welchia and nothing nada..what is also strange is that my norton gets edited where the automatic live update gets turned off and i have to renable it ..at times it disables it…im at the end of my tether i dont even know if this message will post…since i use xp i dont have task list and at the moment i feel very paranoid downloading anything…does this mean i have to reformat
ps forgot to mention that when i start up and check task manager i have an application called findows running in applications and when i check to see which process its running on it goes to rund32.dll file…i have no clue what findows.
I am highly suspicious of findows. Have you run any anti-spyware software lately? I can certainly recommend Spybot Search & Destroy. You might also try the Sasser removal tool (this article discusses: http://ask-leo.com/archives/000114.html ). You didn’t indicate what AV software you’re running (sounds like Norton, though) … you might try one of the free ones as a second-level test: recommendations here: http://pugetsoundsoftware.com/recommend.html
Good luck!
Tamal: it does seem a little odd. In task manager when you’re looking at performance, select “View” and “Kernel Times” – is the resulting bar mostly red or green? Also … how fast and old is your machine?
hello sir,
i have a PIII 500 MHZ 192 SDRAM…with WIN XP when i do as you have said -the kernel times is mostly red.
My pC is four years old now.
tamal
Hello
just a couple of days ago, my svchost has been acting kinda weird. Only one, the “local service”, is using more and more of my CPU Usage. When i first restart my computer, it’s normal, but the longer it’s on, the more CPU Usage it uses. I’ve done everything you say on this page, and nothing. I am still having the same problem. I’ve scanned for viruses, and i have none, my definition of viruses are always up-to-date. I have Windows XP home, and i have Norton. I’ve gone into “command”, the pressed netstat, and i have no viruses i’m almost certain.
Hi there,
I’m running into problems similar to those described here… svchost.exe is hogging my CPU and my internet connection isn’t working. I am using Windows 2000, and Ad-Aware found nothing, and Norton found nothing (though my definitions are from late April). I found that when I disabled the ‘RIP Listener’ service, svchost.exe stopped hogging my CPU. However, my internet connection is still gone. My two home machines connect through the same router, and my other machine (older, running Windows 98) is still working fine with no problems.
I can’t check windowsupdate or anything else for updates, because my internet connection is gone on that machine.
Any suggestions to how I can get my internet connection back?
Daron
Both Gummo & Daron: do you have a firewall in place and enabled? I also keep hearing of AV software that isn’t always catching the virus, so you may try another brand (a couple of free ones are listed on http://pugetsoundsoftware.com/recommend.html ). Naturally you do need to make sure your AV software has the latest virus definitions.
Good luck…
Tamal: nothing obvious comes to mind. I’m not sure why your performance measure should look different one way than another. Since you were infected with sasser, I’ll point you at this article: http://ask-leo.com/archives/000114.html but it sounds like you may have already taken the steps listed there. It’s worth reviewing, though.
Leo thank you for the response, I have run various spywares…first i ran spy bot when i scanned it didnt run it stopped half through…then i downloaded adaware…and i ran it , it removed a massive amount of spyware ..but findows still runs when i first start…. i run norton antivirus…i have run a number of online scans at different sites …one sites was the trendmill site where the scan said that one of the systems files was infected with the backdoor cirebot.A virus…norton is not picking it up it is updated always is im very paranoid about viruses so i do ensure that it is updated and run daily …I have run the removal tool from symantec site …it said doesnt have the virus…
i have got to the stage where im thinking I Hate the hackers spywares and viruses and also machines:) i take it reformatting is the only solution for me???
further there are four users on the win xp home what is also interesting is that my daughters account is hidden when i go to “my computer” and the local C drive…when i try to access it from the documents and settings it says access denied…and her account is not passwored…none of us have passwords on our accounts …
dear leo
i have a problem in one of PC IN Network.i try to ping it to out of network it pinging delay time is more then 2000 ms. and when i end process one of the svchost it ping under 100 ms.so pls advice me what could me the matter. is this behaviour is because of virus or what.pls reply as soon as possible
Hi Leo,
Yes, I have a firewall on my router (D-Link DI-604); I’ve just set it up to block the ports you specified. However, while my router recognizes that I have connected my machine to it via the CAT-5 cable, my machine cannot actually connect to the router and out to the internet. Since I am unable to connect to the internet (the current problem I am trying to fix) and I don’t have a CD Burner on my other older machine, I don’t really have a way to get an additional virus scanner onto that machine and installed.
Daron
Ashraf: certainly could be virus related. Have you followed all the steps in this article?
Daron: Can you connect to anything on the internet? For example are you using that computer to visit this site? If so, I just posted an update to the Sasser article that might apply: http://ask-leo.com/archives/000114.html
Leo,
I’m having some I guess you could call them hiccups with my computer and I think it may have something to do with svchost. When I do a Ctrl Alt Del to check my programs that are running, I have anywhere from 4-10 instances of svchost running at the same time. What does this mean and how do I fix it if it is an error like I believe it is? I did the above steps in the article and it found no viruses or errors anywhere. I can’t seem to find anything wrong except that all these svchosts are running. Any assistance is appriciated.
What are the hiccups? As described in this article: http://ask-leo.com/archives/000030.html having multiple svchosts is normal, and not a sign of a problem, in and of itself.
Well its just that my computer is acting odd lately. Mainly when I try to install things it’ll either freeze halfway through the install (the progress bar and install shield that is) and when I press cancle my computer crashes or after the install is “complete” the program partially works, the uninstall won’t work, and I can’t reinstall it any better than the previous attempt. I thought that maybe the svchost was the source of the problem but I suppose not (not much of a computer expert on those things).
Ah. Yes, I wouldn’t point at svchost or anything specific just yet. You might try the system file checker, for a start – http://ask-leo.com/archives/000074.html
Alright, I used the system file checker and it said that I had 4 files unsigned (the modified dates were 2 years or more old so I don’t think they have anything to do with my current problems).
Leo,
I am not viewing this page on the affected computer. I am using a different computer that is working fine… this working computer is able to connect to the internet… and my nonworking one is connected to the same router, so I know the problem isn’t with my actual internet connection.
Any ideas?
Daron
Brian: well what remains for me are general trouble shooting steps … visited Windows Update lately? Make any changes to your system about the same time the problems started? Might be worth checking whatever is starting automatically (http://ask-leo.com/archives/000025.html ). Perhaps even a memory test would be in order (http://ask-leo.com/d-memtest ). If you have any other details or reproducible cases, that might help.
Good luck!
Dear All,
as I write this one my svchost.exe processes is running at 98%. Also I get an rpc shutdown when on the internet after about 5 – 10 mins. If not online everything works just fine. So it seems to be with being online. Norton has found no viruses with the latest scan … although it did delete welchiaB a couple of weeks ago. But I was PARTICULARLY interested in what Carl said because I can date all my problems almost exactly to when I tries a windows update and windows told me I needed to download windows SP1 was downloaded with some other stuff. Since then it’s been svchost and shutdowns galore? Is there a problem with SP1? I suspect there is.
Also I found a file called svchost.exe-3530F672.pf which was apparently only created yesterday eveinign when I was trying to virus scan etc. and sort out my problems – is this a bogus file???
Thanks in advance
Are you behind any kind of a firewall? SVCHOST can go to 98% (or whatever) if you are under attach from an outside source. A firewall can protect you.
AND: yes, there was a problem with SP1. There is now an SP1a that I recommend you install: http://ask-leo.com/d-xpsp1a
Hi first time on the site. Have had the same probs with svchoste.exe as most. increased CPU usage etc however I have gone into Tastk Manager. Processes. and on svchost.exe with mem usage some times 300000 or above have high lighted and and then End Process. the at the promp YES and this will bring svchost.exe back to arount 1580 and the pc then behaves. Unfortunatly this is not a permanent fix so my question is do I have a virus and if so what will sort it out?
***** A message for Daron ****
I too have a D-Link router/firewall, and on odd occasion find that i am unable to connect to the internet, or even the router/firewall itself.
Releasing / renewing the IP on the network card works fine (Proving connectivity to the DHCP software on the router) but i’m still unable to ‘HTTP’ to the router? Does this sound about right?
Well, firstly try powering off the router, then release the IP on your network card.
Then power router back on again, then renew IP on NIC (if it doesn’t automatically) and see if you can HTTP to the router interface.
If you can, try the Internet… see if it works.
If you can’t get to the internet, release the DHCP address on your router and renew that…
See if that solves your problems….
Daron,
Sorry i missed a post in here… the one that reads you’re using another PC connected to the same router.. ;)
So, can you release/renew IP on your network card of non connecting machine?
If your NIC card is allocated a DHCP IP of *172.16.0.1* can you ping that address? from a CMD prompt?
Can you ping 127.0.0.1?
You might have a faulty network card.
have you tried removing the network from the machine and inserting it again?
Tried removing it from the Device Manager and re-installing the drivers?
Everytime I run a game or a operation that requires alot of power, my PC crash.
It says it was a device driver, or else it says it is being researched. I don’t get any other info on the device driver so I have no idea whats wrong. The problem have been there before but not to this extend. I have formatted the harddrive but it didn’t work, now it’s just worse! I don’t know where to get help, so I thought that maybe you could help me, please!
Hi Leo. I use Win XP Pro, at startup I have five svchost.exe services running and I cannot access the internet. One of them consumes a high level of processor usage. When my cursor is placed on the start button, I get a busy sign and I cannot click the start button to access the programs. I am thinking about Welchia or so… I can stop two svchost.exe via the services.msg command (the plug and play related I stopped) and than I can reboot and I can access the start button but not the internet. My virus definitions where one week old maximum before it happened. I use Norton 2004 Antivirus and NIS 2004 as well. One of the last things that happened was the installation of Xlink by my brother, some kind of chat program he says, so think that had something to do with it perhaps. Now, I cannot access the internet so I cannot use online scanners or patches. I tried adaware 6 but found nothing, Spybot same thing and Norton same thing. At first I had a service called netinfo running, but I was
PS I had the latest windows patches and everything, messenger service from windows disabled.
Thx in advance!!
About the only thing I can think of right now is to get the latest set of virus definitions for Norton on to the machine somehow, presumably using a floppy or CD-ROM. It certainly *sounds* like the various viruses discussed in this article.
Hey Leo,
I am having similar problems with the Internet that others are having. Everything works fine on my computer but when I look at systems processes there are 4 or 5 svchost.exe running. I use to live in a different state and had wireless Internet. They gave me a CD that had 4 programs to run that would take care of it. Since I have moved I returned the CD to the Wireless Internet Company. When I moved I just got dialup for a little while but now I have switched to DSL and my Internet is doing the same thing. (This is because I have reformatted my computer) My Internet goes slower than 56K and the ping is like 4000. I remember 2 of the programs on that CD were Windows XP Service Pack 1 and fixwelcha removal tool so I installed both of them. After running FixWelcha it said that the Welcha Virus was removed but my Internet Connection is still very slow (slower than 56k) and there are still 4 or 5 svchost.exe’s running. Can you please help me? Thanks
hi leo.
i have 15 comp. in my class. every time after formatting i see this message. i use xp pro and win 2000 pro . i have this problem each comp. formatting not solution i can understand.i have one switch and each comp. connect that network.what can i do for solution thank you.
Okay, I read the article, I tried the steps listed in it and about 15 other articles simmilar to it. Here’s what is happening….
I have Win 2K, SP4. I run Ad-Aware 6 about once a week along with Spybot S&D. I update my virus defs daily. I updated the Windows install about a week ago.
Somehow my wife got a couple spyware programs on the PC. One was 180 something one was Lycos SideSearch. I removed them with Ad-Aware. I rebooted. It started giving me SVCHOST.exe errors. I restored all the files and key entries. Still getting them.
I have reinstalled SP4 (but it was intigrated on my install in the first place), I have run the various patches to correct the exploits. I have ZoneAlarm as my firewall, and AntiTrojan Guard on watch as well. She runs NetRatings from Neilson (tracks websites she surfs to, like the Neilson Ratings on TV) which I have disabled. I have replaced the svchost.exe file with one from another PC that is not having this problem. I have checked for files that are named similarly or different sizes, hidden in folders and so on. Nothing.
I cannot connect to the Internet with this PC anymore. Now copy/paste/move is disabled completely now. I have backed all this data on the C drive to another to preserve it as it was before I started making changes. I can’t see the contents of WINNT folder or any subfolders. I can’t see the contents of the Control Pannel. I ran Windows 2K repair program from the original disk. I have not used the recovery console yet, and I don’t see any reason that it would help when the other solutions offered are not.
THis is my last plea before I format C and loose almost a year’s worth of data and installations for myself, my wife and my daughter. This is time critical, I only have a half an hour left here at work.
Thank you.
Matt: Pretty much all the advice I have at this time is in the article that you’ve just added your comment to (http://ask-leo.com/archives/000105.html ). It is normal to have several SVCHOSTs running (see this article: http://ask-leo.com/archives/000030.html )
firat: I’m having trouble understanding your description problem. Taking a guess: if one computer in your class is infected, it could be reinfecting the other computers immediately after they’ve been reformatted. I would take all the computers off the network, clean, virus scan, reconnect and patch each one in turn so that you know only clean machines are connected to the network.
I reformatted and reinstalled everything. I ghosted the C:\ partition to another partition to preserve my data. Nevermind on the post I made.
Sorry we weren’t able to come up with a less severe solution for you. I’m glad you were able to save your data. :-)
I ran an online Virus test and found out I had 724 Viruses. Alot of them were Bagle.N and stuff like that. I used that removal tool 4 times but they just keep coming back. I have alot of other viruses to. Im just going to format my whole computer, Including the D Drive which all my stuff I really want to keep is saved on. I pray this works. Thanks for the help though.
Wow! Yes, that much could be very hard to clean up. Be sure to set up safety measures after you reformat to avoid problems in the future. This article might help: http://ask-leo.com/archives/000011.html
Hi Leo,
I believe my computer is suffering from a Svchost problem. I run XP Home ed. and I’ve been worried for some time that my dialup connections have been missing from the Network Connections folder. I can still connect, but only the Windows Task Manager actually acknowledges the connection. Everytime I create a new connection it just suddenly disappears. This started about 5 months or so back, and I was wondering if this has anything to do with Svchost problems, since I have a Svchost.exe at 21,200-21,400K ‘spiking’ every 10 seconds or so. I’d not really noticed it because it had hardly every caused any massive problems until now.
It’s certainly possible you’re infected, but the symtoms sound just a little more like an attack to me. Of course you should update and virus scan, but are you behind a firewall of any sort? I’d recommend that too.
Yeah I think it might have just been an attack too now. I downloaded ZoneAlarm Basic and I think that has fixed it. I have Norton Antivirus and ran some worm fixes but nothing showed up.
I also have a problen with svchost. It is using up 100% of my c.p.u. I’ve tried a lot of solutions from the web, but I’ve had no luck.
down loaded xp pac 1, symantec is up dated and still nothing. Any help I get will be well received. If you know of any web sites that can help me..There has got to be something I can do.
Rick
Well, be sure and read my article here, if you haven’t already (http://ask-leo.com/archives/000105.html ). Are you behind any kind of firewall? Sometimes the CPU usage can be in indication of attack.
The svchost.exe file is located in the c:\windows\System32 folder. In other cases, svchost.exe is a virus, spyware, trojan or worm!
You can check this in additional:
http://www.neuber.com/taskmanager/process/svchost.exe.html
hi
after connection of internet this porblem will accure and i not able to discvonnect the connection and it is to be restart the system
Well, I visited a simple web page and Norton came up with 3 viruses – 2 notepad.exe files and the third file was called svchost[1].exe. Stupidly, since I couldn’t clean them, I deleted them. Now, IE doesn’t load up (I get “Microsoft Internet Explorer had an error, so it’s closing”), and I can’t get Microsoft updates to download. Virus or deleting nice file? Note that I still have a file in my system 32 folder called svchost.exe, and I’m working on Win 2000. Thanx for any insight y’all may have. – C
Can you get an IE update to download? Or do you have something downloaded already that would allow you to re-install IE? That might repair it and allow you to move forward.
Hi
My windows 2000 advanced server is connected to net . As soon as i connect to net lsass.exe taking 100% of cpu time and machine bacame slow. What to do? Please help
I have a whole article dedicated to LSASS and the Sasser worm here: http://ask-leo.com/archives/000114.html
Dear Leo,
I had the same problem on my computer ie. svchost error..I searched on the net and came upon your forum..I saw on reading various responses that this is caused due to vulnerabilites in windows itself through which viruses can enter….So heres what i did….
1] Installed Windows2000-KB823980-x86-ENU.exe Update… Immediately..
Just installing this solved 90% of the problem..
2] Installed Firewall NORTON INTERNET SECURITY..
3] Installed all the critical updates from the microsoft website http://windowsupdate.microsoft.com/
I am just amazed that how vulnerable my system was.I had to install 17 Critical updates for my Win2k SP4..each update says of a possible attack..
so the best precaution is to install all the updates..
4] Installed F-PROT antivirus for DOS ..It has all latest virus defnitions but runs in dos mode.So when system starts up Press F8 and select dos mode and run the program.Advantage here is that as most people expirence that most AV programs for windows fail to detect viruses of this nature in windows environment.tHis dos version does detect viruses like MsBlast,Sasser etc.. So new viruses are unable to touch this..
http://www.f-prot.com/download/home_user/download_fpdos.html for the main program….http://www.f-prot.com/cgi-bin/get_randomly?fp-def for latest virus definitions…and ..http://www.f-prot.com/cgi-bin/get_randomly?macrdef2 for macro virus definitions…Unzip all the three files in the same directory say c:\FP\ and run the program in dos mode…. If there is a virus it will detect it..
Doing the above Solved my Problem completely and I had no system crash till now..Thats 2 days and wow!! my system speed has improved..
So I hope my post will help other people with this problem….. Cheers :)
I would like to say here that I was not able to update windows before installing
Windows2000-KB823980-x86-ENU.exe .It always gave some errors… But after installing this update things went smoothly…
Happy Computing
Thanks for your report, Gaurav. The DOS mode FProt technique is particularly useful.
Leo, help , i have svchost.exe error, and everytime i connect to internet , my modem is going wild, it sends data (and receivs but less) constantly , even if i don’t ask him to do so ( i even don’t start mirc) …. I have win 2000, service pack 3 , avast antivirus with all updates…… He had found several viruses (trojans) and removed all of them…. I have even tried to sfc /scannow but it didn’t help. I would be thankfull if you solve this puzzle…. Please contact me on my e-mail rdx@net.hr so i can see if you wrote something…
Thx
The article you just commented on has my recommended approach.
Hi Leo,
er.. I forgot to mention that one should go into dos mode from a dos bootable floppy.. or much better win98 startup diskette…we dont want the win2000 os to startup even a bit before virus scanning so…
Thankx
For a while now I’ve been having problems with IE – I can’t open two IE windows at once without it crashing and there’s a lot of slowdown even with one window open. I’ve noticed an extra copy of svchost.exe using up about 95% of my cpu, and if I try and end the process I get the one minute shutdown. Are my Internet Explorer problems connected to svchost?
I’ve scanned for both spyware and viruses (using AdAware and Norton AntiVirus respectively) and installed all avaliable updates from Microsoft.
Thanks for any help.
My Windows 2003 server is giving a svchost.exe application error
Steph: killing svchost is obviously the wrong thing to do. As the article outlines, there are supposed to be multiple copies running. It does sound like you may be infected. Have you followed the article’s instructions?
Aziz: same question: have you followed the article’s instructions?
I have a similar problem with svchost and crashing. svchost was continually taking >25% CPU, and I was getting intermittent crashing. I took all the precautions listed above, and the crashing seems to have stopped. However, svchost is still taking >25% CPU. It appears to be the Windows Management Instrumenation service that is doing it. When I shut this down the CPU goes back to normal. When I restart, or access the internet, the usage goes back up. Any idea what is going on here, and how to resolve it?
Regards,
Rupert
hayhey leo!
You should do something about the text colors on this page, you should have another color for your answers so that it will be easier to see what’s the question and what’s the answer.
Great article Leo!
Hi Leo
It’s an excellent resource your site. I have a query reference this article.
Above you say “…. make sure that ports 135, 139 and 445 are not being forwarded ….”
I am running XP Pro – how do I check this out?
That has to do with your NAT router, and how to check it will vary based on which brand of router you have. Normally there’s a web interface to the router that will allow you to configure these settings.
Thanks – I was looking inside out whereas I should have been looking outside in and then I would have understood.
I had no end of trouble with svchost.exe crashes and read everything on the damned net to help with it, to no avail. Most resources assumed I had a virus, which I did not (unless 4 virus checkers were wrong). I was also behind a hardware firewall with no infected machines on the LAN. I was completely patched and up to date as of April 2004 on win2k sp4. When the crashes were happening, Event ID 4097 was not uncommon in the application log, I was also getting i8042prt errors periodically (Event ID 28) though those may not be related at all, but the usual annoyance was the Event ID 26:
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 4/8/2004
Time: 6:08:10 PM
User: N/A
Computer: BLAH
Description:
Application popup: svchost.exe – Application Error : The instruction at “0x1000e765” referenced memory at “0x00000000”. The memory could not be “read”.
Click on OK to terminate the program
Click on CANCEL to debug the program
What ultimately seems to have fixed my frequency (up to 3x per day) crashes of svchost.exe which required reboots to restore copy/paste functionality in all programs…. was disabling the Server service in Control Panel> Admin Tools > SErvices and setting Server to disabled.
I was able to do this because the computer I was having this problem on (an IBM Thinkpad T23) wasn’t sharing out any printers or folder. Server service also disables computer browser, so really the only change I needed to make in my usage was to reference file shares by IP address rather than by netBIOS computer names. In my usage, the affected machine had no shares of its own, but it accessed shared files and printers of other windows machines on my home LAN.
So, in summary, try disabling the Server service. Seemed to work for me.
I hope this helps someone!
Todd H
http://www.toddh.net/
MY SERVER IS SUFFERING FROM SVCHOST.EXE 100%CPU MAXIMIZATION PROBLEM. WHEN INTERNET IS NOT RUNNING ON IT THEN IT WORKS NORMALY AND SHOWS 2% CPU USAGE. BUT AS SOON AS IT CONECTS TO THE INTERNET IT AGAIN SHOWS IN TASK MANAGER THAT SVCHOST.EXE USING 100% CPU USAGE. AFTER THAT MY SYSTEM SOON GET HANGED. AND THEN I UNABLE TO DISCONNECT THE SYSTEM FROM INTERNET. IN THIS CASE I HAVE TO REBOOT MY SYSTEM AGAIN AND AGAIN BY DIRECLTY SWITCHING OFF THE POWER SUPPLY.
AS THIS IS SERVER IT IS NOT GOOD TO REBOOT THE SYSTEM AGAIN AND AGAIN.
SO SIR , I WANT PROPER SOLUTION FOR IT. SO, PLEASE HELP ME . AS MY IMPRESSION BEFORE MY BOSSES IS FALLING DOWN.SO, I NEED YOUR HELP.
ONE THING MORE I WANT TO TELL YOU THAT MY SYSTEM IS FREE FROMM VIRUSES. BECAUSE I HAVE SCANNED IT REGULARLY WIHT NORTON ANTIVIRUS (LATEST EDITION).
AS I AM UNABLE TO PURCHASE THE ANY SOLUTION IN DOLLARS OR RUPEES. IF YOU CAN HELP ME WITH FREE SOLUTION THEN I WILL BE VERY THANKFULL TO YOU.
THANKING YOU
URS FAITHFULLY
ANI KUMAR
Many people swear up and down they are not infected, only to find later that they ARE infected – I would certainly sugggest a scan with a different anti-virus package just to be sure. All AV packages miss *some* viruses. I have recommendations here: http://recommend.pugetsoundsoftware.com
If you’re *positive* you’re not infected, then the symptoms sound like you are being attacked from the outside as soon as you connect. The solution is to enable or install a firewall. This article could help: http://ask-leo.com/archives/000119.html
My cpu suffers the fate of 100% useage. Although only due to re-installing XP Pro. I removed the problem months ago and it never came back (until now). There was a easy description on how to get rid of it. It did include deleting it from the registry. Damn, I should have saved it.
If you are still using 98/me, make a text file with notepad in c:\windows and rename it SVCHOST.EXE and give it System and Readonly attributes so nasty websites can’t replace it with their spyware.
I do this sort of thing to block recurring mal/spy/ad ware.
Hey Leo…
Great website. Thanks for putting so much time and effort into helping out total strangers.
My XP desktop has had the above problems with svchost using 50% of my cpu as soon as I boot the machine. I also have very slight, very regular network traffic. After an Ad-Aware/S&D scan and a good NAV exam, I used Proc Exp and found that the cpu usage was coming from hardware interrupts, but Proc Exp doesn’t give info for them. I also used a network sniffer and it looks like my computer is sending packets to my router and trying a different port each attempt. From the sniffer, it looks like a trojan running smack into my firewall. But I would like to know if the interrupts are indicative of the same thing. I haven’t installed anything new recently, and it started a month or so after a fresh C: drive format. I haven’t found a site that addresses my problem with interrupts, so I’m just curious if you have an opinion. I want to avoid another format so soon, but if it has to be done, I will.
That’s a hard call. It certainly smells like a trojan, but like you, I’ve never heard of symptoms that manifest as high CPU usage within interrupts. I assume you’ve run virus and spyware scans?
I am having the svchost.exe at max cpu problem on a new network i installed. it is a windows 2003 sbs server network, with a few winxp clients. everything was fine it appeared until i changed the users to roaming profiles, and suddenly they had the svchost problem on each xp pro machine (server is fine). i ran all the usual things – spybot s&d, virus scan, etc etc, went through each profile and checked for scripts that might be running, couldnt really find anything that might be causing it. changed back to a NON roaming profile, and has been fine for weeks now, but as soon a different user with a roaming profile logs in the svchost problems rears its ugly head again! and its driving me mad!!!, any ideas Leo?
I haven’t been able to locate anything specific to a svchost related problem when roaming profiles are in use. Does the CPU usage stay pegged for a long time? Like hours? One thing that comes to mind is that roaming profiles do copy a lot of information, and it may simply be doing just that. But of course I could be wrong.
hi there
I am facing some problem in Win2000 server the problem is following as below:
I have installed fresh Win2k server in new hard disk,after that when i am installing SQL server 2000, Its giving the message :”setup has detected that the following tasks are using files that setup needs to install.in order to avoid rebooting the machine at the end of setup,it is recommended that you stutdown the folliwing task(svchost.exe)”
I think this problem is related to svchost service.Even i have read most of tips from microsoft site and installed antivirus from http://www.Free-av.com.
after more efforts problem is still persist. I do’nt know what should i do.
Pls reply me to resolved this problem asap
Thanking You Waiting for your reply
I have been working on a friends computer that I thought had a virus but I noticed that the svchost kept overrunning the buffer. I have tried looking everywhere but here. Hopefully now I can fix the problem. THANK YOU!! ~:o)
umakant: I interpret that not as a problem. Essentially it’s just telling you that you may have to reboot your machine after setup finishes. You should not terminate any svchost process. I don’t see this as related to any virus, and as I said, it doesn’t seem like a problem to me.
I’ve run a few different scans for trojans, mal-ware, and viruses, all coming up clean. Since posting above I have found a quick fix, and aside from the fact I have to do it everytime I turn the computer on, it works rather nicely. I just kill the offending svchost and get into my services and start Windows Audio again, which runs on the same svchost instance. The sound was the reason I wasn’t just shutting it down before. Thanks to you and Proc Exp I am now playing games again without HUUUGE lag times. Great site.
I tried to update my sytem, but am having problems. I constantly get the svchost.exe error. I can’t seem to download sp4 from microsoft. I don’t know if my computer is too old or what. Any suggestions would be appreciated.
Richard
I’d get SP4 downloaded and burned onto a CD-ROM using another computer and install it while not connected to the network. Make sure you’re behind a firewall also.
I’ve recently experienced a constant ntermittent interruption in my connection. Covad repairman came to my place to test it and did not find anything wrong with its Covad DSL connection. He said that one or more of my software program(s) is in conflict with my Windows XP Professional, or causing the trouble. Can you recommend a good technician to fix my problem? Pls. reply asap.
There are so many things that could cause that, it’s hard to say. I’ll have you start here though: http://ask-leo.com/archives/000047.html
Hi,
I recently just reinstalled Windows 2000. (A completely new copy of it from a CD that is dated April 2000)
My computer boots up and starts ok, but once in a while, a dialog screen will appear saying that “SVCHOST.exe has caused an error and will be terminated. Please restart this program”
What should I do about that? My computer has NO viruses according to my virus scanner and after SVCHOST.exe crashes, stuff like windows media player won’t run.
Another thing… once in a while, when i check my system using the task manager, sometimes it says that svchost.exe (only one of them) takes up 99% of the computer CPU and my computer runs extremely slowly. What should I do about that?
Please reply.
Thanks,
Mike.
You should get yourself behind a firewall. You’re probably under attack from another machine that has a virus. And even if you’re virus free, be positive you’re up to date on patches and updates for Windows 2000 and your virus signature files.
Hey Leo,
Thanks for the information. My Virus Scanner has the latest update files already. I’ll be sure to check microsoft’s website for windows updates. I don’t think I’m under attack but maybe i am. I’m using a 56K Modem and I don’t think…
Well we’ll see. I’ll get more help here if I need. Thanks so far.
Mike
HI all I encontered allmost the same problem yesterday. All cpu processes are eaten up System stop responding.There were 5 scvhost.exe runing.when i tried to delete the last one it gives me the message “System Resart In 60 SEC”. Nortan Antivirus was unable to detect any virus on the system. So formated the primary parition and reinstalled the XP.As soon as installed Nortan interet security software it dispalyed the message ‘D:\Windows\svchost.exe “path created for some application.pls help !!!!
Did you read the article? Many steps to take there that should resolve the issue for you.
Hey Leo whats up!
Bro i have a problem when i connect to the internet the error message is shown that svchost.exe has an error and had to be closed ( Some Thing Like That ) and all my things were starting to work weard so what should i do plz help me.
Hi Sam. Did you read the article at the top of this page? A bunch of information there to help you.
Yes Brother i have done all this but the problem only appears when i connect to the internet although my system is alright but after connecting to internet i received the message which i tiold you before so what should i do.
Install a firewall. Chances are that even though your system may be clean, you’re under attack from outside. A firewall will prevent that.
Ok Bro i will do that are you sure it will properly remove the problem.or can i download th file svchost.exe from the site or copy it from the cd again.
If you’re not having a problem with your system while you’re not connected, then there’s nothing to replace. Naturally I would *definitely* recommend the standard stuff: making sure your Windows is up to date, running up-to-date anti-virus software, and so on. But that’s all stuff I assume you’re doing already since it was covered in the article. Good luck!
Thanks Bro, I will done that now thanks for ur help.God bless you.
Yes here i have a problem,i jus ran a antivirus check in my system it detected a svchost.exe virus, i cleaned my system still its slow…..HElp me out in case of solution mail me2 chanakyan_4u@yahoo.co.in
Don’t you get exasperated by all the fools who post questions without actually bothering to read your article?
Actually, I keep trying to find the path that leads people to comment on an article without actually being presented with the article. There used to be a couple of ways to get to comments without having seen the article, but I fixed that a couple of weeks ago. I can only believe that there’s still some reason I don’t understand or some path I haven’t found such that people aren’t seeing the article before asking questions that are clearly answered in it.
thx for the above.
however, still don’t quite get what to do – are you able to point me to something related to the bleow svchost issue?
many thanks in advance, barnaby.
(i use XP on a new machine, with current Adaware, spybot, antivirus software all running) i have a svchost.exe process ‘NETWORK SERVICES’ that starts whenevcer i connect to my new optusnet provider on a D-link DSL modem, and it normally stays running at about 99% cpu for some time. email and some webpages get thru eventually, when the cpu is free, yet it then clogs up again (it seems to run OK for a bit once it has actually loaded a web-site). if i end the process, it lets a bunch of email or whatever thru (the modem link shows as active), and yet then is erratic in connecting … yet the network services process doesn’t restart unless i reboot / restart the modem. extremely frustrating.
Are you behind a firewall? It sounds to me like you might be under attach from a different, infected, machine.
please send me svchost.exe remove tools
Please see the article above and follow the instructions and links therein.
Hi everybody,
For those of you who are running windows 2000 on their PC or Laptop…
I have found that after installing service pack 3, the SVCHOST.EXE error is FIXED.
Just to be sure, after installing SP3 successfully, I suggest that you go to the microsoft windows update and get the latest stuff.
Hope it works for you,
Mike.
Actually that’s mentioned in the article, and the latest Win2k service pack is SP4.
Yeah, I know that. This information is just for all those people who just post and don’t bother reading the article.
Mike
Didn’t seem to see this in the above discussion. I continue to have the warning/error: cannot find the file “svchost.exe” (or one of its components). Make sure the path and filename are correct and that all requried libraries are available. I have found the svchost file. I have done the tlist -s and noted the services that run for each of the svchost sessions(?). Now how do I know which one is the one that is causing the error and then how do I eliminate (delete it)? Any help would be great.
When does that happen?
Thank you Leo, my problem wasn’t quite like the ones described in your article, but since it was quite similar, I gave it a shot… And it seems to be working. Here is what was happening:
I’ve been using Windows XP Pro on my primary workstation for at least one year without a problem. Recently I configured another PC in my personal LAN with Windows 2000 Server and began to use its log-in on all PCs (98se and XP). Then, most of the times I tried to log-off on my XP, the svchost process running RPC service would go to 100% and stayed there until a reboot. It din’t happen everytime, but most of them. I visited the link in your article to Microsoft’s hot fix, read it and, following it’s instructions, my registry reported that it had already been installed. As the article posted that it would not harm to install it again, so I did. After a manual reboot, the problem appears to have disappeared. Recalling: My Windows XP started to go 100% svchost rpcss during log-off after it entered a Windows 2000 domain. I use ZoneAlarm on every PC, a proxy and Norton Antivirus.
Thank you.
In response to your question of when does my warning/error occur; during restart or startup only. After that it never occurs again.
I did a search on my C: drive for any instance of the services identified when I review svchost:RpcSs, EventSystem, NtmsSvc, RasMan, SENS, TapiSrv, and wuauserv. All had DLL files except for EventSystem. So I deduce that the non-existence of EventSystem is the reason I am receiving the warning/error at re-start and startup. So now how do I get back EventSystem DLL(?) or the appropriate file? Thanks for the help.
Interesting. The eventsystem may not have it’s own dll. However if you’re running XP, system file checker should restore missing items. http://ask-leo.com/archives/000074.html
What I first suspected is either spyware or a rogue startup entry. I’d use a spyware scanner to see if that cleans anything up (recommendations: http://ask-leo.com/d-recommend) and if not, I’d examine what’s being started automatically
when you log in: http://ask-leo.com/archives/000025.html
I ran the Process Explorer for SCVHOST.exe and upon opening the details for the SVCHOST.exe taking up 100% usage, I find about 200+ programs. I know this is not normal. There about 100 HKLM or HKCR or some kind of variation. So I’m not sure which to get rid of. And does Process Explorer find them for me?
I ran the Process Explorer for SCVHOST.exe and upon opening the details for the SVCHOST.exe taking up 100% usage, I find about 200+ programs. I know this is not normal. There about 100 HKLM or HKCR or some kind of variation. So I’m not sure which to get rid of. And does Process Explorer find them for me?
I ran the Process Explorer for SCVHOST.exe and upon opening the details for the SVCHOST.exe taking up 100% usage, I find about 200+ programs. I know this is not normal. There about 100 HKLM or HKCR or some kind of variation. So I’m not sure which to get rid of. And does Process Explorer find them for me?
If you’re looking at the lower pane, those are NOT programs. Thw lower pane lists resources that this instance of SVCHOST has open. (HKLM and such indicate registry entries that are in use.) This is *normal*.
Dear Leo,
I have had a problem with this svchost.exe program for a while now. It is some kind of global dialer for a stupid porn site that was downloaded onto my cpu. I have no idea how it got on there, but I have uninstalled the program many many many times, but it keeps coming back. I am on the Windows 98 SE system. You said that it is probably a virus, I did a scan of the program and it is saying that no viruses were found. What can I do about this and how do I get it off permanantly? I would really appreciate any help you can give me.
Actually this sounds like spyware. Get a copy of spybot or adaware (or both, they’re free) and scan. They should clean it up. Links over on my recommendations page: http://ask-leo.com/d-recommend
Hey thax a lot 4 this damn info…this svchost has been screwin my brains 4 a long time…I guess My whole College Lab is affectected by somee virus which provokes svchost…Thax man
Before I found this site, I found what seemed to be a reliable site that told me to delete svchosting.exe because it was like a virus. Now I see that was a mistake. Is there any way I can get it back?!
Do you really mean “svchosting.exe” and not “svchost.exe”? The difference is important.
I’ve lost my svchost file. Is there anyway to download a new one?
(WIndows ME)
HELP!
Another machine with Windows ME, or on your installation CD (probably in one of the .CAB files).
To workaround this problem go to :
Services-> Network Location Awareness
and disable the service.
You must reboot the computer afterward..
good luck !
To workaround this problem go to :
Services-> Network Location Awareness
and disable the service.
You must reboot the computer afterward..
good luck !
Thank you for the information here. On my XP machine svchost.exe asks to connect to http://www.windowsupdate.com rather than http://www.windowsupdate.microsoft.com. Is this a spurious site indicating I have a virus/trojan on board?
It’s valid. Visiting that site manually takes you to the same place.
Very nice info, but if a program like AdwareSpy detects it and asks me if I want to remove it, should I remove it? Cause in this document you state that you should not remove svchot.exe. But in a wee comercial add on the side of it it says: “Remove svchot.exe”, Complete Adware/Spyware Removal Huge database Clean you’re system, http://www.AdwareSpy.com.
So should I remove with that program?
If you are running WIndows NT, 2000 or XP … NO –
http://ask-leo.com/archives/000140.html
You should not delete svchost.exe. But be careful of the spelling … you typed “svchot.exe” which is different – no idea what that is.
Spelling, even a single character difference, is important.
i saw someone above mention “svchosting.exe.” I had a computer giving errors dealing with svchosting.exe at startup. Can anyone confirm that svchosting.exe is evidence of a virus. I’ve seen online that it may be an sdbot variant, but the info i have seen is only starting around 8-1-2004.
The computer that reported the problem with svchosting.exe did seem to have symptoms that could be caused by a virus — lots of extra memory usage, with not many programs running and cpu usage was jumping around erratically from as low as 2% to around 55%.
any info is appreciated.
I found this on it out at Trend Micro: http://ask-leo.com/d-40805a
Looks like the culprit. Includes removal instructions.
I run Win98se and I woke up to this:
whenever I try to run any application or internet browser othet than IE I get this message –
“Windows cannot find svchost.exe. This program is needed for opening files of type ‘Application'”. I ran two full on-line virus scans – I still suffer. Can’t run ‘regedit’ nor ‘msconfig’. After the boot Windows calls for missing ‘SMSSxe.exe’ and then serves me the message about ‘svchost.exe’. I am stuck!
Any Ideas how to fix this?
Thanks.
i keep getting this warning pop up the last few days>> “generic host process for win32 services (svchost) is being contacted
from a remote machine 172.16.5.188 using local port 135 EPMAP location
service dynamically assign ports for RPC do you want to allow this
program to access the network” what does this mean, is someone trying to attack my computer?
Probably. It’s probably someone who’s infected with a virus and doesn’t even know it’s going on.
Guess there are many instances of this svchost.exe problem
bought a TV capture card. installed software.
after i log off, svchost.exe consumes 95% CPU.
doesnt consume CPU when i restart the system. only after i log off.
Followed instructions from this website:
windows xp home, so no tasklist. Installed ProcessXP. Noticed that the one of the svchost.exe is consuming the resource. The service tab shows only the RPCSS service.
Installed the patch from one of leo’s links to microsoft. Ran Antivirus, Spyware and Ad-aware.Nothing useful.
Uninstalled the TV card software, didnt have the problem. Installed the software again, log off and logged in. The problem is just there.
Thanks for any ideas how to solve.
should I go for XP sp2 but I dont want to install it now after all the reviews, all remaining updates have been installed.
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Try this
Hi, one of the system svchost.exe’s on my computer is using a very large amount of memory. In addition, my computer can’t connect to the internet but when I connect the ethernet cable to the computer it detects it. The taskbar is also not loading properly and explorer keeps freezing. What do I do?
I disabled the SSDP (might have spelled it wrong) service that other people mentioned. Explorer now loads properly but I still can’t access the internet. Any suggestions?
This article may help: http://ask-leo.com/aboutblank_hijacked_my_homepage_how_do_i_fix_it.html
Leo – Great job of explaining svchost, but unfortunately I think this service may be negatively impacted by xp sp2. I’ve installed sp2 7 times, from both the download and from the MS CD, and the results are always the same. The computer takes 10 minutes to boot, and then you wait 3 minutes every time you push a button (My Computer, Word, etc.). I can immediately gain my lost speed by using Task Manager to delete the second listing of svchost (Network Service). Unfortunately, this soon generates a RPC error and shutdown. This second listing of this file doesn’t appear in sp1, only after installing sp2. Disabling the sp2 Security Center doesn’t help. Microsoft’s canned response is “you have a worm”. Norton Anti-Virus 2004 (definitions up to date, MS’s own Blaster removal tool, and Symantec’s own stand alone
Blaster removal tool all say I don’t. I’m not the only person who has installed sp2 to experience this problem. Aside from waiting for sp3, do you have any suggestions? Thanks
My first reaction is that perhaps you are not behind a firewall, and are under attack from the outside. It’s hard to say, though. I did Google for “SP2 slowdown” and there are several instances, some which might apply to your situation.
Leo – Thanks for the response. Actually, I am behind a router firewall, and I doubt any attack would only be successful when SP2 is installed. Some MS Development Team members have indicated the SP2 bugs now number more than 800. If true, I suspect one of your contributors will solve this problem long before MS does. Good luck.
Leo,
I’ve been having a problem with _svchost.exe_hogging_my_CPU_(98-100%)_ ever since I installed SP2 on my Win XP Pro machine. (Strangely, the problem did not seem to occur immediately after the install. The system has not been modified at all since the SP2 installation however.) Along with svchost.exe consuming nearly all my CPU, I would also like to note that my_internet_connectivity_has_been_comprimised. Packets are being sent, but none are being received. This is true whether I am connecting by wire (NIC) or wirelessly (USB adapter).
My initial steps to combating the problem are as follows: (1) Using another machine, I checked to see if the modem and router were working properly. They both were fine. (2) I then proceeded to do two different viruse scans (NAV and AVG) with the latest definitions. No viruses were found. (3) Using the latest definitions for Ad-Aware and Spybot, I then scanned for spyware. I found a few pieces, but nothing that solved my problem. (4) I turned to Microsoft and they told me to remove SP2 through the Add/Remove Programs feature. As you might imagine, this did not solve my problem either.
I have found a partial solution to my problem however. I systematically went through the services started by svchost.exe -k netsvcs at boot time and found the the RIP Listener (Iprip) service was the root of my CPU hogging problem. I disabled this so that it would not start at boot time and my computer is now close to its former performance.
The problem that remains is that of my internet connectivity. After booting my computer up and before logging in, I believe there is traffic in both directions. (I can check this activity after logging in.) After logging in though, I believe packets are still being sent, but none are being received.
Any ideas on how to remedy this situation?
You’re behind a router that’s providing NAT? (I want to make sure you;re behind a firewall). I’d be tempted to fire up tdimon or tcpview and see if you can identify the process that’s sending. (http://ask-leo.com/how_can_i_tell_what_internet_activity_is_happening_on_my_machine.html has more info.)
Yes, I am behind a hardware firewall. (I had been using a software firewall (Zone Alarm) as well.)
I took a look at tcpview and tdimon and it seems that all the network traffic is local — on my machine alone. Interestingly, the only failure notices I get with tdimon is with receiving data over UDP. UDP transmission and TCP transmission/receiving seems to be fine. Also, all transmissions (TCP and UDP) appear to be over ports 137-139. (I’m not sure if that is significant or not.)
Using ipconfig I found that my IP address is being auto-assigned by Windows and not by DHCP as is supposed to happen.
And just to reiterate, I know my NIC, modem and router are working. I happen to be writing you from the same troublesome box on the same network; I am just running a different OS (Suse Linux) currently.
Hi Leo, Once internet explorer is launched svchost.exe runs using 97/99% and cannot connect to internet. Even when I exit, with nothing else open, svchost still running at same level. Once I reboot the PC works perfectly normal as long as I stay away from internet.
Sounds similar to problem RAMAN posted 9 sept.
MUCH OBLIGED IF YOU CAN HELP
Slaite
tisdawg: I’d be tempted to turn off zone alarm and see if you get a DHCP assigned address.
Multiple svchosts is normal: http://ask-leo.com/archives/000030.html
Andrea: sounds like you’re being attacked from the outside. I’d make sure to follow the steps in the article: get updated, get behind a firewall, and scan for viruses and spyware regularly.
Had the same problem. Used Spy-bot and found a few tracking cookies, nothing major. Removed them and it didnt change still using 100% cpu. However when I removed Gamespy Arcade everything suddenly went back to normal. Hope this helps.
Well? problem solved! I followed the instructions on the article but there was no virus to blame. My problem was that my computer was very slow and popping up messages of ?virtual memory too low? (online and offline). Eventually programs would close on their own. I would have to restart the computer to have at the most half an hour of a not-quite-trouble-free-but-bearable working computer.
One of my SVCHOST processes was working at 80,000K of memory usage as a ?local service?? when I first noticed. After I restarted I noticed that it would start at about 40,000 and then grow nonstop from there (offline) until it would obviously occupy 100% of my memory and good-no-more have to restart again. (You can check this by pressing ctrl+alt+del and check ?Processes?).
Diego (posted April 2004) posted something about disabling the SSDP Discovery Service Process? his symptoms seemed very familiar to mine? so I tried. The status of this process was “start pending” and pending it remained. I disabled it and problem no more!!! Nevertheless, Leo, please let me know how disabling SSDP will affect my computer.
Just so you know? My problems started after I downloaded through Windows Automatic Updates the “Update for Background Intelligent Transfer Service (BITS) (KB883357)”. I uninstalled it but it didn?t fix the problem? what does this have to do, if anything, with the SSDP??
Well? THANK YOU VERY MUCH Leo and Diego? I had been going crazy for over a month now.
hello all maybe you can help.
ok my computer will boot fine, but when it comes to scvhost MS C++ runtime keep coming up with errors saying that it has asked it to terminate in an unexpected way. my system is clean when it comes to viruses (Avast, Norton, f-prot and the vrius scanner in Sytem suite 5 (ss5), no viruses)and the last thing installed was system suite 5, as a last ditch effort to get my sytem running, as the taskbar and *only* the taskbar would freeze as i logged in to the system. causing me to have to kill explorer and restart it or another shell (Litestep) now since i installed SS5
i get the error and have to wait five minutes untill i can hit hte ok button and the error goes away.
can anyone tell me whats going on?
heres whats in the error box:
Svchost.exe has asked microsoft VC++ runtimes to terminate it in an unexpected way. please contact the applications suport team
it goes away after explorer stablizes and clicking “ok” removes the message box but i have to restart the computer to allow anyone else the chanse to use it and they have top go thru the same thing
i could realy use a fix , or suggestion besides : REINSTALL, because its to much of a pain to backup 60 gigs on a unstable tempermental system.
thanks
Seth
Hello! I found this page while searching in google. I think its a lil bit repetitive, but i just have the same problem :/ I got installed the service pack 4 for win 2000 pro but i dont know why this app gave me problems (while installation and after). When the program is terminated by windows, my lap does NOT crash at all, but i cant go paste and all the problems metionated up there. With the only difference that it works like “normal” no sys crash, no internet or network connection problems, and no automatic restart… I dont know what to do, i was trying to uninstall the SP4 that i just downloaded and then re-install it once again, but in the control pannel/ software is a bug, i cant see whats in my lap installed, or the programs that i can use (and so on) why? how can i uninstall and reinstal this sp4??? I was thinking to reinstall all the OS but its a lil bit… u know… burrying :-P
hey ya’all! ..dude i got a serious problm here..i have this “svchost.exe”(network service) running and hogging up all my cpu processing speed..and im totally aware of the scvhost virus and adaware..i use norton 05 with updated definitions and im using spybot,adaware and spysweeper..now i have nothing detected!..and i dont know why it does that..but when i kill that process the service restarts again and everything is normal but when its running i cannot even open a single program..i can really use some advice here guys cuz i re-formatted and i still got the same probs..do u think its created by the windows sp2 firewall maybe?,or msn 6.2? cuz i get that thing stuck sometimes too, anyways help is appreciated ,thankx
problem – cpu 100%
solution – go to “run” – tipe there “msconfig” – than go to “services” – turn off “DNS Client” – restart comp and that’s all
Hi,
I have had similar problems with SVCHOST.EXE Network Services hogging cpu at 100%, cleaned out all spyware trojans etc, but no better.
Then read Damir’s advice here, and Bingo, problem solved, many thanks
Leigh
No dice on the `DNS Client’ shut off in my case. You cannot disable that when you have to use IPSEC. The system I see the problem on runs VPN client software, therefore needing the IPSEC functionality. Any other ideas?
Guillermo, put msconfig , not msconfig. .
Ok I disabled the DNS Client and the number of running SVCHOST.EXE went from 4 to 3 but 1 of them (the one that runs 20 odd services) STILL takes up 99% of my CPU.
Do you really mean svchost? You DO NOT delete it. It’s a required system component. This article addresses that: http://ask-leo.com/can_i_delete_lsassexe_svchostexe.html
I had trouble with maxed out CPU due to svchost and lsass processes. the box (which is a pretty slow one anyway) was taking up to 15mins to log in, and was running like a dog before I killed the svchost instance that was causing the lag. In my case it turned out to be a remote assistance request that was trying to reconnect at boot and being blocked by security policies (hence the lsass). Disabling remote assistance through ‘my computer->properties->remote’ solved the problem for me. Just thought I’d post here as it’s not something I’d normally of thought of, I got onto Microso… no I can’t say it, and they were actually helpful! Bless ’em…
I’m posting this comment just to thank you for the excellent article on this “svchost cpu overuse” problem, and especially for LeighB pointing to Damir’s simple and elegant solution, which fitted perfectly in my case, where there was no spyware or virus problem but a buffer overrun kind of problem. It has been a braincracker for me this past days and you all really supplied the help so much needed, thanks again.
I seem to have the exact same symptoms as John (posted 4/10/05).
> My system is very sluggish
> The Start/Task bar is missing
> When I try to run some system programs (e.g. System Restore) a window opens, but then hangs.
Checking the running processes, shows the svchost.exe process that is supporting RPC is constantly using 99% of the CPU.
I’ve run all the anti-virus & spyware tools, and I am no longer connected to the internet. Still no improvement.
Hoping you might have some thoughts on how to fix my problem. Thanks.
Wade
Well, it certainly SOUNDS like the viruses discussed here. I *assume* you are runnign Windows XP. I would try the system file checker (rebooting into safe mode, if need be, to do so), updating your virus databases, and perhaps even running an additional virus checker.
ok. i resolve it!!!!, in my computer this problem start when i had a problems with my sound card and i remove it, then i cannot shut down my computer because every time hangs saying “saving your settings” that was terrible. well, i search all over the forums in internet and someone said that he took of his sound blaster card, and when he place it back everything were just fine. i do the same, i install my sound card again and when my computer starts it still with the cpu ussage problem but when i restar it, this problem was solve. Thanks God!!!
it wasn’t a virus or trojan, its a problem with your computer hardware or software.
Posilutely my svchost.exe file was corrupted by the malware “SecureiMaster”. While we’re at it, block cookies from doubleclick.net and advertising.com ; I did not do so and had to delete IE6!! Went to: http://www.lawyersandsettlements.com , signed on to class-action suit against Doubleclick, Inc.
Svchost.exe is not dangerous itself. I had the same problem, svchost.exe used 99-100% CPU. However I just found the solution. The reason for the cpu usage is a virus, whenever I opened iexplorer.exe, the virus tried to initilize the TFTP (trivial file transfer protocol), after which the CPU usage for svchost.exe went up to 100%. This you have to block with the firewall. Next, go to the run menu, type msconfig. In the startup tab, go through every file, and double check with http://www.bleepingcomputer.com/startups/ , to check if the file is dangerous. You will most likely find several trojans or parasites.
Remove these from the startup menu in msconfig.
Restart, and the computer runs fine :-)
PS! Would be a good idea to remove these files from your comp. aswell ;-)
I have had several different problems. svchost.exe.mdmp comes up at startup. I have sent report, then my modem thinks it is connected still and I restart. Sometimes doing this twice before the svc behaves. My dial up connection (netscape which is no help) gets connected then it takes from 5-15 min. to open IE also stalling the computer from doing anything else. My sound (Audio Excel) only plays some sounds like the windows opening and you can faintly hear the quicken sounds. I didn’t try taking it out and reinstalling. I ran virus and adware checks. All clean. I have updated with microsoft, just today. I don’t know if all these are related, they just seem to happen at the same time. I do have one question, you know where the window updates are in the add/remove programs? Should they all show the date they were added? Hey thanks for being here. There is alot to read here.
Sounds like quite a bit of a mess. I’d make sure that your anti-virus and anti-spyware databases are up to date, and perhaps even use a second one of each (not all scanners catch all problems). I’d also try a system file check, http://ask-leo.com/what_is_the_system_file_checker_and_how_do_i_run_it.html and possibly review what’s getting started automatically: http://ask-leo.com/whats_all_this_stuff_running_after_i_boot_windows.html
Good luck!
So after commenting last night I checked the config. Unchecked a few items, one of which was blank and bad according to bleepingcomputer. I am now down to four items. When starting today I did not receive the svchost.exe. blah blah blah, but I did get a confirmation of change and yes/no box from config sys. Is this going to come up at every startup? I have since reading your response ran SFC, which found nothing wrong. I did run two adware programs but only one virus all of which are up to date. Sound is the same, haven’t tried anything there and it took 20 min to open netscape. Ugh! I do appreciate the help. Is French Roast your favorite? thank you
svchost.exe is doing the same thing for me… Only the system get soooo sluggish, I cannot even run the Win2000 sp4!! Any suggestions ? (it ran last night for 5.5 hours, because once you startit, it needs to connect the the net to get its full install kit, that’s when svcohst starts to hog the CPU).
~AS.
Be careful with svchost.exe file. Its a system file but its widely used by parasites to deceive the user. there are various similar filenames which looks similar.
Detailed explanation and exploits read here:
http://www.2-spyware.com/file-svchost-exe.html
After I have booted the pc (XP SP2 Home edition up to date from Microsoft) sometimes 1min sometimes 5min the the message comes up win32 got an error and have to close, mod svchost.exe submod ntdll.dll and when this happens I loose the direct sound the rest works ok. I have re-booted without starting anything (msconfig and disable all startup pgms) and the same hapens. can you help.
Make sure you’ve run up to date virus scans. I sounds like a virus.
I’m sorry I should heve included that I’m running Norton Antivirus 2005 updated with latest virus definitions and running Spybot with latest signature file and have Sygate personal firewall installed but to no help. Before the problem occurs sounds and audio devices in control panel looks ok, after the problem have occured it tells me no audio devices, going through all hardware checks I have found, all hardware device are working ok but no sound (including CheckIt Diagnostic from Symantec)
I’m ot of ideas,
Leif
My next step would be the system file checker: http://ask-leo.com/what_is_the_system_file_checker_and_how_do_i_run_it.html
You *might* have to run it after booting into Safe Mode, I’m not sure.
I’d also grab a second free Anti-Virus scanner from somewhere. I keeping hearing mixes results from and about Norton.
I experienced the crash too, until I configured the Norton Internet Security Firewall to BLOCK ALL of the Programs that were unnecessary on a day to day basis.
The default was AUTOMATIC, which says that Norton will consider what is safe and what is not safe. Once I changed everything to BLOCK, the crashes disappeared. Now, if I wish to allow a program to access the internet (such as a browser) the BLOCK POPS UP and asks me for a one-time approval.
Other features allowed me to always accept certain IP addresses or domain names. I am still learning about the Norton Tools, but I was crashing before. (This was all after a clean bill of health on viruse scan).
I would like suggestions on excellent spyware programs to run.
And I also would like to know if running more than one virus will have a conflict.
My anti-spyware recommendation: http://ask-leo.com/recommendation_microsoft_antispyware.html
You can install more than one anti-virus program, but you should NOT enable real time checking in more than one at a time – that WILL cause problems.
I had a problem with svchost.exe using up all cpu ussage. I found the answer by locating the PID number in the task manager, then using the Start> Run> cmd> “c:\>tasklist /svc” I found out the PID number of the “wirus, spyware or combonent” using the svc shell. I didn’t find any file named “dnscache” so I opened the registry editor “Start> Run> regedit.exe” I searched through the whole registry for dnscache which was causing the cpu to run at 99% IN MY CASE! deleting everything I found connected to dnscache or setting the value to 0 if possible. This was a desperat act, and I was ready to format If it wouldn’t work.
My computer works 100% normal,, also on the internet and the lan..
Hope this helps.
Johann
I had a problem with 100% CPU usage because of svchost and I had the 60s restart. If this sounds familiar you should do the following:
-Get a good antivirus and scan(BitDefender 9+ updates)
-Get a good anti-spyware and scan (Spyware doctor)
-Get the windows security patch (http://support.microsoft.com/?kbid=824146)
-Configuer your firewall to block the UDP/TCP ports:
135, 137, 138, 139, 445 and 593
-Thank Leo and Black Viper for the help :)
PS. svchost should stop hogging the CPU after you install the microsoft security patch.
If the reboot starts when you try to repair the program use this command in the start/run “shutdown -a”.
Hope this helps anyone in this situation.
Alex
I would grab process explorer – http://ask-leo.com/d-procexp – right click on the svchost instance that is using all the CPU, hit properties, and see if you can tell which Windows service it’s attempting to run that’s doing that. That may at least provide a clue.
One quick question: I’m using Sygate’s Personal Firewall Pro, and would like to know if I should select local, remote, or both when it comes to blocking the above-mentioned ports.(I understand that I need to select both the TCP and UDP protocols.) TIA
skay: I’d be tempted to block both directions.
doyle: you’ll have to restore from your installation disk, or copy it back from another system.
Just one further clarification, Leo. I understand the need to block both directions – incoming and outgoing. As well as blocking for UDP and TCP. What I was asking about was whether or not I needed to block both LOCATIONS – remote and local ports. Maybe that’s what you meant when you said you’d be tempted to block both directions. But I wasn’t sure. TIA again. :-)
Ah… local. You’re protecting yourself from incoming connections.
I installed the security updates, in safe mode and in normal but svchost still took up 50% of my processing power. (I’m thinking it probably would take up 100% but I have a hyperthreading processor, maybe that’s why)
Then I used the awesome process explorer program and I went to the properties of the svchost that was taking up 50% of my processing power and found that there was a thread with the start address of kernel32.dll!RegisterWaitForInputIdle+0x4a or something like that. In fact there were two of those threads with that start address (at least they were very similar). Only one of them was taking up 50$ of the cpu. I killed the thread because I was so impatient to use the computer and now it seems to work, but of course this is a temporary fix. Do you know anything about that thread or what I should do about it?
Look at the properties for that instance of svchost and see what system service it’s providing.
It’s providing a lot of system services, and they all look pretty legit.
AudioSrv, BITS, Browser, CryptSvc, Dhcp, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogonSENS, SharedAccess, ShellHWDetection, TapiSrv, TermService, Themes, TrkWks, W32Time, winmgmt, wuauserv, WZCSVC
I’m running windows sp1. The only service without a description in Process Explorer is ShellHWDetection.
Thanks
Any particular reason you’re not at sp2? That’s one of the highly recommended approaches to dealing with these issues. This article has the steps to take for a successfull install: http://ask-leo.com/will_sp2_crash_my_machine.html
SP1 slowed down my machine, and I’m fearing that SP2 will slow it down further. Also, that security center seems pretty annoying.
Like most people who haven’t installed SP2, I’m scared that some of my programs won’t work, especially the multiplayer components of older games, like Red Alert 2 (even when the firewall is turned off).
I’m pretty sure the reaon I got this… malfunction… is because I was online without my ZoneAlarm firewall on (I just ugpraded and I didn’t want to restart the computer).
So I tried to install service pack 2, and it failed so I eneded the task (normally, without end process) and when I restarted the computer it was trying to roll back the cahnges, then after the next restart after logging in, it said that Service Pack 2 did not install successfully and that the system was in an unstable state and that I had to uninstall SP2 using add/remove. After I clicked ok the computer crashed and restarted before the start menu appeared (or anything else)…
Fortunately, I was able to uninstall service pack 2 in safe mode, and then I remembered the winternals administrator’s pak. I ran the crash analyzer and it told me the driver that caused the failure (when my half sp1/sp2 crashed) was bdguard.sys. A search on google led me to only chinese sites that (with rough translating tools) said that BDGaurd.sys was a new virus no antivirus product on the market was able to fix.
After i followed the procedure to delete system32\dirvers\bdguard.sys (I also deleted system32\bdguard.dat for good measure), the computer seems to have been fixed.
Wow. Well done… and thanks for sharing all that information!
The #1 reason for SP2 failures is pre-existing spyware and viruses on the machine being upgraded. (That’s why I pointed to that list of things to do first.) I expect you’re gun shy at this point, and I can certainly understand that.
Problem: svchost.exe was maxing out the CPU (under user name of Network Service) preventing connection to internet.
Culprit: using very large hosts file from Supertrick suite to block ads in brower while DNS Client service is running.
Resolution: do ipconfig /flushdns to clear dns cache. Then, disable DNS Client service. Browser connected to internet perfectly, blocking ads with host file, and Svchost.exe not causing CPU maximum usage.
Read on further if needed…
In my case I was using a very large hosts file from the Supertrick suite to block ads from my browser. For the longest time the hosts file caused no problems. But one day I loaded my browser and couldn’t connect to the internet.
The Task Manager showed svchost.exe with CPU usage of 99% and user name of Network Service. If I killed the task I could connect. But this was a pain in the ass. If I deactivated the host file I did not have the problem but got the ads in my browser.
The culprit wound up being the DNS Client service being on automatically and apparantly keeping cache of entries in very large hosts file. When I flushed the cache and disasbled the DNS Client the problem went away.
I inform about successful solution of problem with SVCHOST.EXE big (80%) resources usage:
Use ProcessExplorerNt ! Using it, I have found the consumer of resources (SVCHOST), and in its Properties/Services – such consumer as tapi services (someone can have others) consuming formally small resource (1-3 %), but probably twitching SVCHOST constantly. Therefore I have killed totally ugly made fax service of Windows XP – now silence!
One of the programs you recommend for cleaning up the registry is PConPoint. I bought this program, but it has not gotten rid of the error message I get after startup. Repeated emails to their support have become circuitous and we are now back to stage one. All their email replies appear to be canned messages with no personal response. It appears no one speaks English, or at least there is no attempt at a personal reply. I feel I have been cheated by purchasing this software because nothing has changed in my computer.
To be clear, I’ve not recommended that program – I’m not even familiar with it. Perhaps it was displayed in an advertisement – the contents of which I don’t control.
Hello there!
Thanks for the great article about the svchost problems, I had this problem and the microsoft fix did patch it. However I must say that I am a little disappointed, as none of my virus scanners and anti spyware programs were able to detect and remove it ( I have used AntiVir XP, Panda Active Scan, LavaSofts Ad Aware, Pest Patrol, Mc Afee Anti Spyware and PAL Spyware remover, all with no luck so I am probably still infected. )
It would be interesting to know how exactly to fix the problem. I am assuming that the virus / trojan modified one of the DLL files, or added its own DLL files to one of the services. I compared my services list with the one of an uninfected machine and found no difference, so I dont think the trojan adds a new service.
Also it seems to me that svchost is required to have internet access – as soon as I prohibit access of it in zone alarm, my whole machine was unable to load any webpage or use any internet application. With my router’s DMZ disabled, as you said in your ( great ) article, the baddies remained quiet and didnt cause any trouble. Its a highly annoying thing and at the same time it would be interesting to find out even more about it, and how to permanently kill the remaining ad and spyware and virus programs. I also found it to trigger other malware – a “bleh.exe” , the mentioned “scvhost” aswell as the usually windows-normal “tftp.exe”. Anyway, great article, helped me out! two thumbs up!
zone alarm keeps prompting me that svchost is attempting to access the internet when i block it and check the alerts and logs section of zone alarm indicates this ip and url that is causing the problem 209.244.0.4:53 resolver1.level3.net .
I have been unable to trace this ip other than that it is originating from Aurora Colorado.
What is it? Is it legit? Should I permit access. Sometimes it make four attempts for every one denial then after that I can no longer connect to the internet. Usually closing my browser, then restarting it enable me to once again get access to the internet.
I believe *that* ip is just doing a DNS lookup (mapping some name to an IP address). I’d be more interested in what accesses followed that.
I think this is one of the best articles I’ve ever read. But what to do in our case?
My company is using aplication with DCOM technology, and on client machines we installed XP SP2. After that our application could not run.
One of the reasons was Firewall which is On by default. To solve this problem, we made exceptions
for application, but also for port 135 which is used by DCOM(it is not running without that port). Now our application is running but what about vulnerability of port 135???
Leo thanks mate for running this thread. 28 pages long and going. Wow! Just shows that this is a major problem.
Well thanks to you and Eric, I got my svchost sorted. Yippee.
Like others here, I run and up to date virus checker, AVG7 and firewall ZA. I also use process guard and wormguard, spyware guard, spywareblaster, TDS-3 with the last update, was using free version of ewido, scan regularly with Adaware and Spybot Search and Destroy and Acronis Privacy Expert. Despite all this I ended up with this problem. So maybe not a virus or spyware issue here.
To sort it I cleared my dns cache and disabled the DNS client.
To do this I did clicked start, run and type ipconfig /flushdns to clear dns cache. Then I clicked on start and run again. This time I typed in services.msc. I found the DNS client, right clicked and selected properties. I changed the startup type to disabled, clicked ok and exited services.msc. Rebooted and connected to the net with no delay and no freeze. :)
So thanks folks for your help.
Whoa! Almost as bad as packing a parachute with no D-ring:
svchost.exe at this end has been disabled (!) accidentally via System Mechanic. Now SM itself won’t run–plus a “host” (no pun here) problems attending the tragic absence of this module.
CAN YOU HELP US RESTORE THIS GENERIC PROCESS?
Best regards
Leo:
Thanks for this thread. I tried everything that you have up here:
* Firewall is on
* I have two anti-virus (AVG Free and Windows OneCare Beta)
* Two anti-spyware (SpyBot SD and Microsoft Antispyware)
The problem I have had is that the svchost.exe (by the SYSTEM) is taking 100% CPU processing. This usually happens when I am trying to play a game from Jigzone.com. But, I get around it by disabling the process and then restarting afterwards. It is very annoying.
What I wanted to say though is that none of the virus scan or anti-spyware detected a problem and the firewall is on all the time. So, what else can I do to fix this problem?
Hi Leo,
Excellent article – most informative. I have a new twist. I have the 100% CPU occupancy problem, like everyone else. However, I don’t quite have the latest Windows 2000 update – the reason: when I log onto the Mirosoft site and try to download it, it hits me with Error 0x80244024 – “Server does not support HTTP protocol used for request”. When I did a Google search on this, I came across a discussion about this error. I have checked for all the recommended settings in the browser (IE), but no luck. I can’t seem to convince Microsoft to let me have the update! Any suggestions would be MOST welcome!
George G in sunny Sydney Aus.
Might see if a different browser like firefox will let you download the fix. (Though I do realize that MS might require IE).
You should be able to order the most recent Win2000 service pack on CD – that might be an option.
Leo, I think you’re missing something fundamental about svchost. Unfortunately, I don’t know exactly what it is, but I have some data that don’t match your assessment of the problem.
I see the same problem as everyone else: periodically, svchost.exe will chew up all the CPU cycles and everything else slows down.
In my observation, when this happens I’m also waiting for a network operation to complete. Now, the network services may be starved by svchost taking all the cycles, but it sure looks to me like it’s the network operation that is causing the slowdown.
I’m certain that the problem is not a virus. I have a deskside and a laptop, both firewalled (the laptop uses ZoneAlarm), both with NAV updated daily. Yesterday, I got a new laptop for my wife and after I connected to the network, I started seeing the svchost bottleneck quickly.
It could be a port sniffing attack, but all three systems are behind a router, so that’s what should be getting hit, not the computers.
So, my theory is that the problem lies in network caches being flushed, name servers or gateways getting jammed, or something along that line. Svchost is probably designed with the expectation that it can do a busy wait because it will always get an answer quickly, so if it does have to wait, it chews up the CPU. I think that svchost going to the peg may be a symptom of another problem, not the root of the problem.
Does that ring any bells for you?
By the way, the Task Manager says the user name of the svchost process is “NETWORK SERVICE”. There are other instances running under my user name, but they’re not the ones that are hogging the CPU. Hence, I suspect network issues.
Hello
Interesting! I am a complete novice. Have had problem for long, long time. After using my laptop for sometime, the cpu goes mad and then the computer shuts down and will continue to do so after restart. I can help the problem with a usb fan directed onto the intake vent? Anyway, when this happens,I have noticed in task manager that Sychost.exe (Network) is showing CPU use as 50 or thereabouts.This is zero when the problem is not active. I have mcafee and have tried numerous other spyware, virus programs but nothings show a virus. However, Microsoft Antispyware shows a reoccuring problems of c?window/hosts (2 signatures) which I regularly delete. I suspect this may be connected to the problem. Regard & Thanks John
am running Windows 2000 Professional with Internet Explorer 6. I have installed Windows Service Pack 4. I am getting the error “Svchost.exe has generated errors . You will need to restart the program”. After this I can’t open a link in a new window. I can’t see contents of the WINNT folder. I can’t copy paste anything. Everything becomes ok if I restart. I have scanned with AVG Antivirus but it detects no virus. What Shall I do to solve this problem?
Problem: svchost consuming 50% cpu constantly.
Setup: XP Pro SP2,Win Update (prompted), behind FW, NAV/Symantec with LiveUpdate, running Webserver, local network connection, lots of s/w
Solved: Reading the article, 300 comments, ….
Ran additional AV (Panda, AVG scan), SFC, Downloaded and installed the suggested Process Explorer. Found which service (SSDPSRV) was consuming. Changed this service to only start ‘manual’. It was doing many many context switches and heap-alloc … Killed that process, and now all seems quiet. Remainder of functions are operative in a normal way.
Thanks for the detailed detailed info. This thing was pestering me for quite a while !!
Very helpfull site. Hope this helps someone else.
Had to reinstall OS after a hardware failure on a firewalled and regularly virus checked machine. Decided to dump ME as had copy of W2K (first release version), so had to apply SP4 and set up windows update etc. Got the svchost.exe using 99% of CPU from the first time W2K ran after applying SP4!
Next I set up Windows update, and was surprised there were only 2 updates, but applied them anyway. It took 2 hours to install them, because of the hogging by svchost.
After carefully checking for Blaster type worms killed the svchost processs (1 of 4) that was hogging. I immediately got a message from the firewall that ntoskrnl.exe had been sent a broadcast from an IP within my ISPs auto assigned IPs (ie users) domain, which I disallowed. I don’t know how realavent that was. Next I applied the MS DCOM/RPC exploit patch, which apparently had not been installed by SP4 or windows update. I then Deleted mobsyc.exe, osa.exe and internat.exe from the startup items mainly as unwanted services, but possible culprits.
So far, touch wood, the problem has gone away, and windows update has now produced 31 more updates to install. It is quite possible that windows update itself caused some of these problems, maybe getting something bound up in an endless loop.
Ok, initially my problem was that svchost was taking up 50%ish of my cpu usage (probley not 100 couse of hyperthreading) when ever i would end the task the sound would stop working and it would say that i have no ‘audio mixer device’, in my n00bishness i thought it would be a good thing to delete svchost that was causing all my problems, omg! big mistake. So i used the windows repair function from the setup on the cd and then my windows was working fine…except svchost still ran 50% and now i have no sound at all, it constantly says that i have no audio mixer drives. Device manager says my sound card drivers, “This device cannot start. code (10)” (i have onboard by the way). To find the sourse of the cpu usage i used the process explorer to look inside of the svchost that was taking my cpu usage, the thread that was taking it all was a thread called ‘kernel32.dll!RegisterWaitForInputIdle+0x4a’ to solve the cpu prob temparaly i suspend that thread evertime i start up buit there is still no sound. I have tried every ‘solution’ on everysite i could find that has any information even slightly relating to my problem but 50+ ‘solutions’ later still no better. Please Help Me!!!
used symantec’s FixWelch and FixBlast an they said that i’m virus free.
this svchost is using 100% CPU when i’m offline also, so i doubt that someone is attacking me.
and i’ve got a new problem! my system is generating an error witch shuts down my system in 1 min.
Thanks for the great article, Leo! I’ve had the problem where svchost.exe suddenly starts using 99-100% of the CPU once or twice a week for nearly a year now, and this is the first site I’ve found that really addresses it.
Unfortunately, in my case, it didn’t seem to help. My system runs Windows XP, and I’ve kept up-to-date with all of the latest Windows Updates and service packs. I scan regularly with McAfee Virus Scan and automatically update with the latest virus updates. I also scan regularly with Microsoft AntiSpyware (and keep it updated). After reading your article, I also installed, updated, and scanned with AVG Free and Spybot Search and Destroy. No viruses or spyware were found by any of these.
I also checked my firewall (McAfee Personal Firewall Plus) and it was already set to block ports 135, 139 and 445.
However, I did notice that ports 20 and 21 were enabled (for some FTP file transfers I needed to do). I went ahead and blocked them because I didn’t need them anymore.
Is it possible for some sort of attack that causes the svchost.exe problem to come through these ports?
Leick: I’m not aware of any issues directly related to ftp ports, but of course blocking them if you don’t need them certainly makes sense.
I don’t have any specific answers for you beyond the article at this time. You *might* try unplugging your network the next time you see usage spike … that might be an indication of an external something that the svchost process is attempting to react to. You might also use process explorer to see which svchost is being affected, and then which services that instance is attempting to provide. This may provide clues.
Thanks, Leo. I forgot to mention that I had tried that, too. However, in my case, every time svchost.exe takes over the CPU, it never lets it go again (until I reboot), even if I quit every application, end every task listed (under the applications tab) in the Windows Task Manager, disconnect from the network, and disable wireless networking (I’ve even tried waiting a couple hours).
After reading your article, I downloaded Process Explorer and I’ve been keeping it running in the background so I can switch over and diagnose next time it happens – svchost has been good for the last few days, so I don’t have any new info yet.
One other note: it seems to only occur when the system is fairly loaded with several applications open and running, although that may be a coincidence because that’s true the majority of the time.
THE FIX. For me, running Windows 2000 and IE6 w/ SP1, the fix was not with svchost.exe, it was with “services.exe”. Basically, the two are related somehow and Windows has a fix for it.
Here is the link: http://www.microsoft.com/downloads/details.aspx?familyid=722f11f1-6505-444a-92bb-9985ab3697e8&displaylang=en
I’m pretty sure this will work in a lot of cases similar to mine. Basically, svchost.exe was using the majority of my CPU usage. Hope this helps!
Also, try turning off your Automatic Updates.
Winpatrol will help nail down what the issue might be as well. Download that from: http://www.winpatrol.com
Hope this helps more!
I have some strange things going on with access to the internet. I have taken off just about everything except Panda Antivirus, Zone Alarm firewall, Spybot Resident tea-timer (anti-spyware), and HostsMan. Frequently, I’ll go to a new URL in firefox and it will sit there trying to load the page. If I go to a DOS box at this time, I can do a “nslookup http://www.yahoo.com” and get a valid IP address. I can then do a “ping 68.142.197.83″ or whatever the IP address given for yahoo, and this works fine and gets a ping back. When this happens, svchost”network service” is taking about 50% of the CPU. It does this for several minutes and then things start to work.
Might also be the services of the Fingerprint reader hardware. I have the Protector Suite QL on my Toshiba, brand new laptop and running antivirus nOD32 and i know i am virus free. As soon as I am using the ProcessExplorer and monitor it and start closing update service, the Fingerprint software has a popup error, closes itself down and the CPU goes from 99 to less than 10. After my firefox, gives me a C++ error and shuts down.. I still have to look deeper, I might end up removing and reinstalling the fingerprint software vs repair.
Not sure if my problem is caused always by svchost.
My computre is always attached to the Internet, but quite often when I am not doing anything with the internet I am receiving a lot of very long delays.
Software packages I have run for tears will now always take ages to load, coming up with either server is busy, or another program is using the resource I require, giving me a retry or switch option. When I select Switch it always calls up the Start menu. Eventually the program will load, then it runs fine.
Also whenever I use the file open, save options etc it takes ages to load the details(, often displaying the search icon).
Any help would be much appreciated
regards
Jim Hope
Thanks Leo for all you do for the computing public. I have been reading all day about the SVCHOST issue where folks are experiencing 100% cpu activity for a while as soon as connecting to the internet. My fix is limited to the situation outlined below and does not include the 60 second shutdown issue or crashing.
Some websites and forums suggested that SVCHOST is being exploited by a worm or trojan, but most people find their virus scans come up empty as do the spyware checkers. So your computer is mostly OK except for this cpu drain that seems to last only a short time.
I have had the problem for about a week and I have tried five different virus scans (including on line McAfee, AVG, PC Security Shield, and Symantec) and two spyware programs (Adaware and Xoftspy) but found nothing of import. My Hijack this has not changed. It started after a recent Microsoft Automatic Update to my Windows XP SP2 system.
Using Process Explorer (from SisInternals —
http://www.sysinternals.com/Utilities/ProcessExplorer.html
I could see that one of the many SVCHOST copies was running (1144) which was attempting to assist Microsoft Automatic Updates (3108 and 2720). My Automatic Updates was set for “Notify Me but do not download or install”. Apparently the cpu usage is caused by the Updates program attempting to determine if there are updates which it of course only does when you connect to the internet. I simply set my Automatic Updates to OFF and the problem disappeared. I did not experiment with allowing it to be ON full automatic mode, but I suspect that would be OK too. Appears to me that Windows is not playing nice with the Notify me but do not download option.
Wanted to let you know cuz lots of folks are suffering. I suspect this is something MS will be fixing in a future update…. When you start your machine, immediately start the Process Explorer, and watch the cpu usage as your internet connection is established. If you see that the SVCHOST that is causing the CPU load has underneath it (below the minus sign associated with it) one or two Automatic Update listings, then try my fix by either shutting off Automatic Updates in Control Panel (Automatic Updates).
Regards, Dan
hi im running server 2003, i keep getting LSA.exe errors which cause restarts. i wanted to know if that has anything to do with svchost. i also have a firewall which logs dropped packets, after looking at it i found lots of packets dropped to ports 1026, 1027, 445, 1025, 135 and some random others. could this mean im under attack, i’ve done all the scans ect to clean the system and fitted full new hardware and full reinstall of OS. i have a static wan ip and wanted to know if i change it will it stop the problem?????
please help as i just cant get past this!
many thanks raj
Look at this article referenced by the article you just commented on: http://ask-leo.com/what_is_svchost_and_why_is_there_more_than_one_copy_running.html
if open add/remove windows components window, it does not open, but only one empty dos window titled svchost loads and disappears.
Same thing also happen if i try to view the source code of webpages. Pls give me a solution
thanks in advance
After reading about the Windows Update post, I checked the computer that I was having the same svchost.exe problems with and udpates were set to automatic every night at 3:00 am. Once I turned this off, the svchost.exe CPU went down to 0. I manually connected to the Windows Update site and during the check for updates, svchost.exe went up to near 100 utilization again. After waiting nearly 30 minutes it finally gave me the option to get the latest windows update software. I installed this, downloaded all the latest updates, set it back to automatic updates every evening and now everything is working fine again. It could be that you have the older version of Windows update, that seemed to be the problem on this computer.
Should SVCHost.exe be constantly accessing the net? Because my network symbol is on all the time even when no net apps is running such as IE?Mathon or Yahoo Messenger and MSN etc.
The light is constantly on, does this indicate a violation of the svchost file? Or a modification for a possibel spyware or malware?
I have read the articles on svchost.exe and by using Process Explorer I found that the CPU is being hogged by WIAFBDRV.DLL When I kill this process the CPU unclogs, but my system still seem sluggish. I have run Norton AV, and Trend along with spybot and System Mechanic 6. No luck. Any suggestions?
I have a similar problem to what answered above, but I have used 3 different virus scanners, an ad-aware software, and a registry cleaner. Yet I still get this problem:
I connect to the internet normally, and I don’t get any overloads of cpu usage or whatever. Everything is fine.
However, after a while (length is pretty random), I get a “Generic Host Process for Win32 Services has encountered an error and must shut down” After this, my internet connection just freezes. The internet connection icon stays in the taskbar, but no internet actions work (can’t get to any web page, MSN Messenger can’t connect, etc.) I can’t “disconnect” my internet connection, and when I try to view the status, the window pops up for a fraction of a second but dissapears right after, no matter how often I try to do it. My only way to reconnect to the internet is by rebooting my computer.
And everything that isn’t internet related works fine (I tested extensively). I can still play games, work, listen to (offline) music, etc.
I’m getting desperate, as my last option as of right now is a full format of my C: drive
I don’t know what else to do (and I’m no computer expert, although I do know quite a bit)
Please help,
Thank you,
Dominic
Dominic, I had exactly the same issue. Must be something fresh – all the posts on it I found were from the last few days. But I finally found the solution – here it is:
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
Just install the patch and enjoy a no-more-interrupted connection ;]
regards2all
Marek
Dan – My OS is XP Pro. When I boot-up, the startups load and then one copy of SVCHOST.exe begins to hog the CPU until it takes 100% and the computer cannot be used. If I end the process, it fixes the problem until I boot-up again. I have the McAfee suite of antivirus and firewall applications. I have scanned the computer for viruses with none found. Any suggestions?
Thanks,
Russ
im having the same probs – my internet goes off after 5\10 mins with tht genric host problem
that microsoft link doesnt work with me i dont know why… pls help (mobali70@hotmail.com) pls help needed…
send me a link or sumtin pls – thanks to all \ for ur help!!
Thanks Dominic and Marek. I had the exact problem Dom. had. I re-installed win.xp twice and same problem. Went to the link Marek posted, downloaded the patch and have been surfing for the past two hours with no problems. Very grateful. Almost bought a new computer last night becasue of this problem. Joe. Student at UTEP.
I was experiencing 100% CPU usage while attempting to use Windows Update with a fresh install of Windows XP Professional off of an older MSDN CD.
Dan’s solution (manually install the update located at http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx) was what worked for me. It took long enough to find it!!!
Thanks, Dan!
Erk. I’m an idiot.
That link was what Marek posted. Dan’s suggestion (to shut off Windows Updates) made the computer boot without 100% CPU usage but did not resolve the issue when visiting Windows Updates.
So, thanks, Dan AND Marek!
I have a problem when booting my computer. The first time it happened, i got lucky by deleting one of the svchost.exe process using task manager. after that, my computer loaded, but then it started the one minute countdown, because ‘rpc was terminated unexpectedy’.
So i went in safe mode, and it booted fine! i followed bv’s steps on stopping the countdown, and tried to boot regularly. Same problem, only if i erase the svchost, the computer boots and doesnt start the countdown. (i know which one to erase because its always the second to last one towards bottom)
what do i do? i tried last known good config, and it worked once, then the problem started again.
i can’t imagine how to fix this, becuase at the same time, my internet is not working. that may be a good thing, since i cant be hacked or infected by anything else, however now i cant update norton or use windows update.
also, about a week ago i had to use system recovery, because of another problem( in which it got to the background, and then logged out immediately).
os is windows xp home edition, so i cant use tasklist….and i cant download any substitutes because internet is down.
Well i have a diffrnt solution to the NEW bug which has been going around.
well the solutions are well either one – i applied the 2nd theory to use
1 = Turn on the windows firewall (Sp2) – it had to so something with the ports or sumtin or the other – but this should work
2 = my way – i went to my temp folder and deleted everything and my system returned to normal – no freezing internet\sound card dupes – goodluck everyone :)
My laptop kept freezing for about 5 minutes after bootup with SVCHOST.EXE utilizing 99% CPU. Completely turning off Windows Update fixed this problem, see this article http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1207419,00.html which mentions a bug with Windows update affecting older/slower systems.
Turn off Windows Update. That’s it :)
This procedure worked well. I used AVG and Zone alarm along with the updates. It worked well. I found that if I hit ctrl-alt-delete as the computer came up I could see if svchost.exe was dominating the process time. If I waited too long though I could not get ctrl-alt-del to work. It also gave me the ablility to kill the process in order to shut the computer down naturally without using the 10 second off button. My computer is running great. I appreciate you taking the time to post this article. You saved me a lot of time. Thanks, Tom
After installing the latest Creative drivers my system began to become slow. I noticed svchost.exe pegging the CPU 99%. After rebooting again it seems ok now. Could this be a driver problem? Thanks in advance! (:
At last…..turning off completely Windows Update has fixed the problem. My question is why does MS not make this issue more public so people know about it.
It took me over 5 hours to find this post.
Grrrrr
Surf
Hi, I was wondering if svchost.exe could be responsible for my computer disconnecting from the internet. when windows first boots up my internet connection is fine, but after a while I loose complete internet connection (however my computer still claims to be connected) The more bandwith I use the faster it looses its connection. I am running a computer with a decent amount of memory (1gb) and sp2. I have had the problem with my other computers as well.. my ISP says that the modem is connects just fine, so somewhere between the modem and my computer there is a problem.. do you think svchost could be the problem?? if not, what do you think it might be?
I’ve ran virus scans a few times over with different programs, it won’t detect the SVCHost as a virus. Seems that when I close this nasty svc that runs my cpu at 100%, my sound devices go dead. No more audio for me. :(
It would be nice to know exactly what programs would detect viruses infecting/using the SVCHost.
Remove the composant Windows Update in Internet Explorer and restart. It works for me on two computer !
Bye
Hello Leo,
I checked my system with anti virus 3 times i formatted my hard disk. There was no virus. i dont know what is wrong with my system. SVCHOST.exe starts running after 5 mins the systems boots and after that it utilizes 100% of my CPU. i am not even able to shut down my system
Please help
Thanks
David
Same here, I formatted my harddrive and re-installed XP 3 times now and in about 5 minutes svchost.exe has taken up 100% of my processor and I can’t do anything. Not even CTRL-ALT-DELETE!
It seems to be related to Windows Update, which I want to use. If I end task this particular svchost before it goes crazy, and then try to use windows update again, it runs svchost AGAIN and then hangs. (There are other svchost’s running, but they don’t seem to be related.) No Windows updates ever show up to install. It just sits there like dummy. (Microsoft update does the same thing…)
It can’t be much cause it’s a fresh Windows XP install, so what gives? I need Windows Update but I also need it not to hang after 5 minutes…
There’s got to be a solution!
Same here, I formatted my harddrive and re-installed XP 3 times now and in about 5 minutes svchost.exe has taken up 100% of my processor and I can’t do anything. Not even CTRL-ALT-DELETE!
It seems to be related to Windows Update, which I want to use. If I end task this particular svchost before it goes crazy, and then try to use windows update again, it runs svchost AGAIN and then hangs. (There are other svchost’s running, but they don’t seem to be related.) No Windows updates ever show up to install. It just sits there like dummy. (Microsoft update does the same thing…)
It can’t be much cause it’s a fresh Windows XP install, so what gives? I need Windows Update but I also need it not to hang after 5 minutes…
There’s got to be a solution!
Hey, surf, how do you turn off Windows Update? I wanna try that and see if it works. LEO HELP me!!!
SVCHOST is killing me. Usually it’ll start taking up all of my CPU usage for about 5-10 minutes then it’s done. I’ll be fine for a while, then out of no where, (i could be in the middle of playing video games or surfing the web, and it starts up again) for about 5-10 minutes.. it’s so frustrating… Is there ANY solution? I’m not a computer geek, so i dont know about all of that tech stuff? Isnt there a product i can buy or something to fix this? I dont want to go re-formatting stuff, and deleting things, when i dont know what i’m doing….. :( HELP?
Oh, and is this a safe thing to try? or is it a Scam? http://fix-pc-errors.com/svchost.htm
I have the same issues with svchost as posted by Jeff on 9/15. After you delete the offending svchost process, the sound goes dead. Removing the sound card driver and reinstalling clears the sound problem. Full virus scan with 2 products and 4 different spybot/adware products come up clean. Problem appeared 9/15. Running XP home SP1 on dialup line.
If you are getting repeat attacks it is possible if you persevere to get into task manager >processes
look for the instance of svchost running at over 98% end process the processor goes back to 4% the system remains stable for several reboots or longer works for me hope this helps
At first, the svchost was just slowing me down, but now, I have no desktop when I log in; just an empty screen, and I can only use task manager to get things done. None of this is any help to me, because I can’t access Control Panel through task manager. I can’t use the internet, so I can’t update Norton Antivirus, which may be why I got a virus in the first place. I put a program called AntiVir on a flashdrive. It detected 5 viruses/suspicious files, which are in quarantine, but i can do nothing with. This still didn’t help, and i may have to re-install XP, but I’d like to know if there are any alternatives.
I was having the same problems with svchost and .exe maxing out cpu usage…. then
it seemed to disapear from the svc and the system idle was around 80 to 90 % but the cpu usage was still maxed out… after further investigation it seemed to be a hardware interupt issue… I removed un nessasary pci cards from the computer.. additional nic card, linksys pci wifi adapter and also my ATI all in wonder video card and now all seems to be fine… I plan to re-install them one at a time and find the culperate…
What assisted me with this is using
Process explorer
http://www.sysinternals.com
and following the hardware interupts that were sucking the life from the CPU usage…
its worth a try guys !
hey leo….i have a similar problem…i get the svchost.exe error after shutdown..asks me to debug by clicking cancel and all…doest come everytime though but yeah sometimes…also sometimes my cpu gives me weird beeps after shutdown…a set of two beeps of diff scale repeats twice..and then the comp turns off….
i have an AMD athlon 2400, i use NOD32 antivirus system, i have tried spybot, adware, windows defender…
is there anything else ic an do if the problem persisted?
please reply…
thanx
for svc host issues pls look on this
http://fix-pc-errors.com/svchost.htm
svchost.exe cpu 100% fix
I had this problem, checked the web, looked for viruses and called microsoft. Finally, I hypothesized that the problem was not something faulty or corrupt about svchost.exe — it just had limitations. This elminated the problem.
1. Made sure that my bios was OK — set it to a default state.
2. Defragmented my registry. (I used a program by uniblue registry booster which came with speedupmypc $29 total)
3. Defragmented my hard drive (which did need it)
4) just too be sure that the problem wasn’t triggered by an outside hacker, put the windows firewall and my zone alarm firewall on max –I now use both firewalls despite recommendations that I should use only one of these firewalls.
5) I had been using goback (symantec’s backup program) and windows system restore. I turned off ms system restore. Maybe the two backup program were trying to back up each other and creating an “infinite loop.”
In short, I decided that cpu technology had not really evolved that much since the pentium 2 and that I would treat my celeron processor with some kindness.
Best to all.
Barry
3.
I actually found an even simpler way to fix this problem it was driving me crazy. All you have to do is
1.Go 2 the start menu
2.Right click “my computer”
3.Click “properties” then the “automatic updates”
tab
4.Choose “turn off automatic updates”
5.Reboot your computer
6.Go back to start menu and in all programs go to “windows update” you have to be connected to the internet.
7.Manually update windows.
8.Turn your automatic updates back on.
Thats it im running windows XP and after days of research thats what worked for me i actually found it on a website that makes you pay for answers to problems but my friend had a subcription that was years old but still worked.
Im no computer expert but i figure if this helps one person it was worth it for me to write this hope it helps c-ya bye!!!!
Leo,
I have a CPU usage problem. There are only 31 processes running at maximizes to 100% then of course it slows everything down! I have called and talked with a techie at the PC store (He is familiar with my system) He told me to boot up into safe mode then run spybot search and destroy and and an antivirus scan (AVIRA guard red symbol with an umbrella on it) I did all that and it temporarily took care of the problem. NOW its back again. 100% CPU usage almost immediately from the start up.
Any suggestions? I’m getting frustrated!
Thanks for your help.
Dan
I recently developed a problem with my computer continually restarting. As it boots, before the desktop comes up, I get several error messages, and then the computer reboots. I have been watching this process, and through frantic writing, I have a few of the errors that pop up: Run.DLL: Error loading MVMCTRAY.DLL – Invalid access to memory location. Also, CTDVDDET.EXE – Application Error – The application failed to initialize properly (0xc000001d). Also, svchost.exe – svchost.exe has experienced a problem and needs to close. Any ideas? Thanks!
This is a great site and your identification of this problem is right on. I’ve identified a particular svchost.exe which runs on startup and if allowed to continue hogs bunches of resources and eventually crashes the system. My problem is in trying to fix the problem, I can get the system stable by stopping the process, but whenever I try to do a windows updates the system almost instantly crashes. I can do almost anything else on the internet and download or run almost anything else. Any suggestions?
Hi Jeff.
I had the same problem then an error about some Generic32.dll or something kernel crash, which when you report the error to Mircosoft, sends you to a (legit) site to downlaod their patch fix. But it had effect for me, the svchost “hog” continues on startup.
First i found that you can go into Task Manager and just end that process – and continue gaily along OK. I have since found ti doesn;’t happen any more if i turn off Windows Automatic updates. Don’t know why. One site suggested this means there is a trojan oin the MS Update process. But i have run virus and spyware scanners and found nothing.
So I can avoid it, but don’t know why! Hope this works for you.
Hi,
When ever I restart my labtop it move really slow. Eventually I am able to get the task manager to pop up and it says that svchost.exe is using around 100 %of my processor. When I end it, the computer unfrezes, but I dont get any audio. So I run msconfig and under services it says that my windows audio has been stopped. I eventually reallized after a few rebbots that ending svchost was the cause of my audio stopping.
If I dont stop the svchost thats running up my processor, then my computer moves slower that can be described. How do I fix the svchost problem, if thats even what it is.
(No relation to D above on the same day)
Mine also seems to be audio related. In the past, I have stopped svchost and find no audio. Today, I have just gone into services and re-started Windows Audio (while svchost was running at 100%). svchost then calmed down.
It is a dell inspiron 6000 laptop if that is of any help.
I also find that my svchost problem is audio related. Ending it stops almost all audio and i have to reboot to get it back. If it’s any help.. this problem only occurs 75% of the time I load up my computer. I have to update my system though.. hope it solves it and good luck to others with this problem
-Mine also seems to be audio related. In the past, I have stopped svchost and find no audio. Today, I have just gone into services and re-started Windows Audio (while svchost was running at 100%). svchost then calmed down.
It is a dell inspiron 6000 laptop if that is of any help.-
Response to DC post.
Hey i have dell inspiron 6000 laptop and mine will jump to 100% then down again and sometime my adio goes out. Wonder If it a dell audio bug?
when I scan my PC for viruses I get a message stating that there is a threat named “infostealer.satkey” located at svchost.exe, it cannot be cleaned nor anything, I use Norton AntiVirus and it is up to date, please help
http://www.tek-tips.com/viewthread.cfm?qid=1254559&page=1
Same problem with my Gateway notebook, my computer runs really slow, svchost.exe is taking almost 100% of the CPU, I end the process and then lose ALL audio except Windows Media player. I tried turning off the auto updates for a few days, but my audio is still gone!!
okay…I haven’t actually read ALL(372) of the comments yet, so my apologies if this issue has been stated or address previously…but my computer is getting old(laptop purchases in 2001, but not used until 2004, so this may be the problem)however, whenever I start my comp, it’ll start just fine but once xp loads…the svchost.exe process takes between 86 and 100% of my cpu and between 32,000k and 99,999k mem usage and within the first 5 minutes the computer will completely crash and shutoff (no restart)…so that kinda removes my ability to run scans or check my registry or system integrity(my computer knowledge is not very deep) any assistance please…
Oh and in addition…don’t know if this matters or not but I’m runnin at 1.3 ghz pentium III Windows XP service pack 2 all required updates should be installed unless some new ones have come about in the last month…I also recently attempted to use the firewall supplied by windows,(it was proviously disabled by my old AV software), this was unsuccessful…I will update with exact wording of the code if ever get my computer running long enough to find out…
I had that problem in my son’s laptop and it was a trojan/malware. Antivirus s/w didn’t find it because it is not a virus. Best guess was a subscription service he signed up for, decided not to use, and didnot pay for. Ba$tard$. I had to run in Safe mode with a anit-malware s/w downloaded from another PC and run on a memory stick. I recommendation is try other anti-malware s/w’s, maybe even several, to be SURE it is not a bug. I was running fully updated Norton and it did not find it. Adaware caught several, but not all. Avast found more, but not all.
Good luck. Now i am getting the svchost crashes related to my VPN tunnel (Cisco)…
30 or so seconds before i am sending this, i ended SVCHOST.EXE in the processtree from the task manager. Nothing happend. Nothing is happening. As in eveything is fine. I am starting to wonder the importance of SVCHOST. I run on a dell inspiron 8600 Widescreen Microsoft Windows XP pro.
Many of the viruses that infect svchost are network borne… make sure to install your OS, and turn on a firewall on the machine *before* connecting to your network. If not, you can be infected frighteningly fast.
Check also your Internet connection. A very slow/crap connection can cause a service running under svchost to loop as it waits for replies causing the CPU usuage to peg out.
This article resolved the issues I had with SVCHOST.EXE and is an absolute lifesaver. In my case the problem was caused by a user error. On Friday of last week I shut down my computer because I was having a network problem. The machine began installing Microsoft updates but after half an hour I decided it must have hung and switched off the power. Clearly it hadn’t hung (or if it HAD, it hadn’t completed the update process) and I ended up with the SVCHOST error as described in this article.
I was about to re-install everything when I happened across this article. Heart-felt thanks to the author. Keep up the good work!
This sure equals what I’m experiencing: 100% CPU utilization. I narriwed it to svchost, axed the one using the most memory, and we’re back to normal. Course lots of stuff doesn’t work, but it “solved” the problem. BUT my firewall is always on. multiple virus checkers are not finding anything amiss. still puzzled
It’s misleading to suggest that viruses and worms are the only cause of this problem. On a virus and worm-free system, svchost.exe can consume all the CPU if the WBEM registry is corrupted. In this case, it’s necessary to stop the winmgmt service, rebuild the WBEM registry, and restart the service. This turned out to be the true problem and solution in my case. See:
http://www.hanselman.com/blog/SvchostexeSucksCPUAndRebuldingTheWMIWBEMRepository.aspx
No one ever said it was the only cause. There are many ways that svchost can exhibit problems – malware is simply the most common.
Leo, your original article suggests that there are only 2 possible problems, both related to malware. While some people may be bitten by malware, the WBEM repository hang will definitely crop up with people with clean XP installs. Consider updating your article.
>>I have had all 3 of my computers exibit this same behavior, and all within the last week. Nothing has changed on the computers except that i used window’s update. Upon startup whenever i access the internet, explorer or other, svchost gobbles up my cpu, eventually it releases, but i cannot get anything done for those 5 minutes.
I fixed my problem (fingers crossed) by rebuilding the WBEM registry as per http://www.hanselman.com/blog/SvchostexeSucksCPUAndRebuldingTheWMIWBEMRepository.aspx and then also stopping windows automatic update. Even after I rebuilt the WBEM registry I had problems and using the Process Explorer utility I identified Windows Update as grabbing all my CPU. I set this to notify me only and so far so good.
Just wanted to get this out.
If you run Symantec products and if you are getting svchost crashing soon after boot with a Generic Host Process error pointing to msi.dll, then I think I might have an hint.
This error was beginning to show up all over campus. Even applying MS’s patch KB894391 failed.
It turns out that it is caused by Symantec’s setting to “Scan Network Drives” Turn this feature off. The svchost error should vanish on next boot. You may still get the Generic crash once more.
Hope this might help someone, I can’t tell you how many hours I spent on this one…
grrrr
dan
you can find out what scvhost is running by clicking on start then click on run and type cmd (windows xp) or type command (all versions of windows) then max the window (it will be half screen) and type tasklist /svc and you will see the list of what each item is running and what it is running.
Leo, please help with the following annoying problem, related to svchost, that no other ‘expert’ seems to understand. Since a couple of month svchost started a life of its own scanning all of the ports on my modem/router for days at an end. It did not do this before and takes up CPU-time, is visible in de Zone-Alarm firewall window (no check anymore on in/outgoing processes).
System XP-SP2, firewall, virus scan in place (AVG) and performing several full-system checks without succes. Also hitman-pro brings no relief. How to stop this irratic behavior.
Thanks for your attention, Bob.
I have the svchost taking from 70 to 90% cpu resources, and I use the task manager to end it and work fine through the session. But lately it’s happening all the time. I have the latest Anti virus protection updates from Mcafee, I have the firewall enabled for all my connections. System is xp with sp2 and the update page shows no necessary updates are available for my system. I ran a registry mechanic software to make sure no problems are in the registry. I use the tweaks to speed up user clean up and shutting down. I use Boot vis from Microsoft to speed up system boot. In spite of all this, svchost loads and takes all my CPU time. please any solution?
thanks , sally
me@sallyahmed.com
http://www.sallyahmed.com/
Leo: I’ve been meaning to thank you for the hint about Svchost.exe issue on W2K. Now, after having updated my pc to XP, one of the copies of svchost.exe turned back to it’s malaware tendences, taking over the 100% of my cpu AGAIN. Microsoft support helped me to hunt and fix this problem: now I pass this through to you all.
Although the following steps maith be a particular case, I hope it helps the same way that helped me.
– log on the pc as administrator
– Download SysInternals Process Explorer and run it
– Identify which one of the svchost copies is causing the issue
-Click on start, and run “msconfig”
– over the “services” tab, click on “hide all microsoft services”
– Disable the rest of services
– click on the “start up” tab
– click on “disable all”
– Reboot the system
– Make sure the svhost.exe is not taking over the 100% of the cpu (for now)
– Run process explorer again
– run “msconfig” again
– Enable one by one the process and services until the problem shows up again. Don forget reboot the pc with every service enabled.
– Once the svchost copy takes the cpu resources again, you’ve just found the “guilty” service, so scan it or put it on quarantine.
For my case, a process that controls a HP printer spool was the root cause. Once disabled, the problem was solved at last.
Good Luck Riders…. Thanks again LEO.
ALex
Following is what I tried and didn’t work:
1. Patches from MS.
2. Looking for the svchost instance causing problems. The one for RPC seemed like an culprit always.
4. Then saw MSWord and Google Toolbar running in SVCHOST. Thought about uninstalling MS Office before I tried this.
What worked for me:
1. I saw mdm.exe intermittently would take up a part of the processor usage. I disabled the mdm.exe using ProcessExplorer and everything is nice and easy. No more trouble.
Please let me know if someone can confirm that suspending MDM.exe worked for you guys.
Regards
KM
Wierd. When we configure a system at our office for a client there is no problem. They get the brand new computer and boot onto their network they get the svchost.exe error. They have an automatic installation routine setup in the login.bat file for symanatec, I’m wondering if something is going on there, but it only seems to be for one specific user, and it’s a brand new machine, but this user has had trouble with another notebook before! It only happens on this one client’s network and only this user!!
I have found that if you turn off automatic updates in the security centre you don’t get the SVCHOST problem, I realise I now will have to manually check for updates, but who cares, this problem has been really getting on my nerves.
Once you are logged on to your pc and svchost.exe starts to use the cpu, wait for two min, then do the Ctrl+alt+del key combo, and just kill the process, if you don’t have a NT based pc, kill the process from Command promp just insert Kill (name of process) and enter, if you have a Win32 inatllation disk, simply if you have XP (CdRoom) press F8 and get into Safe Mode, insert the Xp disk and reinstall, if you donot have a Xp disk you can download the disk via torrent just visit bitlord.com and thepiratebay.org and get yourself some Vkl cd keys and the disk image or Iso the using nero or your tird party cdr software, Svchost is ussually what happens wen you get rid of a Rouge Anti/virus/spyware manually or automaticly by your real antivirus software the your computer start a memmory leak and halts using a blue screen, and my friend Andy found another way to solve this problem, but my piont is reinstall your OS, or even do a system restore, or from comand promp type (safemode) this Chkdsk /f and it will confirm your sys files, also svchost can create a sound malafunction if terminated, fix by reinstalling for device manager, hope my resolutions brin sof much joy, you will march down the streets to legalize Ilegal aliens, other wise go have a cup of teat!
I have that problem as well. I suspect Svchost goes to high CPU for several reasons on my win XP Pro laptop:
1) Automatic updates
2) Norton Anti-virus
3) Windows Defender
All three load as windows services and are big resource hogs. They also heavily engage in HD access with their file scanning. Since I have a laptop with a 5400 rpm HD, the laptop bogs down during these disk scans, and its speed declines from 1.8 Ghz to 5400 rpm. Argh. Argh. Argh. Microsoft and Norton have to optimize their code. Don’t they have enough money to do this? Sheesh.
My Hp laptop runs fine if I am connected to the network at work or connected to my DSL router at home. If I disconnect from either network my processor runs from 0-5% straight 100%. It is svchost.exe taking up most of the resources? How can I fix this? Any ideas?
Just to let you all know; I have this same issue, but did not have this problem until I had to install a new hard drive due to mechanical problems and reformat and install winXP pro again. Prior to this I had all recent updates on winXP pro and ran all kinds of security – but never had an svchost problem. After installing a new hard drive I reformatted the drive, installed winxp pro(and was NOT physically connected to my dsl router in any way). I made a cd from my secure laptop with various winXP updates and AVG anti-virus program. I installed them prior to connecting to my home network which is NATed. Once connected to my LAN, the only web site I visited was windows update ( I remember the days of installing a new copy of win2K, trying to go to win updates web site and instantly getting hit with all kinds of crap). So now my pc is only running winXP pro sp2 with all recent security updates and I still peg 100% when I visit the windows update site. I only have the following software installed; MS office 2003 with all updates, AVG anti-virus, IrfanView, HP deskjet F380 software & drivers, Adobe reader 8, winzip 11, ATI catalyst control center, Widows media player 11 – THAT’S IT AND STILL SVCHOST PEGS MY CPU – COME ON MICROSOFT PATCH THE PATCH THAT CAUSED THIS!!!!!!!!!!!!!!!!!
I experience exactly the same problem with high CPU utilization, high IO Reads all coming from svchost.exe. I’ve used Process Explorer application and it has indicated that the CPU resources are being sucked by wuauclt.exe. This has started happening a couple of days ago, when I performed a Microsoft Update. I hope Microsoft will release an Update which will resolve this issue, ASAP.
Same deal…MS update and svchost runs CPU utilization to 100% – performing a restart, for some reason, svchost drops to “normal”. Does anyone have idea why…and when is MS going to correct this?
The solve for this: Turn off Automatic Microsoft updates in the Security Center on your computer.. Suddenly, everything runs smoothly.. Very nice. And check updates at http://www.microsoft.com instead.
Gratz!
It is a known problem with MS XP, and MS still don’t have a fix that actually works.
To try the fix they have and read all about it go to http://support.microsoft.com/kb/932494
I whish they fix it by now.
Indeed, this is the process that kills my nerves like 10 min. Its svchost.exe -netsvcs aka Windows Automatic Updates. Now disabling may do it, but this is a very important service and you’ll need to run it manual from time to time.
I have also found that if you turn off automatic updates in the security centre you don’t get the SVCHOST problem, I experience the same problem (of svchost takes 99% of CPU usage) whenever i manually check for updates with microsoft website. Can anyone tell me the solution for this?
Well! I turned off automatic updates and I still experience the problem. My anti-virus/anti-spyware are McAfee and up to date.
There is a solution that worked for me at this site:
http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=906329&SiteID=2
(The 4th post, by pati610.)
Be aware, however, that this procedure disabled my USB wireless network adapter. I had to unplug my adapter, then plug it back in, and when my network reconnected I had to reenter my security key.
I have svchost spiking to 100% every few hours and locking up my computer. I then go to the Task Manager, identify the process that’s sucking 90-99% and end it. As soon as the process is ended everything goes back to normal. But it’s so annoying I’m considering reinstalling the OS.
this happens on boot up sometimes i let it do what it needs 2 for maybe 2-3mins then its ok, when it first occured use to end svchost.exe in options this stopped it but the desktop would flicker then change to classic view and icons would disappear almost like a semi safe mode look, then for some reason i couldnt end process, knowing the importance of this file i no longer end process
I’m running XP and it is updated. When I turn on my computer I have over 5 gigs free on my C drive(my drive is partitioned) after a few minutes I get an error message that I have no space left on C. When I checlk I have only 700k free. When I reboot the same thing happens again.
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
I’d point you at this article as a place to start to figure out where the disk
space is going:
http://ask-leo.com/how_can_i_tell_whats_taking_up_so_much_disk_space.html
Leo
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.6 (MingW32)
iD8DBQFGAvlKCMEe9B/8oqERAj4eAJ93bHxmhPKHt7C47dRHeP177/s7igCdH60r
wgn5extUKVxdrYxUhMm0sv0=
=lkja
—–END PGP SIGNATURE—–
My cpu usage runs at 90%-100% without me running any unusual progs. Suddenly it drops to 15% or so, without reason. I doubt some1 is hijacking mp pc from under my nose. SpyDoctor and Spyeraser didn’t find this hijacker. But i got 8 svchost.exe processes running under System, Local services and Network service. Is that normal? could any of these be a hijacker?
If you’re having an svchost error go to this page:
http://swigartconsulting.blogs.com/tech_blender/2006/07/windows_update_.html
It helped me out tons.
I found a stupid patch to fix the problem.
– First thing I do when I start windows is opening my task manager and sort by “Image Name”. I slide down to the list of “svchost processes”. I then run my browser as usual. For sure, soon I get that 100% CPU usage. Task manager is still accessible without any delay. I select the “svchost.exe” at 100% and “END THE PROCESS”. It takes few seconds. Once cancel, that “svchost.exe” leave my computer as long as I stay connected. It’s cumbersome, but it works for me.
NOTE: If I switch user in Window, the same exercise as to be redone.
– It worth a try.
Stephan
when i booted up my PC the svchost.exe would eat up tons of processing power (80-90%).. however i was able to make this stop by disabling atomatic updates… now the problem only returns when i manually try to find updates…
I run Windows XP and I attempted the recommended process for solving the svchost.exe problem, but after I go Control Panel -> Network Connections -> Internet Connection Properties -> Advanced and go to check the “Protect my computer and network by limiting or preventing access to this computer from the Internet” settings button an error message comes up that says: “Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the windows Firewall/Internet Connection Sharing (ICS) Service? [Ok] [Cancel].
What does this mean, and do you have any recommended course of action?
Ok,
svchost.exe is at 99% on my laptop. I read all the data/suggestions posted. I followed the usual “règles de guerre” in trying to rid myself of this pest. Updated my antivirus, ran a scan, ran the latest stinger utility, ran “tasklist” with no success, except that the PID was 660. I finally downloaded “process explorer”….http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
and found out it was a very unlikely source.
windows\system32\1032\dll\projects\setiathome.berkeley\svchost.exe
HA! I laughed myself silly. I have never gone to the SETI site……I did do a search on svchost.exe, but was reluctant to just start deleting anything without any associations…
Bottom line….. Download process explorer and then you will see where this file is associated by PID. Then kill it.
Mike.
Like Stephan above, I end the process in the task manager but then I lose all sound from my machine and end up restarting my computer. The SVCHOST.EXE always grabs 100% and I blame it on static electricity. As long as I walk around barefoot, no problem. I only need to know how to restart the hoggish svchost.exe without resorting to a complete restart.
I too get daily problems with svchost.exe and I have ended the process using Task Manager but like others this merely results in further delays and problems with other programmes so I dont do it anymore.
I have taken all the advice, I already had firewalls, Ad-Aware, Windows Defender and Virus Software, all up to date but it still happens.
My view is that as soon as this programme decides to do what it does it seems best to let it get on with it (whatever it is) go make some coffee and come back when its finished. It takes longer to finish if you muck about so why bother. It just all goes to show how impossibly silly these machines are, give me back my quill pen and parchment please!
I agree, I used to bring the task manager up the first thing when I switched on the computer then stopped the process if it went to 100% but now I just switch on the computer and let it run, go and make myself a cup of coffee then only come back to the computer, I guess we just have to take it easy!
All, the runaway process is most likely “automatic Updates” (ie wuauclt.exe). The fix is to reinstall the file. go to this site for more details (http://www.amset.info/windows/auto-updates.asp). Go to the bottom of the page and skip the restart and fix and go to directly reinstall (make sure all the update processes are off first). Good Luck. MP
I found that the best way to fix this problem is to format the hard drive and install Linux.
Along with the numerous people, I myself has experienced the same problem. First, we turn on the computer. All good. Second we log in and wait patiently as svchost.exe runs SYSTEM runs up to 100%. The only way to take it down and access any kind of program is to shut it down from the windows task manager. This takes out the sound and sometimes messes up the dial-up phone book. I have downloaded countless programs to scan and prevent further happenings, but still the problem consists. Crashing the computer with a baseball bat seems the better alternative to a virus crashing it. What to do?
Morning,
I have the problem listed above, svchost is running when I am connected to the internet. It clogs up all my CPU and if I want to be able to do anything at all I need to end that process (I have numerous svchosts running, of which one is taking up 99% cpu).
anyway, I tried to use your advice and turn on the “Protect my computer and network by limiting…” however I don’t have a check mark for it only a [settings] box. when I click that it asks me if I want to install it and when I click yes it gives me some sort of error.
I first got this problem this morning when I booted up my computer…I have never seen it before to this extent.
Help! =)
thanks much,
~kyle
I am being driven mad by this svchost pest,and followed the step by step procedure hoping to counteract it.like the previous guy i had exactly the same problem with the “Protect my computer and network by limiting” check, and furthermore I had a problem with the “A buffer overrun in RPCSS could allow an attacker to run malicious programs” – basicly I need the 32-bit version ,which seems not to exsist.
Reading comments posted here is reassuring because its apparent this is a serious and common problem. It started for me a month or so ago and I got temporary releif using a program called RegCure but now its back, and I am again deleting the busiest svchost in Task Manager. Before I give up, and swap to my spare hard drive I’ll try the fixes I’ve read here related to killing the Microsoft Automatic updates and also use Process Explorer with hopes of locating a file that its latching onto to. Before I thought the problem would ony arise when connecting to the internet but now it happens whether connected or not.
I found (after many hours) that if you run the windows update when you are not using the PC you can get the updates and return the svchost.exe back to ‘normal’. Youll have to at least wait to get past the ‘Do you want to install these updates’ option, then go to bed. Let it run all night while you are sleepin.
This is sad however, that I can’t find a MS fix for this.
I had problems with svchost hogging cpu that I traced to Windows Update. I found that the Remove and Reinstall of Windows Updates at http://www.amset.info/windows/auto-updates.asp#Reset%20Automatic%20Updates
solved the problem, at least for now. So thanks, Marko!
I just got this problem bad this morning when I restarted my laptop from hibernation. Although, network access had been getting really slow over the last two weeks, so for me at least, it’s been an incrementally worse problem until I got hit hard this morning.
Microsoft thinks they have a fix for this problem. The article is ID 903737 and can be found at:
http://support.microsoft.com/kb/903737#appliesto
But you must contact their phone support to have them email a link to where you can download it from.
I installed their ‘fix’, and it did absolutely nothing initially. However, I had some other pending MS updates that I then installed and rebooted a second time. After the second reboot, svchost only ran wild for 3 minutes after I logged in (quite an improvement from running wild for over an hour before I just gave up and pulled the battery out of the laptop). Who knows, maybe this will help your situation, too.
As a confidence builder, MS has had this fix since July 2006, and has yet to roll it into any of their numerous updates…
Maybe Louis’ fix will work for me and get rid of that initial 3 minute lockup after login? We’ll see
The Remove and Reinstall of Windows Updates really does work. I just tried it, and not only is svchost acting normal again, but my windows firewall is also back an running after it was refusing to turn on.
http://www.amset.info/windows/auto-updates.asp#Reset%20Automatic%20Updates
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
I’m closing comments on this article simply due to the sheer volume.
I’ve created a new article:
http://ask-leo.com/how_do_i_fix_this_high_cpu_usage_svchost_virus_or_whatever_it_is.html
that deals with the current “100% CPU Usage” issue that so many people seem to
be experiencing.
Many thanks to all the commentors here who added value to the thread for others
to come and find.
Leo
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.6 (MingW32)
iD8DBQFGQnIZCMEe9B/8oqERAgFTAJ0Vp60xlHDBO/98voKQqI/6DnnDIACdGjg1
fwzk4RuL2SWWR8HmxMQ47G8=
=LFak
—–END PGP SIGNATURE—–