TechSpot

Svchost.exe taking up too much memory

By WinDos
Jun 15, 2009
Topic Status:
Not open for further replies.
  1. Lately my svchost has been taking up a lot more memory than usual and I've noticed my browsing speed has slowed. The problem may be that I installed Kaspersky Internet Security 2009 recently, but I had this svchost problem long before I installed Kaspersky - the only difference is that now I am being slowed, but I wasn't before.

    Right now, I have 13 instances of svchost running, each of them around 5,000K's worth of memory, but 3 of them are at 30, 50, and 100.

    I've done numerous scans with Kaspersky Internet Security 2009, Windows Defender, Spybot S&D, and Malwarebytes' Anti-Malware; none of them returned any problems with my system.

    I attached my HJT log (as instructed by the stickies) in hopes that someone could help me figure out whether this is just normal activity or malware.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,793

    OK svchost can run multiple things at once!

    Get this tool to see what the SVCHOSTS are running:
    http://www.codeplex.com/svchostviewer

    To pinpoint RAM and CPU hogs get Process Hacker:
    http://processhacker.sourceforge.net/

    Once loaded, right-click the column line (Name, PID, etc.), click Choose Columns and add:
    Total CPU time
    User CPU time
    Kernel CPU time

    Once added I drag these new columns down beside the already existing CPU so all in a row.

    Then click CPU until System Idle process is at or near the top. This will show what is using CPU time now! This does not mean it is a hog yet!

    Then click Total CPU Time until System Idle process is at or near the top. You will see the times from Highest to lowest. Now you begin to see what is hogging the CPU.

    Then click User CPU time until System Idle process is at or near the bottom. Hogs will be at top!

    Then click Kernel CPU time until System Idle process is at or near the top.

    Now the big hogs will be the ones that are high in all categories.

    Remember System Idle process should always be High and all others low!
    Also remember to subtract ProcessHacker's time from the total to get the real CPU time without PH running!

    Remember some programs have to be a hog while doing an intensive job like a Virus scan etc.

    What you are looking for is 2 things basically.

    1. Things like Java Quick Starter (jqs.exe) (that allows Java to open 1 second quicker) or the Adobe quick start, that use CPU in all or most categories. These you don't need!

    2. A legit program that just uses too much!

    Mike
     
  3. WinDos

    WinDos TS Rookie Topic Starter Posts: 16

    Unfortunately, I can't install Process Hacker because I'm using Vista 64-bit. I did however use the svchost viewer and I'm currently investigating the services using each of the svchost files.

    EDIT: The following processes are using svchost:

    WerSvc, stisvc, PolicyAgent, BFE, DPS, MpsSvc, CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv, TermService, EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc, gpsvc, AeLookupSvc, BITS, Browser, EapHost, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv, AudioEndpointBuilder, dot3svc, EMDMgmt, hidserv, Netman, PcaSvc, SysMain, TabletInputService, TrkWks, UxSms, WdiSystemHost, Wlansvc, WPDBusEnum, wudfsvc, AudioSrv, Dhcp, Eventlog, lmhosts, wscsvc, WinDefend, RpcSs, DcomLaunch, and PlugPlay.

    There is a total of 13 svchosts running; of those, only 3 exceed 10 MB of memory usage, and they're at 38.66 MB, 134.61 MB, and 78.8 MB.
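
The mapping WinDos built with the svchost viewer can also be produced from the command line. This is an added example, not part of the original posts; it assumes PowerShell 3.0 or later (for `Get-CimInstance`) and an elevated prompt so that every process path is readable. It lists each svchost.exe instance by memory use with the services it hosts, and flags instances that do not run from the Windows system directories or host no service.

```powershell
# Added example: one row per svchost.exe instance, largest working set first.
# Genuine instances run from System32 (or SysWOW64 for 32-bit hosts on 64-bit Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process that hosts them.
$byPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Sort-Object WorkingSetSize -Descending |
    ForEach-Object {
        $services = $byPid["$($_.ProcessId)"]
        [pscustomobject]@{
            PID          = $_.ProcessId
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
            # ExecutablePath is empty when the prompt is not elevated; PathOk is then False.
            PathOk       = ($expected -contains $_.ExecutablePath)
            HostsService = [bool]$services
            Services     = if ($services) { ($services.Name | Sort-Object) -join ', ' } else { '' }
        }
    } | Format-Table -AutoSize -Wrap
```

A large working set on the instance that hosts wuauserv and BITS is consistent with Windows Update activity; a row with `PathOk` or `HostsService` false on an elevated prompt is the one to look at more closely.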
     
  4. tipstir

    tipstir TS Ambassador Posts: 4,663   +86

    Run those programs you have listed in Safe Mode; run this one also: Malwarebytes' Anti-Malware.
    I prefer using tools like GMER and SmitFraudFix under Safe Mode.
     
  5. WinDos

    WinDos TS Rookie Topic Starter Posts: 16

    I already ran a whole cadre of antiviruses and check programs, including Malwarebytes' Anti-Malware (which I said in my opening post).

    None of them ever detect anything more serious than a bad cookie; I'm just concerned with my svchosts.
     
  6. tipstir

    tipstir TS Ambassador Posts: 4,663   +86

    See, those like GMER and SmitFraudFix don't get installed; they run on their own to isolate the problem. They first detect if you have a problem, then you press a key and it will remove it. I've been where you are now. Not a fun experience. Even if you can remove the problem the system might not be stable enough to work as it did prior to this problem.

    I use IS myself but not the one you're using. I've tried them all and to me none of them can block out everything. So I use something most don't use in IS for free but works great. These issues are gone on all my systems including server OS. Only 4 systems out of 8 had to be rebuilt. The others including the server I was able to save.

    You can try everything that's out there and still run into the same things I did. What you can do is run PrevX CS and see if that finds anything on your system right now. That's free to scan but not free to remove. But it will give you an idea if you have anything on the system like cloaked malware, a worm, etc.
     
  7. WinDos

    WinDos TS Rookie Topic Starter Posts: 16

    I get the feeling that your English isn't all that great. The chances of me having a virus, malware, or any other type of malicious software are EXTREMELY low. In fact, I have no symptoms whatsoever if I turn off Windows updates, which was probably the cause of this.

    Can anyone else at least take a look at my HJT log and recommend a solution? Someone who speaks English...
     
  8. mflynn

    mflynn TS Rookie Posts: 2,793

    Sorry Win

    I looked at your HJT log and saw no sign of malware or anything that might impact performance greatly!

    But there are a couple of minor wheel spinners.

    Run HJT Scan only and select to fix any line that ends in (no file) and (file missing)

    Just remove all as above but those 64-bit specific that begin with @%
    Such as @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) HJT cannot handle and will not go.

    Also get the following:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    Get: http://www.mlin.net/StartupCPL.shtml and uncheck or delete anything that you don't need including the above Acrobat and QuickTime!

    Here are 2 other procedures you can consider:

    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Clean and tweak services

    In Services, stop and disable all of the below just to get them out of the way for now for troubleshooting purposes.

    Nothing is un-installed or deleted only disabled from running!

    They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

    Disabled uses no memory (RAM) and no CPU cycles.
    Manual uses the RAM but a small amount of CPU.
    Auto and not started they use even more RAM and CPU.
    Auto and started even more RAM and CPU ..

    Now in this case we are disabling for troubleshooting purposes. But when we finish, if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

    Leaving these all off then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note: if you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all!

    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    DNS Client
    Fast User switching
    Health Key and Certificate Management Service
    Indexing service
    Messenger
    Net logon
    Net.TCP Port Sharing
    NetMeeting Remote Desktop Sharing
    IPsec services
    QoS RSVP
    Remote Registry
    Uninterruptible Power Supply
    Universal Plug and Play
    Web Client
    Windows media player Network Sharing

    IF you are using a wired network card and "NOT" using wireless on this computer then you can
    also disable

    Wireless Zero configuration

    Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

    In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

    This is not to be confused with Wired Auto Config do not disable that!

    Below is a batch to do this for you. Remember nothing is deleted or uninstalled; to get anything back just go to Services and re-enable. The exception is jqs.exe (which you don't have): it makes Java start 1 sec faster but is such a hog it is deleted.
    --------------
    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    sc config Alerter start= disabled
    sc stop Alerter
    
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc
    
    sc config ClipBook start= disabled
    sc stop ClipBook
    
    sc config Dfs start= disabled
    sc stop Dfs
    
    sc config FastUserSwitchingCompatibility start= disabled
    sc stop FastUserSwitchingCompatibility
    
    sc config TrkWks start= disabled
    sc stop TrkWks
    
    sc config TrkSvr start= disabled
    sc stop TrkSvr
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config ERSvc start= disabled
    sc stop ERSvc
    
    sc config HidServ start= disabled
    sc stop HidServ
    
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent
    
    sc config CiSvc start= disabled
    sc stop CiSvc
    
    sc config IsmServ start= disabled
    sc stop IsmServ
    
    sc config kdc start= disabled
    sc stop kdc
    
    sc config LicenseService start= disabled
    sc stop LicenseService
    
    sc config Messenger start= disabled
    sc stop Messenger
    
    sc config Netlogon start= disabled
    sc stop Netlogon
    
    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing
    
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc
    
    sc config NetDDE start= disabled
    sc stop NetDDE
    
    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm
    
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp
    
    sc config SysmonLog start= disabled
    sc stop SysmonLog
    
    sc config RSVP start= disabled
    sc stop RSVP
    
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV
    
    sc config upnphost start= disabled
    sc stop upnphost
    
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc
    
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv
    
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN
    
    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry
    
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess
    
    sc config SCardSvr start= disabled
    sc stop SCardSvr
    
    sc config TlnSvr start= disabled
    sc stop TlnSvr
    
    sc config UPS start= disabled
    sc stop UPS
    
    sc config WebClient start= disabled
    sc stop WebClient
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config JavaQuickStarterService start= disabled
    sc stop JavaQuickStarterService
    sc delete JavaQuickStarterService
    attrib -h -s -r /s c:\jqs.*
    del /f /q /s c:\jqs.*
    
    sc config RpcSs start= auto
    sc start RpcSs
    
    sc config RpcLocator start= auto
    sc start RpcLocator
    
    sc config MSIServer start= auto
    sc start MSIServer
    exit
    exit
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    Autoruns/Runscanner cleanup

    Make sure hidden files and folders are shown. Open Windows Explorer click Tools or View and then Folder Options-View.

    Choose Show hidden files and folders, uncheck Hide protected operating system files and click OK.

    Download install and run AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    Run it let it scan, then when it says ready at bottom left corner, make sure the EVERYTHING Tab is selected and then click File at top and then Find.

    Type in the find box file not found and hit enter and delete all lines that have file not found.

    When you reach the bottom then go back to top and click the first entry under the Everything tab (to begin the search from that point) and search again in case any were missed.

    This is a bunch of old stuff that M$ thought you might or would need that no longer exist, or for computers that are assumed to have SCSI or AMD processors but do not, or that you have Intel but do not!

    After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for anything you want, if needed.

    Then look carefully through all the Everything entries and delete anything that you may have had but uninstalled and thought were gone. If you are sure delete these also.

    Next

    Then get install and run:
    RunScanner http://www.runscanner.net/download.aspx

    Click Scan computer
    Double click all Red lines to select, then click Item fixer and remove them.

    Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

    Same as already said on AutoRuns: stuff that was assumed to be needed but you do not have.

    None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

    Reboot and recheck with both AutoRuns and RunScanner.
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    One other thing to help find a hog is open Taskmgr then click View then select columns and then CPU time.

    Then double click the CPU Time to sort System Idle to top. The next line is your biggest CPU user and the next in order.

    Shame ProcessHacker is not 64-bit yet as it is the best at finding hogs if configured properly.

    Mike
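
The batch above changes service start types in bulk, and several of the services it touches (DNSCache, PolicyAgent, Netlogon) affect name resolution, IPsec policy and domain logon. The following is an added example, not part of mflynn's post: it records the current start mode and state of those services before the batch runs so the change can be reversed exactly. It assumes PowerShell 3.0 or later and an elevated prompt; the `$Names` subset, the backup file name and both function names are hypothetical.

```powershell
# Added example (not from the thread). Extend $Names to match the services you disable.
$Names  = 'TrkWks','DNSCache','PolicyAgent','Netlogon','SSDPSRV',
          'upnphost','WebClient','RemoteRegistry','AeLookupSvc','HidServ'
$Backup = Join-Path $env:USERPROFILE 'service-startmodes.csv'   # hypothetical file name

function Save-ServiceStartMode {
    # Record start mode and running state for every listed service that exists here.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -in $Names } |
        Select-Object Name, StartMode, State |
        Export-Csv -Path $Backup -NoTypeInformation
    Import-Csv $Backup | Format-Table -AutoSize
}

function Restore-ServiceStartMode {
    # Win32_Service reports Auto/Manual/Disabled; Set-Service expects Automatic/Manual/Disabled.
    # Delayed auto-start is reported as Auto and is restored as plain Automatic.
    $map = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($row in Import-Csv $Backup) {
        if (-not $map.ContainsKey($row.StartMode)) {
            Write-Warning "$($row.Name): start mode '$($row.StartMode)' not restored"
            continue
        }
        Set-Service -Name $row.Name -StartupType $map[$row.StartMode]
        if ($row.State -eq 'Running') {
            Start-Service -Name $row.Name -ErrorAction Continue
        }
    }
}

Save-ServiceStartMode        # run before the batch
# Restore-ServiceStartMode   # run afterwards to put every service back as it was
```

When calling the service control tool from PowerShell instead, type `sc.exe`, because `sc` alone is an alias for `Set-Content` in Windows PowerShell.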
     
  9. tipstir

    tipstir TS Ambassador Posts: 4,663   +86

    English is not the question here. I am in a rush; I'll type it out plain Jane for you. If you have issues other than Virus & Malware then this isn't the right area to be in. Hardware or the OS is giving you issues then.
     
  10. WinDos

    WinDos TS Rookie Topic Starter Posts: 16

    I didn't know what I had, which is why I pasted here. And yes, you do have English issues, which makes me wonder why you paste here. Anyway, mflynn helped me, so I'm off.

    Thanks mflynn!
     
  11. mflynn

    mflynn TS Rookie Posts: 2,793

    Are you off to do it or already have?

    Mike
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm coming in late to this thread, but I will start out by saying it's not a good idea to insult the volunteers who are trying to help you.

    To the matter at hand:
    You show 30 Services running - most likely most or all are set up with Automatic Startup mode. Many of those Services display as Generic Host Process for Win32, or for short, svchost.exe.

    Use this site as a reference and try to get some of those Services on Manual:
    http://www.blackviper.com/WinVista/servicecfg.htm

    You will find a chart which describes each Service and recommended settings. Always check the Dependencies tab.

    It is not uncommon to have multiple svchost.exe running.

    Take it or leave it- it's in English.
     
  13. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    Read the "How to speed up Windows for free" guide in the guides forum.
     