TechSpot

Why do I have 13 svchosts.exe running

By Akai
Oct 3, 2008
Topic Status:
Not open for further replies.
  1. My computer isn't running as fast as it used to be, my computer is custom built and this thing is beast. Quad core processor, 8GB ram, etc etc. This should not be slow for running Windows Vista x64bit. I've wiped it out once, but yet I'm wondering why I have 13 "svchosts.exe" running in my task manager and how I have 20% cpu usage when I'm running aim and a browser. I would normally have 1 or 2%.

    Just trying to figure out why this thing is slowing down. Picture below.

    http://img411.imageshack.us/img411/4503/svhostpicih6.jpg
     
  2. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    Funny you should ask... was just discussing.. look here

    /************* EDIT *******************/
    Suggest you have a look with Process Explorer as well.. and run HijackThis and see if spoolsv.exe listed (out of curiosity now)
     
  3. Akai

    Akai TS Rookie Topic Starter Posts: 134

    I ran a HJT log (latest version) and I did find spoolsv.exe in it (just did a find search).

    Here's my log, maybe someone can look at it and see what's up.
     

    Attached Files:

  4. Akai

    Akai TS Rookie Topic Starter Posts: 134

    Bump please.
     
  5. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    Hi

    I'm not one of the malware removal experts here and will let someone else provide a "definitive" opinion on your hjt log... (tho i can tell you run a 64 bit machine which is why hjt reports so many "missing" files and not to be alarmed by that alone)

    but based on recent malware found in a scenario similar to yours would like to take a bit more info

    Could you
    • Can you start a command prompt (Start->Run, cmd. tho may need a little more due to UAC in vista) but would like you to get to a command prompt and enter and post the results of tasklist /svc /fi "imagename eq svchost.exe"
    • Suggest you try installing Process Explorer as will give more detail for analysis
    • Exactly which version of Vista are you running?
    • As a quick test just to see if your symptoms happen to point to the similar problem found, you can try disabling the Print Spooler Service then reboot. (You won't be able to print anything when it's disabled but see how your machine runs then) Here's a link that should help show how.

    I gotta run a short while but will look back on you when i return. (see how ur doin and if anyone has joined the thread)
     
  6. Akai

    Akai TS Rookie Topic Starter Posts: 134

    That is what I got when I ran the command you gave me. I'm running Windows Vista Home Premium 64bit. And I can disable the printer spool after you or someone looks at what I posted above and see if it's needed.

    Thanks for your help so far!
     
  7. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    well..

    1. nothing jumps out at me from your HJT (tho you should look at it to confirm what's listed as "your trusted zones")
    2. no indication that spooler should be the issue either
    3. Is normal to have many svchosts (is one reason malware sometimes hides in them). Windows will run one or more services in a single svchost. You can see which services in which svchost from the tasklist output. But no indication here either of bogus services in your svchosts, that i can see.
    4. See if you can get another opinion on your hjt (can be slower around here on weekends)
    5. And in meantime, note that if you click the CPU column header in task manager you can order processes numerically so you put the process taking most CPU at the top of the list. Why don't you keep an eye on it while system is running and in particular when running slow to see if any process in particular shows high CPU pattern. (Note: Ignore System Idle Process. A big number there is good. just helps add things up to 100%)
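
An added example, not part of the original posts: a small Python reader for the `tasklist /svc /fi "imagename eq svchost.exe"` output requested above, listing the services in each svchost and flagging instances worth a second look. The sample output, the `KNOWN` baseline and the service name `updtsvc32` are constructed for illustration; treating an svchost that hosts no services as suspicious is a triage heuristic, not proof of malware.

```python
import re

# Constructed sample of `tasklist /svc /fi "imagename eq svchost.exe"` output
# (not the poster's actual output, which the page does not include).
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    832 DcomLaunch, PlugPlay
svchost.exe                    900 RpcSs
svchost.exe                   1024 AudioSrv, Dhcp, Eventlog,
                                   lmhosts, wscsvc
svchost.exe                   2216 N/A
svchost.exe                   3380 Spooler, updtsvc32
"""

# Hypothetical baseline: service names the reviewer already trusts on this machine.
KNOWN = {"DcomLaunch", "PlugPlay", "RpcSs", "AudioSrv", "Dhcp", "Eventlog",
         "lmhosts", "wscsvc", "Spooler"}

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")

def parse_tasklist_svc(text):
    """Return {pid: [service, ...]}, joining wrapped continuation lines."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, names = int(m.group(2)), m.group(3)
            procs[pid] = []
        elif pid is not None and line[:1].isspace():
            names = line  # indented continuation of the previous row
        else:
            continue  # header, separator or blank line
        procs[pid] += [n.strip() for n in names.split(",")
                       if n.strip() and n.strip() != "N/A"]
    return procs

def review(procs, known):
    """Return (pid, reason) pairs that deserve a closer look."""
    findings = []
    for pid, services in sorted(procs.items()):
        if not services:
            findings.append((pid, "svchost.exe hosting no services"))
        for name in services:
            if name not in known:
                findings.append((pid, "service not in baseline: " + name))
    return findings

if __name__ == "__main__":
    for finding in review(parse_tasklist_svc(SAMPLE), KNOWN):
        print(*finding)
```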
     
  8. tw0rld

    tw0rld TS Maniac Posts: 609   +6

  9. Akai

    Akai TS Rookie Topic Starter Posts: 134

    Okay I followed all the steps and here are the logs.
     

    Attached Files:

  10. Akai

    Akai TS Rookie Topic Starter Posts: 134

    Bump please.

    I have posted the logs as you requested.
     
  11. tw0rld

    tw0rld TS Maniac Posts: 609   +6

    I did not see any threats in your HJT log. SVCHOST.EXE is used to run .dll files that are associated with various programs or services.

    Suggest that you go along with LookinAround's suggestion about running Process Explorer to determine what is using SVCHOST. My guess is that these are legitimate processes, therefore nothing to worry about.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have an extraordinary number of Services running and they aren't configured correctly. Many of them display as 'svchost.exe' when running. Please go through Parts 1,2, and 3 of the Vista Services Guide here: http://www.tweakvista.com/articles/38662/vista-service-guide-part-1/

    Make a list of the Services to reset to one of the three Start-up types, but don't do it yet.

    The following entries should be removed and each Service reconfigured correctly according to the information for each. Remember, many Services can be set to Manual so that they only start when needed. Only a few need to be on Automatic, and some can be Disabled. Be sure to check the Dependency tab when re-setting the Service startups.

    Reopen HijackThis and scan. CHECK the following:
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.
    Start> Run> type in 'msconfig' without the quotes> Enter> Selective Startup> Startup menu> UNCHECK ALL processes EXCEPT the antivirus & firewall> Apply> OK.

    Remove all of these sites from the Trusted Zone- your use of the wild card * gives too much permission to these domains:
    Start> Run> type in services.msc> look for each of the Services that we removed. Right click on the Service>Properties> Reconfigure them according to the information of their use. You do not need to Start the Service. Those needed will start when you boot.

    Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again'. You must stay in Selective Startup.

    Download and install the current Java> v6u7:
    http://java.com/en/download/manual.jsp

    Rescan with HijackThis and attach the log.

    A NOTE per a previous reply: The Print Spooler Service needs to be set to Automatic. Make sure the RPC Service is also started.
     
  13. Akai

    Akai TS Rookie Topic Starter Posts: 134

    Okay I did these:

    1.) Went through that guide and disabled:
    2.) Removed/Fixed those HJT entries.

    3.) Rebooted into safe mode

    4.) Went into msconfig>startup and disabled all except firewall anti-virus

    5.) Removed those sites from trusted site.

    6.) Rebooted into normal mode

    7.) Installed Java

    Here is my HJT log. I still have all those svchost.exe running and ridiculous CPU usage.
     
  14. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    Don't change anything till you get a new HJT opinion but in parallel you can monitor your CPU usage (good to do anytime)

    • Install Process Explorer
    • Click Options and set Hide when Minimized, Allow Only One Instance, Confirm Kill, CPU History in Tray Icon
    • Whenever PE is open, you can click CPU column header to see processes sorted by CPU usage. When usage high, check top of the list, OR
    • Minimize PE. Note the red and green waves through its system tray icon
      • Green indicates total CPU usage
      • Red indicates the process using the most CPU time
      Hover cursor over the icon to get the info
    Whenever total CPU usage seems high check which process(es) are using up most of it.

    Also.. install Autoruns and then run autoruns.exe. Notice its status in lower left corner of window
    • Hit ESC key (your upper left on keyboard) to stop scanning
    • Click Options Check Verify Code Signatures. Other options should be unchecked
    • Click File->Refresh to start scanning
    • Wait for status in lower left says Done. Then click File->Save As, save to a text file and attach back here
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, believe it or not, HiJackThis should only be run if you suspect you have been 'hijacked' by malware. Re: Missing Files? Look in your Windows\System32 folder. Do you see the 'missing files' there? If you do, they are not missing.
    Reopen HijackThis and scan. Put a CHECK by these processes:
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

    Regarding this:
    (WindowsWelcomeCenter is not necessary for startup. It is usually run infrequently and can be started manually if needed. Shows the Welcome Center every time you boot into Windows Vista)
    These are still showing in the Trusted Zone. Suggest they be moved out:
    Regarding the number of svchost.exe processes. I have 11 running, but I don't have any with a memory consumption of the one you have with 133,365K. That is one to be concerned about. The others are within normal limits. See if turning off the Welcome Center stops this one. If it does not, go into the Task Manager> View> set Columns> check the PID column. Give me the PID for THIS svchost.exe only.
     
  16. Akai

    Akai TS Rookie Topic Starter Posts: 134

    Okay, so I looked at HJT and found all the "(file missing)" entries, and checked my System32 folder, and they were all there. I only didn't find one. Here they all are:

    WmiApSrv.exe was the only one I couldn't find in the folder. But if all those above showed up missing, but are in the folder, then why does it say file missing in HJT?

    I fixed those two entries you told me to do, so I'm assuming that turned off Windows Welcome Center? If not, then not sure how to do it. I tried removing those three links from my trusted sites, but every time I do it, I go back and check and they are still there.

    The PID number for the svchost.exe is: 284
    It's still showing 139k usage.

    Oh and LookinAround, I'm going to install that program and I'll post the log.
     
  17. etchhh

    etchhh TS Rookie Posts: 28

    i'll reply to this as i've asked this question before to a friend ,,,,
    he answered me saying - svchost.exe stands for service host , this executable runs when u use many files.dll in ur operating system , as long as u using many xxx.dll this svchost.exe gets bigger and bigger , by default it opens in several sessions , thats why u see this svchost.exe is opened in many sessions in ur task manager ...

    but if u r not using any media files or not dealing with .dll yet (like if u just opened ur PC and u see this svchost.exe has many sessions already ...) - u may think there r other programs dealing with ur dlls and making this svchost.exe bigger ?

    yes - u may have some trojans or viruses use ur resources , thats why u have this svchost making nasty sizes and may prevent u from dealing with ur programs - like "not enough memory to run program" message , and if u tried to remove it from the task manager processes , u may not be able to run media files or u may find tough time dealing with ur PC drivers -u wont be able to start a game u sure it was running before- ...

    now , what u have to do ?
    is a full scan for these viruses and search for the nasty trojans that affect ur PC and steal ur PC resources ...

    thats just for u to understand what's going on no more :) - so , have a nice day :))
     
  18. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    Hi etchhh :wave:. Thanks for joining in the thread and offering some info.

    Yes, svchost even when not-malware infected and behaving well can still look suspicious or at least confusing to many users.

    But it really is not so related to your media files as it is related to "Windows Services". Windows services are special "helper" type programs that run in the background while your programs run.

    And there are many, many different types of Windows services that can handle error reporting, many help in network communication or Plug-and-Play and device discovery, and many more. And since there are sooooo many, they have been divided into functional groups so services in the same group have some similarities among them. The group of services are combined to allow them to all run within a single process. And that single process is svchost

    An svchost may have one service in it. It may have 10. Is just the Windows programmer decision. But given the nature of svchost - a single process name which occurs multiple times and each contain a different number of things - it's quite a popular target for malware.

    But luckily there are very good tools available to help us recognize
    • if it's innocent
    • if it's being used to hide malware
    • if it has no malware... is just behaving badly on its own!

    And then get it all fixed!
     
  19. etchhh

    etchhh TS Rookie Posts: 28

    excellent ^^

    really excellent reply lookingaround :) , u made it easy even for me to understand how does Windows Services work :))

    thanks again u really helped me :)
     
  20. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    glad to help :)

    Feel free to ask questions (relevant to a thread, that is)

    Or start your own if need be.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Two points to clarify:

    Control Panel> Administrative Tools> Services> do a right click> Properties on each Service> look in the 'path to executable' box and you will see those that will show as svchost.exe. This will give you an idea of how many display that way.

    When you try to identify a process, most sites will tell you where that process "should be" and go on to tell you that malware will sometimes disguise the file as a legitimate entry. Checking the location can verify the file. And because so many svchost run, that is a 'favorite' disguise for malware.
     
  22. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    Excellent point.

    And knowing things about a process and the physical source of its run-time image is very important. So let me briefly show just a few features of a great tool that quickly puts a wealth of info in front of you and all available from the tool.

    • Install Process Explorer
    • Click Options and set Hide when Minimized, Allow Only One Instance, Confirm Kill, CPU History in Tray Icon
    Now we can do a little, uh, Process Exploring!
    • When it's open, hit the Process Name column header sorts it alpha A-Z, click again it sorts alpha Z-A, or the 3rd time is "hierarchical" view.. gives some idea of who called who and when
    • Also note the little + and - boxes to left of process name. + means it's compacted. Hit it to expand it. Hit all +'s to expand everything
    • Now, alpha sort and hover the cursor over any svchost.exe process you see and you get a small pop up telling you services inside.
    • Now rt click on svchost , select Properties
    Now note the various tabs in Properties
    • Image Tab
      • Version info
      • Path the physical source loaded from disk
      • Command line.. this is the command used to start it up and the parameters (also good to know when catching malware)
      • Parent: also important catching some malware. This is the process which STARTED svchost. If the parent doesn't look right.. is a bad sign
    • Performance Tab
      Will only say you can see quite a bit of detail on how CPU, memory and IO used for this process
    • Services - an even better view of services within the process
    • TCP/IP - lets you know if the process has any TCP/IP communications open
    One more thing for now. In main process explorer display click View->Show Lower Display then View->Lower Pane View -> DLL. Now when you click svchost.exe you see all the DLLs the process is using. Also, can be helpful in catching malware

    OK. enough typing for now. if u feel like it, play around with Process Explorer. Is way cool tool.
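
An added example, not part of the original posts: the three Image-tab checks described above (path, parent, command line), together with the location check from the previous reply, applied in Python to a list of process records. The records are constructed for illustration, and the trusted directories assume Windows is installed in C:\Windows.

```python
import ntpath
import re

# Assumption: Windows lives in C:\Windows. SysWOW64 holds the 32-bit copy on x64.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed records (pid, parent pid, name, image path, command line);
# not data from the thread.
SAMPLE = [
    (612, 540, "services.exe", r"C:\Windows\System32\services.exe",
     r"C:\Windows\system32\services.exe"),
    (832, 612, "svchost.exe", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    (1024, 612, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe",
     r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"),
    (3000, 2980, "explorer.exe", r"C:\Windows\explorer.exe",
     r"C:\Windows\Explorer.EXE"),
    (2216, 3000, "svchost.exe", r"C:\Users\Public\svchost.exe",
     r"C:\Users\Public\svchost.exe"),
]

def check_svchost(procs):
    """Return (pid, reason) for each svchost.exe that fails one of the checks."""
    names = {pid: name.lower() for pid, _, name, _, _ in procs}
    findings = []
    for pid, ppid, name, path, cmdline in procs:
        if name.lower() != "svchost.exe":
            continue
        # Path: the image must load from a Windows system directory.
        if ntpath.dirname(ntpath.normpath(path)).lower() not in TRUSTED_DIRS:
            findings.append((pid, "unexpected image path: " + path))
        # Parent: the Service Control Manager (services.exe) starts svchost.
        if names.get(ppid) != "services.exe":
            findings.append((pid, "parent is not services.exe"))
        # Command line: a genuine svchost is started with -k <service group>.
        if not re.search(r"\s-k\s+\S+", cmdline, re.IGNORECASE):
            findings.append((pid, "no -k service group on command line"))
    return findings

if __name__ == "__main__":
    for pid, reason in check_svchost(SAMPLE):
        print(pid, reason)
```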
     
  23. Akai

    Akai TS Rookie Topic Starter Posts: 134

    Sorry for the very delayed response.

    So I downloaded and installed Process Explorer, and I checked the svchost.exe that is using the most usage (139k) and here's what it showed:


    IMAGE


    SERVICES
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  25. Akai

    Akai TS Rookie Topic Starter Posts: 134

    Okay, I read it. Did the command.

     