CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

I have created a high priority deny for the following rule but I would like for this rule to stop popping up on all the workstations, simply because the flag is always waving for all the users.
4/18/2006 8:26:13 AM: The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\SYSTEM) attempted to communicate with x.x.x.x on UDP port 1900. The attempted access was to initiate a connection as a client (operation = CONNECT). The operation was denied.
What other changes need to be made so that users do not see this process at all?

You can silence the flag unless you have another network access control rule set to log for incoming connections:
If you have one rule set to deny incoming connections and log them, users will see the flag waving for all of them. You must create another rule that is set to deny (not high priority deny) acting as a server for a specific port, set to not log and set to take precedence over other deny rules.
I know this works because we do it here for the UPNP/SSDP services. The rule is set to deny svchost.exe from accepting connections on port 1900, not to log and to take precedence over other deny rules.
The only time this doesn't work is when machines are in test mode and then the only place you see messages is on the MC.
If this didn't work we would have hundreds of these flags waving every day.
Tom S

Similar Messages

  • Memory leaks- high memory usage svchost.exe

    hello!
    I'm having a kind of a similar problem. I'm using a Q6600 with 4Gb of RAM running on Windows 7 x64. My physical memory usage history is 1.75GB idle but my CPU usage looks good ~ 0%.
    In Windows Task Manager when I arranged the memory column, the process with the highest memory usage is svchost.exe with 116,572K. And I have 14 svchost.exe in my computer! I opened Process Explorer and checked the legitimacy of all those svchost.exe and they are all legit. When I look at the properties of the highest svchost.exe in Process Explorer, the services which are running under it are as follows
    AudioEndPointBuilder c:\Windows\System32\Audiosrv.dll
    CscService c:\Windows\System32\cscsvc.dll
    hidserv c:\Windows\System32\hidserv.dll
    Netman c:\Windows\System32\netman.dll
    PcaSvc c:\Windows\System32\pcasvc.dll
    SysMain c:\Windows\System32\sysmail.dll
    TrkWks c:\Windows\System32\trkwks.dll
    UxSms c:\Windows\System32\uxsms.dll
    wudfsvc c:\Windows\System32\WUDFSvc.dll
    All are legit DLLS.
    Is it normal to have 14 svchost.exe running at the same time (system, local service, network service in Task Manager), and how can I reduce the memory usage of the svchost.exe?

    Hi,
    There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can
    be run depending on how and where Svchost.exe is started.
    If you would like to reduce the usage of this service, I could share the following article with you:
    Getting Started with SVCHOST.EXE Troubleshooting
    PRF: High CPU (SVCHOST.EXE)
    Hope it helps.
    Alex Zhao
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

    Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied
    to svchost.exe and therefore is protected from being manually restarted.
    I noticed the following errors when this occurs:
    Log Name:      Application
    Source:        Application Error
    Date:          7/23/2013 4:35:26 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server1.xxx.xxx.net
    Description:
    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x46c
    Faulting application start time: 0x01ce877f9476ac07
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
        <EventRecordID>158950</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW19XM2.agency.nwie.net</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>46c</Data>
        <Data>01ce877f9476ac07</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
      </EventData>
    </Event>
    All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMWare, however,
    about 5 months ago a similar error fired on a non-virtual machine:
    Log Name:      Application
    Source:        Application Error
    Date:          2/27/2013 6:57:58 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AAW29033
    Description:
    Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x6c0
    Faulting application start time: 0x01ce14e1af313fd9
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
        <EventRecordID>286291</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW29033</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe_gpsvc</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>6c0</Data>
        <Data>01ce14e1af313fd9</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
      </EventData>
    </Event>
    I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specifically with the Exception code: 0xc0000024, which causes the Group Policy Client service to stop?

    You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for awhile, however, it is now back with a vengeance.
    I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager GPSVC starts running again.
    When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...",
    however, normal user accounts just get a message when logging into the server "The Group Policy Client Service Failed the Logon. Access is denied."
    I haven't opened a case with Microsoft yet, but we are about ready to because of the increase in these errors.
    If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
    **EDIT -- apparently I mistook the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process, however, after I crashed it and let it sit crashed for awhile when I attempted to restart either by starting a svchost task, or running gpupdate /force it failed. Either that, or there is a timing issue where if we don't restart the svchost process, or run gpupdate /force quickly enough it won't be able to recover without a reboot.
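The two crashes quoted above can be compared field by field once the positional <EventData> values are named. The following is an added example, not code from the thread; the field names, the ConvertFrom-AppErrorXml helper and the SERVER-A/SERVER-B computer names are assumptions, and the fault values are the ones in the post. 0xC0000024 is the NTSTATUS value STATUS_OBJECT_TYPE_MISMATCH.

```powershell
# Added example. <EventData> order for Application Error event 1000, read off the
# Description/XML pairs quoted in the post above.
$fieldNames = 'AppName', 'AppVersion', 'AppTimeStamp', 'ModuleName', 'ModuleVersion',
              'ModuleTimeStamp', 'ExceptionCode', 'FaultOffset', 'ProcessId',
              'AppStartTime', 'AppPath', 'ModulePath', 'ReportId'

function ConvertFrom-AppErrorXml {
    param([Parameter(Mandatory = $true)][string]$Xml)

    $doc  = [xml]$Xml
    # Data values are plain text here; newer Windows adds Name attributes, so handle both.
    $data = @($doc.Event.EventData.Data | ForEach-Object {
        if ($_ -is [System.Xml.XmlElement]) { $_.InnerText } else { [string]$_ }
    })
    if ($data.Count -lt $fieldNames.Count) { throw 'Unexpected EventData layout' }

    $row = [ordered]@{
        Computer    = $doc.Event.System.Computer
        TimeCreated = $doc.Event.System.TimeCreated.SystemTime
    }
    for ($i = 0; $i -lt $fieldNames.Count; $i++) {
        $row[$fieldNames[$i]] = $data[$i]
    }
    # AppStartTime is a FILETIME in hex; decoding it shows how long the host ran before the fault.
    $row['ProcessStartUtc'] = [datetime]::FromFileTimeUtc([Convert]::ToInt64($row['AppStartTime'], 16))
    # Same module, offset and exception code means the same fault, whatever the host name tag is.
    $row['Signature'] = '{0}+0x{1} (0x{2})' -f $row['ModuleName'],
                            $row['FaultOffset'].TrimStart('0'), $row['ExceptionCode']
    [pscustomobject]$row
}

# Constructed sample: the two events from the post, trimmed, with placeholder computer names.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="{0}" />
    <Computer>{1}</Computer>
  </System>
  <EventData>
    <Data>{2}</Data><Data>6.1.7600.16385</Data><Data>4a5bc3c1</Data>
    <Data>ntdll.dll</Data><Data>6.1.7601.17725</Data><Data>4ec4aa8e</Data>
    <Data>c0000024</Data><Data>00000000000cd7d8</Data><Data>{3}</Data>
    <Data>{4}</Data><Data>C:\Windows\system32\svchost.exe</Data>
    <Data>C:\Windows\SYSTEM32\ntdll.dll</Data><Data>{5}</Data>
  </EventData>
</Event>
'@

$sampleEvents = @(
    ($template -f '2013-07-23T08:35:26.000000000Z', 'SERVER-A', 'svchost.exe',
        '46c', '01ce877f9476ac07', 'd252d26d-f372-11e2-8ad4-005056ac00e8'),
    ($template -f '2013-02-27T11:57:58.000000000Z', 'SERVER-B', 'svchost.exe_gpsvc',
        '6c0', '01ce14e1af313fd9', 'ed3d01c4-80d4-11e2-9128-b499baa9e5e8')
)

# Live use instead of the sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } |
#       ForEach-Object { ConvertFrom-AppErrorXml -Xml $_.ToXml() }
$crashes = $sampleEvents | ForEach-Object { ConvertFrom-AppErrorXml -Xml $_ }

$crashes | Format-Table Computer, TimeCreated, AppName, ProcessStartUtc, Signature -AutoSize

# One row per distinct fault, with the machines it was seen on.
$crashes | Group-Object -Property Signature | ForEach-Object {
    [pscustomobject]@{
        Count     = $_.Count
        Signature = $_.Name
        Computers = ($_.Group | ForEach-Object { $_.Computer } | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```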

  • Expected actions of svchost.exe - what is interesting, in the context of monitoring what svchost.exe is doing?

    Hi,
    I have seen numerous articles explaining svchost, and I think I have a reasonable grasp of it (although basic).  My favourite article so far is
    http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchostexe-process/#advanced, which I think is well written and very handy indeed!
    My current issue is that I am tweaking a security program called McAfee Host IPS, currently running on 2003 R2 and 2008 R2 servers, and getting a lot of events associated with svchost.exe that I believe require exceptions to be configured.  What I do
    not want to do, however, is configure an exception that hides something that may be useful information, however there is a balance required in what I am doing.
    Focusing on my current task at hand, I can confirm I have seen a large number of events associated with the below.  The below is all of the information I have on the Host IPS signature in question, although I am currently digging further.
    IPS Signature Name: CMD Tool Access by a Network Aware Application
    IPS Signature details: This event indicates an attempt by a networked application to access, modify or execute a system program that may be used to modify the configuration of your system.
    IPS Signature severity: Low
    I have seen a large number of events with threat source process = C:\WINNT\SYSTEM32\SVCHOST.EXE, and the following files, either accessed or executed.
    C:\WINNT\System32\tasklist.exe
    C:\WINNT\System32\ipconfig.exe
    C:\WINNT\System32\cmd.exe
    C:\WINNT\System32\route.exe
    As the above reference lists DLLs specifically, and not EXEs, I am not sure if this is expected (but am gathering it is, especially as the IPS signature details refers to 'system programs').
    I am suspecting that my best action here is to configure an exception for threat source process <systemdir>\SVCHOST.EXE and target files <systemdir>\*.*, as my hypothesis is that even if I have not seen it in the tuning phase, there are
    a lot of similar benign actions that could potentially trigger in the day to day workings of the OS.  I am also assuming that I will see similar in later versions of Windows Server OS.
    To throw a slight curveball, we are also integrated with a SIEM solution.  As this signature severity is low, it is mapped to a log action so nothing will actually be stopped, but if there are no exceptions, relevant events would go through to SIEM. 
    They could be filtered there, but potentially used in correlation rules or troubleshooting, but that obviously takes more space in the McAfee (ePO) database and the SIEM solution, which needs to be taken into account.
    Thoughts on this would be greatly appreciated - I genuinely wish I knew more about this subject!
    Cheers,
    Darren

    Hi,
    I am not sure what specific information you are looking for - could you clarify?  I think I have covered the majority of what is happening in my initial post, however if there is a specific bit of information you are after, let me know.
    The above is an article I had stumbled across, with the majority of the information contained in the link included in my initial post.  The final paragraph under 'could this process be a virus' is interesting - I have copied it below - from your perspective
    is this merely anecdotal or is there something behind it (references, if they exist, would be fantastic)?
    "As long as you make sure that the location of the file is in your Windows\System32 directory, you aren’t dealing with a virus. There have been cases of certain viruses trying to mimic the same filename, but they are always located in another directory."
    - source: http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/ , 09/01/15
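One way to compare the broad exception proposed above with one limited to the four observed targets, before committing to either. This is an added example, not part of the original post and not McAfee Host IPS code: the matching model, the exception names and every event beyond the four listed targets are constructed assumptions.

```powershell
# Added example: a simplified model of exception matching for comparing scopes.
# It is not McAfee Host IPS's matching engine; wildcard semantics here are PowerShell's -like,
# where * also matches backslashes (so sub-folders of the system directory are covered too).
$systemDir = 'C:\WINNT\System32'
$svchost   = "$systemDir\svchost.exe"

# Constructed events. The first four targets are the ones listed in the post;
# the remaining three are made up to show what each exception would also cover.
$events = @(
    @{ Source = 'C:\WINNT\SYSTEM32\SVCHOST.EXE';            Target = "$systemDir\tasklist.exe" },
    @{ Source = 'C:\WINNT\SYSTEM32\SVCHOST.EXE';            Target = "$systemDir\ipconfig.exe" },
    @{ Source = 'C:\WINNT\SYSTEM32\SVCHOST.EXE';            Target = "$systemDir\cmd.exe" },
    @{ Source = 'C:\WINNT\SYSTEM32\SVCHOST.EXE';            Target = "$systemDir\route.exe" },
    @{ Source = 'C:\WINNT\SYSTEM32\SVCHOST.EXE';            Target = "$systemDir\netsh.exe" },
    @{ Source = 'C:\WINNT\SYSTEM32\SVCHOST.EXE';            Target = "$systemDir\reg.exe" },
    @{ Source = 'C:\Program Files\ExampleApp\agent.exe';    Target = "$systemDir\cmd.exe" }
) | ForEach-Object { [pscustomobject]$_ }

# The exception proposed in the post: svchost.exe against <systemdir>\*.*
$broadException = @{
    Source  = $svchost
    Targets = @("$systemDir\*.*")
}

# Alternative: svchost.exe against only the targets seen during tuning.
$narrowException = @{
    Source  = $svchost
    Targets = @('tasklist.exe', 'ipconfig.exe', 'cmd.exe', 'route.exe' |
                    ForEach-Object { "$systemDir\$_" })
}

function Test-Excepted {
    param($Record, $Rule)
    # The source process must match, then any one target pattern.
    if ($Record.Source -notlike $Rule.Source) { return $false }
    foreach ($pattern in $Rule.Targets) {
        if ($Record.Target -like $pattern) { return $true }
    }
    return $false
}

$report = foreach ($e in $events) {
    [pscustomobject]@{
        Source         = $e.Source
        Target         = $e.Target
        HiddenByBroad  = Test-Excepted -Record $e -Rule $broadException
        HiddenByNarrow = Test-Excepted -Record $e -Rule $narrowException
    }
}
$report | Format-Table -AutoSize

# Events that would still be logged (and forwarded to the SIEM) under the narrow
# exception but disappear under the broad one.
$lost = @($report | Where-Object { $_.HiddenByBroad -and -not $_.HiddenByNarrow })
'{0} of {1} sample events are suppressed only by the broad exception' -f $lost.Count, @($report).Count
```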

  • SVCHost.exe

    svchost.exe is consuming 200-600mb of memory on start up and does not stop until I kill the process, then does it again x2, then the display settings go from the sleek design to a windows 98 look, then svchost.exe stops leaking, but why is svchost.exe leaking in the first place after not doing it for 2-3 years of owning this computer running the same os?
    os: Windows 7 64 bit - fully up-to-date
    thanks in advance

    Hi Huzaifa,
    Please make sure the svchost.exe file is located in the folder C:\Windows\System32. In other cases, svchost.exe is a virus, spyware, trojan or worm. Also check the user name of the process, it should be SYSTEM, LOCAL SERVICE or NETWORK SERVICE.
    This process manages system services that run from dynamic link libraries (files with extension .dll). Examples for such system services are: "Automatic Updates", "Windows Firewall", "Plug and Play", "Fax Service",
    "Windows Themes".
    First you need to know what service/dll sys is running by SVCHOST.exe.
    Download Process Explorer from this website
    https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx?f=255&MSPPError=-2147217396
    Information about pool monitor
    https://msdn.microsoft.com/en-us/library/windows/hardware/ff550442%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
    Open Process Explorer and find the problem SVCHOST.exe and check which service is taking resources.
    Regards
    D. Wu
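The checks described in the reply above (image path, account, hosted services) can be run over every svchost.exe instance at once. This is an added example, not code from the thread; the Get-ServiceDll helper is hypothetical, accepting the SysWOW64 copy is an assumption made here, and the account names are the English ones given in the reply.

```powershell
# Added example, not from the thread. Run elevated on PowerShell 3.0 or later;
# without elevation the path and owner of some instances cannot be read.

# Assumption added here: besides System32, the 32-bit copy in SysWOW64 on 64-bit Windows is accepted.
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
$expectedUsers = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

# Index running services by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

function Get-ServiceDll {
    # Hypothetical helper: reads the DLL a shared-process service loads into svchost.exe.
    param([string]$ServiceName)
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $value = Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue
    if ($value) { [Environment]::ExpandEnvironmentVariables($value.ServiceDll) }
}

$report = foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    $user  = if ($owner -and $owner.ReturnValue -eq 0) { $owner.User } else { $null }

    $findings = @()
    if (-not $proc.ExecutablePath) {
        $findings += 'path unreadable (not elevated?)'
    } elseif ($expectedPaths -notcontains $proc.ExecutablePath) {
        $findings += 'unexpected path'
    }
    if (-not $user) {
        $findings += 'owner unreadable'
    } elseif ($expectedUsers -notcontains $user) {
        # Newer Windows versions also run per-user services under the logged-on
        # account, so this is a prompt for review rather than a verdict.
        $findings += "runs as $user"
    }

    $hosted = @($servicesByPid[[string]$proc.ProcessId] | Where-Object { $_ })
    if ($hosted.Count -eq 0) { $findings += 'hosts no registered service' }

    [pscustomobject]@{
        ProcessId = $proc.ProcessId
        User      = $user
        Path      = $proc.ExecutablePath
        Services  = ($hosted | ForEach-Object {
                        $dll = Get-ServiceDll -ServiceName $_.Name
                        if ($dll) { '{0} [{1}]' -f $_.Name, $dll } else { $_.Name }
                    }) -join '; '
        Findings  = $findings -join ', '
    }
}

# Instances with findings first, then by PID.
$report |
    Sort-Object -Property @{ Expression = { [string]::IsNullOrEmpty($_.Findings) } }, ProcessId |
    Format-Table -AutoSize -Wrap
```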

  • 'svchost.exe has encountered a problem and needs to close.'

    I keep getting this error message: svchost has encountered a problem and needs to close. I am running Windows XP 3. Does HP have a solution for XP-3?

    Hi,
    the error "svchost.exe" that you get is not necessarily because of your printer. I advise you to scan your computer for any kind of virus or trojan, or try the following steps:
    Method 1
    Leave the svchost.exe - Error dialog box open, and then follow these steps.
    Step 1: Check whether settings for the Automatic Updates service and for the Background Intelligent Transfer Service (BITS) are correct
    To do this, follow these steps:
    1.    Click Start, point to Run, type services.msc, and then click OK.
    2.    In the details pane, locate and double-click Automatic Updates.
    3.    Click the Log On tab.
    4.    Make sure that the Local System account option is selected and that the Allow service to interact with desktop check box is cleared.
    5.    Make sure that this service has been enabled in the Hardware Profile list. If this service has not been enabled, click Enable to enable the service.
    6.    Click the General tab, and make sure that the Automatic option is selected in the Startup Type list. Under Service status, click Start to start the service if it is not already running.
    7.    Repeat steps 2 through 6 for Background Intelligent Transfer Service (BITS).
    Step 2: Reregister Windows Update components
    To do this, follow these steps:
    1.    Click Start, click Run, type REGSVR32 WUAPI.DLL, and then press ENTER.
    2.    When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
    3.    Type the following commands in the Open box, one after the other, and then press ENTER after each command:
    REGSVR32 WUAUENG.DLL
    REGSVR32 WUAUENG1.DLL
    REGSVR32 ATL.DLL
    REGSVR32 WUCLTUI.DLL
    REGSVR32 WUPS.DLL
    REGSVR32 WUPS2.DLL
    REGSVR32 WUWEB.DLL
    Step 3: Rename the Windows Update temporary folder
    The temporary folder of Windows Update may be corrupted. In this case, you can rename the temporary folder of Windows Update. To do this, follow these steps:
    1.    Click Start, click Run, type cmd, and then press ENTER.
    2.    At the command prompt, type net stop Wuauserv, and then press ENTER.
    3.    Click Start, click Run, type %windir%, and then press ENTER.
    4.    In the folder that opens, locate and rename the SoftwareDistribution folder to SDold.
    5.    At the command prompt, type net start Wuauserv, and then press ENTER to start the Automatic Updates service.

  • Svchost.exe with "Dhcp, eventlog, lmhosts" services is generating thousands of page faults and I/O reads per second?

    On one of our Windows 2008 R2 Enterprise (SP1) servers, we're noticing a strange phenomenon.....that the svchost.exe that hosts "Dhcp, eventlog, lmhosts" is constantly generating page faults....a few thousand per second, accumulating to billions of total
    page faults.  I/O reads and I/O other are also rising every second.  Cpu is consistently 2%, and memory is constant. (~40M). 
    I'm guessing that it's the eventlog service because our HP openview log reader (opcle.exe) is also working hard to keep up.  I've searched for others posting a similar problem but am coming up empty handed. 
    This is a MS Analysis Services 2008 server, but we haven't noticed any problems coming from SSAS.  We have other file sharing-related jobs that interact with this server, that sometimes take 30 min and sometimes 6 hours, for the same workload....and
    we're thinking that the 6 hour runs are somehow related to this process's unusual page faults.
    Anyone else seen this eventlog strange behavior?
    Thanks
    -Mark

    Hi,
    The best thing would be downloading the Process Explorer and analyzing the problem.
    Process Explorer
    http://technet.microsoft.com/en-us/sysinternals/bb896653
    For how to use Process Explorer to troubleshoot the performance issue, please refer to the following Microsoft TechNet blogs:
    HIGH CPU – SVCHOST.EXE
    http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-svchost-exe.aspx
    Getting Started with SVCHOST.EXE Troubleshooting
    http://blogs.technet.com/b/askperf/archive/2008/01/11/getting-started-with-svchost-exe-troubleshooting.aspx
    If you find the cause is Automatic update, please also refer to the following Microsoft TechNet blog:
    Automatic Update causes SVCHOST.exe high CPU
    http://blogs.technet.com/b/asiasupp/archive/2007/05/29/automatic-update-causes-svchost-exe-high-cpu.aspx
    Regards,

  • SVCHOST.EXE Overflow and WMI Crash

    Hello, colleagues!
    I faced a problem after deploying SCCM 2012 Agent and SCEP 2012 on clients on Windows 7 SP1.
    The WMI Component crashes and the svchost.exe process for netsvc services got overflowed and it uses a lot of RAM memory and grows and grows.
    I found out that this error appears when the agent tries to ask WMI and receives an error ".....WBEM_E_NOT_FOUND....."
    Also I found some hotfixes from MS to solve this problem, here they are:
    KB2492536
    KB2465990
    KB2492536
    KB982293
    KB974930
    Anyway, these help only before installing SCCM 2012 agent, afterwards I need to rebuild the WMI Repository for the system to work correctly. By the way there is no log information in Event Viewer, provided by system. I found this error only in log files of SCCM agent located locally in the System.
    Has anyone faced this issue?
    Are there any normal solutions provided by MS, or is it maybe known?

    Since no one has answered this post, I recommend opening a support case with CSS as they can work with you to solve this problem.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • IPod generates a svchost.exe error and blocks the computer

    Ok, I got an iPod Nano 2GB Silver today and when I plug it in the USB port, a svchost.exe error pops up. The only thing I can do is to press OK, but when I do that, another and another and another... same error pops up. I have to reset the computer in order for the computer to start functioning normally.
    I will try to translate what the Event Viewer says about the error (and this is what the error pop-up also states):
    Opening application: svchost.exe - Program error : Instructions on »0x00000000« referred to the memory on »0x00000000«. The memory couldn't be written.
    The thing is though, it's working fine on some other laptop, but I don't understand why this is happening on my desktop?! And some of the older mp3 players (not iPods) are working just fine.
    Please, help me!

    I have a similar problem which began a couple weeks ago. Same svchost.exe closure, only I couldn't figure out what was causing the problem. Did the format C: and clean XP install, then gradually reinstalled software. When I got around to installing iTunes again, and about 24 hours goes by, I get the same message again. Both the popup and event viewer tell me that the iPod Service caused the failure. Windows would only suggest that the problem was caused by Windows Update.
    Before the fault bucket was generated, there was an Application Information message that states:
    The description for Event ID ( 0 ) in Source ( iPod Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
    So now I am unable to keep my iPod updated, charged, used. Is this what I paid a premium price for?

  • Svchost.exe causing CPU usage to go up and down

    Sorry if I have posted this in the wrong forum but I rarely ever post here.  However I have run into an issue that I am unable to find assistance on.  On all of our domain controllers (3) running Server 2008 x64 we see the CPU spiking up and down.  The
    CPU will start out next to nothing then jumps to 100% for a second, then returns to next to nothing for a second, then jumps to 100% for a second.... and so on.  Using Process Explorer we found out it is an svchost process that runs DHCP Client,
    TCP/IP NetBIOS Helper, and Windows Event Log services.  If we kill the process we can start all the services back up without any issues except for the Windows Event Log service.  As soon as we start the Windows Event Log service the CPU starts spiking
    up and down again.  There do not seem to be an unusual # of events being logged and we don't have any auditing turned on so I am not sure what is going on.  I was able to gather a procdump that I have posted below.  I will continue to investigate
    but was just wondering if someone could offer any insight?
    *                        Exception Analysis                                  
    GetPageUrlData failed, server returned HTTP status 404
    URL requested: http://watson.microsoft.com/StageOne/svchost_exe/6_0_6001_18000/47919291/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
    FAULTING_IP:
    +70de990
    00000000`00000000 ??              ???
    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 0000000000000000
       ExceptionCode: 80000003 (Break instruction exception)
      ExceptionFlags: 00000000
    NumberParameters: 0
    FAULTING_THREAD:  00000000000003d8
    DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT
    PROCESS_NAME:  svchost.exe
    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
    MOD_LIST: <ANALYSIS/>
    NTGLOBALFLAG:  0
    APPLICATION_VERIFIER_FLAGS:  0
    PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT
    BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT
    LAST_CONTROL_TRANSFER:  from 000000007740616a to 0000000077636eda
    STACK_TEXT: 
    00000000`0010f2f8 00000000`7740616a : 00000000`00000010 00000000`0010f150 00000000`00000000 0000990d`354adee0 : ntdll!ZwReadFile+0xa
    00000000`0010f300 000007fe`ff30fc9a : 00000000`0010f3c0 00000000`00246f28 00000000`0010f430 00000000`0010f3f8 : kernel32!ReadFile+0x8a
    00000000`0010f390 000007fe`ff30fa3b : 00000000`00246f28 00000000`00000000 00000000`00000000 00000000`00000000 : advapi32!ScGetPipeInput+0x3a
    00000000`0010f3e0 000007fe`ff30e00d : 00000000`0000003c 00000000`00000000 00000000`00000000 00000000`000004d3 : advapi32!ScDispatcherLoop+0x9a
    00000000`0010f4e0 00000000`ffa81dca : 00000000`00245310 00000000`00000000 00000000`00000024 00000000`00000000 : advapi32!StartServiceCtrlDispatcherW+0x176
    00000000`0010f780 00000000`ffa824b2 : 00000000`00000000 00000000`ffa85490 01ce990d`38280236 00000000`0d72c90f : svchost!wmain+0x110
    00000000`0010f7b0 00000000`7740b22d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : svchost!ScCreateWellKnownSids+0x301
    00000000`0010f7f0 00000000`77616861 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
    00000000`0010f820 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
    STACK_COMMAND:  ~0s; .ecxr ; kb
    FOLLOWUP_IP:
    svchost!wmain+110
    00000000`ffa81dca 33c9            xor     ecx,ecx
    SYMBOL_STACK_INDEX:  5
    SYMBOL_NAME:  svchost!wmain+110
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: svchost
    IMAGE_NAME:  svchost.exe
    DEBUG_FLR_IMAGE_TIMESTAMP:  47919291
    FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_svchost.exe!wmain
    BUCKET_ID:  X64_APPLICATION_FAULT_STATUS_BREAKPOINT_svchost!wmain+110
    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/svchost_exe/6_0_6001_18000/47919291/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
    Followup: MachineOwner

    Hi,
    SVCHOST.EXE is a generic host process for services. There can be multiple SVCHOST.EXE running on a system and each SVCHOST.EXE can also hold multiple
    services.
    The first step is to identify the Process ID (PID) of the SVCHOST.EXE that is pegging the CPU. 
    This can be done through Task Manager->Processes tab. If the PID column is not present, you can add it by selecting View->Select Columns and check the PID checkbox. 
    Once the PID is identified, the next step is to determine which services are running under the PID. From a Command Prompt, type:
    TASKLIST.EXE /SVC
    TASKLIST.EXE will list all the processes and PID’s running on the system. Look for the PID in question and check the Services column. This will give
    you a list of Services to start investigating.
    For more troubleshooting information, please also refer to the following Microsoft TechNet blogs:
    PRF: High CPU (Individual Process)
    http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-individual-process.aspx
    PRF: High CPU (SVCHOST.EXE)
    http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-svchost-exe.aspx
    Regards,
    Arthur Li
    TechNet Community Support

  • Svchost.exe termsvcs eating up memory ?

    Hi,
    On a windows 2012 remote desktop session host I see the svchost.exe (termsvcs) using approx 13 GB of 16 GB available memory .... (Free memory on the host is zero now :-( ). 
    these are the memory figures:
    In use: 16176 MB
    Standby: 150 MB
    Free: 0-40 MB
    what is causing termsvcs process to take so much memory ?

    Hi,
    Are there many RDP sessions on the server?
    You can use command Query Session to query RDP sessions.
    More information for you:
    Query session
    http://technet.microsoft.com/en-us/library/cc785434.aspx
    An Overview of Troubleshooting Memory Issues
    http://blogs.technet.com/b/askperf/archive/2008/01/25/an-overview-of-troubleshooting-memory-issues.aspx
    Best Regards,
    Amy

  • How to stop svchost.exe to connect to internet?

    I used a software known as TCPview. I used it to monitor what are the services that are connected to the internet. In this I found out that svchost.exe is always downloading something. It is not the automatic windows update since I changed the windows
    update to manual. So please help me since my internet speed is very slow & in that svchost.exe is always downloading something....

    On a newly setup system svchost.exe is the process that runs a lot of services. This means that some service may be downloading something that is important to it. Or it may always be a different service.
    The resmon.exe can tell you more about which service is downloading stuff. Under network you can look for the PID of the svchost.exe that is downloading and then go to the services tab in the task manager. There you look for the PID again and hopefully find
    a useful description that lets you decide what to do.
    On the other hand svchost.exe is a very loved name by some shady programmers looking for new bots for their networks or for some useful login or credit card data. Meaning is all of your software and especially your windows up to date and have you an always
    watching and updated anti virus software installed? Even if so a virus might be something to consider.
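The resmon-to-services lookup described in the reply above, done in one pass: each svchost.exe with an established TCP connection is listed with the services it hosts and the remote endpoints it is talking to. This is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later and an elevated prompt. When one svchost.exe hosts several services, the connection can only be attributed to the process, not to a single service.

```powershell
# Added example, not from the thread. Needs Windows 8 / Server 2012 or later
# (Get-NetTCPConnection) and an elevated PowerShell prompt.
$svchostPids = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object { $_.ProcessId })

# Index running services by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$loopback = @('127.0.0.1', '::1')

Get-NetTCPConnection -State Established |
    Where-Object { $svchostPids -contains $_.OwningProcess -and $loopback -notcontains $_.RemoteAddress } |
    Group-Object -Property OwningProcess |
    ForEach-Object {
        $group  = $_
        $hosted = @($servicesByPid[[string]$group.Name] | Where-Object { $_ })

        [pscustomobject]@{
            ProcessId = [int]$group.Name
            Services  = ($hosted | ForEach-Object { '{0} ({1})' -f $_.Name, $_.DisplayName }) -join '; '
            Remote    = ($group.Group |
                            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
                            Sort-Object -Unique) -join ', '
        }
    } |
    Format-List
```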

  • Windows Server 2008 X64 - gpupdate takes 10min - svchost.exe (gpsvc) pid logs 8.5 million events in procmon

    Hello,
    We've seen that on our 2008 x64 servers the svchost.exe that holds gpsvc in it takes up a lot of CPU-time. Upon further investigation I saw that when it refreshes policies it holds 1 core for 10 minutes. I set up a procmon and filtered it on the pid of the gpsvc-svchost and saw that it logged 8.5 million events.
    It keeps looping events where it seems to be checking history-data under "C:\ProgramData\Microsoft\Group Policy\History\<GUIDS>".
    We are using GPPreferences. Has anyone seen anything like this before?
    I have the .PML-file from procmon, however it's 350MB zipped so I don't know how to attach it to case.

    Hi,
    To better understand the issue, please help confirm the following:
    1.    Do all computers encounter this issue?
    2.    When did this issue begin to occur? Did it coincide with any events, such as the installation of some software?
    Meanwhile, please perform the steps below to see if the issue goes away:
    1.    Delete the contents in the "C:\ProgramData\Microsoft\Group Policy\History\" folder.
    2.    Please perform a clean boot on the server:
    1)    Click Start, type msconfig in the Start Search box, and then press ENTER.
    2)    On the General tab, click Selective Startup.
    3)    Under Selective Startup, click to clear the Load Startup Items check box.
    4)    Click the Services tab, click to select the Hide All Microsoft Services check box, and then click Disable All.
    5)    Click OK.
    6)    When you are prompted, click Restart.
    If the issue continues, please help collect the following information for further research:
    1.    Enable gpsvc.log:
    Please create the following key in Registry Editor:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    Type: DWORD
    Value: GPSvcDebugLevel
    Data: 0x30002 (hexadecimal)
    2.    Please run gpupdate /force to reproduce the issue and then collect MPSReport on the server:
    1) Download the MPSReport from the website below:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
    2) Double-click the executable to launch the report gathering tool on the computer.
    3) Follow the steps as guided by the Wizard.
    4) On the Select the diagnostics you want to run page, select General, Internet and Networking, Business Networks, and Server Components.     
    3.    After that, please zip the gpsvc.log (%windir%\debug\usermode\gpsvc.log), MPSReport and the PML.file and upload to the following space:
    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=ef4b8b4e-0e6c-4774-a132-2d072f8b77b0
    Password: fQxbhTjUV
    More Information about MPSReport:
    http://blogs.technet.com/askperf/archive/2009/05/01/two-minute-drill-the-new-mps-reports.aspx
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Svchost.exe errors after installing iTunes 7.0.1.8

    I have two computers that started throwing svchost.exe errors immediately after installing iTunes 7. First it happened on my desktop. In preparation to reinstall Windows XP on my desktop, I prepared my laptop to use while my desktop was out of commission. I installed iTunes 7 and immediately I started getting svchost.exe errors. I don't have the blaster worm on either machine (already checked). My desktop is behind three firewalls, runs Norton, and I already did a full virus scan on both.
    This is causing significant problems as my computer can't see the network, Outlook can wig out, and in general my machine is unpredictable. I hate to think that installing iTunes 7.0 leads to the need to reinstall Windows. If anyone has any ideas I would appreciate any help.

    I changed my "Startup Type" for "Terminal Services" from "Disabled" to "Manual". Resolved issue.
    http://docs.info.apple.com/article.html?artnum=304434
      Windows XP Pro  

  • Windows Server 2008 R2 - When svchost.exe memory-leaks Outlook does not load properly

    Hi all,
    We have a server which runs Windows Server 2008 R2, fully updated, and acts as a Terminal Server (Citrix XenApp 6.5).
    In the past couple of months we have had problems with svchost.exe leaking memory, growing to 2-3GB of RAM usage. Sometimes it occurs with weeks between the incidents, sometimes days. To solve the issue we have to reboot the server.
    When this occurs, Outlook (fully updated) doesn't start for any users at all. Outlook doesn't continue from the "Loading profile.." stage. The users who already have Outlook started don't have any problems, unless they close Outlook ;) .
    The svchost.exe is the one which runs the services:
    NSI
    WinHttpAutoProxySvc
    W32Time
    Netprofm
    FontCache
    EventSystem
    We've patched the server with KB2847346 but with no result. Patch KB2950358 is not applicable.
    Any ideas?

    Svchost is hosting multiple services. When the issue occurs you can use Sysinternals procmon (or enable the command line column in the Task Manager process tab) to determine which service is using that much memory.
    MCP/MCSA/MCTS/MCITP

    Did you read my whole post, or did you just misunderstand the part where I wrote:
    "The svchost.exe is the one which runs the services:
    NSI
    WinHttpAutoProxySvc
    W32Time
    Netprofm
    FontCache
    EventSystem"
    I know that svchost.exe runs A LOT of services, so when the problem occurred I checked which services the specific svchost.exe runs. Every time it happens the svchost.exe (which leaks and has 2-3GB mem usage) runs these specific services.
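
The PID-to-service lookup described in the threads above (Resource Monitor plus the Services tab for the downloading svchost.exe, and identifying the services inside a high-memory instance), as an added PowerShell example that is not part of any post. It assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection` and an elevated prompt; the flag wording is this example's own.

```powershell
# Added example: inventory every svchost.exe instance on the local machine.
# Run elevated so ExecutablePath is readable for SYSTEM-owned processes.

# The only location a genuine service host normally runs from (review
# anything else by hand; this is a triage flag, not a verdict).
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map PID -> names of the running services hosted in that process.
$servicesByPid = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

# Map PID -> established remote TCP endpoints owned by that process.
$remoteByPid = @{}
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $remoteByPid[[int]$_.OwningProcess] += @("$($_.RemoteAddress):$($_.RemotePort)")
}

$report = Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $procId = [int]$_.ProcessId          # $pid is reserved, so use another name
    $svc    = $servicesByPid[$procId]
    $flags  = @()
    if (-not $_.ExecutablePath)              { $flags += 'path unreadable (not elevated?)' }
    elseif ($_.ExecutablePath -ne $expected) { $flags += 'unexpected path' }
    if (-not $svc)                           { $flags += 'hosts no running service' }

    [pscustomobject]@{
        PID          = $procId
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        Services     = $svc -join ', '
        Remote       = ($remoteByPid[$procId] | Sort-Object -Unique) -join ', '
        Path         = $_.ExecutablePath
        Flags        = $flags -join '; '
    }
}

# Largest memory consumers first, so a leaking instance is at the top.
$report | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize -Wrap
```

A row with an entry in `Flags` is a candidate for closer inspection (file signature, parent process), not proof of a masquerading binary.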
