Svchost.exe with "Dhcp, eventlog, lmhosts" services is generating thousands of page faults and I/O reads per second?

On one of our Windows 2008 R2 Enterprise (SP1) servers, we're noticing a strange phenomenon: the svchost.exe that hosts "Dhcp, eventlog, lmhosts" is constantly generating page faults, a few thousand per second, accumulating to billions of total page faults. I/O reads and I/O other are also rising every second. CPU is consistently 2%, and memory is constant (~40M).
I'm guessing that it's the eventlog service because our HP OpenView log reader (opcle.exe) is also working hard to keep up. I've searched for others posting a similar problem but am coming up empty-handed.
This is a MS Analysis Services 2008 server, but we haven't noticed any problems coming from SSAS. We have other file sharing-related jobs that interact with this server, that sometimes take 30 min and sometimes 6 hours, for the same workload, and we're thinking that the 6 hour runs are somehow related to this process's unusual page faults.
Anyone else seen this strange eventlog behavior?
Thanks
-Mark

Hi,
The best thing would be downloading the Process Explorer and analyzing the problem.
Process Explorer
http://technet.microsoft.com/en-us/sysinternals/bb896653
For how to use Process Explorer to troubleshoot the performance issue, please refer to the following Microsoft TechNet blogs:
HIGH CPU – SVCHOST.EXE
http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-svchost-exe.aspx
Getting Started with SVCHOST.EXE Troubleshooting
http://blogs.technet.com/b/askperf/archive/2008/01/11/getting-started-with-svchost-exe-troubleshooting.aspx
If you find the cause is Automatic update, please also refer to the following Microsoft TechNet blog:
Automatic Update causes SVCHOST.exe high CPU
http://blogs.technet.com/b/asiasupp/archive/2007/05/29/automatic-update-causes-svchost-exe-high-cpu.aspx
Regards,
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Similar Messages

  • When I open FF it asks me EVERY time which file I want to open firefox.exe with. When I choose FF, it opens a savefile prompt and opens a blank web browser.

    When it opens and I choose FF to open .exe with, it won't let me click the box that says use this program from now on.
    Also it doesn't matter if I save the file or not, it asks every time.
    Then when the screen opens, it is a blank browser. I just click on my bookmarks to get me started, but I've tried setting up my home page, it won't start up there though.
    I've already tried a new shortcut, but the program file does this too.
    I tried updating my version of FF, it's not helping this problem either.
    I also found an article about a web page fixer program that is supposed to help with the box checking that says always use this program, but it hasn't helped either.

    My solution to my original problem of stopping FF from intruding with an erstwhile search doesn't work. Firefox IGNORES my settings to NOT check for updates to addons (let alone disabled and unwanted addons). It continues to check when I reopen FF. What a PITA.
    Further, it gives me no solution. Just takes more than a minute of my time waiting for it to stop.
    grr

  • Back arrow does not work with SQL Server Reporting Services Reports. When one pages back from a sub report the back action appears to skip moving to the previous step. IE 8 works fine?

    I have a SSRS report that has a parameter driven drop down list to select a category for a report to run a summary for the category in Report Manager. When the report runs there are links to a sub report with more detailed information about the category summary. Firefox runs everything correctly up to this point.
    When I try to back arrow from the sub report Firefox skips the summary report page and reverts to the initial page where the sub category can be selected to run the summary report.
    Can you help? IE8 works well with this but has severe speed issues with reports that contain multiple selection parameters. Firefox handles the multiple parameters very fast but has the page back issue.

  • I am taking courses online and the newer version of firefox 4.0 isn't compatible with the java, which I use on my web page. And I need to go back to the older version of 3.614. How do I reverse to what I had before?

    I need to get another version of firefox other than 4.0. due to the version not compatible or is unknown to the java I'm using on my web for online classes.

    You might try using the add-on 'NoSquint' which allows numerous zoom options specific to each page you visit & keeps your settings - https://addons.mozilla.org/en-US/firefox/addon/nosquint/
    If you want to go back to 3.6x, you will find it here:
    http://www.mozilla.com/en-US/firefox/all-older.html
    In most cases you can simply "upgrade" (meaning downgrade) directly from the installation. It would be a good idea to save your passwords & bookmarks just to be on the safe side.

  • Memory leaks- high memory usage svchost.exe

    hello!
    I'm having a kind of a similar problem. I'm using a Q6600 with 4GB of RAM running on Windows 7 x64. My physical memory usage history is 1.75GB idle but my CPU usage looks good ~ 0%.
    In Windows Task Manager when I arranged the memory column, the process with the highest memory usage is svchost.exe with 116,572K. And I have 14 svchost.exe in my computer! I opened Process Explorer and checked the legitimacy of all those svchost.exe and they are all legit. When I look at the properties of the highest svchost.exe in Process Explorer, the services which are running under it are as follows:
    AudioEndPointBuilder c:\Windows\System32\Audiosrv.dll
    CscService c:\Windows\System32\cscsvc.dll
    hidserv c:\Windows\System32\hidserv.dll
    Netman c:\Windows\System32\netman.dll
    PcaSvc c:\Windows\System32\pcasvc.dll
    SysMain c:\Windows\System32\sysmail.dll
    TrkWks c:\Windows\System32\trkwks.dll
    UxSms c:\Windows\System32\uxsms.dll
    wudfsvc c:\Windows\System32\WUDFSvc.dll
    All are legit DLLS.
    Is it normal to have 14 svchost.exe running at the same time(system, local service, network service in Task Manager)
    and how can i reduce the memory usage of the svchost.exe?

    Hi,
    There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can
    be run depending on how and where Svchost.exe is started.
    If you would like to reduce the usage of this service, I could share the following article with you:
    Getting Started with SVCHOST.EXE Troubleshooting
    PRF: High CPU (SVCHOST.EXE)
    Hope it helps.
    Alex Zhao

  • Svchost.exe slowing down my system terribly

    svchost.exe slowing down my system terribly. I ran the Kaspersky program and no virus files came up. I am getting desperate. I am ready to kill my computer. Why is this process such a hog and how can I stop it?

    To find what is causing your computer to use more CPU than it normally does you need to run this. 
    Install the WPT (Windows Performance Toolkit): http://social.technet.microsoft.com/wiki/contents/articles/4847.install-the-windows-performance-toolkit-wpt.aspx
    Open a CMD prompt with administrative rights (right click it>run as admin) and run this command for 60 secs to capture the high cpu usage: 
    xperf -on latency -stackwalk profile -buffersize 1024 -MaxFile 256 -FileMode Circular && timeout -1 && xperf -d cpuusage.etl
    The trace will run and give you a warning then revert to a C:\ prompt
    The log will be in C:\windows\system32. 
    It should be called cpuusage.etl
    Please zip the file and upload it to skydrive (or another file sharing service) and put a link to it in your next post.
    Wanikiya and Dyami--Team Zigzag

  • Svchost.exe causing CPU usage to go up and down

    Sorry if I have posted this in the wrong forum but I rarely ever post here.  However I have run into an issue that I am unable to find assistance on.  On all of our domain controllers (3) running Server 2008 x64 we see the CPU spiking up and down.  The
    CPU will start out next to nothing then jumps to 100% for a second, then returns to next to nothing for a second, then jumps to 100% for a second.... and so on.  Using Process Explorer we found out it is an svchost process that runs DHCP Client,
    TCP/IP NetBIOS Helper, and Windows Event Log services.  If we kill the process we can start all the services back up without any issues except for the Windows Event Log service.  As soon as we start the Windows Event Log service the CPU starts spiking
    up and down again.  There do not seem to be an unusual # of events being logged and we don't have any auditing turned on so I am not sure what is going on.  I was able to gather a procdump that I have posted below.  I will continue to investigate
    but was just wondering if someone could offer any insight?
    *                        Exception Analysis                                  
    GetPageUrlData failed, server returned HTTP status 404
    URL requested: http://watson.microsoft.com/StageOne/svchost_exe/6_0_6001_18000/47919291/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
    FAULTING_IP:
    +70de990
    00000000`00000000 ??              ???
    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 0000000000000000
       ExceptionCode: 80000003 (Break instruction exception)
      ExceptionFlags: 00000000
    NumberParameters: 0
    FAULTING_THREAD:  00000000000003d8
    DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT
    PROCESS_NAME:  svchost.exe
    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
    MOD_LIST: <ANALYSIS/>
    NTGLOBALFLAG:  0
    APPLICATION_VERIFIER_FLAGS:  0
    PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT
    BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT
    LAST_CONTROL_TRANSFER:  from 000000007740616a to 0000000077636eda
    STACK_TEXT: 
    00000000`0010f2f8 00000000`7740616a : 00000000`00000010 00000000`0010f150 00000000`00000000 0000990d`354adee0 : ntdll!ZwReadFile+0xa
    00000000`0010f300 000007fe`ff30fc9a : 00000000`0010f3c0 00000000`00246f28 00000000`0010f430 00000000`0010f3f8 : kernel32!ReadFile+0x8a
    00000000`0010f390 000007fe`ff30fa3b : 00000000`00246f28 00000000`00000000 00000000`00000000 00000000`00000000 : advapi32!ScGetPipeInput+0x3a
    00000000`0010f3e0 000007fe`ff30e00d : 00000000`0000003c 00000000`00000000 00000000`00000000 00000000`000004d3 : advapi32!ScDispatcherLoop+0x9a
    00000000`0010f4e0 00000000`ffa81dca : 00000000`00245310 00000000`00000000 00000000`00000024 00000000`00000000 : advapi32!StartServiceCtrlDispatcherW+0x176
    00000000`0010f780 00000000`ffa824b2 : 00000000`00000000 00000000`ffa85490 01ce990d`38280236 00000000`0d72c90f : svchost!wmain+0x110
    00000000`0010f7b0 00000000`7740b22d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : svchost!ScCreateWellKnownSids+0x301
    00000000`0010f7f0 00000000`77616861 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
    00000000`0010f820 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
    STACK_COMMAND:  ~0s; .ecxr ; kb
    FOLLOWUP_IP:
    svchost!wmain+110
    00000000`ffa81dca 33c9            xor     ecx,ecx
    SYMBOL_STACK_INDEX:  5
    SYMBOL_NAME:  svchost!wmain+110
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: svchost
    IMAGE_NAME:  svchost.exe
    DEBUG_FLR_IMAGE_TIMESTAMP:  47919291
    FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_svchost.exe!wmain
    BUCKET_ID:  X64_APPLICATION_FAULT_STATUS_BREAKPOINT_svchost!wmain+110
    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/svchost_exe/6_0_6001_18000/47919291/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
    Followup: MachineOwner

    Hi,
    SVCHOST.EXE is a generic host process for services. There can be multiple SVCHOST.EXE running on a system and each SVCHOST.EXE can also hold multiple
    services.
    The first step is to identify the Process ID (PID) of the SVCHOST.EXE that is pegging the CPU. 
    This can be done through Task Manager->Processes tab. If the PID column is not present, you can add it by selecting View->Select Columns and check the PID checkbox. 
    Once the PID is identified, the next step is to determine which services are running under the PID. From a Command Prompt, type:
    TASKLIST.EXE /SVC
    TASKLIST.EXE will list all the processes and PID’s running on the system. Look for the PID in question and check the Services column. This will give
    you a list of Services to start investigating.
    For more troubleshooting information, please also refer to the following Microsoft TechNet blogs:
    PRF: High CPU (Individual Process)
    http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-individual-process.aspx
    PRF: High CPU (SVCHOST.EXE)
    http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-high-cpu-svchost-exe.aspx
    Regards,
    Arthur Li
    TechNet Community Support
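
    Added example (not part of the original posts): the TASKLIST /SVC mapping above, done in PowerShell and extended to sample the page-fault and I/O counters described in the first post on this page. It assumes PowerShell 3.0 or later for Get-CimInstance; the function name Get-SvchostActivity is made up for this example.

    ```powershell
    # Added example: per-svchost service list plus page-fault and I/O rates.
    # Assumption: PowerShell 3.0+ (Get-CimInstance, [pscustomobject]).
    function Get-SvchostActivity {
        param([int]$IntervalSeconds = 5)

        # PID -> hosted service names (the Services column of TASKLIST /SVC).
        $servicesByPid = @{}
        Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0" |
            ForEach-Object {
                $key = [int]$_.ProcessId
                if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
                $servicesByPid[$key] += $_.Name
            }

        # Win32_Process counters are cumulative, so take two samples and diff them.
        $filter = "Name = 'svchost.exe'"
        $first = @{}
        Get-CimInstance -ClassName Win32_Process -Filter $filter |
            ForEach-Object { $first[[int]$_.ProcessId] = $_ }

        Start-Sleep -Seconds $IntervalSeconds

        Get-CimInstance -ClassName Win32_Process -Filter $filter |
            ForEach-Object {
                $key = [int]$_.ProcessId
                $before = $first[$key]
                # Skip processes that started (or reused a PID) during the interval.
                if ($null -eq $before -or $before.CreationDate -ne $_.CreationDate) { return }

                # PageFaults is a 32-bit counter; with billions of faults it wraps.
                $faults = [int64]$_.PageFaults - [int64]$before.PageFaults
                if ($faults -lt 0) { $faults += 4294967296 }

                $reads  = [double]$_.ReadOperationCount  - [double]$before.ReadOperationCount
                $others = [double]$_.OtherOperationCount - [double]$before.OtherOperationCount

                [pscustomobject]@{
                    PID              = $key
                    Services         = ($servicesByPid[$key] | Sort-Object) -join ', '
                    PageFaultsPerSec = [math]::Round($faults / $IntervalSeconds, 1)
                    ReadOpsPerSec    = [math]::Round($reads  / $IntervalSeconds, 1)
                    OtherOpsPerSec   = [math]::Round($others / $IntervalSeconds, 1)
                    WorkingSetMB     = [math]::Round($_.WorkingSetSize / 1MB, 1)
                }
            } |
            Sort-Object -Property PageFaultsPerSec -Descending
    }

    Get-SvchostActivity -IntervalSeconds 5 | Format-Table -AutoSize -Wrap
    ```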

  • Using Excel 2010 with SharePoint 2013 Excel services

    Hello:
    What features are we missing when using Excel 2010 (rather than Excel 2013) with SharePoint 2013 Excel services?
    Regards
    Jeff Gorvits

    Hi Jeff,
    You might want to read the articles below:
    https://support.office.com/en-us/article/Whats-new-in-Power-View-in-Excel-2013-and-in-SharePoint-Server-8e3b4259-421e-41fc-a48e-854388ad14d0?ui=en-US&rs=en-US&ad=US
    https://support.office.com/en-us/article/Version-compatibility-between-Power-Pivot-Data-Models-in-Excel-2010-and-Excel-2013-188f44fd-3cfd-4aa7-b4e6-a9402653cbf3?ui=en-US&rs=en-US&ad=US
    Regards,
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected] .
    Rebecca Tu
    TechNet Community Support

  • Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

    Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied
    to svchost.exe and therefore is protected from being manually restarted.
    I noticed the following errors when this occurs:
    Log Name:      Application
    Source:        Application Error
    Date:          7/23/2013 4:35:26 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server1.xxx.xxx.net
    Description:
    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x46c
    Faulting application start time: 0x01ce877f9476ac07
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
        <EventRecordID>158950</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW19XM2.agency.nwie.net</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>46c</Data>
        <Data>01ce877f9476ac07</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
      </EventData>
    </Event>
    All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMWare, however,
    about 5 months ago a similar error fired on a non-virtual machine:
    Log Name:      Application
    Source:        Application Error
    Date:          2/27/2013 6:57:58 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AAW29033
    Description:
    Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x6c0
    Faulting application start time: 0x01ce14e1af313fd9
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
        <EventRecordID>286291</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW29033</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe_gpsvc</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>6c0</Data>
        <Data>01ce14e1af313fd9</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
      </EventData>
    </Event>
    I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specific with the Exception code: 0xc0000024, which causes
    the Group Policy Client service to stop?

    You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for awhile, however, it is now back with a vengeance.
    I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager GPSVC starts running again.
    When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...",
    however, normal user accounts just get a message when logging into the server "The Group Policy Client Service Failed the Logon. Access is denied."
    I haven't opened a case with Microsoft yet, but we are about ready to because of the increase in these errors.
    If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
    **EDIT -- apparently I mistook the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process, however, after I crashed it and let it sit crashed for awhile when I attempted
    to restart either by starting a svchost task, or running gpupdate /force it failed. Either that, or there is a timing issue where if we don't restart the svchost process, or run gpupdate /force quickly enough it won't be able to recover without a reboot.
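
    Added example (not part of the original posts): the Event ID 1000 records above carry their details as positional Data values, so crashes can be grouped by fault signature across servers. The function names and the SERVER-A/SERVER-B host names are made up for this example; the sample records are constructed from the values shown in the post.

    ```powershell
    # Added example: parse "Application Error" (Event ID 1000) XML and group by fault signature.
    # Assumption: PowerShell 3.0+. Data order follows the event XML in the post:
    # 0 app, 1 app version, 3 module, 4 module version, 6 exception code,
    # 7 fault offset, 8 process id (hex), 9 process start time (hex FILETIME).
    function ConvertFrom-AppErrorEvent {
        param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
        process {
            $e = ([xml]$EventXml).Event
            $d = @($e.EventData.Data)
            if ($d.Count -lt 10) { return }   # not the expected layout

            # SystemTime has nine fractional digits; keep only whole seconds.
            $styles = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
            $crash = [DateTime]::ParseExact($e.System.TimeCreated.SystemTime.Substring(0, 19),
                'yyyy-MM-ddTHH:mm:ss', [cultureinfo]::InvariantCulture, $styles)
            $start = [DateTime]::FromFileTimeUtc([Convert]::ToInt64($d[9], 16))

            [pscustomobject]@{
                Computer      = $e.System.Computer
                CrashTimeUtc  = $crash
                App           = $d[0]
                Module        = "$($d[3]) $($d[4])"
                ExceptionCode = "0x$($d[6])"
                FaultOffset   = "0x$($d[7])"
                ProcessId     = [Convert]::ToInt32($d[8], 16)
                UptimeAtCrash = $crash - $start   # how long the host process had been running
            }
        }
    }

    # Builds a minimal event document for the sample below (constructed input).
    function New-SampleEventXml([string]$Computer, [string]$Time, [string[]]$Data) {
        $items = ($Data | ForEach-Object { "<Data>$_</Data>" }) -join ''
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
        "<EventID>1000</EventID><TimeCreated SystemTime='$Time' /><Computer>$Computer</Computer>" +
        "</System><EventData>$items</EventData></Event>"
    }

    $samples = @(
        (New-SampleEventXml 'SERVER-A' '2013-07-23T08:35:26.000000000Z' @(
            'svchost.exe', '6.1.7600.16385', '4a5bc3c1', 'ntdll.dll', '6.1.7601.17725', '4ec4aa8e',
            'c0000024', '00000000000cd7d8', '46c', '01ce877f9476ac07'))
        (New-SampleEventXml 'SERVER-B' '2013-02-27T11:57:58.000000000Z' @(
            'svchost.exe_gpsvc', '6.1.7600.16385', '4a5bc3c1', 'ntdll.dll', '6.1.7601.17725', '4ec4aa8e',
            'c0000024', '00000000000cd7d8', '6c0', '01ce14e1af313fd9'))
    )

    $crashes = $samples | ConvertFrom-AppErrorEvent
    $crashes | Format-Table Computer, CrashTimeUtc, App, ProcessId, UptimeAtCrash -AutoSize

    # Same module, exception code and offset on both machines means one fault signature.
    $crashes | Group-Object Module, ExceptionCode, FaultOffset | Select-Object Count, Name

    # Against a live log, feed the function from the Application channel instead:
    # Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } |
    #     ForEach-Object { $_.ToXml() } | ConvertFrom-AppErrorEvent
    ```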

  • 100% CPU utilization on svchost.exe or Automatic Updates service

    We have upgraded from WSUS 2.0 to 3.0 SP1 and now have few Windows XP SP2 PCs that are extremely slow because the CPU is at 100% utilization running a process called "svchost.exe."  If I go into services and stop and disable the "Automatic Updates" service the CPU drop to normal almost instantly.  I tried forcing a reinstall of the Windows Update Agent.  After I enable the "Automatic Updates" service the machine works fine for a day, than after a reboot it goes back to 100% CPU utilization.  We need this fixed so we can get these computers updates.

    Hi Ryan / Folks,
    NO CA Products here - but I have had the same issues with Microsoft updates!
    Here's the install path I used during my experience :
    Cold install of XP with SP1 on the PC (Full factory system restore/rebuild).
    Acer - Sempron 1.8GHz + 1GB RAM - 8Mb ADSL connection to Internet
    XP SP2
    Windows updates OK - used to install IE7
    Reason - I found IE is compromised if you go straight to XP SP3
    XP SP3
    Next Office 2003 Pro
    Switch to Microsoft updates - Custom Updates - SVCHost issue - Still checking for updates after 15 minutes
    Switch back to Windows updates - Custom Updates - NO SVCHost Issue - Checking complete after 2 minutes
    Tried both Microsoft fixes mentioned above
    http://support.microsoft.com/kb/927891
    Same report back - i.e. SP3 newer etc.
    http://support.microsoft.com/kb/943144 - Method 2
    Seems to install ok
    Reboot PC
    Switch back to manual Microsoft Updates and all is not really rosy as the initial "checking updates" scan can take at least 5 minutes with SVCHost at better than 90% CPU usage. So I believe the issue is not fixed, but it is just about useable.
    Interestingly, no issues on my work LAN where I am the systems manager - 20 PCs and 8 servers using WSUS. All units are up to date and no SVCHost issues.
    So.... No fix yet here, however my solution is as follows:
    On the problematic PC I decided to switch back to Automatic Windows Updates. This keeps the PC up to date with all Operating System patches. Performance is not affected. I have decided that I will manually switch to the Microsoft update system once every couple of weeks or so to catch the updates for Office etc. I'll just have to set the updates scan running over a quiet period I suppose.
    Plan B = Manual Office Updates http://office.microsoft.com/en-gb/downloads/default.aspx - Left Pane - Office Updates.
    Hope this sheds some light.
    Regards,
    Knaphie
     

  • 'svchost.exe has encountered a problem and needs to close.'

    I keep getting this error message: svchost has encountered a problem and needs to close. I am running Windows XP 3. Does HP have a solution for XP-3?

    Hi,
    The error "svchost.exe" that you get is not necessarily because of your printer. I advise you to scan your computer for any kind of virus or trojan, or try the following steps:
    Method 1
    Leave the svchost.exe - Error dialog box open, and then follow these steps.
    Step 1: Check whether settings for the Automatic Updates service and for the Background Intelligent Transfer Service (BITS) are correct
    To do this, follow these steps:
    1. Click Start, point to Run, type services.msc, and then click OK.
    2. In the details pane, locate and double-click Automatic Updates.
    3. Click the Log On tab.
    4. Make sure that the Local System account option is selected and that the Allow service to interact with desktop check box is cleared.
    5. Make sure that this service has been enabled in the Hardware Profile list. If this service has not been enabled, click Enable to enable the service.
    6. Click the General tab, and make sure that the Automatic option is selected in the Startup Type list. Under Service status, click Start to start the service if it is not already running.
    7. Repeat steps 2 through 6 for Background Intelligent Transfer Service (BITS).
    Step 2: Reregister Windows Update components
    To do this, follow these steps:
    1. Click Start, click Run, type REGSVR32 WUAPI.DLL, and then press ENTER.
    2. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
    3. Type the following commands in the Open box, one after the other, and then press ENTER after each command:
    REGSVR32 WUAUENG.DLL
    REGSVR32 WUAUENG1.DLL
    REGSVR32 ATL.DLL
    REGSVR32 WUCLTUI.DLL
    REGSVR32 WUPS.DLL
    REGSVR32 WUPS2.DLL
    REGSVR32 WUWEB.DLL
    Step 3: Rename the Windows Update temporary folder
    The temporary folder of Windows Update may be corrupted. In this case, you can rename the temporary folder of Windows Update. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then press ENTER.
    2. At the command prompt, type net stop Wuauserv, and then press ENTER.
    3. Click Start, click Run, type %windir%, and then press ENTER.
    4. In the folder that opens, locate and rename the SoftwareDistribution folder to SDold.
    5. At the command prompt, type net start Wuauserv, and then press ENTER to start the Automatic Updates service.

  • Expected actions of svchost.exe - what is interesting, in the context of monitoring what svchost.exe is doing?

    Hi,
    I have seen numerous articles explaining svchost, and I think I have a reasonable grasp of it (although basic).  My favourite article so far is
    http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchostexe-process/#advanced, which I think is well written and very handy indeed!
    My current issue is that I am tweaking a security program called McAfee Host IPS, currently running on 2003 R2 and 2008 R2 servers, and getting a lot of events associated with svchost.exe that I believe require exceptions to be configured.  What I do
    not want to do, however, is configure an exception that hides something that may be useful information, however there is a balance required in what I am doing.
    Focusing on my current task at hand, I can confirm I have seen a large number of events associated with the below.  The below is all of the information I have on the Host IPS signature in question, although I am currently digging further.
    IPS Signature Name: CMD Tool Access by a Network Aware Application
    IPS Signature details: This event indicates an attempt by a networked application to access, modify or execute a system program that may be used to modify the configuration of your system.
    IPS Signature severity: Low
    I have seen a large number of events with threat source process = C:\WINNT\SYSTEM32\SVCHOST.EXE, and the following files, either accessed or executed.
    C:\WINNT\System32\tasklist.exe
    C:\WINNT\System32\ipconfig.exe
    C:\WINNT\System32\cmd.exe
    C:\WINNT\System32\route.exe
    As the above reference lists DLLs specifically, and not EXEs, I am not sure if this is expected (but am gathering it is, especially as the IPS signature details refers to 'system programs').
    I am suspecting that my best action here is to configure an exception for threat source process <systemdir>\SVCHOST.EXE and target files <systemdir>\*.*, as my hypothesis is that even if I have not seen it in the tuning phase, there are
    a lot of similar benign actions that could potentially trigger in the day to day workings of the OS.  I am also assuming that I will see similar in later versions of Windows Server OS.
    To throw a slight curveball, we are also integrated with a SIEM solution.  As this signature severity is low, it is mapped to a log action so nothing will actually be stopped, but if there are no exceptions, relevant events would go through to SIEM. 
    They could be filtered there, but potentially used in correlation rules or troubleshooting, but that obviously takes more space in the McAfee (ePO) database and the SIEM solution, which needs to be taken into account.
    Thoughts on this would be greatly appreciated - I genuinely wish I knew more about this subject!
    Cheers,
    Darren

    Hi,
    I am not sure what specific information you are looking for - could you clarify?  I think I have covered the majority of what is happening in my initial post, however if there is a specific bit of information you are after, let me know.
    The above is an article I had stumbled across, with the majority of the information contained in the link included in my initial post.  The final paragraph under 'could this process be a virus' is interesting - I have copied it below - from your perspective
    is this merely anecdotal or is there something behind it (references, if they exist, would be fantastic)?
    "As long as you make sure that the location of the file is in your Windows\System32 directory, you aren’t dealing with a virus. There have been cases of certain viruses trying to mimic the same filename, but they are always located in another directory."
    - source: http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/ , 09/01/15
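
    Added example (not part of the original posts): one way to record what each svchost.exe instance looks like and which programs it has started, so that an exception can be scoped to observed behaviour. It checks the image path mentioned in the quoted article, plus the parent process and the -k service group, and lists child process names. It assumes PowerShell 3.0 or later and an elevated prompt; the function name Get-SvchostBaseline is made up for this example.

    ```powershell
    # Added example: baseline of svchost.exe instances (path, parent, -k group, children).
    # Assumption: PowerShell 3.0+, run elevated so ExecutablePath/CommandLine are readable.
    function Get-SvchostBaseline {
        $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
        $procs = @(Get-CimInstance -ClassName Win32_Process)

        $byPid = @{}
        foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

        $svcHosts = @($procs | Where-Object { $_.Name -ieq 'svchost.exe' })
        foreach ($h in $svcHosts) {
            $notes = @()

            # 1. Image path: the System32 location is the one the article refers to.
            if (-not $h.ExecutablePath) {
                $notes += 'image path unreadable (not elevated?)'
            } elseif ($h.ExecutablePath -ine $expected) {
                $notes += 'unexpected image path'
            }

            # 2. Service hosts are started by services.exe. The parent must also be
            #    older than the child, otherwise the parent PID has been reused.
            $parent = $byPid[[int]$h.ParentProcessId]
            $parentOk = $parent -and $parent.Name -ieq 'services.exe' -and
                        -not ($parent.CreationDate -gt $h.CreationDate)
            if (-not $parentOk) { $notes += 'parent is not services.exe' }

            # 3. Service hosts carry "-k <group>" on the command line.
            $group = $null
            if ($h.CommandLine -match '\s-k\s+(\S+)') {
                $group = $Matches[1]
            } elseif ($h.CommandLine) {
                $notes += 'no -k group on command line'
            }

            # 4. Programs this instance has started and that are still running.
            $children = @($procs |
                Where-Object { $_.ParentProcessId -eq $h.ProcessId } |
                ForEach-Object { $_.Name.ToLower() } |
                Sort-Object -Unique)

            [pscustomobject]@{
                PID       = [int]$h.ProcessId
                Group     = $group
                ImagePath = $h.ExecutablePath
                Parent    = if ($parent) { $parent.Name } else { '(exited)' }
                Children  = $children -join ', '
                Notes     = $notes -join '; '
            }
        }
    }

    Get-SvchostBaseline | Sort-Object -Property Group | Format-Table -AutoSize -Wrap
    ```

    Short-lived children such as tasklist.exe or ipconfig.exe only appear if they are running when the snapshot is taken, so repeated runs over the tuning period give a fuller picture.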

  • Windows Server 2008 X64 - gpupdate takes 10min - svchost.exe (gpsvc) pid logs 8.5 million events in procmon

    Hello,
    We've seen that on our 2008 x64 servers the svchost.exe that holds gpsvc in it takes up a lot of CPU time. Upon further investigation I saw that when it refreshes policies it holds 1 core for 10 minutes. I set up a procmon and filtered it on the PID of the gpsvc-svchost and saw that it logged 8.5 million events.
    It keeps looping events where it seems to be checking history-data under "C:\ProgramData\Microsoft\Group Policy\History\<GUIDS>".
    We are using GPPreferences. Has anyone seen anything like this before?
    I have the .PML-file from procmon, however it's 350MB zipped so I don't know how to attach it to the case.

    Hi,
    To better understand the issue, please help confirm the following:
    1.    Do all computers encounter this issue?
    2.    When did this issue begin to occur? Did it coincide with any events, such as the installation of some software?
    Meanwhile, please perform the steps below to see if the issue goes away:
    1.    Delete the contents in the "C:\ProgramData\Microsoft\Group Policy\History\" folder.
    2.    Please perform a clean boot on the server:
    1)    Click Start, type msconfig in the Start Search box, and then press ENTER.
    2)    On the General tab, click Selective Startup.
    3)    Under Selective Startup, click to clear the Load Startup Items check box.
    4)    Click the Services tab, click to select the Hide All Microsoft Services check box, and then click Disable All.
    5)    Click OK.
    6)    When you are prompted, click Restart.
    If the issue continues, please help collect the following information for further research:
    1.    Enable gpsvc.log:
    Please create the following key in Registry Editor:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    Type: DWORD
    Value: GPSvcDebugLevel
    Data: 0x30002 (hexadecimal)
    2.    Please run gpupdate /force to reproduce the issue and then collect MPSReport on the server:
    1) Download the MPSReport from the website below:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
    2) Double-click the executable to launch the report gathering tool on the computer.
    3) Follow the steps as guided by the Wizard.
    4) On the Select the diagnostics you want to run page, select General, Internet and Networking, Business Networks, and Server Components.     
    3.    After that, please zip the gpsvc.log (%windir%\debug\usermode\gpsvc.log), MPSReport and the PML.file and upload to the following space:
    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=ef4b8b4e-0e6c-4774-a132-2d072f8b77b0
    Password: fQxbhTjUV
    More Information about MPSReport:
    http://blogs.technet.com/askperf/archive/2009/05/01/two-minute-drill-the-new-mps-reports.aspx
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Windows Server 2008 R2 - When svchost.exe memory-leaks Outlook does not load properly

    Hi all,
    We have a server which runs Windows Server 2008 R2, fully updated, and acts as a Terminal Server (Citrix XenApp 6.5).
    In the past couple of months we have had problems with svchost.exe leaking memory, growing to 2-3GB of RAM usage. Sometimes it occurs with weeks between the incidents, sometimes days. To solve the issue we have to reboot the server.
    When this occurs, Outlook (fully updated) doesn't start for any users at all. Outlook doesn't continue from the "Loading profile.." stage. The users who already have Outlook started don't have any problems, unless they close Outlook ;) .
    The svchost.exe is the one which runs the services:
    NSI
    WinHttpAutoProxySvc
    W32Time
    Netprofm
    FontCache
    EventSystem
    We've patched the server with KB2847346 but with no result. Patch KB2950358 is not applicable.
    Any ideas?

    svchost is hosting multiple services. When the issue occurs you can use Sysinternals procmon (or enable the command line column in the Task Manager Processes tab) to determine which service is using that much memory.
    MCP/MCSA/MCTS/MCITP

    Did you read my whole post, or did you just misunderstand the part where I wrote:
    "The svchost.exe is the one which runs the services:
    NSI
    WinHttpAutoProxySvc
    W32Time
    Netprofm
    FontCache
    EventSystem"
    I know that svchost.exe runs A LOT of services, so when the problem occurred I checked which services the specific svchost.exe runs. Every time it happens the svchost.exe (which leaks and has 2-3GB mem usage) runs these specific services.
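
The two checks these threads keep returning to, which services share a given svchost.exe instance and whether its image is in the expected Windows directory, as an added PowerShell example that is not part of any post above. It uses Get-WmiObject so that it runs on the PowerShell 2.0 shipped with Windows Server 2008 R2; the status labels and output column names are this example's own choices.

```powershell
# Added example: inventory every svchost.exe instance. Run from an elevated
# prompt, otherwise ExecutablePath can come back empty for some processes.

# Image paths a genuine svchost.exe is expected to load from.
$expected = @(
    (Join-Path $env:windir 'System32\svchost.exe'),
    (Join-Path $env:windir 'SysWOW64\svchost.exe')
)

# Group the names of running services by the PID of their host process.
$byPid = @{}
Get-WmiObject Win32_Service -Filter "State='Running'" | ForEach-Object {
    $key = [int]$_.ProcessId
    if (-not $byPid.ContainsKey($key)) { $byPid[$key] = @() }
    $byPid[$key] += $_.Name
}

# One row per svchost.exe: PID, memory, path verdict and hosted services.
Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    $status = if (-not $path) {
        'PathUnavailable'      # not elevated, or access denied
    } elseif ($expected -contains $path) {
        'ExpectedPath'         # -contains compares case-insensitively
    } else {
        'UnexpectedPath'       # same file name, different directory
    }
    New-Object PSObject -Property @{
        PID          = [int]$_.ProcessId
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        PathStatus   = $status
        Path         = $path
        Services     = ($byPid[[int]$_.ProcessId] -join ', ')
    }
} | Sort-Object WorkingSetMB -Descending |
    Select-Object PID, WorkingSetMB, PathStatus, Services, Path |
    Format-Table -AutoSize -Wrap
```

The largest working set sorts to the top, so a leaking instance and the services it hosts are on the first row. A row marked UnexpectedPath is the name-mimicry case the quoted article describes; ExpectedPath only rules that one case out.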

  • SVCHOST.EXE Overflow and WMI Crash

    Hello, colleagues!
    I faced a problem after deploying SCCM 2012 Agent and SCEP 2012 on clients on Windows 7 SP1.
    The WMI component crashes and the svchost.exe process for netsvc services got overflowed and it uses a lot of RAM memory and grows and grows.
    I found out that this error appears when the agent tries to ask WMI and receives an error ".....WBEM_E_NOT_FOUND....."
    Also I found some hotfixes from MS on how to solve this problem, here they are:
    KB2492536
    KB2465990
    KB2492536
    KB982293
    KB974930
    Anyway, these help only before installing the SCCM 2012 agent; afterwards I need to rebuild the WMI repository for the system to work correctly. By the way, there is no log information in Event Viewer provided by the system. I found this error only in the log files of the SCCM agent, located locally on the system.
    Has anyone faced this issue?
    Are there any proper solutions provided by MS, or is it maybe a known issue?

    Since no one has answered this post, I recommend opening a support case with CSS as they can work with you to solve this problem.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ
