I think you'll find Svchost Viewer to be useful.

You can use it to determine which program is doing most by viewing the amount of data written and such. It should help in some way to determine which process is doing what.

Use a program like Process Explorer to determine which svchost.exe is consuming the resources. Is the svchost being run from services.exe? What are the commandline arguments for that particular svchost? There are several svchost run via Windows, you will need to isolate which one is consuming those resources. Process Explorer will display which services are associated with that process, as well as display which TCP/IP ports it is using.

Click on the Process tag so the processes show in a tree format to confirm it is being run via services.exe.

Although from looking at your Services tabs, they look legitimate.

First svchost looks like `svchost.exe -k LocalServiceNoNetwork`
Second svchost looks like `svchost.exe -k LocalServiceNetworkRestricted`

Do you have anything aggressively hitting your Windows Firewall? What do the TCP/IP and Threads tabs show? The threads tab will display CPU information for the threads within each process. Have you tried to restart the services specified or checked your eventlog to see a lot of errors?

Are you running any indexing of media files or have anything on your LAN attempting to access those media files?

That's a lot of EtwTraceMessageVa calls. Have you checked your eventlog? At the rate it's using CPU there has to be something in WMI writing to ETW. Better question, did this start recently and do you have a restore point before it happened?

I’m surprised about the advice that others have given on this issue (some even simply made guesses).

For Leonardo and others who find their way here, there are some teps that everybody else missed.

• Yes, start by getting a copy of Process Explorer.

• Yes, next look at the instances of SVCHOST.EXE that are running and double-click the one with the high CPU usage.

• Yes, look at the Services tab to find out what services are being hosted by that instance of svchost.

This is where everybody else stopped; that’s not enough. Now, you need to run Services.msc and stop each of the services that are hosted by the runaway instance of svchost in turn, making sure to wait and watch for a while after each to see if the CPU load drops. If it does, then the last one that you stopped was the culprit.

At this point, you know exactly what service was hogging the CPU and can then pursue finding out why that specific service would suck cycles.

I just had one of the svchosts processes, out of nowhere, start to cripple my Win7 32bit PC for the last 2 days, with the (Dual Core) CPU stuck on 100%. This particular svchost process was responsible for over a dozen net services process threads, all of which appeared to be standard necessary network services.

Using a combination of new admin alerts in the EventVwr, Sys Internals Process Explorer and svchost analyser, I narrowed it down to the main culprit being:

Windows Live Mesh Remote Desktop service

Disabling this in services got me back about 60% of my CPU, and this particular svchost service then dropped off in task manager.

It was then replaced by another, utilising some 35 - 45%. By right clicking in Task Manager and going to the service, the only service attributed was Windows Defender.... (and we've all heard of that one before).

As many don't realise it's installed with Windows 7 by default (you can't see it in your programs list), this link show a nice tuorial on how to disable it.

http://www.simplehelp.net/2009/03/11/how-to-disable-windows-defender-in-windows-7/

I also have had an issue with svchost.exe causing 100% CPU usage. The services in question related to svchost are NLASvc, LanmanWorkstation, Dnscache, and CryptSvc. My problem ended up being Firefox. In the latest version they added plugin-container.exe which runs as a process separately from Firefox. The idea behind it is if a plugin crashes it won't crash Firefox or your browsing session. But it made surfing on my system unbearable.

The solution: Disable plugin container process.

• Open Firefox web browser.
• Type about:config in the address bar and press Enter key.
• A warning will appear. Ignore it and press the “I’ll be careful, I promise!” button.
• In the Filter field type dom.ipc. Six preferences will appear for the filter dom.ipc.
• Ignore first and last preferences (dom.ipc.plugins.enabled and dom.ipc.plugins.timeoutSecs). Toggle (double-click) each of the four remaining preferences to change the value from “true” to “false“.

You are done, restart Firefox and open up Windows task manager to see that the plugin container process is disabled..

More information

The crash protection feature in Firefox 3.6 is enabled for certain plugins only. The four preferences that we modified here specifies four different out-of-process plugins. They are the NPAPI test plugin, Adobe Flash, Apple QuickTime (Windows) and Microsoft Silverlight (Windows). These plugins are specified in a separate dom.ipc.plugins.enabled preference by default is set to true. We can disable them by changing their value to false. And thus plugin-container.exe will not run. By default, the preference dom.ipc.plugins.enabled is already set to “false”. So, no need to touch it. The dom.ipc.plugins.timeoutSecs is also not important here as other values are false.

I hope this helps somebody.

A number of viruses can run under the name of svchost, so it's best to check you've got decent anti-virus running and updated. It's just as likely to be a non virus-related Windows problem though.

Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs) and you can analyse what these particular svchost processes are using Svchost Process Analyzer

Use the Sysinternal's Process Explorer

Then, find which SVCHOST service is running without any parent, because each svchost.exe must be loaded by services.exe. Kill all of them if found. (You can figure out the parent of a process by double clicking on it >> "Image" Tab >> "Parent" Label.)

Additionally, if the virus you got is the same one as with me, you should do the following steps.

Check if there is a process named Watermark.exe under the ..\Program Files\Microsoft folder. Then delete it. (You also better LOCK that folder by using the Security tab of it.)

Watermark.exe is injecting VBScripts code into every .html file. Then these infected .html files are injecting into SVCHOST.EXE. So check a few .html files from different places by opening with some text editor. * Don't run *. If you find VBScript code at the bottom of your file, the condition is worse than we hoped.

So if this is happening too, you better clear all .html files (or) remove the code from each .html file.

After cleaning the .html files, for me at this situation, I surely replaced the SVCHOST.EXE from Windows XP installation CD, by using Recovery Console from boot.

From your screenshots, it seems like the audio service is involved.

There might be a connection with the problem described in win 7 high cpu usage on 2 services (see last answer).

Try to disable the integrated audio and see if this helps.

the wevtsvc.dll is causing the high CPU usage for you.

This is the Windows Eventlog service. to see in detail what is does, you have to use xperf to capture CPU sampling data and analyze it with WPA.exe.