How to diagnose abnormal CPU usage by svchost.exe?

19

12

I've got a laptop with a Win 7 32-bit system powered by a dual-core Pentium (it's a 2010 laptop). Sometimes it works fine, but usually it idles at 100% CPU load. The CPU is consumed by two svchost.exe processes (50% each). As far as I understand, this is a service host. Is there any way to find out which service is the culprit?

Of note: this happens even in safe mode.

Violet Giraffe

Posted 2017-03-24T20:49:49.277

Reputation: 822

Question was closed 2017-03-25T07:50:48.007

1

You can use process explorer to look at the services that are running under the two instances of svchost ( https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx )

– Yorik – 2017-03-24T21:08:38.433

@Yorik: I thought of that, but ProcessExplorer showed nothing of use. – Violet Giraffe – 2017-03-24T21:19:55.173

5In Windows 7, I would say that currently >90% of svchost CPU issues are related to the Windows Update service. If you have real trouble getting a system up-to-date (which may be difficult on a fresh install with an old processor), try to install KB3050265, KB3138612 and KB3145739 without a network connection. Then reboot and search for updates. – ontrack – 2017-03-24T22:42:13.637

@ontrack: Interesting. Actually, I think checking for updates is disabled on this machine, it probably wasn't ever updated since 2010 or 2012. And I have no desire to install updates, I just need to fix the CPU issue. If you're right, will simply disabling the Windows Update service help? – Violet Giraffe – 2017-03-25T06:01:07.640

this was asked so many times. see dup. You likely see the WU scnaning issue. Solve it from steps in my answer: https://superuser.com/a/996072/174557

– magicandre1981 – 2017-03-25T07:52:04.453

To the person nominating for reopening: Can you please detail how the linked duplicates do not answer your specific question? – music2myear – 2017-04-12T17:46:55.620

@music2myear: I'm not that person, but IMO the accepted answer here beats the answers there. – Violet Giraffe – 2017-04-12T17:49:18.983

Answers

28

As an instance of svchost.exe hosts multiple system services, here is how to separate the services, each to his own instance of svchost.exe, so as to find out which service consumes the CPU.

The procedure is as follows :

  1. Use Task Manager to show all processes sorted by CPU descending and mark the PID of the processes that consume the CPU

  2. In a Command Prompt (cmd) enter the command
    Tasklist /svc /fi "IMAGENAME eq svchost.exe"
    enter image description here

  3. The problematic instances of svchost.exe can now be located by their PID and on the right you will find a list of the system services that they host

  4. For each of the names in the list enter the following command in a Command Prompt (cmd) that is Run as administrator:
    sc config <name> type= own
    (Note the space between the ‘=’ and ‘own’)

  5. Reboot

The system services that you separated will now each run in its own instance of svchost.exe and can be seen in Task Manager in the Processes tab. You may right-click on an instance and select "Go to Service(s)" to go directly to the service, or use again the tasklist command.

For more information see the Microsoft article
Getting Started with SVCHOST.EXE Troubleshooting.

harrymc

Posted 2017-03-24T20:49:49.277

Reputation: 306 093

7

Process Explorer makes this easy. I have confirmed this works with Process Explorer v16.20 on 64-bit Windows 7 Professional and 64-bit Windows 10 Pro.

  1. Run Process Explorer elevated.
  2. Locate an svchost.exe process with a high (or even just measureable/non-blank) value in the CPU column. Sorting by the Process or CPU column may assist with this.
  3. Right-click the svchost.exe process and select Properties....
  4. In the process properties window, select the Threads tab. All of the threads in this process will be displayed.
  5. Locate a thread with a high (or, again, just measurable/non-blank) value in the CPU column. Sorting by the CPU column may assist with this.Process Explorer process Threads tab
  6. The Service column will show the name of the service in which that thread is running.

If the service name is not familiar to you...

  1. In the process properties window, select the Services tab. All of the services that run in this process will be displayed.
  2. Match the Service column on the Services tab to the value of the Service column on the Threads tab you located in step 6.Process Explorer process Services tab
  3. The Display Name column will display the friendly name of the service. The description of the selected service will appear below the list of services.

BACON

Posted 2017-03-24T20:49:49.277

Reputation: 279

Ah, I didn't know about those advanced functions of Process Explorer. Thanks. – Violet Giraffe – 2017-03-25T06:04:17.627

3

You can use Task Manager. There are other ways (command line, or even write some program using WinAPI), but I won't discuss them here. Before going any further, your user should have administrative privileges.

On the Processes tab:

  • Check Show processes from all users.
  • Right click on the processes "table header" (that contains column names like Image name, PID, User Name, CPU, ...), and select Select Columns....
    • On the dialog that pops-up, scroll down and make sure you check Command line, and PID (Process Identifier) then press OK.

  • Back to the Processes tab, click on CPU column header so that the processes will be ordered by their CPU consumption (note that the processes might be displayed in ascending/descending order - each click on CPU switches the orders), click until the 2 processes appear at the top of the table. Now you''re able to see their command line (I don't know but I have a feeling that one of them is netsvcs (Network Services)) and also their PIDs.

  • Next, you need to match the 2 processes to the services. For that you can either:

    • Right click on them and then Go to service(s).... This will move to the Services tab, having all the service running in that process selected (for this option you don't need any of the previous steps :) ).
    • Open the Services snapin in mmc. When double clikc-ing on a service (only makes sense to check the ones that are running), Under Path to executable you can see their command line that you should do the match on.
  • On W10 you can view the exact info you need from Resource Monitor (you can start it from Task Manager, Performance tab). There you go to CPU tab and the services and their CPU consumption are listed.

EDIT0: Updated answer to provide a simpler (and making way more sense) approach, instead of scratching my right head side using my left hand style one, that I initially posted.

CristiFati

Posted 2017-03-24T20:49:49.277

Reputation: 215

I never noticed you can see the command line, neat! Not as straightforward as harrymc's answer, but good to know. – Violet Giraffe – 2017-03-24T21:27:08.947

Task Manager can do that on its own. If a svchost process is selected when switching to the Services tab, the services running in that process will be selected there. – Simon Richter – 2017-03-25T00:48:22.340

1Really? On W10 this doesn't happen (at least when there's some service already selected). The only way is by rclick'ing on the process, and then choose Go to service(s) (option that I missed - most likely it exists in W7 as well). Unfortunately I'm not able to check. – CristiFati – 2017-03-25T01:06:43.000

1

@CristiFati this option has existed since Windows Vista (source: https://technet.microsoft.com/en-us/library/ff642468.aspx ), you should probably add it to your answer instead of the PID matching by hand

– Spc_555 – 2017-03-25T07:23:29.543

Asked: 2017-03-24T20:49:49.277

Viewed: 2 291 times

Active: 2017-03-27T18:47:05.010