svchost.exe eating CPU: which of these services can be the cause?

17

7

Thanks to these awesome instructions I was finally (!) able to identify the services of the svchost.exe process which eats so much of my CPU on my Windows XP Professional SP3 (Version 2002):

Process                   PID    Services
========================= ====== =============================================
svchost.exe                 5516 BITS, EventSystem, Nla, RasMan, SENS,        
                                 ShellHWDetection, TapiSrv, W32Time, winmgmt, 
                                 wuauserv

Now:

  1. Which of these services can potentially be the cause of the problem?
  2. Shall I now try to stop some of them?
  3. If yes, which of these services can be stopped safely and which is better not to stop at all? (Without destabilizing the system)
  4. How can I manage the services? Using services.msc? The problem with services.msc is that I have localized Windows and I see all of them translated. Is there any way I can match and stop/start the corresponding service with the english names provided above?

Thanks a lot!

PS: producing the above output to find the services of the greedy svchost.exe process was tricky on my localized Windows, since the /fi filtering on process name didn't work (the filter commands itself are translated to czech and it's not possible to enter them on the console due to charset issues!!! Braindamaged M$!!!). This is how I did it:

  1. tasklist /v > c:\tomas\file.txt
  2. Find the PID of the proper svchost process by memory usage.
  3. tasklist /svc /fi "PID eq 5516"

PS: this is not a duplicate of #995581 at all, it's not about data but CPU consumption, also svchost issues were so frequent that it deserves it's own specific question, which is also about specific services. That question wouldn't solve my problem at all.

Tomas

Posted 2018-06-11T09:39:05.397

Reputation: 5 107

1Referring to your edit and my rollback: accepting an answer is enough indication the problem is solved. – Kamil Maciorowski – 2018-06-11T12:42:24.667

11Just to say this again: Windows XP reached full end of life more than four years ago. For the past four years, with two notable exceptions it has not had any patches created... not even critical security updates, and not even when there are known security flaws discovered (and there are many of these!) It's dangerous and irresponsible to continue using this system. Upgrading to a supported OS should be job #1. – Joel Coehoorn – 2018-06-11T15:11:26.600

@KamilMaciorowski no no, this is something special: this issue is so long going and no one had the right solution, that it's worth to emphasize it's finally solved! – Tomas – 2018-06-11T15:40:22.087

1We appreciate your input, but as Kamil already said we do not label our questions as "finally solved" within the Super User community. We can easily see that by the fact that there is an accepted answer. More importantly, you really need to move to a more modern operating system than Windows XP. Using it is simply begging for a security incident. – Run5k – 2018-06-11T17:33:34.020

1

this is same like in windows 7, where WindowsUpdate causes the issue. With a lot of updates were released over the years, WU is slow to check which updates it really needs.

– magicandre1981 – 2018-06-11T17:45:38.500

Possible duplicate of How to see which applications use "Host process for windows services" to eat metered data?.

– Peter Mortensen – 2018-06-11T18:00:34.907

I think we have been here before. – Peter Mortensen – 2018-06-11T18:03:04.453

Sorry @Peter but none of those questions/answers would actually help me to solve my problem. Let it live on its own. – Tomas – 2018-06-11T20:21:38.733

4

Should this be migrated to http://retrocomputing.stackexchange.com?

– Heinzi – 2018-06-12T11:54:58.443

@Heinzi omg no keep this question here. Hope you were just trolling though. As far as Win XP is concerned, I appreciate your feedback guys on the security, but it's also kinda tiring to hear this over and over again whenever you ask something on Win XP - I didn't ask for this. "You shouldn't use Win XP"... i didn't ask whether I should or should not use win xp. Some people might be not aware of this so it might be good but repeating this 10x times here is kinda overkill. So please stay on topic. – Tomas – 2018-06-12T15:10:50.270

1@Tomas: It was a (semi-)serious suggestion, and it would actually solve the problem you just mentioned: Since retrocomputing is all about making vintage hard- and software run, you won't get any "you shouldn't use Win XP" warnings there, since no-one will (falsely) assume that you are trying to do this on a production system. – Heinzi – 2018-06-12T15:31:27.370

Answers

41

First of all: Don't use Windows XP. This is an accident waiting to happen.

That said, I am nearly certain, that wuauserv is the culprit: Windows Update is completely broken with Windows XP, and it no longer servers any purpose. Try net stop wuauserv to make sure.

Eugen Rieck

Posted 2018-06-11T09:39:05.397

Reputation: 15 128

thanks! It seems it helped, svchost not eating cpu now! What is interesting though, that when I stopped it, the process started to serve a new service: srservice - system restore service. 1) Is it a coincidence or not? Doesn't look like to me. 2) What is it the service actually doing? I was not able to find what actually is it doing... – Tomas – 2018-06-11T10:02:29.433

12It is the server component of automatic windows updates (wuauctrl is the client). As that it has to create the list of updates to install. Since some bright mind chose an O(e^n) algorithm to do so, this becomes uncontrollably slow with an increasing number of updates to consider. Since it is also responsible for running the installers, it might run an SR instance if interrupted while trying (and failing) to install an update. – Eugen Rieck – 2018-06-11T10:06:06.097

Thank you Eugen! And sorry for not being specific enough in my previous comment - I was actually asking about the srservice not wuauserv - if the spontaneous startup was a result of me stopping wuauserv and what is it doing. Do you know? Anyway thank for all the explanations! – Tomas – 2018-06-11T10:11:37.717

3The install process for many windows updates starts with creating a system resore point as to have a known-working version of the system, if the update fails. If it does fail (e.g. by wuauservbeing killed) the system restore service will revert to this restore point, thus eliminating any unwanted side effects of the failed install attempt. – Eugen Rieck – 2018-06-11T10:14:24.677

Aha, now it's clear, thanks! So I should probably let the srservice run and do its job, right? – Tomas – 2018-06-11T10:18:54.013

1It shouldn't take long - just to make it clear: The SR service will do real work just for a short period of time, but it will continue to exist until reboot. In fact, I am quite sure it already existed before, but was so low down the activity scale, you just didn't see it. – Eugen Rieck – 2018-06-11T10:25:07.367

Thanks! And actually no, the srservice didn't appear in the tasklist /svc /fi "PID eq 5516" before, as you see in the question. It appeared there newly after stopping wuauserv. – Tomas – 2018-06-11T10:28:26.407

Anyway, it is so braindamaged to use exponential algorithm to this... So this was the problem!!! This was why I kept suffering with this process for so long! Exponential algorithm! It doesn't surprise me with Microsoft! Thanks for helping to solve the issue! – Tomas – 2018-06-11T10:30:11.547

9@Tomas , Really should reiterate, do not use WinXP any more. If you need it for some odd backwards compatibility, your best bet is an isolated virtual machine. I would also ensure it is not connected to the internet. WinXP has so many unpatched remote code vulnerabilities at this point, along with little to no security updates for browsers... as Eugen said, it's an accident (complete compromise) waiting to happen. – Jarrod Christman – 2018-06-11T15:00:40.973

7Don't just stop the service... mark it disabled, so it won't run again. Support for Windows XP was discontinued, so it's not even as if it could find a new update, and thus letting it run in the background serves not purpose. – Joel Coehoorn – 2018-06-11T15:14:57.053

... that said, the evidence here from srservice is it was trying to install something, meaning this particular system wasn't finished patching yet. It may be best to let it run and slow down the system until everything is fully up to date (or at least as up to date as it's possible to get /: ). Then disable it. – Joel Coehoorn – 2018-06-11T15:16:06.403

@JoelCoehoorn that's not the case - it has run on my CPU for such a long time I cannot even tell you!! IF there was something to install yet it would have been installed thousand times. I am so glad I finally got rid of it! – Tomas – 2018-06-11T15:38:11.367

You can still get POSready updates via Windows Update for a normal XP machine, and that still works via the service (if you updated the service itself previously and do not use broken old versions). It's a hack by itself though. – Ray – 2018-06-12T07:12:28.923

@RayKoopa as far as I'm Aware the posready updates are not going very much longer too anyways. If he wants anything out of the machine aside from leaving it completely isolated (especially the Internet) he Needs to Switch the OS to win7+ asap (or more Windows 10 as Windows 7 also is nearing ist end of updates time quite fast). – Thomas – 2018-06-12T09:11:27.660

@Thomas of course. just saying that windows update "may" be used in very rare circumstances still, which he doesn't have though. – Ray – 2018-06-12T13:39:56.463

Asked: 2018-06-11T09:39:05.397

Viewed: 3 612 times

Active: 2018-06-11T23:13:46.463