svchost.exe taking 25% cpu

5

1

For some time now I have been noticing that one of my svchost.exe was constantly taking 25% cpu time on my 4 core, Win7 Ultimate PC. This particular service host is hosting:

  1. Cryptographic Services (CryptSvc)
  2. Dns Client (DnsCache)
  3. Network Location Awareness (NlaSvc)
  4. Workstation (Lanman Workstation)

I suspected a virus but Windows Essential is up to date and reports nothing, and Autoruns doesn't show anything unusual.

Thanks for the help!

As per request the stack of the thread taking up 25% cpu:

ntkrnlpa.exe!KeSetEvent+0x2a1
ntkrnlpa.exe!KeDelayExecutionThread+0x5cc
ntkrnlpa.exe!KeWaitForMutexObject+0x393
ntkrnlpa.exe!KeQueryHighestNodeNumber+0x9fe
halmacpi.dll!KfRaiseIrql+0xcb
halmacpi.dll!KeRaiseIrqlToSynchLevel+0x8f
halmacpi.dll!HalEndSystemInterrupt+0x67
halmacpi.dll!HalInitializeProcessor+0xae8
ncsi.dll!NcsiIdentifyUserSpecificProxies+0x3a47
ncsi.dll+0x31f0
ncsi.dll!NcsiIdentifyUserSpecificProxies+0x4c92
ncsi.dll+0x1e93
ncsi.dll+0x20a2
ncsi.dll+0x1808
ncsi.dll+0x2240
ntdll.dll!RtlIsCriticalSectionLockedByThread+0x474
kernel32.dll!BaseThreadInitThunk+0x12
ntdll.dll!RtlInitializeExceptionChain+0x63
ntdll.dll!RtlInitializeExceptionChain+0x36

Looks like a problem with some kind of interrupts problem in the HAL? I'll try updating all my drivers and report back.

Mikle

Posted 2010-07-25T17:19:14.040

Reputation: 161

Answers

3

Whenever anyone finds themselves in a situation like this, the first step is to stop each of the hosted services one-by-one, waiting a few moments between each, and checking to see if the usage drops. Once you have narrowed down the problem to the specific service, then you can do a web-search to find out if others have experienced the same problem.

In this instance, it was likely indeed the DNS service (Mikle did not indicate why he thinks it is not, and his assumption about the HAL is specious).

Of the services indicated, the only one that is known to cause a 100% CPU load is the DNS service. (The only references to a high CPU load in regards to the other services is with Vista+ where they are sharing the same svchost instance as the DNS service. Sadly it often ends up going undiagnosed.[1][2]) That it would only have taken 25% of the CPU load makes sense because he said it was a four-core processor, so the DNS service was using 100% of the core it was using.

The problem occurs whenever the HOSTS file grows “too large”; for some reason, whenever the HOSTS file has too many entires, the DNS service goes into a tail-spin, starts pegging the CPU, and never recovers (no, leaving it a long time to eventually finish does not work because it never finishes, even after days).

What had likely happened in this case is that Mikle had downloaded and installed a large HOSTS file like those available from some MSMVPs or had used SpyBot’s immunization function.

Unfortunately the only option in this case is to either strip the HOSTS file down to only a few entries, or to disable the DNS service.

Note that once the DNS service flies off the handle, you will not likely be able to simply stop it like a normal service; you must actually kill the instance of svchost.exe that is hosting it. This isn’t so bad in XP because it usually gets its own copy, but in 7, it shares a copy with a few other services (though nothing critical, so you can simply re-start the other services once you have disabled the DNS service).

Synetech

Posted 2010-07-25T17:19:14.040

Reputation: 63 242

how to kill the instance of svchost.exe? It restarts immediately in task manager – user5389726598465 – 2019-07-21T15:20:00.247

You can't just kill the process; Windows will just assume it crashed and restart it. You need to disable the service. – Synetech – 2019-07-22T12:14:32.253

It's greyed out (disabling the service) – user5389726598465 – 2019-07-22T13:52:03.607

The DNS service won't let you disable it? Where is it greyed out, the Task Manager or the Services snap-in? You need to run it with elevated privileges (run as admin). Another option is to do it through regedit, but that too needs to be run as admin. – Synetech – 2019-07-23T14:43:33.467

In the services snap-in. Running as administrator did not enable the disable button. Where are instructions or how to do it through the registry? I can't use my main image until this is solved so I'm native booting a vhd which is slower. – user5389726598465 – 2019-07-23T17:12:49.180

Running the services snap-in as admin won't let you disable the DNS service? Hmm, that's very strange since it's not exactly a critical (or even necessary) service. I'm guessing this is Windows 10 right? Yet another reason I have no interest in 10. – Synetech – 2019-07-24T18:07:58.923

1If it is the DNS service, you can rename the HOSTS file so that it's not reading that and hanging. Otherwise, you can manually disable the DNS service by opening the registry in admin mode, and going to HKLM\SYSTEM\CurrentControlSet\services\Dnscache, then changing Start to 4 (disabled). Reboot and it should no longer run. Of course, this also means you won't be caching IP addresses, so it might have a slight impact on Internet performance. (You can get around this with a third-party DNS program if necessary.) – Synetech – 2019-07-24T18:11:33.397

1

I had this happening too; but it may or may not be what was happening to you. As you asked this ~5 years ago, this will more likely help others than the asker. I too have a large HOSTS file, and this can indeed cause the DNS service to be very busy just after boot; but this phenomenon will go away after the Internet is responding normally. With just over 171,000 entries, my Core I3-2100 becomes usable after 2-3 min. If it persists after that time, it probably is not that.

I did what the guy proffering the Process Explorer answered, and found the culprit. In my case, I have an ASUS mobo, and so I trustingly installed the Asus AI Suite II. It installs a file called "AsRoutineController.exe" which Process Explorer indicated was using 24-25% of the CPU, which is to say, virtually all of a single core. It seems related to the bar that starts the AI Suite applets. Stopping the AI Suite II from the System Tray caused it to stop. Restarting the AI Suite II app did NOT cause the problem to resume. Unfortunately, I have seen this happen on a fresh boot in the past, even after the 'Net begins responding normally. It thus seems that the only way to prevent it from sapping 25% of your processing power is to simply uninstall the AI Suite II, if that is what is causing it for you.

CodeLurker

Posted 2010-07-25T17:19:14.040

Reputation: 176

1

Start Process Explorer (also from Microsoft Sysinternals) as administrator.

Look at the Threads tab of the svchost.exe that is consuming too much,
you can get the Stack of a very busy Thread to see what it is doing or copy the Stack here.

Tamara Wijsman

Posted 2010-07-25T17:19:14.040

Reputation: 54 163

1I didn't think to check the stack and threads of the process, silly me :) – Mikle – 2010-07-25T21:13:15.583

1

It's the DNS Client doing it. Stop the service and it'll quit. (The service isn't required anyway. It purports to speed up DNS lookups but I haven't noticed a difference since I set it to Manual.)

BillP3rd

Posted 2010-07-25T17:19:14.040

Reputation: 5 353

I updated the question, it's not the DNS client, but thanks for helping. – Mikle – 2010-07-26T16:45:57.413

It does indeed sound like the DNS service, but it only happens if the HOSTS file is large and has many entries. Also, you cannot stop it once it has started pegging the CPU; you must kill the process. Then you must set it to disabled because simply killing it won’t help since it will immediately start the next time you do anything that requires looking up a domain name. And for the record, it definitely makes DNS lookups faster. Without it enabled, it takes ~3~7 seconds for any given web page to show up every time you start a new session. With it, they’ll show up in ~1 second. – Synetech – 2014-04-13T03:50:07.057

Asked: 2010-07-25T17:19:14.040

Viewed: 15 748 times

Active: 2015-12-29T13:18:57.237