Are 1,000 threads normal for services.exe?

0

I noticed that my system is slowing down and services.exe often uses quite some CPU (around 10-40%), especially after waking up the PC.

I find it hard to find out more about services.exe, and what is actually causing this issue.

However, I find it suspicious that the services.exe process has over 1,000 threads running. So this may be the first clue. Most of the threads are in RtlValidateHeap:

ntdll.dll!ZwWaitForWorkViaWorkerFactory+0xa
ntdll.dll!RtlValidateHeap+0x3bb
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x21

So what's the recommended approach to identify issues like that?

Update: It might be that Eclipse or some of the plugins are related to this issue. After shutting down Eclipse, the thread count went down to 100-something, and is back at 1,000+ after restarting.

Markus Junginger

Posted 2012-07-08T10:04:07.690

Reputation: 59

Without analyzing more of the call stacks of these threads, it's impossible to tell what's going on. My own services.exe runs 16 threads right now. So hundreds still sounds a bit excessive. How are you even determining those values? What tool are you using? – Der Hochstapler – 2012-08-02T18:52:25.550

I just had a look at Process Explorer. Right now, I have 1,006 threads. Who offers more? ;) Anyway, how do I investigate issues like those? – Markus Junginger – 2012-08-02T18:55:20.793

I also have threads with the identical call stack. I always considered those normal, but have no real clue what they actually do. If you sort the threads by Cycles Delta (so it shows the heavy workers on top), what are the stacks that generate the most work? – Der Hochstapler – 2012-08-02T19:32:27.700

It's the call stack I posted. Just one thread tops the others:

ntdll.dll!RtlGetFullPathName_U+0x2f5
ntdll.dll!TpAllocWork+0xfc
kernel32.dll!CreateThreadpoolWork+0x18
UBPM.dll+0x1216
UBPM.dll!UbpmApiBufferFree+0x1948
UBPM.dll!UbpmApiBufferFree+0x1aba
UBPM.dll!UbpmApiBufferFree+0x13b6
ADVAPI32.dll!EnableTrace+0x62a
ADVAPI32.dll!EnableTrace+0x329
ADVAPI32.dll!EnableTrace+0x22a
ADVAPI32.dll!ProcessTrace+0x1c4
UBPM.dll!UbpmOpenTriggerConsumerHandle+0x4c38
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x21

– Markus Junginger – 2012-08-02T20:19:54.440

The top scorer has around 400,000,000 Delta cycles (ntdll.dll!RtlGetFullPathName_U+0x2f5). After that loads of threads with the stack I posted initially (not much difference in the values). – Markus Junginger – 2012-08-02T20:27:38.687

Do you have any performance analysis or profiling services/applications running? The UBPM.dll and the EnableTrace call sound highly suspicious. – Der Hochstapler – 2012-08-02T21:06:03.063

How can I tell? If so, it should be something that survives a restart. I was trying to hunt down another performance issue some time ago, so I ran some performance tools. I don't remember making any persistent changes, but I also cannot rule out that possibility. – Markus Junginger – 2012-08-02T21:28:39.287

1

I have only four RtlValidateHeap’s and a TplsTiumerSet, and a UBPM just popped in. Try checking to see if you have any non-default tasks scheduled. Also see what the highest memory-using and CPU-using processes are. Also try shutting down each service possible and check if it drops after each one.

– Synetech – 2012-08-02T21:36:48.623

Your system may be infected with a virus. It may be using services.exe to start malware programs. That may be the reason why its thread count is going up. – arundevma – 2012-08-03T09:49:38.670

Using Process Monitor, I checked services.exe and eclipse.exe for activity. services.exe is doing almost nothing, while eclipse.exe generated 165,000 events within 270s without any user interaction. It's mostly CreateFile, CloseFile, and Query directory. My workspace is huge. – Markus Junginger – 2012-08-08T14:09:25.630
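Added example, not part of the original thread and not any participant's code: a PowerShell script that reproduces the triage discussed in the comments above without Process Explorer. It counts the threads of a process, groups them by state and wait reason, ranks them by CPU time consumed over a short window, and lists active ETW trace sessions. The parameter names, the 5-second window and the use of CPU time in place of Process Explorer's cycle counter are assumptions of this example; run it from an elevated prompt as a .ps1 file.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell, elevated prompt.
param(
    [string]$Name = 'services',   # process name without .exe
    [int]$SampleSeconds = 5,      # sampling window (arbitrary choice)
    [int]$Top = 10                # how many of the busiest threads to list
)

function Get-ThreadSnapshot {
    param([string]$ProcessName)
    $proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    foreach ($t in $proc.Threads) {
        # CPU time needs a thread handle and can be denied for protected processes.
        $cpu = $null
        try { $cpu = $t.TotalProcessorTime } catch { }
        # WaitReason is only valid while the thread is in the Wait state.
        $wait = $null
        if ($t.ThreadState -eq 'Wait') { $wait = $t.WaitReason }
        [pscustomobject]@{ ThreadId = $t.Id; State = $t.ThreadState; WaitReason = $wait; Cpu = $cpu }
    }
}

$before = @{}
Get-ThreadSnapshot $Name | ForEach-Object { $before[$_.ThreadId] = $_ }
Start-Sleep -Seconds $SampleSeconds
$after = @(Get-ThreadSnapshot $Name)

"{0}: {1} threads" -f $Name, $after.Count

# Group by state and wait reason to see how many threads are merely waiting.
$after | Group-Object State, WaitReason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Busiest threads over the window (CPU time delta, not Process Explorer's cycle count).
$after |
    Where-Object { $null -ne $_.Cpu -and $before.ContainsKey($_.ThreadId) -and $null -ne $before[$_.ThreadId].Cpu } |
    ForEach-Object {
        [pscustomobject]@{
            ThreadId   = $_.ThreadId
            CpuDeltaMs = [math]::Round(($_.Cpu - $before[$_.ThreadId].Cpu).TotalMilliseconds, 1)
            State      = $_.State
        }
    } |
    Sort-Object CpuDeltaMs -Descending | Select-Object -First $Top | Format-Table -AutoSize

# Active ETW trace sessions, relevant to the EnableTrace/ProcessTrace frames above.
logman.exe query -ets
```

Thread IDs can be reused between the two snapshots, so treat a single surprising delta as a prompt to re-run rather than as a finding.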

Answers

2

Normal sub-sub-processes are around 70-100 for the services.exe process. (This makes 7-10 subprocesses on average). What the OP posted was probably all of them combined.

Your running of Eclipse attaches itself to services.exe because it utilizes multiple (hundreds) of built-in macros and algorithms that Eclipse doesn't need to run because it's built into Windows. These running items, as I previously mentioned, attach to services.exe as sub-processes (or threads, as you mentioned them).

This explains why it spikes when running the program. Perfectly normal. It's an intensive program, and shaves off processing time by pre-loading ALL possible algorithms and macros into Services.exe right at launch.

Hope that helps! Not much to worry about here. Scan with Malwarebytes if you're nervous it's a virus, but I've seen it before in my computer labs. Normal.

ThePCpenguin

Posted 2012-07-08T10:04:07.690

Reputation: 231

> Normal thread-count is around 70-100 for the services.exe process.   Huh? I had five. Oliver had 16.   Why would Eclipse load hundreds of threads into services.exe as opposed to eclipse.exe? o.O – Synetech – 2012-08-06T03:11:18.607

I think you're thinking of the actual threads that make up the services.exe process. Sub-processes are everything that runs under the "service" name in Windows. For example, in Windows 8 the names of some of the "processes" are "Service Host: Local Service" and "Service Host: Local Service (Network Restricted)". Each of these processes has around 10 "sub-processes" that make up that particular service.

I can see where this could be confusing. But rest assured, it is in fact normal. The reason it doesn't load them into Eclipse is mentioned above; most commands are built into Windows. – ThePCpenguin – 2012-08-06T03:16:35.700

Windows 8 does segregate it slightly differently. For example, in Windows 7 it would be viewed as 7-10 "sub processes" while Windows 8 explains all the sub-sub-processes as well. Your comments are spot on for both operating systems, I just tried to elaborate. :) – ThePCpenguin – 2012-08-06T03:20:29.827

There are most definitely not hundreds of services running under services.exe and I can’t imagine that Eclipse would create and run hundreds of services anywhere. Either way, the question is about Windows 7. – Synetech – 2012-08-06T03:21:42.713

Synetech: What the OP posted was probably a combination of sub and sub-sub processes. ProcessExplorer doesn't tell the whole story. There's no way he's seeing 100+ sub-processes. – ThePCpenguin – 2012-08-06T03:25:08.137

I checked two other PCs with Eclipse. One has 14 threads the other has 138 threads in services.exe. So I do not think this is normal behavior for Eclipse. – Markus Junginger – 2012-08-06T10:19:11.623

> combination of sub and sub-sub processes  o.O The only thing I can find anywhere about “sub processes” is in relation to Python. Either that or incorrect terminology about threads or child-processes. – Synetech – 2012-08-06T15:28:36.533

0

I think it's not normal; who needs 1000 threads? What you can do is install StraceNT for Windows and debug what exactly the process is doing.

Use the -f option if it's available on Windows; it'll trace the process's children.

You could also try to renice the process.

kenorb

Posted 2012-07-08T10:04:07.690

Reputation: 16 795

Is there anything StraceNT can do that SysInternal's Process Monitor cannot? – Markus Junginger – 2012-08-08T16:05:25.700

Yes, it can trace the process in real time, not just show the threads. It could show exactly what the process is doing, all the syscalls made to the system, etc. – kenorb – 2012-08-09T08:34:35.010