Microsoft Windows Vista Community Forums - Vistaheads
Svchost process at 99% CPU Utilisation

microsoft.public.windowsupdate






#1
05-17-2009
DJT
Svchost process at 99% CPU Utilisation
I have an old computer with an AMD Athlon chip which I use for backup.
I run it at least once a week to keep it updated.
I started it yesterday and a Windows update was found, but since I
started the download of the update the CPU utilisation has been 100%
solid, no variation. The only thing that changes is the split of what
process is using the CPU.

Svchost is continually using 96 - 99 % and has been for over 24 hours.
The download is only at 78 % after running for 24 hrs.
During this time the internet connection shows barely any use at any
time and certainly is not saturated.

I have had the situation before when downloading updates but only for
a maximum of 20 min, not for over 24 hrs.

I am not able to determine what actual update is being done.

I originally thought that it could be SP3? but the amount of data is
negligible.

Any idea why svchost should tie up the CPU for so long?


DJT

#2
05-17-2009
Jim
Re: Svchost process at 99% CPU Utilisation


Malware. Svchost.exe seems to be a popular target.
Jim



#3
05-18-2009
PA Bear [MS MVP]
Re: Svchost process at 99% CPU Utilisation
There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/ma...e/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/...moving_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachi...php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002



#4
05-18-2009
Jakob Bohm
Re: Svchost process at 99% CPU Utilisation


[You may ignore PA Bear, he screams malware no matter what the question is]

Windows Updates are downloaded by the BITS service which runs in one of
the system's svchost.exe instances. Windows Update itself runs in
another instance of svchost.exe. So if anything in Windows Update
itself is using too much CPU to be usable, Task Manager will show that
CPU waste as happening in svchost.exe.

When Windows Update gets stupid about its download handling, I usually
solve it like this (This procedure cleans out half-downloaded updates
and old long-ago-installed updates, plus the internal state of Windows
Update):

1. Reboot
2. Open a "Command Prompt window"
3. NET STOP wuauserv
4. NET STOP BITS
5. CD /D %SystemRoot%
6. DIR \
7. (Note if the disk was almost full)
8. CD SoftwareDistribution
9. rd /s Download
10. Y
11. rd /s DataStore
12. Y
13. DIR \
14. (STOP if the disk is still almost full)
15. NET START wuauserv
16. Try again


--
Jakob Bøhm, M.Sc.Eng. * jb@danware.dk * direct tel:+45-45-90-25-33
Netop Solutions A/S * Bregnerodvej 127 * DK-3460 Birkerod * DENMARK
http://www.netop.com * tel:+45-45-90-25-25 * fax:+45-45-90-25-26
Information in this mail is hasty, not binding and may not be right.
Information in this posting may not be the official position of Netop
Solutions A/S, only the personal opinions of the author.
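
The question argued over in this thread is whether the busy svchost.exe is the instance hosting wuauserv/BITS or something else, and that can be checked rather than guessed. The following is an added example, not code from any poster: it parses output shaped like `tasklist /svc /fo csv`, combines it with two CPU-time samples and the image path per PID, and classifies each svchost.exe instance. All sample data (PIDs, CPU figures, paths), the 50% threshold, the function names and the assumption that SystemRoot is C:\WINDOWS are constructed for illustration.

```python
import csv
import io
import ntpath

UPDATE_SERVICES = {"wuauserv", "bits"}  # service names used in the thread
# Assumption: SystemRoot is C:\WINDOWS; adjust for the machine being checked.
EXPECTED_IMAGE = r"C:\WINDOWS\system32\svchost.exe"

# Constructed sample shaped like the output of: tasklist /svc /fo csv
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","880","DcomLaunch,TermService"
"svchost.exe","1036","AudioSrv,BITS,Schedule,wuauserv"
"svchost.exe","1412","Dnscache"
"svchost.exe","2964","N/A"
"explorer.exe","1720","N/A"
'''

# Constructed sample: executable path per PID (e.g. collected from process properties).
SAMPLE_PATHS = {
    880: r"C:\WINDOWS\system32\svchost.exe",
    1036: r"C:\WINDOWS\System32\svchost.exe",
    1412: r"C:\WINDOWS\system32\svchost.exe",
    2964: r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
}

# Constructed sample: accumulated CPU seconds per PID, read twice, 60 s apart.
SAMPLE_CPU_T0 = {880: 12.0, 1036: 5400.0, 1412: 3.0, 2964: 1.0}
SAMPLE_CPU_T1 = {880: 12.1, 1036: 5458.2, 1412: 3.0, 2964: 1.5}


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from tasklist /svc CSV text."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["Services"].strip()
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",")]
        procs[int(row["PID"])] = (row["Image Name"], services)
    return procs


def cpu_percent(t0, t1, interval_s, cpus=1):
    """CPU share per PID over the sampling interval, from two CPU-time readings."""
    return {pid: 100.0 * (t1[pid] - t0[pid]) / (interval_s * cpus)
            for pid in t1 if pid in t0}


def classify(services, image_path):
    """Heuristic verdict for one svchost.exe instance."""
    # A missing path is treated like a wrong one: it needs a closer look.
    if ntpath.normcase(image_path or "") != ntpath.normcase(EXPECTED_IMAGE):
        return "unexpected-image-path"
    if not services:
        return "no-hosted-services"
    if UPDATE_SERVICES & {s.lower() for s in services}:
        return "update-related"
    return "other-services"


def triage(tasklist_text, paths, t0, t1, interval_s, threshold=50.0):
    """List svchost.exe instances that are busy or structurally odd, busiest first."""
    procs = parse_tasklist_svc(tasklist_text)
    usage = cpu_percent(t0, t1, interval_s)
    findings = []
    for pid, (image, services) in procs.items():
        if image.lower() != "svchost.exe":
            continue
        pct = usage.get(pid, 0.0)
        verdict = classify(services, paths.get(pid))
        odd = verdict in ("unexpected-image-path", "no-hosted-services")
        if pct >= threshold or odd:
            findings.append({"pid": pid, "cpu_pct": round(pct, 1),
                             "services": services, "verdict": verdict})
    return sorted(findings, key=lambda f: -f["cpu_pct"])


if __name__ == "__main__":
    for f in triage(SAMPLE_TASKLIST, SAMPLE_PATHS,
                    SAMPLE_CPU_T0, SAMPLE_CPU_T1, interval_s=60):
        print(f)
```

An "update-related" verdict on the busy instance is consistent with the Windows Update explanation and points to the SoftwareDistribution clean-out first; the other verdicts are reasons to look at the process itself before touching the update store.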

#5
05-18-2009
PA Bear [MS MVP]
Re: Svchost process at 99% CPU Utilisation
It is not unusual to see spikes in CPU when Automatic Updates is doing its
thing but anything other than a temporary (e.g., 5-10 minutes) spike most
likely is NOT related to AU.

Continued & repeated spikes in CPU are most often associated with hijackware
so it only makes sense to rule it out.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002




#6
05-18-2009
MowGreen
Re: Svchost process at 99% CPU Utilisation


Each time the SoftwareDistribution subfolders are deleted they are
recreated when the update service starts. Said update service is
started on boot by its Default setting, no matter which options one
chooses for Automatic or Windows Update's settings.

If there is 3rd party software [security software] installed that is
monitoring system files, then one will see a slight spike in CPU usage
by svchost when the subfolders of SD are recreated.

When the update database located in DataStore is scanned or monitored
[DataStore.edb] there will be a spike in CPU usage due to it being in
use [ locked ].
This spike will become more noticeable over time as DataStore.edb can
become either corrupted or irreparably damaged.
To mitigate this issue, see:

Virus scanning recommendations for computers that are running Windows
Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
http://support.microsoft.com/kb/822158

On a system that has had subfolders of the SoftwareDistribution directory
deleted and *if the CPU cycles stay at 99%*, then the logical
conclusion is that 3rd party software is hindering the OS from
recreating said subfolders, and/or there is an issue with the detection
logic, and/or there is an issue with the Windows Installer associated
.dll file, .msi.dll.
The latter two issues have been mitigated in the latest releases of the
Windows Update Agent.

" Old long ago updates " are flushed from the Download subfolder of SD
on a regular cycle IF the automatic update components are functioning
properly and are not being hindered from carrying out their operations
by 3rd party software.

Said 3rd party software will either be security software or malware.
Since the *vast majority of issues* posted to this newsgroup *are*
directly related to the presence of malware, then it's not illogical to
conclude that malware is present on systems where the CPU cycle issue is
present.

Conclusion: Ignore Jakob Bohm since he's unaware that malware can cause
the CPU utilization issue or that security software should be configured
to not scan nor monitor DataStore.edb


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============



#7
05-19-2009
Jakob Bohm
Re: Svchost process at 99% CPU Utilisation
MowGreen wrote:
> Each time the SoftwareDistribution subfolders are deleted they are
> recreated when the update service starts. Said update service is started
> on boot by its Default setting, no matter which options one chooses for
> Automatic or Windows Update's settings.
>

Yes, I know that and the procedure above assumes that.

> If there is 3rd party software [security software] installed that is
> monitoring system files, then one will see a slight spike in CPU usage
> by svchost when the subfolders of SD are recreated.
>

Two other sources of spikes which I have seen over the years:

1. If the DataStore has become corrupted by a random event, the code
that manages it can spend a lot of CPU cycles spinning its wheels for
little or no gain. Clearing out the database and starting over gets you
a clean uncorrupted database in a few minutes.

2. The delta-download mechanism used by Windows Update to avoid
downloading the parts of an update already on your system sometimes
spends more time computing differences than it saves in download time.
Clearing out the download folder and starting over forces a clean
download without so much work.

> When the update database located in DataStore is scanned or monitored
> [DataStore.edb] there will be a spike in CPU usage due to it being in
> use [ locked ].


Whenever the DataStore is being processed to figure out what updates are
needed on your computer there will be a spike of a few minutes, with or
without a broken AV-scanner slowing things down further.

Additional CPU time wasted by AV scanners may be attributed to the
process that is being slowed down (svchost in the case of WU/AU) or the
scanner's own processes depending on the scanner product. Most AV
scanners use an architecture where the actual scanning CPU load occurs
in a dedicated scanning process easily recognized in task manager.

> This spike will become more noticeable over time as DataStore.edb can
> become either corrupted or irreparably damaged.


Now you are really confusing the issues: There is extra CPU waste due to
the scanner itself repeatedly scanning the database file, this does not
involve corruption or damage to the file (unless the AV product is
incompetent enough to corrupt any file being scanned while in use). And
then there is CPU waste due to a corrupted or damaged database for which
the quickest cure is to clear out the database and start over with a
fresh WU/MU/AU run.

> To mitigate this issue, see:
>
> Virus scanning recommendations for computers that are running Windows
> Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows
> Vista
> http://support.microsoft.com/kb/822158


Hilarious article written by someone who sees bugs in some AV products
(corruption of binary files that are being changed by their application
while the AV product tries to scan them), assumes they apply to all AV
products, and then goes on to recommend a bad partial workaround (exclude
the handful of files most important to their personal pet software) as
a general and complete solution.

>
> On a system that has had subfolders of the SoftwareDistribution directory
> deleted and *if the CPU cycles stay at 99%*, then the logical
> conclusion is that 3rd party software is hindering the OS from
> recreating said subfolders, and/or there is an issue with the detection
> logic, and/or there is an issue with the Windows Installer associated
> .dll file, .msi.dll.


The OP was about a computer where the subfolders had not been deleted
(before applying my advice) and thus it cannot be concluded that the
slowdown is due to software interfering with WU now. Performing my
clean out procedure once, will either eliminate old corruption or
definitively show that something is continuing to interfere. You and PA
Bear blindly assume the latter possibility even when there is lots of
evidence pointing to the other one (In this case: Slow old machine,
machine generally up to date on older updates, machine not used for
general Internet access or other high risk activities, CPU usage in the
exact processes associated with a corrupted SoftwareDistribution folder).

> The latter two issues have been mitigated in the latest releases of the
> Windows Update Agent.

In which case starting over with a clean database would reap the
benefits of this improvement.

>
> " Old long ago updates " are flushed from the Download subfolder of SD
> on a regular cycle IF the automatic update components are functioning
> properly and are not being hindered from carrying out their operations
> by 3rd party software.


Unfortunately, this does not match my own experience. At least until
recently, WU was a real disk space hog, constantly eating additional
disk space every month and not listing its own temporary files in the
Disk Cleanup wizard. Because disk full on the Windows drive is a really
bad situation to be in I have made a habit out of culling excess files
from WU on a regular basis.

>
> Said 3rd party software will either be security software or malware.
> Since the *vast majority of issues* posted to this newsgroup *are*
> directly related to the presence of malware, then it's not illogical to
> conclude that malware is present on systems where the CPU cycle issue is
> present.
>


So you assume the worst, ignore all innocent explanations, then go on to
call the fire department every time you see smoke, even if it is coming
out the top of a chimney.

> Conclusion: Ignore Jakob Bohm since he's unaware that malware can cause
> the CPU utilization issue or that security software should be configured
> to not scan nor monitor DataStore.edb
>


THAT is an insult. I KNOW that malware can do all kinds of bad things,
including eat lots of CPU in strange situations. I strongly disagree
that *all* brands of security software need to specifically exclude
Windows Update files from scanning. But I also KNOW that not all
computer problems are from malware and that telling everyone to panic
and ignoring all non-malicious explanations is not helpful.

In this case the symptoms clearly matched a known problem for which
there is a quick and harmless cure. So that cure should be tried before
starting panic measures to combat an infection that might not be there.

If after cleaning out the dynamic part of the SoftwareDistribution
folder the problem immediately recurs, the next step would be to turn
off automatic updates, clean out again, then use interactive WU/MU to
see the name of the affected update. Then manually download and install
that update from Microsoft downloads and try again. If the problem is
still there after bypassing WU/MU for the directly affected update, THEN
there is something fundamentally wrong and checking for malware would be
a relevant thing to do.

--
Jakob Bøhm, M.Sc.Eng. * jb@danware.dk * direct tel:+45-45-90-25-33
Netop Solutions A/S * Bregnerodvej 127 * DK-3460 Birkerod * DENMARK
http://www.netop.com * tel:+45-45-90-25-25 * fax:+45-45-90-25-26
Information in this mail is hasty, not binding and may not be right.
Information in this posting may not be the official position of Netop
Solutions A/S, only the personal opinions of the author.

#8
05-20-2009
Vinny V
Re: Svchost process at 99% CPU Utilisation
You need to install KB927891... This will fix it.


#9
05-20-2009
PA Bear [MS MVP]
Re: Svchost process at 99% CPU Utilisation
"Release Date: June 26, 2007"

If the machine needs KB927891, you've got way bigger problems, my friend!!

Vinny V wrote:
> You nedd to instal KB927891....This will fix it.
>
> "Jakob Bohm" wrote:
>
>> MowGreen wrote:
>>> Jakob Bohm wrote:
>>>
>>>
>>>> [You may ignore PA Bear, he screams malware no matter what the
>>>> question is]
>>>>
>>>> Windows Updates are downloaded by the BITS service which runs in one of
>>>> the system's svchost.exe instances. Windows Update itself runs in
>>>> another instance of svchost.exe. So if anything in Windows Update
>>>> itself is using too much CPU to be useable, Task Manager will show that
>>>> CPU waste as happening in svchost.exe.
>>>>
>>>> When Windows Update gets stupid about its download handling, I usually
>>>> solve it like this (This procedure cleans out half-downloaded updates
>>>> and old long-ago-installed updates, plus the internal state of Windows
>>>> Update):
>>>>
>>>> 1. Reboot
>>>> 2. Open a "Command Prompt window"
>>>> 3. NET STOP wuauserv
>>>> 4. NET STOP BITS
>>>> 5. CD /D %SystemRoot%
>>>> 6. DIR \
>>>> 7. (Note if the disk was almost full)
>>>> 8. CD SoftwareDistribution
>>>> 9. rd /s Download
>>>> 10. Y
>>>> 11. rd /s DataStore
>>>> 12. Y
>>>> 13. DIR \
>>>> 14. (STOP if the disk is still almost full)
>>>> 15. NET START wuauserv
>>>> 16. Try again
>>>>
>>>>
>>>
>>> Each time the SoftwareDistribution subfolders are deleted they are
>>> recreated when the update service starts. Said update service is started
>>> on boot by its Default setting, no matter which options one chooses for
>>> Automatic or Windows Update's settings.
>>>

>> Yes, I know that and the procedure above assumes that.
>>
>>> If there is 3rd party software [security software] installed that is
>>> monitoring system files, then one will see a slight spike in CPU usage
>>> by svchost when the subfolders of SD are recreated.
>>>

>> Two other sources of spikes which I have seen over the years:
>>
>> 1. If the DataStore has become corrupted by a random event, the code
>> that manages it can spend a lot of CPU cycles spinning its wheels for
>> little or no gain. Clearing out the database and starting over gets you
>> a clean uncorrupted database in a few minutes.
>>
>> 2. The delta-download mechanism used by Windows Update to avoid
>> downloading the parts of an update already on your system sometimes
>> spends more time computing differences than it saves in download time.
>> Clearing out the download folder and starting over forces a clean
>> download without so much work.
>>
>>> When the update database located in DataStore is scanned or monitored
>>> [DataStore.edb] there will be a spike in CPU usage due to it being in
>>> use [ locked ].

>>
>> Whenever the DataStore is being processed to figure out what updates are
>> needed on your computer there will be a spike of a few minutes, with or
>> without a broken AV-scanner slowing things down further.
>>
>> Additional CPU time wasted by AV scanners may be attributed to the
>> process that is being slowed down (svchost in the case of WU/AU) or the
>> scanner's own processes depending on the scanner product. Most AV
>> scanners use an architecture where the actual scanning CPU load occurs
>> in a dedicated scanning process easily recognized in task manager.
>>
>>> This spike will become more noticeable over time as DataStore.edb can
>>> become either corrupted or irreparably damaged.

>>
>> Now you are really confusing the issues: There is extra CPU waste due to
>> the scanner itself repeatedly scanning the database file, this does not
>> involve corruption or damage to the file (unless the AV product is
>> incompetent enough to corrupt any file being scanned while in use). And
>> then there is CPU waste due to a corrupted or damaged database for which
>> the quickest cure is to clear out the database and start over with a
>> fresh WU/MU/AU run.
>>
>>> To mitigate this issue, see:
>>>
>>> Virus scanning recommendations for computers that are running Windows
>>> Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows
>>> Vista
>>> http://support.microsoft.com/kb/822158

>>
>> Hilarious article written by someone who sees bugs in some AV products
>> (corruption of binary files that are being changed by their application
>> while the AV product tries to scan them), assumes they apply to all AV
>> products, and then goes on to recommend a bad partial workaround (exclude
>> the handful of files most important to their personal pet software) as
>> a general and complete solution.
>>
>>>
>>> On a system that has had subfolders of the SoftwareDistribution directory
>>> deleted and *if the CPU cycles stays at 99%*, then the logical
>>> conclusion is that 3rd party software is hindering the OS from
>>> recreating said subfolders, and/or there is an issue with the detection
>>> logic, and/or there is an issue with the Windows Installer associated
>>> .dll file, .msi.dll.

>>
>> The OP was about a computer where the subfolders had not been deleted
>> (before applying my advice) and thus it cannot be concluded that the
>> slowdown is due to software interfering with WU now. Performing my
>> clean out procedure once, will either eliminate old corruption or
>> definitively show that something is continuing to interfere. You and PA
>> Bear blindly assume the latter possibility even when there is lots of
>> evidence pointing to the other one (In this case: Slow old machine,
>> machine generally up to date on older updates, machine not used for
>> general Internet access or other high risk activities, CPU usage in the
>> exact processes associated with a corrupted SoftwareDistribution folder).
>>
>>> The latter two issues have been mitigated in the latest releases of the
>>> Windows Update Agent.

>> In which case starting over with a clean database would reap the
>> benefits of this improvement.
>>
>>>
>>> " Old long ago updates " are flushed from the Download subfolder of SD
>>> on a regular cycle IF the automatic update components are functioning
>>> properly and are not being hindered from carrying out their operations
>>> by 3rd party software.

>>
>> Unfortunately, this does not match my own experience. At least until
>> recently, WU was a real disk space hog, constantly eating additional
>> disk space every month and not listing its own temporary files in the
>> Disk Cleanup wizard. Because disk full on the Windows drive is a really
>> bad situation to be in I have made a habit out of culling excess files
>> from WU on a regular basis.
>>
>>>
>>> Said 3rd party software will either be security software or malware.
>>> Since the *vast majority of issues* posted to this newsgroup *are*
>>> directly related to the presence of malware, then it's not illogical to
>>> conclude that malware is present on systems where the CPU cycle issue is
>>> present.
>>>

>>
>> So you assume the worst, ignore all innocent explanations, then go on to
>> call the fire department every time you see smoke, even if it is coming
>> out the top of a chimney.
>>
>>> Conclusion: Ignore Jakob Bohm since he's unaware that malware can cause
>>> the CPU utilization issue or that security software should be configured
>>> to not scan nor monitor DataStore.edb
>>>

>>
>> THAT is an insult. I KNOW that malware can do all kinds of bad things,
>> including eat lots of CPU in strange situations. I strongly disagree
>> that *all* brands of security software need to specifically exclude
>> Windows Update files from scanning. But I also KNOW that not all
>> computer problems are from malware and that telling everyone to panic
>> and ignoring all non-malicious explanations is not helpful.
>>
>> In this case the symptoms clearly matched a known problem for which
>> there is a quick and harmless cure. So that cure should be tried before
>> starting panic measures to combat an infection that might not be there.
>>
>> If after cleaning out the dynamic part of the SoftwareDistribution
>> folder the problem immediately recurs, the next step would be to turn
>> off automatic updates, clean out again, then use interactive WU/MU to
>> see the name of the affected update. Then manually download and install
>> that update from Microsoft downloads and try again. If the problem is
>> still there after bypassing WU/MU for the directly affected update, THEN
>> there is something fundamentally wrong and checking for malware would be
>> a relevant thing to do.


  #10 (permalink)  
Old 05-21-2009
DJT
 

Posts: n/a
Re: Svchost process at 99% CPU Utilisation
On Wed, 20 May 2009 11:15:33 -0400, "PA Bear [MS MVP]"
<PABearMVP@gmail.com> wrote:

>"Release Date: June 26, 2007"
>
>If the machine needs KB927891, you've got way bigger problems, my friend!!
>
>Vinny V wrote:
>> You need to install KB927891....This will fix it.
>>
>> "Jakob Bohm" wrote:
>>
>>> MowGreen wrote:
>>>> Jakob Bohm wrote:
>>>>
>>>>
>>>>> [You may ignore PA Bear, he screams malware no matter what the
>>>>> question is]
>>>>>
>>>>> Windows Updates are downloaded by the BITS service which runs in one of
>>>>> the system's svchost.exe instances. Windows Update itself runs in
>>>>> another instance of svchost.exe. So if anything in Windows Update
>>>>> itself is using too much CPU to be useable, Task Manager will show that
>>>>> CPU waste as happening in svchost.exe.
>>>>>
>>>>> When Windows Update gets stupid about its download handling, I usually
>>>>> solve it like this (This procedure cleans out half-downloaded updates
>>>>> and old long-ago-installed updates, plus the internal state of Windows
>>>>> Update):
>>>>>
>>>>> 1. Reboot
>>>>> 2. Open a "Command Prompt window"
>>>>> 3. NET STOP wuauserv
>>>>> 4. NET STOP BITS
>>>>> 5. CD /D %SystemRoot%
>>>>> 6. DIR \
>>>>> 7. (Note if the disk was almost full)
>>>>> 8. CD SoftwareDistribution
>>>>> 9. rd /s Download
>>>>> 10. Y
>>>>> 11. rd /s DataStore
>>>>> 12. Y
>>>>> 13. DIR \
>>>>> 14. (STOP if the disk is still almost full)
>>>>> 15. NET START wuauserv
>>>>> 16. Try again
>>>>>
>>>>>
>>>>
>>>> Each time the SoftwareDistribution subfolders are deleted they are
>>>> recreated when the update service starts. Said update service is started
>>>> on boot by its Default setting, no matter which options one chooses for
>>>> Automatic or Windows Update's settings.
>>>>
>>> Yes, I know that and the procedure above assumes that.
>>>
>>>> If there is 3rd party software [security software] installed that is
>>>> monitoring system files, then one will see a slight spike in CPU usage
>>>> by svchost when the subfolders of SD are recreated.
>>>>
>>> Two other sources of spikes which I have seen over the years:
>>>
>>> 1. If the DataStore has become corrupted by a random event, the code
>>> that manages it can spend a lot of CPU cycles spinning its wheels for
>>> little or no gain. Clearing out the database and starting over gets you
>>> a clean uncorrupted database in a few minutes.
>>>
>>> 2. The delta-download mechanism used by Windows Update to avoid
>>> downloading the parts of an update already on your system sometimes
>>> spends more time computing differences than it saves in download time.
>>> Clearing out the download folder and starting over forces a clean
>>> download without so much work.
>>>
>>>> When the update database located in DataStore is scanned or monitored
>>>> [DataStore.edb] there will be a spike in CPU usage due to it being in
>>>> use [ locked ].
>>>
>>> Whenever the DataStore is being processed to figure out what updates are
>>> needed on your computer there will be a spike of a few minutes, with or
>>> without a broken AV-scanner slowing things down further.
>>>
>>> Additional CPU time wasted by AV scanners may be attributed to the
>>> process that is being slowed down (svchost in the case of WU/AU) or the
>>> scanner's own processes depending on the scanner product. Most AV
>>> scanners use an architecture where the actual scanning CPU load occurs
>>> in a dedicated scanning process easily recognized in task manager.
>>>
>>>> This spike will become more noticeable over time as DataStore.edb can
>>>> become either corrupted or irreparably damaged.
>>>
>>> Now you are really confusing the issues: There is extra CPU waste due to
>>> the scanner itself repeatedly scanning the database file, this does not
>>> involve corruption or damage to the file (unless the AV product is
>>> incompetent enough to corrupt any file being scanned while in use). And
>>> then there is CPU waste due to a corrupted or damaged database for which
>>> the quickest cure is to clear out the database and start over with a
>>> fresh WU/MU/AU run.
>>>
>>>> To mitigate this issue, see:
>>>>
>>>> Virus scanning recommendations for computers that are running Windows
>>>> Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows
>>>> Vista
>>>> http://support.microsoft.com/kb/822158
>>>
>>> Hilarious article written by someone who sees bugs in some AV products
>>> (corruption of binary files that are being changed by their application
>>> while the AV product tries to scan them), assumes they apply to all AV
>>> products, and then goes on to recommend a bad partial workaround (exclude
>>> the handful of files most important to their personal pet software) as
>>> a general and complete solution.
>>>
>>>>
>>>> On a system that has had subfolders of the SoftwareDistribution directory
>>>> deleted and *if the CPU cycles stays at 99%*, then the logical
>>>> conclusion is that 3rd party software is hindering the OS from
>>>> recreating said subfolders, and/or there is an issue with the detection
>>>> logic, and/or there is an issue with the Windows Installer associated
>>>> .dll file, .msi.dll.
>>>
>>> The OP was about a computer where the subfolders had not been deleted
>>> (before applying my advice) and thus it cannot be concluded that the
>>> slowdown is due to software interfering with WU now. Performing my
>>> clean out procedure once, will either eliminate old corruption or
>>> definitively show that something is continuing to interfere. You and PA
>>> Bear blindly assume the latter possibility even when there is lots of
>>> evidence pointing to the other one (In this case: Slow old machine,
>>> machine generally up to date on older updates, machine not used for
>>> general Internet access or other high risk activities, CPU usage in the
>>> exact processes associated with a corrupted SoftwareDistribution folder).
>>>
>>>> The latter two issues have been mitigated in the latest releases of the
>>>> Windows Update Agent.
>>> In which case starting over with a clean database would reap the
>>> benefits of this improvement.
>>>
>>>>
>>>> " Old long ago updates " are flushed from the Download subfolder of SD
>>>> on a regular cycle IF the automatic update components are functioning
>>>> properly and are not being hindered from carrying out their operations
>>>> by 3rd party software.
>>>
>>> Unfortunately, this does not match my own experience. At least until
>>> recently, WU was a real disk space hog, constantly eating additional
>>> disk space every month and not listing its own temporary files in the
>>> Disk Cleanup wizard. Because disk full on the Windows drive is a really
>>> bad situation to be in I have made a habit out of culling excess files
>>> from WU on a regular basis.
>>>
>>>>
>>>> Said 3rd party software will either be security software or malware.
>>>> Since the *vast majority of issues* posted to this newsgroup *are*
>>>> directly related to the presence of malware, then it's not illogical to
>>>> conclude that malware is present on systems where the CPU cycle issue is
>>>> present.
>>>>
>>>
>>> So you assume the worst, ignore all innocent explanations, then go on to
>>> call the fire department every time you see smoke, even if it is coming
>>> out the top of a chimney.
>>>
>>>> Conclusion: Ignore Jakob Bohm since he's unaware that malware can cause
>>>> the CPU utilization issue or that security software should be configured
>>>> to not scan nor monitor DataStore.edb
>>>>
>>>
>>> THAT is an insult. I KNOW that malware can do all kinds of bad things,
>>> including eat lots of CPU in strange situations. I strongly disagree
>>> that *all* brands of security software need to specifically exclude
>>> Windows Update files from scanning. But I also KNOW that not all
>>> computer problems are from malware and that telling everyone to panic
>>> and ignoring all non-malicious explanations is not helpful.
>>>
>>> In this case the symptoms clearly matched a known problem for which
>>> there is a quick and harmless cure. So that cure should be tried before
>>> starting panic measures to combat an infection that might not be there.
>>>
>>> If after cleaning out the dynamic part of the SoftwareDistribution
>>> folder the problem immediately recurs, the next step would be to turn
>>> off automatic updates, clean out again, then use interactive WU/MU to
>>> see the name of the affected update. Then manually download and install
>>> that update from Microsoft downloads and try again. If the problem is
>>> still there after bypassing WU/MU for the directly affected update, THEN
>>> there is something fundamentally wrong and checking for malware would be
>>> a relevant thing to do.



Thanks for all the suggestions. I was running adaware and spybot SD
and scans by either of these found nothing.

I removed them and installed a copy of Trend Micro Internet Security
pro that I had tried on my Vista machine (removed due to excessive
slowdown). It found several items of malware and the PC has been ok
since.

Thanks

DJT
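
Added example, not part of any post in this thread: the thread's starting point is that Task Manager only shows "svchost.exe", so this sketch maps a busy svchost.exe PID to the services it hosts using the output of `tasklist /svc /fo csv`, and reports whether wuauserv or BITS (the services named in the NET STOP steps) are in that process. The sample tasklist output and CPU figures are constructed, the function names are hypothetical, and English-locale column headers are assumed.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not taken from the thread).
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","1032","AudioSrv,BITS,Schedule,wuauserv"
"svchost.exe","1180","Dnscache"
"explorer.exe","1712","N/A"
'''

# Constructed per-PID CPU percentages, e.g. read off Task Manager's Processes tab.
SAMPLE_CPU = {0: 1.0, 884: 0.0, 1032: 97.0, 1180: 0.0, 1712: 2.0}

# Service names used in the thread's NET STOP steps, compared case-insensitively.
UPDATE_SERVICES = {"wuauserv", "bits"}


def parse_tasklist_svc(text):
    """Return {pid: [service names]} for every svchost.exe row."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        services = [s.strip() for s in row["Services"].split(",")]
        hosts[int(row["PID"])] = [s for s in services if s and s != "N/A"]
    return hosts


def triage(tasklist_text, cpu_by_pid, threshold=50.0):
    """Classify each svchost.exe instance at or above `threshold` percent CPU."""
    findings = []
    for pid, services in sorted(parse_tasklist_svc(tasklist_text).items()):
        cpu = cpu_by_pid.get(pid, 0.0)
        if cpu < threshold:
            continue
        update = sorted(s for s in services if s.lower() in UPDATE_SERVICES)
        others = sorted(s for s in services if s.lower() not in UPDATE_SERVICES)
        if not update:
            verdict = "not-windows-update"      # SoftwareDistribution cleanup is off target
        elif others:
            verdict = "windows-update-shared"   # WU/BITS present, but so are other services
        else:
            verdict = "windows-update-only"     # only WU/BITS live in this process
        findings.append({
            "pid": pid,
            "cpu": cpu,
            "verdict": verdict,
            "update_services": update,
            "co_hosted": others,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TASKLIST, SAMPLE_CPU):
        print(finding)
```

A "windows-update-shared" verdict means the load cannot be pinned on Windows Update from the process list alone, because other services run in the same svchost.exe instance.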