Saturday, October 22, 2016

SVChost in a loop eating the cpu


microsoft blog entry on how to diagnose or attack svchost service processes eating the cpu problems

https://blogs.technet.microsoft.com/askperf/2009/04/10/prf-high-cpu-svchost-exe/

svchost is a process that has many services run as an aggregate inside each of the svchost processes you see in taskmanager.

There is no internal accounting for the services attached to the svchost process, so other means are required if one of them is eating the cpu.  The means is to use a shell command for each service to force it into a separate svchost bucket on startup.

The Blog entry link has analysis and troubleshooting methods outlined as well.  The commands to break out the processes is copied from the blot into this entry below for future reference.  Looking @ what svchost arises in the reconfigured system when rebooted will usually tell you what service is broken, and either the full blog entry will suggest a fix, or you can google for that service eating the cpu and see if there is a remedy.

Be sure to run cmd.exe as administrator, that isn't mentioned in this, unless other means are used.  sc command must be admin or have authority to reconfigure the service (if not admin owned) or you won't get far.

Some services won't reconfigure, in which case you will have to remove all the services from that svchost (as determined by using the taskmanager) and run what is left.



Description:  SVCHOST.EXE is a generic host process for services. There can be multiple SVCHOST.EXE running on a system and each SVCHOST.EXE can also hold multiple services. Troubleshooting high CPU usage with SVCHOST.EXE can difficult since Task Manager or Performance Monitor cannot show which service inside the SVCHOST.EXE is causing the issue.



Scoping the Issue:  The first step is to identify the Process ID (PID) of the SVCHOST.EXE that is pegging the CPU.  This can be done through Task Manager->Processes tab. If the PID column is not present, you can add it by selecting View->Select Columns and check the PID checkbox.  Once the PID is identified, the next step is to determine which services are running under the PID. From a Command Prompt, type:

TASKLIST.EXE /SVC

TASKLIST.EXE will list all the processes and PID’s running on the system. Look for the PID in question and check the Services column. This will give you a list of Services to start investigating.  If it is not clear which Service inside the SVCHOST.EXE process is causing high CPU usage, the next step is to isolate the service into its own SVCHOST.exe container. You can use ‘SC CONFIG’ to do this. From a Command Prompt type:

sc config <service name> type= own

Do this for each service inside the SVCHOST.EXE in question. Restart the service and it will start in its own SVCHOST.EXE.

To revert the service back to its original state, type the command:

sc config <service name> type= share

Please note that resetting SVCHOST.EXE configuration via the share command will require a system reboot.

xx

No comments:

Post a Comment