Windows Legacy OS forum

General discussion

svchost.exe eating up memory/CPU

by Captianbreaker / May 28, 2009 9:27 AM PDT

Seemingly out of no where, a couple of my Svchost.exe processes have become a problem.

One of them "svchost.exe (SYSTEM)" is eating up anywhere from 8,000-18,000K of memory, which is a lot more than it did previously and the other "svchost.exe (NETWORK SERVICE)" can eat up to 99% of my CPU at times while running in the same range of memory usage as the aforementioned process.

Oddly enough, if I end either of these processes, it thinks for a second and then will flash the screen while it starts up the process again and it seems to run closer to normal capacities. But after that my sound card is no longer recognized and I have to restart the computer to regain my sound capability.

I considered that it might be a sound card issue and looked for driver updates which were not available.

I scan with AntiVir, Spybot and Ad-aware, all coming up clean.

any ideas?

Post a reply
Discussion is locked
You are posting a reply to: svchost.exe eating up memory/CPU
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: svchost.exe eating up memory/CPU
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Just ideas.
by R. Proffitt Forum moderator / May 29, 2009 2:14 AM PDT

You wrote "AntiVir, Spybot and Ad-aware" and didn't some of those have conflicts with each other or firewalls or other software at some point in time?

As a test run, uninstall Spybot and Adaware. These have fallen out of favor for newer tools.

Collapse -
Svchost.exe NOT.
by Cursorcowboy / June 1, 2009 1:17 AM PDT

1. The article [Q314056] describes Svchost.exe (%SystemRoot%\System32 folder), the generic host process name for services that run from dynamic-link libraries (DLLs), can run in multiple instances at the same time and each session can contain a grouping of services so they can run depending on how and where it is started. FYI, also read the article [Q314056].

Note: If you feel a service stared and running is to blamed for the excessive CPU usage, use the procedure in [Q316434] to stop services one at a time simply for the purpose of determining which one could be causing the anomaly. "Starter" is yet another free startup manager that allows you to view and manage all the programs that are starting automatically whenever Windows boots. It lists all the hidden registry entries, as well as the common Startup Folder items. You can choose to safely disable selected entries, edit them or delete them altogether (if you know what you're doing). Expert users can even add their own entries.

2. "SVCHOST.EXE -- application error" Windows Update Broke My Machine:

? svchost.exe -- application error the instruction at "0x745f2780" reference memory at "0x00000000". the memory could not be 'read'

? Faulting application svchost.exe, version 5.1.2600.2180, faulting module msi.dll, version 3.1.4000.2435, fault address 0x00012780.

3. If you are running XP Pro you can find out more about what is using svchost by typing tasklist /svc at the command prompt, (note the space after tasklist).

? What you'll see is something similar to the following. Note that SERVICES run under svchost and the more used unnecessarily, the more memory used. Why svchost and services are not lumped together entirely is a good question but some services are listed separately where the majority is lumped as one.

NOTE: I had to access the "Blackviper" site to obtain all the Registry SERVICE names to know which service are used.

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 596 N/A
csrss.exe 668 N/A
winlogon.exe 692 N/A
services.exe 736 Eventlog, PlugPlay
lsass.exe 748 SamSs
svchost.exe 924 DcomLaunch, TermService
svchost.exe 1000 RpcSs

svchost.exe 1108 AudioSrv, CryptSvc, Dhcp, EventSystem,
lanmanserver, lanmanworkstation, Netman,
Schedule, SENS, SharedAccess,
ShellHWDetection, srservice, winmgmt,

svchost.exe 1132 Dnscache
AAWService.exe 1216 Lavasoft Ad-Aware Service
spoolsv.exe 1308 Spooler
explorer.exe 1616 N/A
MailWasher.exe 652 N/A
RoboType.exe 672 N/A
iexplore.exe 1300 N/A
avgwdsvc.exe 1836 avg8wd
nTuneService.exe 1864 nTuneService
nvsvc32.exe 1912 NVSvc
UpdateCenterService.exe 1996 UpdateCenterService
MsPMSPSv.exe 1200 WMDM PMSP Service
avgrsx.exe 1744 N/A
avgemc.exe 1736 avg8emc
avgcsrvx.exe 284 N/A
unsecapp.exe 404 N/A
alg.exe 444 ALG
wmiprvse.exe 1528 N/A
svchost.exe 416 stisvc
cmd.exe 1524 N/A
tasklist.exe 1740 N/A
wmiprvse.exe 500 N/A

Collapse -
by Nightmares0nwax / June 1, 2009 5:08 AM PDT

svchost is for running services, services are programs that run even before you login. in fact the name svchost is an abbreviation for servicehost.

one of your services is acting up, might be good or bad who knows.

download that, run it, right click the offending instance of svchost and click the service tab. there you go.

Collapse -
by Captianbreaker / June 1, 2009 6:05 AM PDT
In reply to: jajajaja

Using Process explorer, I was able to find a few interesting things.

1. Using the "Lower pane" button I was able to see that a file by the name of:


Would open just before the CPU spike and it would close just before the CPU went back down. I'm not sure what that file is exactly but maybe it's something?

2. I used the "debug" option on the svchost in question. I'm not really sure what it did, if anything, but it's done.

3. Through the services tab I noticed that this version of svchost runs the Windows automatic update utility, which I had turned on. I turned it off but I'm not sure if it helped yet, seeing as it was intermittent before.

Thanks for all the response and any more insight would be greatly appreciated!

Collapse -
by Nightmares0nwax / June 1, 2009 10:28 AM PDT
In reply to: 3

well your host file is a simple dns resolver, it checks the domain names contained within, against an ip address, all programs that try to resolve domain names like check your host file first. to see if there is an ip that can be resolved against the queried domain name, you can open it with notepad and see.

the point was to use process explorer to see what service was being run by svchost when it was spiking. the services run by that particular instance of svchost will be the offending service.

what services were being run by that particular instance of svchost?

Collapse -
by Captianbreaker / June 3, 2009 3:23 AM PDT
In reply to: electricdonkey

Well, something I did seemed to help. The CPU spikes are less frequent and less paralyzing now. The memory usage is still rather high, but I'm not sure what to do about that.

The first Svchost that I had a problem with had an entire list of "services" that it ran, probably 30+. So I really didn't see how I could decide which one was causing the problem, being that they never seemed to change position or anything like that. But the Svchost that's spiking now only has one service running, according to Process explorer.

"Dnscache- DNS Client- C:\WINDOWS\System32\dnsrslvr.dll"

It will spike up to about 80% CPU usage for 30 seconds or so and then plummets down to zero. This is probably just regular usage, right? Not a whole lot I can do about it.

Collapse -
disable DNS resolver service.
by Nightmares0nwax / June 3, 2009 11:22 AM PDT
In reply to: Services

start > run > services.msc

scroll down untill you find "DNS client" right click and "properties" click the "stop" button in the box that opens up, then select "disabled" from the startup type drop down box.

i would recommend disabling some of the services you dont need to conserve some memory, but its a lot of work if you are unsure. you can post the names of the "started" services here if you like and i can help you. i have abnout 30 or 40 running on my box, so its no small task Silly

Collapse -
by Captianbreaker / June 3, 2009 11:50 AM PDT

Alright, I followed those instructions. What does the DNS client do exactly? Just so I know the symptoms if it causes a problem?

I'll post my started services here.

Application Layer Gateway Service
Automatic Updates
Avira AntiVir Personal - Free Antivirus Guard
Avira AntiVir Personal - Free Antivirus Scheduler
Background Intelligent Transfer Service
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
Error Reporting Service
Event Log
Fast User Switching Compatibility
Help and Support
IPSEC Services
Java Quick Starter
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure call (RPC)
Secondary Logon
Security Accounts Manager
Security Center
Shell Hardware Detection
SSDP Discovery Service
System Event Notification
System Restore Service
Task Schduler
Terminal Services
Viewpoint Manager Service
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration

Collapse -
long post, sorry.
by Nightmares0nwax / June 3, 2009 9:59 PM PDT
In reply to: Hmm

dns stands for domain name service, where a domain name is for example.
there are servers dotted all over the internet that match up domain names to ip addresses. so if you typed then your request will be sent to a DNS server and the IP address will be returned to your browser.
the dns resolver (DNSRC) is a cache of websites you've visited previously and it stores their IP address, much like your own mini DNS server on your computer, it dynamically build a profile so next time you type in that domain, your browser checks the dns resolver cache first then your HOST file, if its not in either it will makes a request to your DNS server. your ISP provides you with a dns server by default.
DNSRC has been exploited by malware in the past to redirect you to malicious sites, so is probably better to turn off as its not really needed. the HOSTS file does the exact same thing except the ip addresses and domains need to be added manually.

well just before you go through and start disabling services you might want to weigh out the pros and cons, first, some services dont really take up a lot of memory, some of them are just single dll files that are tiny.
for example, if you use process explorer to examine that instance of svchost that had tons of services running from it, right click it and go to "properties" then click the performance tab, under the "physical memory" section it says how much memory that instance of svchost is using, "working set" is how much ram it would typically use, "peak performance" is obviously when its load is at its heaviest. one of my instances of svchost was running 26 services! but its working set was only 12mb, and peak performance 30mb, which is tiny! most computer will have at least 1gb of ram, and unless you are using some extremeny memory heavy applications, such as modern computer games it remains to be seen if you will notice the difference. some of the virtual size for these instances of svchost are quite big, so its trial and error really. it should help a bit when starting up your computer, especially if its an older model.

also you might want to consider when you will need them. these services are there for a reason, usually to aid different needs you may have now or in the future. once such example is the "wireless zero configuration" service, you dont need it if your not using wireless, but in the future if you get wireless and realise it dosnt work, it could be quite a while before you figure out why. it dosnt mean you shouldnt disable unused services, it just means you have to take some precautions and do a little bit of research on things you are unsure of, weigh up resources vs conveninence, sometimes its just good that things work, but to spend 3 hours trying to fix a computer, because you disabled a service that took up 512kb of memory just isnt practical =P so i gues syou really have to find which services are actually causing a problem or even if a particular service is a security issue, such as net bios or UNPNP.
i have a couple of suggestions to make if you decide to disable any, one is to set the services to "manual" instead of "disabled" that way windows can still enable the service if its needed, such as if another service needs it, but that could be a service that is totally useless, starting another useless service.

My second suggestion is write down all the services you are changing. write down a brief description for each, that way you know what has changed and its easy to reference if you are trouble shooting.

and lastly a complete fail safe is to back up the registry key that contains your current service configuration. it can be found at:
right click that key and select "export" and give it a descriptive name. if things stop working, at least you can use this to change it back to the configuration you have now. i would use this as a last resort though, as it could have some quirky side effects, mainly enabling or disabling services that you have changed since you backed it up.

the elder geek is pretty helpful for windows boxes, check the service list at the bottom.

also blackvipe has a more comprehensive description of services

dont take the recommended settings literally, read the descriptions, example:
it says that service isnt needed, but automatic updates rely on it, also some services have dependancies, that is some service depend on others, you can check the dependancy tab in your service manager.

1. Computer Browser -- Disable if your not on a network ie if you have a stand alone pc

2. DHCP Client - Only if you have a static IP address, if you dont know what that is, leave it enabled.

3. Distributed Link Tracking Client - If your not on a network, disable it.

4. Error Reporting Service - Disable this, 100% not needed

5. Fast User Switching Compatibility - only needed if you use the "switch user" funtion, in other words to switch between logins, set to disabled if you dont need it

6. Help and Support - Disable, help and support is useless anyway. in all the years ive used windows its never once been of any help, nor has it ever supported me.

7. IPSEC Services - used for encrypting data transfer across a network or subnet(s), not really something a typical home user has use for. set it to manual if you are unsure, but mine is set to disabled. its quite safe to do so.

8. Java Quick Starter - personally i would disable it as i have never had any use for java. do you use java? even so, this service is only to speed up the initialisation of java applets, unless you use java applets all the time and it would make a difference, i would disable it. it also uses 20mb of ram + whatever is running in virtual memory.

9. Network Location Awareness (NLA) - only needed if you are using windows firewall or if you are connecting to the internet through another computer, or vice versa. also if you are connecting to multiple networks. i would set it to manual but it looks to be one of those services that continue to run when set to manual. probably because of windows firewall.

10. Print Spooler - do you have a printer?

11. Protected Storage - used for securely storing passwords in memory for the "auto complete" function when browsing the web or using applications, can be useful. up to you. i use mine.

12. Remote Access Connection Manager - if you have a router, like me, you dont need this, only if you connect directly to the internet this is sometimes needed, or if you connect to the internet through another computer (ICS) mine is disabled, set it to manual if that is more comfortable.

13. Server Service - for filesharing and network printers. useless if you dont have a network.

14. Shell Hardware Detection - used to detect new hardware such as usb devices etc and used with the autoplay feature. most of the time when you connect new hardware you have software to go with it, so all round pretty pointless. it can also be exploited in an privilege escalation attack. set it to manual and take note of this particular service, if you find symptoms that match what it is used for, set it back to automatic.

15. SSDP Discovery Service - useless wiothout a network, probably useless with one too. the service "Universal Plug and Play Device Host" depends on this, but you can disable that too. you need this service for ICS, connecting to the internet through another computer, unless you do that then their is not point.

16. TCP/IP NetBIOS Helper disabled! also disable netbios:

17. Telephony - manual.

18. Terminal Services - the following services make use of this, Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. remeber "fast user switching"? also if you are expeting remote assistance from anyone you will need this running, the others you wont need to worry about. also it displays usernames next to running processes in task manager, so if you dont have a need for any of these set it to manual, however i use mine for fast user switching and usernames in taskmanager.

19. Themes - i use mine, for xp themes.

20. Viewpoint Manager Service - no idea what it is, apparently comes bundled with AOL software and some other stuff, viewpoint has several applications, media player, toolbar etc. its used for graphical programs of somesort, its described as bloatware, in other words software that takes up resources. disable it because there is no need for a service for it.
some people say its spyware, which im not sure it is.
some info on it:

21. WebClient - has apparently no use, set it to manual and stop the service.

22. Windows Image Acquisition (WIA) - used for cameras and scanners. set to manual, or leave it as automatic if you think you will need it.

23. Wireless Zero Configuration - needed for wireless configuration. do you use wireless? disable and take note for future reference. Happy

24. Workstation only really needed on a domain based network, set it to manual.

25. reboot your pc. and see if everything works, ie youc an connect to the internet etc.

26. Remote Access Connection Manager - i left this until last because it makes no sense. the description is "creates a network connection" i have a small single pc network at home, where i connect to my router, i have this service disabled and it does not affect me in any way, rather pointless.
that description say sif you use a router there is no need, i guess its only needed for direct connection to a larger network such as the internet. i donno beyond me. if you have a router/gateway then you dont need it.

dont take my word as absolute, do a bit of research behind each service if you are uncomfortable disabling them. just remeber you can undo any changes with that regisrty backup you done, you can also set a restore point before you start, but they are one and much the same thing.

Collapse -
SVChost eating memory
by kencid99 / April 23, 2012 5:38 AM PDT

I had this exact problem. It ended up being a virus in the MBR of the hard drive. I used a Windows boot disk to repair it and then everything was peachy again. It caused memory and CPU usage to fly sky high whenever I was connected to the network but there was no corresponding child processes visible. Rootkit?

Collapse -
by R. Proffitt Forum moderator / April 23, 2012 5:44 AM PDT
In reply to: SVChost eating memory

In the definition of a rootkit is a feature to hide from the usual Task Manager and such.

Popular Forums
Computer Help 49,613 discussions
Computer Newbies 10,349 discussions
Laptops 19,436 discussions
Security 30,426 discussions
TVs & Home Theaters 20,308 discussions
Windows 10 360 discussions
Phones 15,802 discussions
Windows 7 7,351 discussions
Networking & Wireless 14,641 discussions

CNET Holiday Gift Guide

Looking for great gifts under $100?

Trendy tech gifts don't require a hefty price tag. Choose from these CNET-recommended useful and high-quality gadgets.