Problems? See this thread at archive.org.
Question to the OS experts - svchost goes mad...
OS is Vista Business SP2
Ok, for some reason - under certain conditions (generally a little while after logging in - I felt audio (X-Fi Go, Foobar accelerated it - but no, see later down) my Svchost seems to go haywire - one of them anyway.
Its the one that deals with "Plug and Play" as well as " DCOM Launch".
I had a slight feeling it may be audio related... but that's as far as I ever got.
(X-Fi Go, Foobar - maybe) (but it isn't - see X-Fi further down and not running Foobar doesn't help either)
Whenever it goes "mad" it runs under a CPU load between 20-50% - and recovers after around 15 minutes (once looked at my clock)
The thread that tends to cause this problem is:
ntdll.dll!RtlSizeHeap+0x642
When I tried some online digging I didn't find anything conclusive - except that maybe it has got something to do with video and audio.
Thinking of what updates I did in that department... X-Fi go drivers are the only one that spring to mind since it occured.
Unistalled X-Fi Go - problem still occured.
Looked at the stack on the file/process.
Disabled NVidia components from starting up - see what happens now.
Error occured with NVidia services disabled at startup too - not responsible, NVidia processes are active again at startup.
Looking through the error logs I found a TPM related problem - which matched the time svchost went "mad" - disabled the TPM module, started my laptop - still occured, so TPM is running again.
I've run Malwarebytes on the Windows Folder and have KIS 2010 running - I also sent the offending file to virustotal.com - which came back as a negative.
Else... the Windows Error logs don't seem to help - using time i went through all and found nothing except that TPM module (which was close).
Also, the process once ran for about 15 minutes - so it does shut down again - but still, 15 minutes at mostly 50% CPU load eats up my battery - and I really don't fancy a reinstal.
I also ran "sfc /scannow" - that originally did something - but since then tells me my system has no problems.
Looking at the stack in that ntdll.dll - resulted in these - OS components being in the top tiers...
hal.dll!KeAcquireInStackQueuedSpinLockRaiseToSynch+0x31
ntdll.dll!KiFastSystemCallRet
____________________
ntkrnlpa.exe!KiDispatchInterrupt+0xf9
___________________________
ntkrnlpa.exe!KiDispatchInterrupt+0x104
ntkrnlpa.exe I found has got somthing to do with PAE...
Any help would be appreciated
Thanks a lot in advance
-
-
I did use process explorer You're right about this.
IE8 - hmm, I don't think I need IE8 for this to start - but I'll check again once I restart - I have a feeling I didn't occur in my immediate past hour (editing photogrpahs).
It definitely occurs shortly after startup - from memory I'm not sure if it also occurs shortly after waking from standby.
Thanks for looking into it
OK, update:
I just sent my Vaio to sleep and woke it up a little later eeping process exporer running.
PID (I assume its pocess ID) helps here.
The samesvchost process went into activity immedately before Standby or when waking up - oad jumped to 68% onone point of the graph - but that may be normal standby behaviour.
Else: It hasn't yet kicked in after waking from standby. -
-
Ah OK Thanks for clarifying this.
-
As far as I am aware the DCOM serice is essential for aa lot of OS operations? no?
I'll try disablig plug & play though
Good idea - by the way.
Edit: Can't shut down plug and play via the "Services" - manager or what you call it. I'm just thinking though... I need to test this in safe mode! -
It sure doesn't sound like it from reading those pages I linked to. Unless you run distributed Windows applications such as multi-computer web server setups etc. If you aren't running a big website or a bank or something I doubt you'd be using that stuff.
EDIT: Never mind... blackviper seems to say that the DCOM service is needed for Windows to work.
http://www.blackviper.com/WinVista/Services/DCOM_Server_Process_Launcher.htm
You can shut it off on-the-fly like this: Task Manager > Processes tab > Show processes from all users > Services tab > right-click the service > Stop service. Quick but doesn't persist through a reboot.
You can also disable it in the "Services" app a.k.a. "services.msc"... but then you need to reboot before that takes effect.
Or you can do both, and then it shuts off now without a reboot and persists through reboots.
EDIT: Apparently MS says disabling Plug and Play may make your system unstable. http://www.blackviper.com/WinVista/Services/Plug_and_Play.htm
So... bad idea I guess.
Hmmm... try this: disable all your audio/sound devices in Device Manager. (blackviper says Windows Audio uses the Plug and Play service.) -
-
Thanks Swarmer
Thought that DCOM was a bit important (looking at all the dependencies it has)
And Plug and Play - couldn't disable it.
But I just found something out:
I ran Windows in Safe Mode - and it didn't seem too appear
I ran sfc /scannow in safe mode - apparently it found some errors...
Now I'm back in normal windows - started off with a lot of CPU usage - my little svchost also used a few CPU cycles but only for seconds at startup - sp far its behaving...
I'll have to monitor it
Hmm - what do you think?
You've got plenty of valuable posts here but this isn't one of them.
A laptop that runs its CPU at 50% load isn't too useful - laptops - especially smaller ones are built for mobility - and as I say in my first post it eats up battry life if i runs a process for 15 minutes.
Also, those 15 minutes were at a full 2,5GHz,in battery saver my CPU is locked to the lowest multiplier where it runs at 1,6GHz
Sorry for this little attack - but that question annoys me a touch.
Edit:
It just started again a few minutes after my sytem start.. let's figure out the time gap.
Edit2:
It started about 5 minutes after the system started up (or after the logged starup time) -
What category is it listed under in dev mgr?
EDIT: All the Google results are networking-related. Oh... you have a non-English Windows, right? Like German maybe? So it's 6-to-4 adapter? As in IPv6 to IPv4. Weird...
If you haven't run antivirus and antispyware scans yet, I'd do that. Oh yeah, you ran MBAM on the Windows folder... run something else. Download MSE from Microsoft if necessary, or run the NOD32 online scanner. -
Its listed under network adapters - the error is it can't load the driver...
Trying to check for new ones doesn't yield anything
I just disabled Bluetoth Audio and my Sigmatel Audio in the device manager and have restarted - I'm keeping an eye on it
Edit:
Svchost was running at its full 50% when I shut down...
I got the following my logs:
(sense)
DLL for automatic WLAN configuration slowed down shutdown.
Wlansvc is the filename...
May it be my Wlan driver? -
-
I doesn't, it stays active.
It even jumped to 56% recently...
I tried starting without Wi-Fi - interestingly deactivating it in Device Manager didn't work... I had to use my Wi-Fi switch...
still came back
So now I'll deactivte that strange adapter.
Edit:
Adpater is deactivated - stayed deactivated - now keeping an eye on it.
Edit2:
its started again... -
-
How would I set services to factory default?
As far as I am aware they are in their factory default settings - only maybe some additional ones from Pogrammes like KIS or Adobe.
I'm currently testing Dave's suggestion - Stopped KIS before the CPU load.
The IP-Helperstarts automatically ba the way.
Error logs - up to no nothing has come up regarding the CPU spike I've checked - but would have to recheck once I try your suggestion.
At the moment I'm trying Dave's suggestion.
Edit:
Without KIS the problem still occured - repaired the Wi-Fi driver as that's had a problem shutting down once... (recently when I asked for a shutdown during the CPU load) -
It only happens after a reboot - the thing is, it doesn't seem to want to stop an more.
Its not normal - something is wrong, I just wish I knew what
Interestignly... it seems as if it takes longer and longer to crop up...
Edit:
Disabled IPv6 in my 2 active netwokadapters.
Set the IP-Helper to manual
and deactivated devies in the device manager.
Now I'll wait....
Edit2: I'm not someone who plays with Service any more - I learnt its useless to do so.
The only changes to services that I would have potentially made was deactivating services I added through programmes - so all the OS services should be in the factory default
Edit3:
Took a while but its at 50% load again
the file that is repsonsible is still ntdll.dll
Edit4:
hortly before ntdll.dll went "mad" again RPCRT4.dll was constantly working at around 2% (1,45-2,21) virustotal, KIS 2010 and Malwarebytes say its "clean". -
OK people - I'll call it a day for now - its 11pm and I feel like sleeping.
Any new ideas - plese let me know - I just don't want to go down te installatio path... I have come to hate OS installations as they consume so much time...
I just hope someone knows what it is.
Thank you so far
Edit:
Unistalled my Wi-Fi driver while the process was misbehaving... I'll need to monitor it tomorrow on the stock Sony or default Vista driver...
Oh, and reverted changes to IPv6
Edit:
I am on the stock Wi-Fi driver and "here we go again" - although it seems the more often I restart the later it happens...
Edit2:
I'm running my laptop in Power Saver mode so it doesn't get too warm...
(means my procesor runs at 1,6GHz multiplier of 6)
The proess is still going mad and has even hit a value above 90% - only for a few seconds though.
Also: After ages it does settle down.
The process continuesto run aroun 2% though... in safe mode it drops to 0...
However I notice that this specific svchost process is running around 2% sometimes 1,4, sometime 3
Edit: Its back again....
On another note: It has started jumping to up to 97% too for just a short while and then fallig back to 50ish... -
Update:
I may - stress - may - have found an answer to my problem.
removed Kaspesky 9.0.0.736 and since then my Process is calm - my fingerprint sensor also stopped using 2 od % of CPU load - I'll need to continue to monitor it.
After I removed KIS I also updated my Wi-Fi driver.
Interestingly - Dave had the idea with the anti virus suite early on - starting the computer and closing it before the CPU load did not work.
If it was KIS then I wonder what is happenng with that company becase now my laptop is much faster too...
-
microsoft security essentials....
and glad i could help
-
I've got those on my old laptop running Win7 - KIS is more powerful - but version 2010 seems to have its problems
I'll have to see and monitor my lappy a little bit
I'll survive without an anti virus on NBR
-
sure? forums are a main target to deploy viri currently.
better install the mse, just in case.
and no, kis doesn't give you much. microsoft gives you antivir, firewall, uac. should be enough. firefox gives you adblock, and that's about it then (a-patch for msn for adblocking there)
-
KIS does give me more it checks files that are executed, checks .exe files before they actually execute
Also: KIS guards what leaves my lappy the MS firewall on looks at what wants to come in.
-
well, that's what every virus software does. checking the files, at best before it's too late, at least the moment you try to start them.
and no, the firewall of vista/win7 is inbound and outbound afaik. but i'm unsure.
and even then, it doesn't matter
-
Edit:
I think it definitel was KIS related - I've been using the laptop all afternoon now - and it never reocured.
I really wonder why - I may try KIS again at a later date.
Also: Its so much more responsive without KIS 2010 - its really a shame its causing such lag
Thank you to all who replied
Rep went out to all but Gary - I can't rep you at the moment I have a note to remind me though
Thanks again!
Question to the OS experts - svchost goes mad...
Discussion in 'Windows OS and Software' started by DetlevCM, Nov 14, 2009.
