SVCHOST any ideas what is behind this?

DevilWAH Member Posts: 2,997
Hi,

I have an SVCHOST process running that has the below services under it. I am trying to work out what application is behind this process as it is causing a lot of disk access errors. Does anyone know how to determine what this is?

svchost instance running: 1544
• COM+ Event System
• Network List Service
• Network Store Interface Service
• Windows Time
• Diagnostic Service Host
• WebClient

Cheers

DevilWAH
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.

Comments

    it_consultant Member Posts: 1,903
    Is this server in a cluster? Services host is a generic service executable that runs various Windows applications. The one that is most likely the problem is the COM+ or the Diagnostic service, since those are the ones that would likely be writing to the disk.
    JDMurray Admin Posts: 13,031
    Those are all services that belong to Windows itself. What kinds of disk access errors? Bad blocks? That's an indication of a physical disk problem. If it's a disk access permission problem then a service is not running under the correct owner or group (usually SYSTEM or LOCAL SYSTEM). Are you seeing these errors in a Windows event log or an application-specific log file?

    The svchost.exe process is a generic Windows service used to run other services that are implemented as loadable .DLL executables rather than as self-loading .EXE executables. While the presence of multiple svchost.exe processes is normal, malware can use svchost to run and masquerade as a legitimate Windows service.
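One way to answer the original question (which services and DLLs sit behind svchost PID 1544) and to apply the point above about svchost lookalikes. This is an added PowerShell example, not something posted in the thread; it assumes Windows PowerShell 3.0 or later, an elevated prompt, and the PID 1544 quoted in the first post.

```powershell
# Added example: map an svchost.exe PID to the services it hosts and the DLL
# each service loads, then check that the hosting binary is the genuine one.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) in an elevated prompt.
$TargetPid = 1544   # PID from the first post; change to the instance in question

# 1. Services hosted inside this svchost instance (same data as `tasklist /svc`).
$services = Get-CimInstance Win32_Service -Filter "ProcessId = $TargetPid"
if (-not $services) { Write-Warning "No services report PID $TargetPid"; return }

$services | ForEach-Object {
    # svchost-hosted services register their implementation DLL under
    # HKLM\SYSTEM\CurrentControlSet\Services\<Name>\Parameters\ServiceDll
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    # Authenticode status of the DLL: a hosted DLL that is unsigned or lives
    # outside %SystemRoot% is worth a closer look.
    $signed = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
    [pscustomobject]@{
        Service     = $_.Name
        DisplayName = $_.DisplayName
        RunsAs      = $_.StartName      # e.g. LocalSystem, NT AUTHORITY\LocalService
        ServiceDll  = if ($dll) { $dll } else { '<none registered>' }
        DllSigned   = $signed
    }
} | Format-Table -AutoSize

# 2. Is the process really Windows' svchost.exe? A binary named svchost.exe that
#    runs from another directory, or is unsigned, is the masquerade described above.
$proc     = Get-Process -Id $TargetPid -ErrorAction Stop
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
[pscustomobject]@{
    ImagePath  = $proc.Path
    InSystem32 = ($proc.Path -ieq $expected)
    Signature  = (Get-AuthenticodeSignature $proc.Path).Status
} | Format-List
```

The first table is the same grouping Process Explorer shows in a service's properties; the DLL path tells you which component (Windows or third-party) actually does the work.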
    DevilWAH Member Posts: 2,997
    Hi,

    See below, this is taken with the Sysinternals Procmon utility capturing the file system, and it is full of these unknown requests. I don't think this is malware as the system is a work system and sits behind a lot of security systems and has very limited connections to outside. I am not saying it definitely is not, but I don't think this is the case.

    The McAfee antivirus the company runs also seems to hit the hard drive hard! At complete idle (without a scan running, just on-access) it is showing about 5 megabytes of activity a second, which compared to my Vista machine is massive. (This system is a Windows 7 box.)

    With the screenshots below, any ideas?? The second is from Process Explorer from Sysinternals. It looks like it might be McAfee, but not sure why it would be doing this?



    JDMurray Admin Posts: 13,031
    That's just Windows walking the folders in a path. You are seeing the actual operation of how Windows locates a file in an NTFS file system. Windows doesn't just jump straight to a file and must instead "walk the path" of folders to find a file (in this case, the files it is locating are Windows Registry or Event Log files). If you look at the registry monitor you will see that Windows uses the same method for locating values stored under a specific Registry key. Run Process Monitor on any Windows box and you will see the same activity.
    DevilWAH Member Posts: 2,997
    But the volume of them is far more than I have seen on any other Windows box: pages of the same without any read or write activity to go along with it.

    Maybe it's just that Windows 7 is much more disk intensive than Vista, as comparing the two side by side there is far more of this activity on this one box than any others.

    A simple test will be to look at another Windows 7 box with the same setup to see if they are both doing it.

    Thank you for the pointers though, cheers

    Aaron
    demonfurbie Member Posts: 1,819
    When is the last time you error-checked the drive for bad sectors?
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
    Devilsbane Member Posts: 4,214
    It has been quite some time since I've used Dependency Walker, but if you pull up the svchost.exe process, shouldn't that tell you the .dlls that it is pulling from? Depending on the results, this might help you to better pinpoint the application that is being used.
    Decide what to be and go be it.
    demonfurbie Member Posts: 1,819
    Devilsbane wrote: »
    It has been quite some time since I've used Dependency Walker, but if you pull up the svchost.exe process, shouldn't that tell you the .dlls that it is pulling from? Depending on the results, this might help you to better pinpoint the application that is being used.

    True, but those DLL files are quite small and are normally written at install, so they will be close together on the drive; so if there is a bad sector or bad track on the disk, multiple DLL files could be affected.
    JDMurray Admin Posts: 13,031
    According to one of the posted screenshots, the svchost.exe process(es) are hitting files in the C:\Windows\System32\config folder, which is where the Windows Registry and Event Log files are stored. Any process that performs heavy logging or Registry access will appear to be hitting files in this folder quite frequently. Once again, this is typically very normal behavior on a Windows box.
    TheShadow Member Posts: 1,057
    Seems to be beating on the registry awfully hard. So what else, process-wise, that should be silent, is also using CPU cycles? The usual suspects: a full system search gone wrong, full system virus scanner, MS Security Essentials has been known to lose track of time after a data update, auto disk defrag software, background disk backup snapshots, etc. The recent daylight savings time switchover could have uncovered a sync bug and a reboot may correct the problem.
    Who knows what evil lurks in the heart of technology?... The Shadow DO
    onesaint Member Posts: 801
    You may want to grab Process Explorer or Process Monitor that JD mentioned and have a look at the threads associated with the process. Generally speaking you can pick up on what the process is and what it is doing based on those tools.

    These are threads from a random svchost.exe process in Process Explorer:

    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
    JDMurray Admin Posts: 13,031
    TheShadow wrote: »
    Seems to be beating on the registry awfully hard. So what else, process-wise, that should be silent, is also using CPU cycles?
    Have you checked your Windows Event Logs lately? You might have something running amok and spewing out a bunch of debugging log entries. If your logs are provisioned to only over-write entries older than N days your event logging service is spending a lot of time searching for log entries to over-write.
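A quick way to check the two things raised in this reply, whether a log is provisioned so that it must keep overwriting old entries and which provider is flooding it. This is an added PowerShell example, not from the thread; the one-hour look-back window is an assumed value.

```powershell
# Added example: show event log provisioning (size cap, retention mode, fullness)
# and count recent entries per provider to find a service "running amok".
$Hours = 1   # assumed look-back window for the per-provider counts

# 1. Provisioning: the ten largest logs, their cap, and whether they are full.
#    LogMode 'Circular' means old entries are overwritten once the cap is hit.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object FileSize -Descending |
    Select-Object -First 10 LogName, RecordCount,
        @{ n = 'SizeMB'; e = { [math]::Round($_.FileSize / 1MB, 1) } },
        @{ n = 'MaxMB';  e = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } },
        LogMode, IsLogFull |
    Format-Table -AutoSize

# 2. Who is writing? Top five providers by entry count in the core logs.
$since = (Get-Date).AddHours(-$Hours)
foreach ($log in 'Application', 'System') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object ProviderName |
        Sort-Object Count -Descending |
        Select-Object -First 5 @{ n = 'Log'; e = { $log } }, Count, Name |
        Format-Table -AutoSize
}
```

A single provider with hundreds of entries per hour in a circular log that is already full is exactly the pattern described above, and its name points at the offending service.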
    DevilWAH Member Posts: 2,997
    JDMurray wrote: »
    Have you checked your Windows Event Logs lately? You might have something running amok and spewing out a bunch of debugging log entries. If your logs are provisioned to only over-write entries older than N days your event logging service is spending a lot of time searching for log entries to over-write.



    I wonder if that might have something to do with it?? ;) Sorry, really I should know better and look at the logs first. It's some issue around the perfmon service; seems it's not uncommon and a few people have come across it. VMware reports vmauthd errors

    Let's see how much that improves the disk access issues.

    Cheers for all the help guys, especially linking it to the event log files from the path, I think that was the bit that threw me.

    Aaron

    Looks like that was the issue. Massive drop in disk activity and nowhere near the same activity in the log files. Thanks everyone.
    JDMurray Admin Posts: 13,031
    Excellent! I'm glad the problem had both a logical place to find it and an easily Googleable solution.
    DevilWAH Member Posts: 2,997
    Hooray for Google,

    With it I am a genius, without it I am but a fool ;)
    onesaint Member Posts: 801
    DevilWAH wrote: »
    Hooray for Google,

    With it I am a genius, without it I am but a fool ;)

    I recently had a laugh when I came across my two 3-ring binders that used to house all my sysadmin notes. Now it's Google and my wiki.

    Nice work on getting it fixed.