Published by Mesila; San Francisco, CA
I recently had unknown malware that was causing Windows to keep rebooting at odd moments. Another thing it did was install a kazillion services and then have all of them running at once. It wasn't something that any scanner would pick up--and being big on file sharing, I've made it a point to keep a whole army of antimalware programs around. I'm assuming the culprit was either one that was new at the time, or a variant that had morphed itself from an older version. Eventually, after a lot of fussing and cussing, I had to reinstall Windows XP. (The malware had also gacked the System Restore function.)
Services in general faze me, even as an intermediate-to-advanced user. I use Process Explorer to ferret out running services that do not belong to Windows or to programs that I am familiar with, but more than once I have shut down something I'll see running that hides under svchost.exe. It confuses me to see svchost.exe running multiple copies of itself--that's one place a lot of active malware hides, but too often I'll end up hosing something that I shouldn't have and screwing up my system in the process.
I wonder if there's some way to shut down services we're never going to use, or keep anything other than Windows from using them, because then I wouldn't have this happen so much. I'd imagine that would also save resources. Windows Help files about services are unfortunately not very helpful.
Editor's response
Good move with Process Explorer. We've extolled its virtues in many an editorial as a clear way to see what's running and pick off what ought not to be. Yet despite Windows' proclivity to run multiple instances of the generically-named process, not all host files are troubled.
However, since you asked, one way we know of to control a Windows service in XP is through the Service Control Manager. There are two methods of getting to this native control. Method one: open the Control Panel, then select Administrative Tools. Select Services from the bottom of the pile. Method two: press the Start button, select Run, and type in services.msc.
If you hover over an instance of svchost.exe in Process Explorer, you'll see which services are associated with each process, and can then suspend the service from the Service Control Manager. You can also right-click any process in Process Explorer and click "Properties," then hit the "Services" tab to stop or pause any of them without using services.msc.
That's my take, but if others of you out there have insight for Mesila or for anyone else confounded by hosts, now's your chance to pipe up in the comments.
This is a continuation of my previous posting (Using Process Explorer to tame svchost.exe - Advanced topics) which introduced the excellent Process Explorer program, a souped up version of Task Manager. According to the author, "Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 and IA64 processors, and Windows Vista." And, it's free.
When a computer is running slow, people sometimes guess at the underlying problem. An experienced Process Explorer user doesn't have to guess.
Below is the main Process Explorer window. There's a lot going on here.
As computers go, the one in the picture is pretty boring: it's a Windows XP virtual machine with next to nothing installed. Chances are, a similar display on your computer will reveal two or three times as many processes.
The Process Explorer window is extremely configurable; the next posting will cover installing and configuring the program. The screen shot shows eight data fields, the ones I find most useful. I also like to include I/O counts but left them out here for space reasons. This is one application that really benefits from a wide screen display.
The columns in the middle are what first attracted me to Process Explorer - the description of the process, the name of the company that created the process and, most importantly, the executable file running in the process. Just knowing the directory that a program is running out of has been useful in and of itself. The CPU History column is also vital, with spikes of green showing processes consuming large amounts of the processor over the last few minutes.
Properties of a Process
To get information on a running process in Process Explorer, double click on the process name. This opens a properties window (see below) with nine tabs.
Earlier I noted the difficulty in pinpointing a performance problem to a Windows service* running inside an instance of the svchost.exe process. This is because Process Explorer breaks down processes by thread rather than by service. Even when a process hosts a single service, there can be multiple threads. But all is not lost.
Go to the Threads tab, expand the CPU column and click on the column heading to sort the list of threads by their current CPU usage.
To see more information about a thread, highlight it and click on the Module button just below the list of threads. This displays the properties of the file underlying the thread (see below). The properties window opens in the General tab; go to the Version tab. This isn't foolproof, but you may get lucky, as in the example below, where the file/module is obviously the DNS Caching Resolver Service.
Another useful tab is Services, which, as you can see below, provides information on the services, if any, running inside the target process.
Setting Priorities
Sometimes a necessary program on your computer can get in the way. If, for example, you're facing a deadline and the computer is running a full hard disk scan, it may become so slow as to interfere with your work. Such was the problem Peter Butler faced. While your knee-jerk reaction may be to cancel the interfering software, on a corporate computer this can be problematic. Process Explorer offers a couple of less intrusive options: it can slow down or freeze a program in its tracks.
Slowing down a running program/process is something Task Manager can also do. In both Task Manager (from the Processes tab) and Process Explorer, right click on the name of the process and select "Set priority" from the pop-up menu (see below). The default priority is "Normal"; changing it to "Below Normal" lowers the priority one notch. Changing it to "Low" (in Task Manager) or "Idle" (in Process Explorer) lowers it two notches, and should let you get your work done with a minimum of interference.
Freezing a process is something Task Manager cannot do. In Process Explorer click on "Suspend" after right clicking on the process name. By default, Process Explorer displays suspended processes as dark gray. If a suspended process was running a visible application, the application window can't be minimized, resized or even re-painted when another window covers it up. To resume the application, right click on the process name again and select "Resume".
There is one caveat, however: some processes do not allow their priority to be changed. I don't know a way around that.
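The same priority change from PowerShell, as an added example that is not code from the posting. It makes the one- or two-notch change described above (Normal to Below Normal, or to Idle, which Task Manager labels "Low"), verifies that the change took, and reports the caveat case where Windows refuses it instead of failing silently. The function name Set-ProcessNotch is my own; it assumes PowerShell 2.0 or later.

```powershell
# Added example, not part of the original posting. Assumes PowerShell 2.0+.
# Lowers (or restores) a process's priority class, the same change the posting
# makes through the right-click "Set priority" menu, and surfaces the caveat
# that some processes will not accept the change (typically "Access is denied").
function Set-ProcessNotch {
    param(
        [Parameter(Mandatory = $true)][string]$Name,  # name as shown in Process Explorer, e.g. 'notepad'
        [ValidateRange(1, 2)][int]$Notches = 1,       # 1 = Below Normal, 2 = Idle ("Low" in Task Manager)
        [switch]$Restore                              # put the process back to Normal
    )
    $target = if ($Restore) { 'Normal' } elseif ($Notches -eq 1) { 'BelowNormal' } else { 'Idle' }

    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "No running process named '$Name'"; return }

    foreach ($p in $procs) {
        $before = $p.PriorityClass
        try {
            $p.PriorityClass = $target
            # Re-read from a fresh Process object: the setter can leave the
            # priority unchanged without throwing, so do not trust the cached value.
            $after = (Get-Process -Id $p.Id).PriorityClass
            if ("$after" -ne $target) { throw "priority is still $after after the change" }
            "{0} (PID {1}): {2} -> {3}" -f $p.ProcessName, $p.Id, $before, $after
        } catch {
            # The posting's caveat: protected system processes, and processes owned
            # by another user, do not allow the change. Report it and move on.
            Write-Warning ("{0} (PID {1}): could not change priority: {2}" -f `
                $p.ProcessName, $p.Id, $_.Exception.Message)
        }
    }
}

# Usage: two notches down while a scan runs, then back to Normal afterwards.
Set-ProcessNotch -Name 'notepad' -Notches 2
Set-ProcessNotch -Name 'notepad' -Restore
```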
Next Up...
Next time, installing and configuring Process Explorer.
*A service is a special type of Windows program. Most services are part of Windows; the previous posting discussed the Automatic Updates service and the Task Scheduler service. Applications can also install their own services. In Windows XP services are managed from the Administrative Tools applet in the Control Panel.
Note: This posting is based on Process Explorer version 11.04, which was current at the time this posting was written. The screen shots were taken on a machine running Windows XP.
Svchost.exe processes in Windows Task Manager. (Credit: CNET Networks)
The situation is familiar to countless Windows users: They're in a groove at work, firing off e-mails, crafting documentation, and even blogging on their personal site during breaktime, when suddenly, something takes over 99 percent of the CPU, slowing it to a virtual standstill. A quick look at the invaluable Process Explorer (or the standard Windows Task Manager) indicates that a process called svchost.exe is using all that CPU. What's more, there's one main CPU offender. Multiple versions of svchost.exe are running in the background and hogging CPU cycles. What is it? Is it spyware? Hackers? Terrorists?
Although there are historical cases of malware using svchost.exe, because of its common presence, it's most likely just Windows being Windows. Svchost.exe is a generic process name for Windows services that run from Microsoft DLLs (dynamically linked libraries). Each of those instances of svchost.exe in the process lists actually represents a group of services that each process is managing. With Process Explorer, it's easy to see which services each process manages, and stop them one by one to see which is the CPU culprit.
In the spring of 2007, a major problem arose with a Windows update that caused svchost.exe to use 100 percent of CPU because of an issue with Automatic Updates. To correct that bug, be sure that Windows is fully patched with the most recent updates.
The first thing to do is to determine which of the active svchost.exe processes is causing the slowdown. Fire up Process Explorer, and click on the CPU column header to sort the list of processes by processor usage. A list of processes, sorted from most processor intensive to least intensive, is displayed. When the computer stalls, switch over to Process Explorer and see which running process is causing the crunch.
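The PID-to-service mapping that the editor's response, the Services tab discussion and this article all rely on, done from PowerShell as an added example that is not code from CNET or from Process Explorer. It reads the same information Process Explorer shows on its Services tab, but from WMI, and sorts the svchost.exe instances by accumulated CPU time so the offender is at the top. The function name Get-SvchostServiceMap is my own; it assumes PowerShell 2.0 or later and the WMI Win32_Service class, which is present on XP.

```powershell
# Added example (not code from the article). Assumes PowerShell 2.0+ and WMI.
# Lists every running svchost.exe instance with the services it hosts, sorted by
# accumulated CPU seconds, so the instance to examine first is at the top.
function Get-SvchostServiceMap {
    param([string]$ProcessName = 'svchost')

    # PID -> list of service names. Stopped services report ProcessId 0, so skip them.
    # WMI returns ProcessId as UInt32; cast to Int32 so it matches Process.Id as a key.
    $byPid = @{}
    foreach ($svc in Get-WmiObject Win32_Service) {
        if ($svc.ProcessId -eq 0) { continue }
        $svcPid = [int]$svc.ProcessId
        if (-not $byPid.ContainsKey($svcPid)) { $byPid[$svcPid] = @() }
        $byPid[$svcPid] += $svc.Name
    }

    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Select-Object Id,
            @{ n = 'CPUSecs';  e = { [math]::Round($_.TotalProcessorTime.TotalSeconds, 1) } },
            # MainModule is not readable for processes you cannot open; say so instead of erroring.
            @{ n = 'Path';     e = { try { $_.MainModule.FileName } catch { '(access denied)' } } },
            @{ n = 'Services'; e = { if ($byPid.ContainsKey($_.Id)) { $byPid[$_.Id] -join ', ' } else { '(none)' } } } |
        Sort-Object CPUSecs -Descending
}

# A genuine svchost instance normally hosts at least one service and runs from
# %SystemRoot%\System32; an entry showing '(none)' or an unexpected path is
# the one to look at more closely before stopping anything.
Get-SvchostServiceMap | Format-Table Id, CPUSecs, Services, Path -AutoSize -Wrap
```

Once the hosted services of the top instance are known, stop them one at a time from services.msc (or Process Explorer's Services tab) and watch the CPU column, as the article describes.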