Monday, January 27, 2014

svchost is utilizing 100% of the CPU

The other night I ran into an issue I hadn't seen for a little while. Having seen it in the past and knowing what I did to resolve it, I decided to make a little write-up to help anyone else who might run into this problem. This, my friends, is what you call a memory leak.

What is a Memory leak exactly?
Microsoft describes it as: "RPCSS makes synchronous calls to track object identifiers (OIDs) for clients as part of the Distributed Component Object Model (DCOM) pinging mechanism. During this process, RPCSS acquires a handle and memory, which are not released if these clients are not pumping window messages efficiently. This causes a handle and memory resource leak in the Svchost.exe process."


Do not ever end a svchost.exe process without first knowing which services are attached to it. Svchost.exe is short for "service host"; it is not a virus. In fact, it's a required system component. You'll usually find multiple copies of svchost.exe running. Svchost.exe is a program designed to run other programs, and it "hosts" many of the system services in all Microsoft operating systems up to Windows 8.1 (the latest released O/S).

First things first
Since there are multiple copies of svchost running on every Windows O/S, you must first find the PID of the specific svchost.exe that is using all of the computer's CPU or memory. To do this, hold down [CTRL]+[SHIFT]+[ESC] at the same time to open the 'Task Manager', then click on the 'Details' tab if using Windows 8 or newer, or 'Processes' if using an older O/S.


To show the 'PID' within the task manager you must first right click on any tab and then left click on 'Select Columns'. This will open the 'Select Properties Page Columns' where you must check the checkbox next to 'PID (Process Identifier)'.


Notice the PID (Process Identifier) of the svchost.exe process that is consuming all of the resources. In this case PID 484 is utilizing the most resources.


To see all the running copies of svchost.exe
From within an Administrative CMD prompt type "tasklist.exe /SVC | more". The /SVC switch will display the services hosted within each process.

Notice the services within PID 484 (one of these services is the culprit):
AeLookupSvc, AppInfo, BITS, Browser, CertPropSvc, IKEEXT, iphlpsvc, LanManServer, ProfSvc, Schedule, SENS, SessionEnv, ShellHWDetection, Themes, Winmgmt, and Wuauserv. Right now there are 16 services running under PID 484. We must now separate these 16 services into their own PIDs, which will show us the service that is causing all this trouble.

Note: Winmgmt and wuauserv are pretty common culprits. I would start with these services.





Now that we've narrowed the list of possible culprits, we can start separating the services into their own PIDs by running the following command in an Administrative CMD prompt:

 sc config servicename type= own

For instance:
sc config Winmgmt type= own



This will break the Power Service out of the PID 484 group into its own PID. Just continue to do this until you find the service that is going crazy, and restart that service if applicable.

Note: Most commonly this is due to a bug of some sort with the Windows Update Service or wuapp for short.
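
The same triage can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original write-up; the function name Get-BusySvchostServices and the 5-second sampling window are assumptions. It samples CPU time twice to find the busiest svchost.exe, lists the services hosted in that PID, and prints (without running) the commands that would isolate each one.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Get-BusySvchostServices is a hypothetical helper name.
function Get-BusySvchostServices {
    param(
        [int]$SampleSeconds = 5   # assumed sampling window
    )

    # First sample: total CPU seconds used so far by each svchost.exe, keyed by PID.
    $before = @{}
    Get-Process -Name svchost | ForEach-Object { $before[$_.Id] = $_.CPU }

    Start-Sleep -Seconds $SampleSeconds

    # Second sample: the instance whose CPU time grew the most is the busy one.
    $busiest = Get-Process -Name svchost |
        Where-Object { $before.ContainsKey($_.Id) } |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId  = $_.Id
                CpuSeconds = [math]::Round($_.CPU - $before[$_.Id], 2)
            }
        } |
        Sort-Object -Property CpuSeconds -Descending |
        Select-Object -First 1

    # Services hosted inside that PID (one row of "tasklist.exe /SVC").
    $services = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($busiest.ProcessId)")

    [pscustomobject]@{
        ProcessId  = $busiest.ProcessId
        CpuSeconds = $busiest.CpuSeconds
        Services   = $services.Name
        # Commands are only printed; review them before running any.
        Isolate    = $services |
            Where-Object { $_.ServiceType -eq 'Share Process' } |
            ForEach-Object { "sc.exe config $($_.Name) type= own" }
    }
}

$result = Get-BusySvchostServices
"PID {0} used {1} CPU seconds during the sample" -f $result.ProcessId, $result.CpuSeconds
$result.Services
$result.Isolate
```

In PowerShell, type sc.exe rather than sc, because sc is an alias for Set-Content in Windows PowerShell. A type= own change applies the next time the service starts, and sc.exe config servicename type= share reverts it.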