Monday, January 27, 2014

svchost is utilizing 100% of the CPU

The other night I ran into an issue I haven't seen for a little while. Having seen this in the past and knowing what I did to resolve the issue, I decided I'd make a little write-up to help anyone else that might run into this problem. This, my friends, is what you call a memory leak.

What is a Memory leak exactly?
Microsoft describes it as: "RPCSS makes synchronous calls to track object identifiers (OIDs) for clients as part of the Distributed Component Object Model (DCOM) pinging mechanism. During this process, RPCSS acquires a handle and memory, which are not released if these clients are not pumping window messages efficiently. This causes a handle and memory resource leak in the Svchost.exe process."


Do not ever end a svchost service without first knowing which services are attached. Svchost.exe is short for "service host"; this is not a virus. In fact, it's a required system component. You'll usually find multiple copies of svchost.exe running. Svchost.exe is a program that is designed to run other programs and "hosts" many of the system services in all Microsoft operating systems up to Windows 8.1 (the latest released OS).

First things first
Since there are multiple copies of svchost running on every Windows OS, you must first find out the PID of the specific svchost.exe that is using all of the computer's CPU or memory. To do this, hold down [CTRL]+[SHIFT] and [ESC] at the same time to open the 'Task Manager', then click on the 'Details' tab if using Windows 8 or newer, or 'Processes' if using an older OS.


To show the 'PID' within the task manager you must first right click on any tab and then left click on 'Select Columns'. This will open the 'Select Properties Page Columns' where you must check the checkbox next to 'PID (Process Identifier)'.


Notice the PID (Process Identifier) of the svchost.exe process that is consuming all of the resources. In this case PID 484 is utilizing the most resources.


To see all the running copies of svchost.exe
From within an Administrative CMD prompt type "tasklist.exe /SVC | more". The /SVC switch will display the services hosted within each process.

Notice the services within PID 484 (one of these services is the culprit):
AeLookupSvc, AppInfo, BITS, Browser, CertPropSvc, IKEEXT, iphlpsvc, LanManServer, ProfSvc, Schedule, SENS, SessionEnv, ShellHWDetection, Themes, Winmgmt, or Wuauserv. Right now there are 16 services running under PID 484. We must now separate these 16 services into their own PIDs, which will show us the service that is causing all this trouble.

Note: Winmgmt and wuauserv are pretty common culprits. I would start with these services.





Now that we've narrowed the list of possible culprits, we can start separating the services into their own PIDs by running the following command in an Administrative CMD prompt:

 sc config servicename type= own

for instance:
sc config Winmgmt type= own



This will break the Power Service out of the PID 484 group into its own PID. Just continue to do this until you find the service that is going crazy, and restart that service if applicable.

Note: Most commonly this is due to a bug of some sort with the Windows Update Service or wuapp for short.
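
The Task Manager and tasklist steps above can also be done from PowerShell. The following is an added example, not code from the original post; the function names Get-BusiestSvchost and Get-HostedService are made up for illustration, and it assumes PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Requires PowerShell 3.0 or later (Get-CimInstance, [pscustomobject]).

function Get-BusiestSvchost {
    param([int]$SampleSeconds = 5)

    # Process.CPU is cumulative processor seconds since the process started,
    # so take two samples and rank by the difference to see current load.
    $first = @{}
    Get-Process -Name svchost | ForEach-Object { $first[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $SampleSeconds

    Get-Process -Name svchost |
        Where-Object { $first.ContainsKey($_.Id) } |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId  = $_.Id
                CpuSeconds = [math]::Round($_.CPU - $first[$_.Id], 2)
                MemoryMB   = [math]::Round($_.WorkingSet64 / 1MB, 1)
            }
        } |
        Sort-Object CpuSeconds -Descending |
        Select-Object -First 1
}

function Get-HostedService {
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    # Win32_Service.ProcessId ties each running service to its host process;
    # ServiceType reads "Share Process" or "Own Process".
    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, ServiceType
}

$busy = Get-BusiestSvchost
"Busiest svchost.exe: PID $($busy.ProcessId), $($busy.CpuSeconds) CPU seconds in the sample, $($busy.MemoryMB) MB"
Get-HostedService -ProcessId $busy.ProcessId | Format-Table -AutoSize

# Once the faulty service is found, return each isolated service to the shared
# host. In Windows PowerShell, 'sc' is an alias for Set-Content, so call sc.exe:
#   sc.exe config Winmgmt type= share
# The new type applies the next time the service starts.
```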

Tuesday, January 21, 2014

PowerShell Remoting: Invoke-Command

PowerShell remoting allows you to run commands on local and remote computers.

PowerShell Remoting was first introduced with PowerShell v2 which can be installed on any Windows Operating System XP or newer.

     Common problems:
    • Not running an elevated PowerShell prompt.
    • Must be an Administrator to use WinRM.
    • PowerShell execution policy is not set.
    • PSRemoting is not enabled.
    • The remote computer is not on.
    • Not a member of the domain or a trusted domain.
    • A network adapter is set to public (HTTP & HTTPS are blocked by Windows Firewall).

First Things First: Don't forget to enable PSRemoting and set a proper execution policy on the computer you want to remotely access.

PS C:\> Set-ExecutionPolicy RemoteSigned -Force
PS C:\> Enable-PSRemoting -Force

To run a command against the local machine:
PS C:\ > Invoke-Command -ScriptBlock { Hostname } -ComputerName .
matthewkerfoot
PS C:\ >

To run a command against local and remote computers:
Invoke-command -ScriptBlock { Hostname ; Get-Counter '\Processor(_Total)\% Processor Time' } -ComputerName localhost, remoteserver1, remoteserver2

To run a command against a list of computernames:
Invoke-command -ScriptBlock { Hostname ; Get-Counter '\Processor(_Total)\% Processor Time' } -ComputerName (Get-Content $env:USERPROFILE\Desktop\ServerList.txt)

To run a script against remote computers:
Invoke-command -ComputerName localhost, remoteserv1, remoteserver2 -FilePath C:\Scripts\report.ps1 

To run a command against a remote computer with alternative credentials:
Invoke-Command -Scriptblock { Hostname ; Get-Counter '\Processor(_Total)\% Processor Time' } -ComputerName SRV-PSWA -Credential kerfoot\matthew
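
Several of the common problems listed above (the remote computer is off, PSRemoting is not enabled, the firewall blocks WinRM) only show up as errors part-way through a run against a server list. The following added example, which is not from the original post, checks each host with Test-WSMan first and then runs the same counter on the hosts that answer; the ServerList.txt path matches the one used above, and the variable names are illustrative.

```powershell
# Added example, not from the original post.
# Assumed input: one computer name per line in ServerList.txt on the Desktop.
$listPath = Join-Path $env:USERPROFILE 'Desktop\ServerList.txt'
$servers  = Get-Content $listPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Test-WSMan only confirms that WinRM answers on the target; it does not prove
# that your account is allowed to open a session there.
$reachable = @()
$skipped   = @()
foreach ($server in $servers) {
    try {
        Test-WSMan -ComputerName $server -ErrorAction Stop | Out-Null
        $reachable += $server
    }
    catch {
        $skipped += "$server : $($_.Exception.Message)"
    }
}

if ($reachable.Count -gt 0) {
    # Get-Credential prompts, so no password is stored in the script.
    $cred = Get-Credential

    # Collect per-host failures in $failed instead of stopping at the first one.
    $results = Invoke-Command -ComputerName $reachable -Credential $cred `
        -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
            $sample = Get-Counter '\Processor(_Total)\% Processor Time'
            [math]::Round($sample.CounterSamples[0].CookedValue, 1)
        }

    # Invoke-Command tags every returned object with PSComputerName.
    $results | ForEach-Object { "{0}: {1}% CPU" -f $_.PSComputerName, $_ }
    $failed  | ForEach-Object { "FAILED: $_" }
}
$skipped | ForEach-Object { "SKIPPED: $_" }
```
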

A slightly different remoting method is with the use of Enter-PSSession which will open an interactive session with the remote computer of your choosing.
PS C:\Users\mkerfoot> Enter-PSSession -ComputerName SRV-PSWA
[ SRV-PSWA ] PS C:\ >Get-WmiObject Win32_LogicalDisk | Format-Table -Autosize

DeviceID DriveType ProviderName     FreeSpace          Size VolumeName       
-------- --------- ------------     ---------          ---- ----------       
C:               3               352527327232  479554695168 SSD RAID 0       
E:               3              1079370080256 2000395694080 Kerfoot's Backups
F:               3               499943936000  500109930496 HDD RAID 0       
Z:               5                          0    3406368768 G71-MGD3005      

To exit the remote session type Exit-PSSession or Exit for short.
[ SRV-PSWA ] PS C:\ > Exit-PSSession
PS C:\ >

Monday, January 13, 2014

Find the amount of time it takes to complete a script

Lately I've been running nightly backups against my main computer at midnight every night which got me wondering . . . how long does it take to complete the backup?

Below are a few lines of code that can be added to any script to find out how long it takes your script to complete.

## Begin the timer.
$StartTime = (Get-Date)

## Beginning of code.
hostname ; Get-Counter -Counter "\Memory\Available MBytes" -SampleInterval 1 -MaxSamples 3
## End of code

## Stop timer.
$EndTime = (Get-Date)

## Calculate the number of seconds your code takes to complete.
"Elapsed Time: $(($EndTime - $StartTime).totalseconds) seconds"