let me start off by saying that i first noticed this in the new version of process explorer, one of the new things from sysinternals that i guess MS bought out... also please try to stay out of it if you're just googling stuff that i've likely already read. links from the ms security messageboard would be cool if you've read something i haven't though.

anyways, sometimes on my personal laptop, and only when i bring it back from "sleep" mode (aka whenever i open the laptop after it's been closed a while) there is a process running, svchost.exe -- i know that in itself is not a problem, but one in particular has been bothering me lately.

whenever this thing gets called and is running, it is running almost EXACTLY 1/2 of my CPU (49.47% average). it has about 30 threads, and i have checked out each individual DLL/EXE that is involved with it. i'm no expert on hooking and all that, but it appears that one of the files acts like there is a jump that isn't supposed to be there.

i've seen no network activity linked to this chain of shit. i've seen no UNUSUAL network activity at all. but i have noticed that most of the time, my internet connection turns to shit unless i go in and manually kill the process. as soon as i kill it, all my stuff starts going network happy again. this creates no problem that i can see, so that is my fix for it so far.

just wondering if anyone else has experienced this thing that seems to limit itself to exactly one half of the cpu usage... and that it seems to be related to leaving the computer suspended. all i can think of is some kind of something has masked itself. i've even gone so far as to upload every DLL listed to virscan, virustotal, threatexpert, etc. there seems to be something that sophos detects in one DLL, but that's all i can see. i'm a pretty avid reader of the microsoft security portal and keep on top of the patches and updates and news releases and all that. their rootkit scanner shows nothing, their malware scanner shows nothing, their 'virus' scanner shows nothing, and my scanner (clamAV) shows nothing.

but it's definitely something, may not be harmful - but it does not go away eventually after coming back from sleep. anyone familiar with this? i've got this feeling that my computer becomes a zombie slave to the storm botnet or some crazy shit.
1/22/2008 10:36:20 AM
Which OS?

Is it the net.dll that you're killing to make your internet connection work better again?

Which version of Process Explorer?
1/22/2008 12:43:46 PM
possible Microsoft Update error? not sure if you ran across this or not, but BITS wouldn't show up as unusual network traffic and is typically allowed in the background to run updates. it would explain some of the network crap and the cpu utilization.

another question, i'm assuming it's using 100% of a single core in a dual core machine correct? not 50% of a single core... ?

http://support.microsoft.com/kb/927891/
http://support.microsoft.com/kb/916089
1/22/2008 12:59:49 PM
jay, long time no see dude, hope shit's good in the legion of l33t

it's vista home premium (32) [build 6xxx]. it's basically 6000 straight out the factory with all the buildons i could find up to and including what was supposedly included in sp1 (all the bugfixes with the drive access time estimates, all the security patches, etc etc). the machine runs perfectly except for this little flaw, and i'm not convinced it's a bad thing. i just worry, i'd hate to have some shit going on behind my back on here that could look like i'm doing it.

version is PE v11.04

and what i'm killing is the whole svchost.exe, so it's killing a ton of threads with it. not sure exactly which one. i'll see if net.dll is in there. it seems like the suspicious one was labeled as an nt kernel blah blah, i forget exactly. it hasn't done it since i made the thread cause i try not to close the laptop unless i have to (i hide it in the closet when i leave most times so i can tunnel in). let me know if you have any ideas.

prospero, that's an interesting suggestion. it is a dual, and i don't have PE set up to show which cpu is burning (it may be a setting). i'll grab some widget tomorrow and test it all out, i'll check out your fix. i may have an issue with windows update. i THOUGHT i turned it off cause it started grabbing old video and nic drivers for my stuff... and i just check for essentials every day when i check my email. but maybe i didn't turn it off. i'll let you know if that works
1/23/2008 11:05:33 PM
Unless you have office installed, it's not going to be the problem Prospero has outlined.

If you have Office installed, I'll bet at least an 80% chance that is the problem. I've had to disable Microsoft Update on at least a dozen computers in the past year or two. Vista and XP.
1/24/2008 2:13:36 AM
1/24/2008 11:04:20 AM
When you're using Process Explorer, towards the top there should be an entry for Deferred Procedure Calls (DPC) in all of the processes. Is this running high by any chance?

When you open Process Explorer and see the SVCHOST.EXE running with such a high %, if you hover over it with your mouse, what services does it show as being controlled by the SVCHOST.EXE process? - alternately, you should be able to get the affected PID and type "tasklist /svc" from the command line and match up services and PID for this instance. (Having never even *seen* Vista, I presume it's the same).

What authority (User Name) is the SVCHOST.EXE running as for this instance?

You may want to do a search for SVCHOST.EXE on your system and see if it resides anywhere except here:
C:\Windows\System32
C:\Windows\ServicePackFiles\i386
C:\Windows\$NtServicePackUninstall$
C:\I386

Again, this is XP/2003 specific nomenclature, so I am not sure if it matches or helps.

Last thing I would try, if you aren't using the modem, is to turn off the Telephony service under services.msc as I've heard/read about issues such as this before and this turned out to be the culprit.
1/24/2008 5:44:09 PM
Whenever I see something like that I have people run rootkitrevealer (also one of the sysinternals tools MS bought) just to be safe. When you open up the properties of the specific svchost instance that is using up the proc in process explorer, which services are associated with it? I'd also check the command line the instance of svchost was started with to see if there wasn't something nasty appended to it.

If this is a lenovo, I've seen access connections freak out and spike the proc on a single core after waking up from sleep. I've also seen the windows update database get messed up and spike the processor, but it usually crashes after a few minutes (at least on XP).
1/24/2008 7:44:46 PM
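The two replies above describe the same triage by hand: match the busy svchost.exe PID to the services it hosts (what "tasklist /svc" gives you), note the account it runs as, confirm the image is the one in System32, and look at the command line it was started with. The script below does that in one pass; it is an added example written for this thread, not something any of the posters ran, and it assumes Windows PowerShell 3.0 or later (for the CIM cmdlets) and an elevated prompt so the command line and owner of SYSTEM services are readable.

```powershell
# Added example (not from the thread): triage every svchost.exe instance the way the
# posts above suggest. Assumes Windows PowerShell 3.0+ and an elevated prompt.

$expectedImage = Join-Path $env:windir 'System32\svchost.exe'

# Running services grouped by the PID of the process hosting them (the "tasklist /svc" view).
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc   = $_
    $owner  = Invoke-CimMethod -InputObject $proc -MethodName GetOwner   # Domain\User it runs as
    $hosted = $servicesByPid["$($proc.ProcessId)"]                       # services in this host

    # Things worth flagging for a closer look (a flag is a lead, not a verdict):
    #  - image path is not %windir%\System32\svchost.exe (the "anywhere except here" check)
    #  - command line carries no "-k <group>" argument, which a real service host always has
    #  - the process hosts no service at all
    $pathOk  = $proc.ExecutablePath -and ($proc.ExecutablePath -ieq $expectedImage)
    $groupOk = $proc.CommandLine -match '(?i)\s-k\s+\S+'
    # Kernel+user time is in 100 ns units; this is cumulative CPU, not the current percentage.
    $cpuSec  = [math]::Round(($proc.KernelModeTime + $proc.UserModeTime) / 1e7, 1)

    [pscustomobject]@{
        PID         = $proc.ProcessId
        CPUSeconds  = $cpuSec
        Account     = "$($owner.Domain)\$($owner.User)"
        PathOK      = [bool]$pathOk
        HasKGroup   = [bool]$groupOk
        Services    = ($hosted | ForEach-Object { $_.Name }) -join ', '
        CommandLine = $proc.CommandLine
    }
} | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize -Wrap

# The "does svchost.exe live anywhere else?" search from the same post. Slow on a large
# drive; on 64-bit Windows, SysWOW64 and WinSxS also hold legitimate copies.
Get-ChildItem -Path "$env:SystemDrive\" -Filter svchost.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $expectedImage } |
    Select-Object FullName, Length, LastWriteTime
```

Compare the Services column of the instance that is pegging a core with what Process Explorer shows on hover; an instance with PathOK false, no -k group, or no hosted services is the one to hand to a rootkit scanner first.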
1/25/2008 12:14:50 PM
It's the problem Prospero described then, I will bet anything on it.

Microsoft Update has a known issue that causes this. You need to disable it and move back to Windows Update.

Microsoft Update = Windows Update + Office Update basically.

And I can't tell you how many (#$*&% hours of time I lost trying to track down why this was happening, and never could find an actual answer. Just followed the instructions above and everything worked great from there.
1/25/2008 1:10:05 PM
1/25/2008 9:14:35 PM
just the mention of the LOL scares the nasties away

i actually had it come up for a minute today and tried to get screenshots. it looks like the DNS client service might be the one i need to be looking at, but there are like 48 threads i think, looks like i underestimated at first.

and it would make a lot of sense... but i still haven't had it come back long enough to play with it, but i'm gonna try to use some ip addresses instead of hostnames while it's spiked and see what happens. if i can catch a connection that way, i'm going with that route to find the solution. otherwise i'll just blindly do what prospero said. cause, hell, if it works, then i don't care at this point. as noen implied, there's only a certain amount of time you can waste trying to "learn why" shit happens before you're just obsessing over some silly knowledge that's never gonna benefit you in the future. no matter how bad you wanna crack the case of the superspike!

as for the windows/ms update thing. i use windows update. but that's not even on auto mode, cause of what i said about it downloading old shit and writing over my good drivers. it took me a while to get the video and the wireless NIC working like i wanted, and that stupid updater would take me back to 5 drivers ago. think that's still a problem? i'm not getting what you mean by disable it, when it is essentially on manual mode.

anyways i did find an old text file that i had saved some notes in, and i had tracked something to here before: 0x000912FE @ ntkrnlpa.exe

[Edited on January 27, 2008 at 1:58 AM. Reason : /]
1/27/2008 1:55:14 AM
i kick it rootkit
1/27/2008 2:23:42 AM
1/27/2008 4:42:56 AM
well this is my first new laptop. and unlike a desktop where i've had 20 and know all about the hardware... i know i can just go get a new monitor when the old one dies, etc-- i'm not so sure about replacing the screen or the hdd or the processor in this thing. i'd imagine a lot isn't much different, but i still don't want to cross that bridge till i come to it.

plus, although this computer is used for most of the day, even when i'm not home... i kinda try to take care of it (let it sleep when i'm going out and don't need access, turn it off when i go to bed, etc)

i guess since i never had one before i treat it like it's worth more than it really is, if that makes sense.
1/29/2008 9:19:05 PM
well, i'm gonna go ahead and close this one and split the points between everyone who replied with a remotely technical answer cause it has disappeared. and i can't recreate it. sucks, cause i really was interested in it. and i was really hoping i could use it to carry some lame homemade UBAR HAX PAYLOAD and get the world on the folding at home team!!1 and turn my thumbdrive into a virus insertion tool of doom!!1

/thread
1/31/2008 8:35:40 PM
h4xcat saved you
1/31/2008 9:28:16 PM