
Thread: Something flakey going around...generic host process and svchost errors..

  1. #1
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,908

    Something flakey going around...generic host process and svchost errors..

    ...when people reboot their machines. In the past week...got a couple of calls. Ignore the error windows (just slide them out of the way)...and people can continue to work. If you click OK or whatever on the windows...it shuts down networking services.

    Talking my usual build machines, and ones that came out of a Dell box within one month ago. (meaning, behind NAT, all windows and office updates, Spybot updated 'n immunized, NOD32 antivirus, no blank local admin password, etc)

    Got a couple of calls so far...system restore doesn't work, tcp/winsock rebuild doesn't work, the 2x Microsoft hot fixes from this similar error a year ago doesn't work. Arrggg....

    Something's quietly floating around the 'net...rootkit or something..not good.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  2. #2
    Elite Member Norm's Avatar
    Join Date
    Mar 2001
    Posts
    14,133
    Not sure if it's related YOSC, but try disabling Windows automatic updating, and also disable the Automatic update service.

    I've had a couple of infected machines here the past week, and both of them had a svchost process taking cpu cycles to 100%. After investigating it turned out to be the auto update service. Still trying to figure out why that service has gone haywire. Possibly a MS update?

  3. #3
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,908
    Quote Originally Posted by Norm
    Possibly a MS update?
    Possibly...honestly I've not had a Windows Update tank me or my clients in the past. I know some users experienced that IE related one in Aug..but most of my clients are XP..and naturally they'd all have SP2..which the Aug one didn't affect.

    But this one may have been...it does have me curious..2x clients so far, same exact symptoms...but different networks...different states even. One on a domain, the other on a peer to peer. Both 1x month old Dells.

    Combined with the resurfacing of this symptom in some other threads in the security forum, and on a few other forums. Seems like it's spreading this week.

    I'll have them try to disable that auto update service for now..see how it goes. Tnx Norm
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  4. #4
    Certified SG Addict CableDude's Avatar
    Join Date
    Jun 2001
    Posts
    26,786
    I'll keep an eye out.

  5. #5
    SG Enthusiast koldchillah's Avatar
    Join Date
    Apr 2002
    Location
    Orlando, FL
    Posts
    4,609
    What's the error say?
    "Nobody's invincible, no plan is foolproof, We all must meet our moment of truth." - Guru

  6. #6
    Dr Tweak mnosteele52's Avatar
    Join Date
    Jul 2001
    Location
    Chesapeake, VA
    Posts
    11,912
    It is a MS update, I'll have to look for the reference to it but I have seen this as well.


  7. #7
    Certified SG Addict CableDude's Avatar
    Join Date
    Jun 2001
    Posts
    26,786
    Quote Originally Posted by mnosteele52
    It is a MS update,

    oooohhh great. Better quit while I'm ahead or something.

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    12

    Angry

    Using XP Pro and Auto Updates turned ON...

    This is, as far as I know, a very clean machine. I use AVG Pro set to scan and update daily, and the drives get defragged every night using Diskeeper.
    I also use at all times and regularly update Spybot Search & Destroy, and keep the Windows security settings and firewall set to at least the recommended levels.

    My system pw is set (NOT default) as well as my Linksys router. Machine is a custom-built Celeron with a decent ASUS mobo and 1 GB of RAM.


    I have had this svchost phenomenon occur for some months now. At startup and every 12 hours like clockwork, svchost (usually a lower id number) generic host process kicks in and for 10-12 minutes uses 100% cpu and 80-90% of resources doing "something" (I installed and am going by Sysinternals Process Explorer info). I haven't noticed if all networking is lost (i.e. with my networked laptop) but I do know that I can't access the internet while it is going thru this rigmarole.

    Windows update HAS always been turned on to "Auto". Windows updated itself last night (update did not state that it needed a restart) and this morning one of these svchost sessions started and went on for about 20 minutes till I got tired of waiting for it and did a regular system shutdown (Windows managed to shut itself down without me having to pull the power plug or doing a double 3 finger salute). Besides being generally aggravated I was wondering if Windows really did need a restart.

    In any case I turned off the machine and rebooted with no problem except what has become the norm of Windows needing to take about 15 minutes to completely start (it does this svchost dance at startup and every 12 hours based upon the startup time).

    I contacted MS earlier this year about this and the CSR sent me a file to run:
    an archive named 227100_ENUi386_zip.exe that contains two files: WindowsXP-KB890582-x86-ENU.exe and WindowsXP-KB890582-x86-Symbols-ENU.exe and a folder named "Symbols" that contains several folders as follows: Folder named sp2qfe containing folder named "retail" that contains two folders: "dll" which contains a file named user32.pdb and another folder (at the same level as "dll") containing a file named win32k.pdb.

    The above mentioned package was "supposed" to correct this svchost problem. Seems like before that the machine would randomly go into this mode several times a day, but I wasn't paying that much attention other than to notice I couldn't get on the web. The CSR did say it was "normal" for Windows to take 15-20 min to get started up properly.

    I have turned off Auto updates; let's see how it goes.

    If anyone is a Windows under-the-hood specialist and wants me to try to save the output of the Sysinternals Process Explorer and send a log file (have to look and see if this is actually possible) in the interest of investigating and resolving this nuisance, please let me know.

    It's annoying to have to stop whatever I am doing for 10-15 minutes when this little dance stops; it's gotten to where I arrange my day around it.

    RH
    Last edited by rrhobbs; 09-27-06 at 10:32 AM.

  9. #9
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,908
    Beginning to think the issues my 2 clients had were related to Dells..as they both had Dells, most of my clients are HPs and IBMs. So that leaves hundreds and hundreds of other clients who I have my standard setup on..which did not have this issue..and auto-windows update running.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  10. #10
    Junior Member
    Join Date
    Jan 2005
    Posts
    12
    Well, I should find out tonight around 9pm (9am when I rebooted this morning) whether turning off auto updates makes any difference.

    I also applied the following reg tweak:
    http://support.microsoft.com/default...B;EN-US;317843

    found here:
    http://www.experts-exchange.com/Oper..._20947897.html

  11. #11
    Junior Member
    Join Date
    Jan 2005
    Posts
    12
    9:38 pm nope. It wasn't the auto updates. svchost is wailing away. Hope it's only 10-15 min.

  12. #12
    Second Most EVIL YARDofSTUF's Avatar
    Join Date
    Nov 2000
    Location
    USA
    Posts
    69,992
    Quote Originally Posted by rrhobbs
    9:38 pm nope. It wasn't the auto updates. svchost is wailing away. Hope it's only 10-15 min.

    Well first off, Welcome to SG!

    Only time I've seen svchost go crazy, it's from junk related to adware or spyware.

    Are you familiar with HijackThis? Would be nice to see a log of it.

    http://www.spywareinfo.com/~merijn/p...php#hijackthis

    Also go to start > run > msconfig and look for odd junk there, like 8 letters or more of random letters.

  13. #13
    Elite Member Norm's Avatar
    Join Date
    Mar 2001
    Posts
    14,133
    rrhobbs,

    Did you also go into services and disable the automatic update service?

    Using a process explorer myself, I found that the svchost that was using 100% cpu cycles was 'only' being used to run the autoupdates. Strange though, (possibly normal) it was running two instances of the same file.

    - A word of advice if I may as well.....defragging can become necessary over time, but there is no need to do it daily. It will work the HD hard and lessen its lifespan.


    YOSC, if it means anything...
    The two machines I found the problem on were 1. A Dell, and 2. an IBM
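
The check Norm describes above (finding out which services a busy svchost instance is hosting) can also be done from a PowerShell prompt. This is an added example, not part of any post in the thread; it assumes a Windows version with PowerShell 3.0 or later for `Get-CimInstance`, which is newer than the XP machines discussed here.

```powershell
# Added example: list every svchost.exe instance with its accumulated CPU time,
# image path and the services it hosts, busiest first.
# Run elevated; without elevation ExecutablePath and CommandLine may be empty.

# Legitimate image locations (SysWOW64 holds the 32-bit copy on 64-bit Windows).
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $hosted = $servicesByPid["$($_.ProcessId)"]

    # KernelModeTime and UserModeTime are reported in 100-nanosecond units.
    $cpuSeconds = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)

    # Path check: unknown when the path could not be read, otherwise ok/unexpected.
    $pathState = if (-not $_.ExecutablePath) { 'unknown' }
                 elseif ($expectedPaths -contains $_.ExecutablePath) { 'ok' }
                 else { 'unexpected' }

    [pscustomobject]@{
        Id         = $_.ProcessId
        CpuSeconds = $cpuSeconds
        PathState  = $pathState
        Path       = $_.ExecutablePath
        Services   = ($hosted.Name -join ', ')
    }
} | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize -Wrap
```

An instance with high `CpuSeconds` points at the services to look into first; an instance with no hosted services or a `PathState` of `unexpected` deserves a closer look before anything else.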

  14. #14
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,908
    I tried killing the autoupdate Norm..didn't make my clients' issue go away.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  15. #15
    Elite Member Norm's Avatar
    Join Date
    Mar 2001
    Posts
    14,133
    Quote Originally Posted by YeOldeStonecat
    I tried killing the autoupdate Norm..didn't make my clients' issue go away.
    Maybe our two problems are unrelated.

    Have you used Process Explorer to check what files the bad svchost is using?

  16. #16
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,908
    Quote Originally Posted by Norm
    Maybe our two problems are unrelated.

    Have you used Process Explorer to check what files the bad svchost is using?
    Yeah..probably quite a few possible causes for it. These two clients aren't easy to get to, each over an hour away..haven't been able to go there to roll up my sleeves and dig into it (such as run process explorer).
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  17. #17
    Junior Member
    Join Date
    Jan 2005
    Posts
    12
    I disabled auto updates from the Windows security settings, didn't do it from the control panel/services manager. I'll try that.

    I did d/l and run HijackThis. That's some powerful stuff, kinda scary. In the thread on nukecops I read, the poor bloke seemed like he ran it and killed all his settings and system customizations (even the good ones); he messed up his Norton and had to reinstall it and goodness knows what else. So I ran it and took a look at the logfile, didn't see much unusual and didn't change anything.

    Most of what I see going on in Process Explorer while this little dance goes on seems like RPC related stuff, like it's resetting the dns or something (?)

    I don't think it is, but I would really like to be absolutely sure I am not phoning home twice a day to some eastern bloc country with stuff like all my passwords and the credit card numbers I have used to buy stuff online and the cached pages of when I have gone online to look at my bank account!

    LOL

    Thanks for all the input y'all. Maybe some bored MS MVP will stumble across this thread and tell us all what this is all about?

    RH

  18. #18
    Quote Originally Posted by rrhobbs

    Thanks for all the input y'all. Maybe some bored MS MVP will stumble across this thread and tell us all what this is all about?

    RH

    That would be Norm.... I Hope your issue gets resolved.

  19. #19
    Junior Member
    Join Date
    Jan 2005
    Posts
    12
    Wasn't aware we were so privileged.

    I am honored and humbled.

    Mr. Norm if you are out there I would be honored and eternally grateful as to your opinion regarding the phenomenon I have been experiencing per previous posts in this thread.

    beaucoup thanks
    RH

  20. #20
    Quote Originally Posted by rrhobbs
    Wasn't aware we were so privileged.

    I am honored and humbled.

    Mr. Norm if you are out there I would be honored and eternally grateful as to your opinion regarding the phenomenon I have been experiencing per previous posts in this thread.

    beaucoup thanks
    RH
    There are 2 here ...Norm and TonyT. Both are wizards. I'm certain they can help.
