 Message Boards » » anyone else had this problem (virus/rootkit?) Page [1]  
jackleg
All American
170957 Posts

let me start off by saying that i first noticed this in the new version of process explorer, one of the new things from sysinternals that i guess MS bought out... also please try to stay out of it if you're just googling stuff that i've likely already read. links from the ms security messageboard would be cool if you've read something i havent though

anyways, sometimes on my personal laptop, and only when i bring it back from "sleep" mode (aka whenever i open the laptop after its been closed a while) there is a process running, svchost.exe -- i know that in itself is not a problem, but one in particular has been bothering me lately

whenever this thing gets called and is running, it is running almost EXACTLY 1/2 of my CPU (49.47% average). it has about 30 threads, and i have checked out each individual DLL/EXE that is involved with it. i'm no expert on hooking and all that, but it appears that one of the files acts like there is a jump that isnt supposed to be there.

ive seen no network activity linked to this chain of shit. i've seen no UNUSUAL network activity at all. but i have noticed that most of the time, my internet connection turns to shit unless i go in and manually kill the process. as soon as i kill it, all my stuff starts going network happy again. this creates no problem that i can see, so that is my fix for it so far.

just wondering if anyone else has experienced this thing that seems to limit itself to exactly one half of the cpu usage... and that it seems to be related to leaving the computer suspended. all i can think of is some kind of something has masked itself. i've even gone so far as to upload every DLL listed to virscan, virustotal, threatexpert, etc. there seems to be something that sophos detects in one DLL, but thats all i can see.

i'm a pretty avid reader of the microsoft security portal and keep on top of the patches and updates and news releases and all that. their rootkit scanner shows nothing, their malware scanner shows nothing, their 'virus' scanner shows nothing, and my scanner (clamAV) shows nothing.

but its definitely something, may not be harmful - but it does not go away eventually after coming back from sleep. anyone familiar with this? ive got this feeling that my computer becomes a zombie slave to the storm botnet or some crazy shit.

1/22/2008 10:36:20 AM

drhavoc
All American
3759 Posts

Which OS?

Is it the net.dll that you're killing to make your internet connection work better again?

Which version of Process Explorer?

1/22/2008 12:43:46 PM

Prospero
All American
11662 Posts

possible Microsoft Update error? not sure if you ran across this or not, but BITS wouldn't show up as unusual network traffic and is typically allowed in the background to run updates, it would explain some of the network crap and the cpu utilization

another question, i'm assuming it's using 100% of a single core in a dual core machine correct? not 50% of a single core... ?

http://support.microsoft.com/kb/927891/
http://support.microsoft.com/kb/916089

Quote :
"The first step may not apply if you don't have Microsoft Update installed:
Go to Windows Update.
On the left side, click the link "Change settings".
Check the box "Disable Microsoft Update software and let me use Windows Update only".
Click "Apply changes now".

Now, onto the slightly technical part:
Right click My Computer and click Manage.
Click the + next to Services and Applications.
Click Services.
Right click Automatic Update and choose Stop. Keep this window open, as you'll need to come back for the last step.
Open up Windows Explorer and browse to %WinDir%\SoftwareDistribution\DataStore. Note: %WinDir% is usually C:\Windows or C:\WinNT
Delete the contents of DataStore.
Lastly, go back to the Computer management window and right click Automatic Update and choose Start.
No reboots are necessary and I'd be very surprised if this doesn't fix the issue with SVCHost.exe running 100% CPU time."


[Edited on January 22, 2008 at 1:00 PM. Reason : .]

[Edited on January 22, 2008 at 1:01 PM. Reason : .]

1/22/2008 12:59:49 PM

jackleg
All American
170957 Posts

jay, long time no see dude, hope shit's good in the legion of l33t. its vista home premium (32) [build 6xxx], basically 6000 straight out the factory with all the buildons i could find up to and including what was supposedly included in sp1 (all the bugfixes with the drive access time estimates, all the security patches, etc etc). the machine runs perfectly except for this little flaw, and im not convinced its a bad thing. i just worry, i'd hate to have some shit going on behind my back on here that could look like i'm doing it

version is PE v11.04

and what im killing is the whole svchost.exe, so its killing a ton of threads with it. not sure exactly which one. i'll see if net.dll is in there. it seems like the suspicious one was labeled as an nt kernel blah blah, i forget exactly. it hasnt done it since i made the thread cause i try not to close the laptop unless i have to (i hide it in the closet when i leave most times so i can tunnel in). let me know if you have any ideas



prospero, thats an interesting suggestion. it is a dual, and i dont have PE set up to show which cpu is burning (it may be a setting). i'll grab some widget tomorrow and test it all out, i'll check out your fix. i may have an issue with windows update. i THOUGHT i turned it off cause it started grabbing old video and nic drivers for my stuff... and i just check for essentials every day when i check my email. but maybe i didnt turn it off

i'll let you know if that works

1/23/2008 11:05:33 PM

Noen
All American
31346 Posts

Unless you have office installed, it's not going to be the problem Prospero has outlined.

If you have Office installed, I'll bet at least an 80% chance that is the problem. I've had to disable Microsoft Update on at least a dozen computers in the past year or two. Vista and XP.

1/24/2008 2:13:36 AM

Prospero
All American
11662 Posts

Quote :
"Unless you have office installed, it's not going to be the problem Prospero has outlined.

If you have Office installed, I'll bet at least an 80% chance that is the problem."


so what is it? no chance? or 20% chance?

the Microsoft Update is the only thing i could think of...

[Edited on January 24, 2008 at 11:05 AM. Reason : .]

1/24/2008 11:04:20 AM

drhavoc
All American
3759 Posts

When you're using Process Explorer, towards the top there should be an entry for Deferred Procedure Calls (DPC) in all of the processes. Is this running high by any chance?

When you open Process Explorer and see the SVCHOST.EXE running with such a high %, if you hover over it with your mouse, what services does it show as being controlled by the SVCHOST.EXE process?

- alternatively, you should be able to get the affected PID and type "tasklist /svc" from the command line and match up services and PID for this instance. (Having never even *seen* Vista, I presume it's the same).

What authority (User Name) is the SVCHOST.EXE running as for this instance?

You may want to do a search for SVCHOST.EXE on your system and see if it resides anywhere except here:

C:\Windows\System32
C:\Windows\ServicePackFiles\i386
C:\Windows\$NtServicePackUninstall$
C:\I386

Again, this is XP/2003 specific nomenclature, so I am not sure if it matches or helps.

Last thing I would try, if you aren't using the modem, is to turn off the Telephony service under services.msc as I've heard/read about issues such as this before and this turned out to be the culprit.

1/24/2008 5:44:09 PM

GonzoBill
Veteran
122 Posts

Whenever I see something like that I have people run rootkitrevealer (also one of the sysinternals tools MS bought) just to be safe. When you open up the properties of the specific svchost instance that is using up the proc in process explorer, which services are associated with it? I'd also check the command line the instance of svchost was started with to see if there wasn't something nasty appended to it.

If this is a lenovo, I've seen access connections freak out and spike the proc on a single core after waking up from sleep. I've also seen the windows update database get messed up and spike the processor, but it usually crashes after a few minutes (at least on XP).

1/24/2008 7:44:46 PM
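The checks drhavoc and GonzoBill describe above (which services a given svchost.exe hosts, what account it runs as, whether the image sits anywhere but System32, and what command line it was started with), as an added PowerShell triage script that is not from this thread. It assumes Windows PowerShell 2.0 or later, a default install where the stock image is %SystemRoot%\System32\svchost.exe, and an elevated prompt (otherwise the path and command line of SYSTEM-owned processes read back empty).

```powershell
# Added triage script (not from the thread). Lists every svchost.exe instance
# with owner, image path, command line, CPU seconds and hosted services, and
# flags what does not look like the stock service host. Assumes PowerShell 2.0+
# and an elevated prompt; the stock path below is an assumed default install.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
$services     = Get-WmiObject Win32_Service
# Stock invocation is "svchost.exe -k <group>"; newer builds append "-p -s <service>".
# Anything else on the line is what GonzoBill's command-line check is looking for.
$stockCmd = '^"?[^"]*svchost\.exe"?\s+-k\s+\S+(\s+-p)?(\s+-s\s+\S+)?\s*$'

Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc  = $_
    $id    = $proc.ProcessId            # $PID is an automatic variable, so use $id
    $owner = $proc.GetOwner()
    $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unreadable>' }
    # Services whose ProcessId matches: this is the same list Process Explorer shows on hover.
    $hosted = @($services | Where-Object { $_.ProcessId -eq $id } | ForEach-Object { $_.Name })
    $cpu    = (Get-Process -Id $id -ErrorAction SilentlyContinue).CPU

    $flags = @()
    # The stock image lives only in System32; a copy anywhere else deserves a look.
    if (-not $proc.ExecutablePath) { $flags += 'path-unreadable' }
    if ($proc.ExecutablePath -and $proc.ExecutablePath -ne $expectedPath) { $flags += 'odd-path' }
    if ($proc.CommandLine -and $proc.CommandLine -notmatch $stockCmd) { $flags += 'odd-cmdline' }
    # A real service host hosts services and runs as one of the three service accounts.
    if ($hosted.Count -eq 0) { $flags += 'no-services' }
    if ($user -notmatch '^NT AUTHORITY\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$') { $flags += 'odd-owner' }

    New-Object PSObject -Property @{
        PID = $id; User = $user; CPUsec = $cpu; Flags = ($flags -join ',')
        Services = ($hosted -join ', '); Path = $proc.ExecutablePath; CmdLine = $proc.CommandLine
    }
} | Sort-Object CPUsec -Descending | Format-Table PID, CPUsec, User, Flags, Services, Path -AutoSize
```

Run it while the spike is happening: the top row is the instance burning the core, and its Services column tells you which service group (DNS Client, Automatic Updates/BITS, Telephony, and so on) to look at next. Pipe the output to a file and diff it against a run taken when the machine is idle to see what changed after a resume.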

jackleg
All American
170957 Posts

Quote :
"When you open Process Explorer and see the SVCHOST.EXE running with such a high %, if you hover over it with your mouse, what services does it show as being controlled by the SVCHOST.EXE process?"


Quote :
"When you open up the properties of the specific svchost instance that is using up the proc in process explorer, which services are associated with it? I'd also check the command line the instance of svchost was started with to see if there wasn't something nasty appended to it."


maybe i didn't make it totally clear in my first post, but i spent a good deal of time one night tracking each thread, each service, etc, and making sure they were in their normal location. i've followed each potential dll/exe/etc all the way down to the file and verified file size/location/even the hashes for a lot of them (drhavoc, you're right, vista has moved SOME stuff around, but its mostly application data and stuff [that ive noticed]. there are also some really interesting wormholes built in, but thats a different story). i've written down PIDs, in both PE and command line and killed the process and seen every related pid die. and like i said, i've even gone so far as to upload most of the files associated with the particular instance of SVCHOST to some of the sites that scan them with 20some scanners, match them with existing/known malware, etc, etc etc. also did the rootkit scanner thing that gonzobill mentioned.

noen: i do have office installed, and all my software is legit. does that mean i fall in the 20% that won't have this "bug" with the updater?

also, i couldn't find a DPC checkbox anywhere in the columns definition section.

but lastly, it seems that none of this matters anyways [for now] because i still haven't seen a spike since i started this thread (which is odd). i leave the computer open when i'm not home, but i do close it on my way to bed. (it sleeps when i do, how cute) -- anyways, i've tried to shut it and open it and fuck with it to cause the spike again (which btw gonzobill, it would run all day if i let it, it does not crash the computer ever, and its not a lenovo.. its from their rival)

so i guess the point is this: i appreciate all the help and ideas. i've tried a few before coming here, but there are a bunch of good ideas and bugs that i wasnt aware of. the problem is that it has gone away (if you call that a problem, but i was really wanting to figure out what it was)

i think it is self-aware, and saw me make the thread and went into hiding. but if it comes back, i'll get you guys some more detailed info on the services and threads and possible tcp/udp connections

thx

1/25/2008 12:14:50 PM

Noen
All American
31346 Posts

It's the problem Prospero described then, I will bet anything on it.

Microsoft Update has a known issue that causes this. You need to disable it and move back to Windows Update.

Microsoft Update = Windows Update + Office Update basically.

And I can't tell you how many (#$*&% hours of time I lost trying to track down why this was happening, and never could find an actual answer. Just followed the instructions above and everything worked great from there.

1/25/2008 1:10:05 PM

drhavoc
All American
3759 Posts

Quote :
"i think it is self-aware, and saw me make the thread and went into hiding. but if it comes back, i'll get you guys some more detailed info on the services and threads and possible tcp/udp connections"


More like "teh legion of l33t in on my tip, yo, I best ta ackrite, nahmean?"

1/25/2008 9:14:35 PM

jackleg
All American
170957 Posts

just the mention of the LOL scares the nasties away

i actually had it come up for a minute today and tried to get screenshots. it looks like the DNS client service might be the one i need to be looking at, but there are like 48 threads i think, looks like i underestimated at first.

and it would make a lot of sense... but i still havent had it come back long enough to play with it, but i'm gonna try to use some ip addresses instead of hostnames while its spiked and see what happens. if i can catch a connection that way, i'm going with that route to find the solution. otherwise i'll just blindly do what prospero said. cause, hell, if it works, then i don't care at this point. as noen implied, there's only a certain amount of time you can waste trying to "learn why" shit happens before you're just obsessing over some silly knowledge thats never gonna benefit you in the future. no matter how bad you wanna crack the case of the superspike!

as for the windows/ms update thing. i use windows update. but thats not even on auto mode, cause of what i said about it downloading old shit and writing over my good drivers. it took me a while to get the video and the wireless NIC working like i wanted, and that stupid updater would take me back to 5 drivers ago. think thats still a problem? im not getting what you mean by disable it, when it is essentially on manual mode

anyways i did find an old text file that i had saved some notes in, and i had tracked something to here before:
0x000912FE @ ntkrnlpa.exe

[Edited on January 27, 2008 at 1:58 AM. Reason : /]

1/27/2008 1:55:14 AM

Mr Scrumples
Suspended
61466 Posts

i kick it rootkit

1/27/2008 2:23:42 AM

drunknloaded
Suspended
147487 Posts

Quote :
"aka whenever i open the laptop after its been closed a while"



automatically made me wonder "why doesnt he just set it to never sleep"

1/27/2008 4:42:56 AM

jackleg
All American
170957 Posts

well this is my first new laptop. and unlike a desktop where i've had 20 and know all about the hardware... i know i can just go get a new monitor when the old one dies, etc-- im not so sure about replacing the screen or the hdd or the processor in this thing. i'd imagine a lot isnt much different, but i still dont want to cross that bridge till i come to it

plus, although this computer is used for most of the day, even when i'm not home... i kinda try to take care of it (let it sleep when i'm going out and don't need access, turn it off when i go to bed, etc)

i guess since i never had one before i treat it like its worth more than it really is, if that makes sense.

1/29/2008 9:19:05 PM

jackleg
All American
170957 Posts

well, i'm gonna go ahead and close this one and split the points between everyone who replied with a remotely technical answer

cause it has disappeared. and i cant recreate it. sucks, cause i really was interested in it. and i was really hoping i could use it to carry some lame homemade UBAR HAX PAYLOAD and get the world on the folding at home team!!1 and turn my thumbdrive into a virus insertion tool of doom!!1


/thread

1/31/2008 8:35:40 PM

bous
All American
11215 Posts

h4xcat saved you

1/31/2008 9:28:16 PM

© 2024 by The Wolf Web - All Rights Reserved.