svchost.exe consuming GB's of private bytes


  • Wednesday, August 08, 2012 5:47 AM
     
     

    Hi Guys,

    We have two Windows 2008 R2 servers that are experiencing massive memory paging by svchost.exe. It takes around 6 hours, but one of the svchost.exe processes will consume more than 10GB of private bytes, using all the page file (and disk) causing an error 2004 in the event log.

    I believe this has something to do with a recent Windows Update.

    Any ideas to track this down? Under the process I cannot see any child processes. 

All Replies

  • Wednesday, August 08, 2012 5:59 AM
     
     

    Hi,

    Please check

    Detecting Low Virtual Memory Conditions in Windows 2008 and R2

    http://blogs.technet.com/b/mikelag/archive/2010/09/04/detecting-low-virtual-memory-conditions-in-windows-2008.aspx

    Event ID 2004 — Resource Exhaustion Detector

    http://technet.microsoft.com/en-us/library/cc774731(v=ws.10).aspx

    Thx


    Please give credit to the contributor who really helped you with the issues.

  • Wednesday, August 08, 2012 6:01 AM
     
     

    Both don't help. First link is for Exchange servers, which this isn't. One is a DC, other is a web server. I know what the error means, I want to know why svchost.exe has suddenly started consuming huge amounts of memory.


    • Edited by infused Wednesday, August 08, 2012 6:01 AM
  • Wednesday, August 08, 2012 6:06 AM
     
     

    For RCA, you might want to involve MS PSS by creating a support request.

    Meantime, you may try using Process Explorer.


    Please give credit to the contributor who really helped you with the issues.

  • Wednesday, August 08, 2012 6:11 AM
     
     

    For RCA, you might want to involve MS PSS by creating a support request.

    Meantime, you may try using Process Explorer.


    Please give credit to the contributor who really helped you with the issues.

    Yep. Tried that... I just can't see much going on...
  • Wednesday, August 08, 2012 8:12 AM
     
     

    Disable the AV for a while on the DC and check how it behaves. If it doesn't solve the issue, you can also perform a clean boot and check the issue.


    http://www.arabitpro.com


  • Wednesday, August 08, 2012 9:14 AM
     
     

    Disable the AV for a while on the DC and check how it behaves. If it doesn't solve the issue, you can also perform a clean boot and check the issue.


    http://www.arabitpro.com


    FYI, neither server has AV. Done clean boot, same issue.
  • Wednesday, August 08, 2012 8:32 PM
     
     

    This is what I'm seeing:


  • Thursday, August 09, 2012 7:55 AM
     
     
    Double-click the svchost.exe, go to the services, and please let us know which services you have running there.

    http://www.arabitpro.com

    • Marked As Answer by infused Thursday, August 09, 2012 10:20 PM
    • Unmarked As Answer by infused Monday, August 13, 2012 1:38 AM
  • Thursday, August 09, 2012 10:10 PM
     
     
    Double-click the svchost.exe, go to the services, and please let us know which services you have running there.

    http://www.arabitpro.com

    Found the issue.

    The services were Event Log. Looking at the event log we noticed thousands of Security messages on the Security Event Log. Checking the domain group policy, we found that someone had enabled auditing on everything, failure and success. They had also set each event log to 1 GB. So, we reverted all this to Windows defaults, reset the process and the problem has gone away.

    What's the best way to track changes made like this so we can track down who changed this in future?

    Thanks for all the help.


    • Edited by infused Thursday, August 09, 2012 10:11 PM
    • Marked As Answer by infused Thursday, August 09, 2012 10:20 PM
    • Unmarked As Answer by infused Monday, August 13, 2012 1:38 AM
  • Sunday, August 12, 2012 10:36 PM
     
     
    Just letting you know this problem has now happened on another server. Settings are completely different (Default Domain Policy) so nothing with the event log is configured through group policy. Same service grew and used all available disk. There has to be a Windows update that has caused this. These problems have only arisen after the latest patches.
  • Monday, August 27, 2012 11:41 PM
     
     
    I am having this same exact issue on about 10 different servers in two different customer sites. These are domain controllers that only get Windows Updates installed (nothing else). This problem started less than 2 weeks ago. Anyone else having this issue? Any solutions yet? I have a case open with Microsoft and they are still looking into it. For now, I am monitoring virtual memory usage and when it exceeds 70%, I am killing the svchost.exe process for Event Log service. This frees up virtual memory and starts the cycle again.
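
The checks described across this thread (which services the large svchost.exe hosts, how busy the Security log is, and what audit settings are in effect), as an added PowerShell example that is not part of any poster's message. The 5000-event sample size and the use of event ID 4719 for the "who changed this" question are assumptions of this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Written for PowerShell 2.0 (Windows Server 2008 R2), so it uses Get-WmiObject.

# 1. Map each svchost.exe instance to the services it hosts, largest first.
$services = Get-WmiObject Win32_Service -Filter "State='Running'"
$report = Get-Process -Name svchost | ForEach-Object {
    $proc   = $_
    $hosted = $services |
        Where-Object { $_.ProcessId -eq $proc.Id } |
        ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        ProcessId      = $proc.Id
        PrivateBytesMB = [math]::Round($proc.PrivateMemorySize64 / 1MB)
        Services       = ($hosted -join ', ')
    }
}
$report | Sort-Object PrivateBytesMB -Descending |
    Format-Table ProcessId, PrivateBytesMB, Services -AutoSize -Wrap

# 2. If the top instance hosts 'eventlog', see which Security event IDs
#    dominate the most recent records (sample size is an assumption).
Get-WinEvent -LogName Security -MaxEvents 5000 |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 3. Effective audit policy on this machine, success/failure per subcategory.
auditpol /get /category:*

# 4. Configured maximum size and current size of the Security log.
Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, FileSize, RecordCount

# 5. Event 4719 ("System audit policy was changed") shows when the effective
#    policy changed on this machine. When Group Policy applies the change,
#    the subject is usually the computer account, not the admin who edited
#    the GPO, so treat this as a timestamp to correlate against GPO history.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```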