none
After installing XP SP3 svchost running - incapacitating update service

    Question

  • After I installed XP SP3 I find that I am unable to use Microsoft Update to check for updates. When I try to update suddenly my machine becomes extremely slow because the CPU is at 50% utilization running a process called "svchost.exe."  If I go into services and stop and disable the "Automatic Updates" service the CPU drop to normal almost instantly.  I tried a reinstall of the Windows Update Agent, however, the install in unsuccessful because the XP SP3 update is newer than the update agent file.

    Thursday, May 08, 2008 2:13 PM

Answers

  • I'm running 2 machines with XP/SP2 and 2 machines with XP/SP3 and I can now reproduce and correct this issue at any time on any of theese machines.  It is definately the CA AntiVirus engine that is interfering with the svchost.exe process that is causing the poor performance and CPU spike.

    I have opened a case with CA who have acknowledged that a recent dat/engine update may be responsible and am waiting to hear back from them.

    If you have Automatic Updates enabled in any form on your PC and have CA AV installed and the real-time scanner enabled, you will have this issue when the computer is rebooted.  This is because one of the first things XP does after boot is to see if there are any updates needed for the computer.  The Automatic Update process uses svchost.exe as part of the scan of the workstation to see which updates are necessary.  Because the AV real-time scanner is enabled, the AV software "interferes" with svchost.exe causing the CPU spike the scan never completes.

    If you turn Automatic Updates off, you will not experience this issue at boot time.  However, you can still reproduce this issue by manually running a scan for updates from the Microsoft Update page in IE.  If you navigate to this page and run a scan and the AV real-time scanner is enabled, you will have this issue.  If you put the real-time scanner in sleep mode before you run a scan, the issue does not occur and the updates for your computer will be displayed and can be downloaded or installed.

    Fix 1:  Remove CA AV software from your computer.  I have tested 5 other AV software products and I cannot reproduce this issue with any of them.  Avast, AVG, McAfee, Trend Micro, and Norton all work fine and do not interfere with svchost.exe and Automatic/Microsoft Update process.

    Fix 2:  Disable Automatic updates on the PC.  This will solve the boot time issues.  Disable the real-time scan engine when manually scanning for patches from the Microsoft Update site

    Fix 3:  Wait for CA to resolve their issue and push a new DAT/Engine.  I'm sure CA will be able to fix the issue in time, but PC with Automatic Updates will suffer until this is done.

    Good luck to all of you.
    Saturday, May 10, 2008 5:02 PM

All replies

  • Hi,

    First stop automatic updates from services.

    Next download windows update agent 3.0. link below.

    http://go.microsoft.com/fwlink/?LinkID=100334

    rename the windows update agent file to 1.exe and save it in drive C:

    Then type this command at Run

    C:\1.exe /wuforce


    Restart the computer and then do windows update.


    Regards
    Deepak
    Thursday, May 08, 2008 2:28 PM
  • Hi,

     

    I did everything just as you suggested (twice), however, the symptom keeps returning. Your methodology had the benefit of getting the update agent file to install. Still, every time I get into windows updates and automatic updates is empowered (as it must be to process updates) the svchost jumps back up to 50% of the resources and stays there.

     

    Roger 

     

    Friday, May 09, 2008 1:57 AM
  • Roger, to a certain extent it is normal for Microsoft Update or Windows Update to perform a long computation at 100% processor utilisation (which will look like 50% on dual-core or hyper-threaded hardware).  It should run like that for a few minutes, and then stop normally.  If that is what you are seeing, it is normal.  If the processing never stops, then you should use "Process Explorer" to identify which Services are running in the instance of svchost.exe that is consuming the processor time.  Let us know which Services those are.

     

    There are known issues with some 3rd-party software that can cause this effect - such as HP printers.

    Friday, May 09, 2008 11:09 AM
  • I had this issue on 2 laptops and 2 workstations.  All are running Windows XP/SP2 and this issue started 2 days ago.  I thought I had a virus or malware that was spreading from machine to machine.

    I finally tracked this issue down to a DAT or Engine update for my CA AntiVirus 2008 software.  I disabled the Automatic Updates service to alleviate the issue, but the issue still occured if I tried to go to the Microsoft Update site and scanned my PCs for necessary updates.

    When I disabled the real time scanner on my AV software, this issue went away.

    I have removed this AV software and am now using the free Avast Anti-Virus.  Issue resolved on all machines.

    I may even attempt an upgrade to SP3 this weekend.
    Friday, May 09, 2008 10:31 PM
  • Roger,

     

    I had exactly what you described on two PCs from different sites, both XP Pro sp2. I found (rediscovered!) all the old fixes as well as your post, but the one which definitely worked was from Jake Billo's blog, originated on February 5, 2007:

    http://jakebillo.com/svchostexe-causing-99-100-cpu-usage-solution-follows/ 

     - both PCs have the possibly relevant Office 2003, BTW.

    1. Start Microsoft Update (Tools > Windows Update from Internet Explorer), then click the Change settings button on the left.
    2. Select the Disable Microsoft Update software and let me use Windows Update only checkbox and click Apply changes now.
    3. Reboot your system.  

    Perfect solution for both PCs!

     

    Oddly enough, when I came to impart this news to you, there was a later post "blaming" CA-AV which is also present on the two now speeded-up PCs. However, CA-AV did not appear to be relevant to the svchost problem on either PC here.

     

    I have not yet switched Microsoft Update back "on"...  

     

    If this doesn't work for you, I hope you find your solution and let us know,

     

    Cheers,

     

    Bill

    • Proposed as answer by L.I Monday, January 06, 2014 7:09 AM
    Saturday, May 10, 2008 1:07 AM
  • Roger,

     

    Neglected to mention that SP3 was on neither PC when the problem occurred. It is now on one - but it is still working OK!

     

    Bill

    Saturday, May 10, 2008 1:16 AM
  • I'm a self-employed computer tech and have been battling this problem since SP3 came out.  It all now makes sense....If I'm not mistaken, each of us that are having issues is using Computer Associates Security Suite 2007.  I like the program, and unfortunately have it installed on about 200 of my customer's computers.  I'm sooo excited about having to uninstall CA's stuff and loading on AVG.  Let us pray to the computer Gods that CA will fix this QUICKLY.

     

    Brad

    Saturday, May 10, 2008 1:57 AM
  • I'm encountering much the same as some of you (although not the same as the original post in this thread if they actually managed to get SP3 installed) on my IBM notebook, running XP Pro SP2 (note on an IBM notebook the XP is an OEM version, not the off-the-shelf variety, I have no idea if that matters). Yes, it has CA Internet Security Suite 2007 on it (although before reading this thread I didn't suspect it to be part of the problem except to the extent that I thought it wasn't finding the virus I thought I'd contracted). I also have an HP printer driver installed (an early reply in this thread pointed the finger at HP printers), although the printer itself is not connected to the notebook and has been powered off the entire time I've had this issue. And also Office 2003 (mentioned in yet another post as possibly being relevant).

     

    So if any of you are awake now, I'd appreciate your advice.

    Because I have SP3 on a thumb drive now, I can install it while off line, so I'm not too worried about disabling CA while I do the update. Am I going to hit problems when I enable CA again? I can also uninstall the HP printer driver if that's likely to help - but sooner or later I will need it again so is there any more info on what the problem is with HP printers?

     

    In case it's of use to anyone who may be trying to fix the issue before it happens to others, here's a rundown on my experiences over the last few days. And before I attempt to install SP3 from the downloaded file, is there any more info that I can provide that might help? Note someone asked for "Process Explorer" output - I assume that's a third party tool that I don't have - stick to info I can give you with XP Pro SP2.

     

    After a Windows Update a few days ago I accepted the option to install XP SP3 (I don't allow it to do updates without my OK, although I don't think I've refused any Windows Updates except maybe SilverLight if that was ever offered through Windows Update). I stayed connected to the net on a high speed connection for some time after accepting it - expecting a service pack to take longer than a regular update. I was using the notebook during this time, and I got no errors, but SP3 does not appear to have installed, it still shows XP SP2 in the "About Windows" dialog. I didn't realise that immediately, though. Nor did I initially think it was related to SP3 because it was OK on that day - it was the following day I had problems and in what I now must assume was a coincidence the only other PC in the house (a Vista Destop, which we leave running almost all the time) had also locked up (to the point where I could not call up the task manager or access the Start menu - I had to power it off), so virus was the conclusion I leapt to.

    After booting the notebook up the day after the attempted update it ground to a halt - Task Manager identified "svchost.exe" as consuming 50% of the CPU time (yes I have dual processors), and around 73MB of memory (I mention it because that doesn't vary much, it's always 72-73MB). That was less informative than I had hoped. This is when I tried to use the desktop and realised it was frozen so of course my first thought was virus. I restarted the notebook with wireless off (it has a switch for that) - the internet connection is through a wireless router. With the wireless off the notebook behaved as normal (I started Task Manager almost straight away). I ran a full virus scan - found nothing - and a spyware scan found only a few cookies, which I removed. Turned the wireless back on - apparently OK - tried to do a CA update (thinking it might be a very new virus) - almost immediately the svhost issue came back - turning the wireless off at that point didn't make any difference. Several reboots later I'd come to the conclusion that the problem happened as soon as an internet connection was established. Something on boot up must do this, because if I start up with the wireless on it occurs immediately, but if I start without wireless and then turn the wireless on the svchost thing doesn't occur until several minutes later, unless I do something that accesses the internet - Internet Explorer, Send/Recieve Mail, CA update - in which case it occurs then.

    I tried the desktop again and it seemed to be fine. So I used it to download the latest CA updates and installed them on the notebook and scanned again - still nothing. I eventually realised that SP3 had not installed, and what with the desktop appearing to be OK I started to think that the SP3 update had not finished, and maybe THAT was what was taking up the processor time. So I left it running in its svchost crippled state for several hours (keeping an eye on it while using the desktop). After some time (I'm not sure how long, but certainly a lot more than the "few minutes" mentioned in an earlier reply on this thread) the svchost process stopped consuming all the CPU time (no errors and nothing obvious in the system logs either) - but SP3 had still not installed and after a reboot the same issue recurred.

    I downloaded XP SP3 using the desktop with the intent of installing it manually on the notebook, and I starting hunting on the net for issues with SP3 - and ended up here.

     

    I don't know if CA ISS is related to this, but I can see why it might get falsely accused. Depending upon the CA settings, it might check for updates, or do a partial scan, or both, as soon as the PC is powered up. This svchost issue occurs as soon as the PC is powered up (assuming it has an internet connection straight away). So it wouldn't be surprising at all to see these things occurring at the same time and (possibly falsely) assuming they're related.

    Saturday, May 10, 2008 8:47 AM
  • According to Thomas Scheidegger in this thread SP3 isn't available to Automatic Update yet, but for some reason PC with the Auto Update set to "Notify me but don't automatically download" are getting notified of it. That is my auto update setting, and that's how I ended up trying to install it.

    Could that be where the problem is coming in? If it's not properly implemented for Automatic Update yet, then when we accept the notification's option to install the available update is it trying to download it through Automatic Update (where it isn't properly implemented or is blocked in some fashion)?

     

    Saturday, May 10, 2008 10:14 AM
  • I'm running 2 machines with XP/SP2 and 2 machines with XP/SP3 and I can now reproduce and correct this issue at any time on any of theese machines.  It is definately the CA AntiVirus engine that is interfering with the svchost.exe process that is causing the poor performance and CPU spike.

    I have opened a case with CA who have acknowledged that a recent dat/engine update may be responsible and am waiting to hear back from them.

    If you have Automatic Updates enabled in any form on your PC and have CA AV installed and the real-time scanner enabled, you will have this issue when the computer is rebooted.  This is because one of the first things XP does after boot is to see if there are any updates needed for the computer.  The Automatic Update process uses svchost.exe as part of the scan of the workstation to see which updates are necessary.  Because the AV real-time scanner is enabled, the AV software "interferes" with svchost.exe causing the CPU spike the scan never completes.

    If you turn Automatic Updates off, you will not experience this issue at boot time.  However, you can still reproduce this issue by manually running a scan for updates from the Microsoft Update page in IE.  If you navigate to this page and run a scan and the AV real-time scanner is enabled, you will have this issue.  If you put the real-time scanner in sleep mode before you run a scan, the issue does not occur and the updates for your computer will be displayed and can be downloaded or installed.

    Fix 1:  Remove CA AV software from your computer.  I have tested 5 other AV software products and I cannot reproduce this issue with any of them.  Avast, AVG, McAfee, Trend Micro, and Norton all work fine and do not interfere with svchost.exe and Automatic/Microsoft Update process.

    Fix 2:  Disable Automatic updates on the PC.  This will solve the boot time issues.  Disable the real-time scan engine when manually scanning for patches from the Microsoft Update site

    Fix 3:  Wait for CA to resolve their issue and push a new DAT/Engine.  I'm sure CA will be able to fix the issue in time, but PC with Automatic Updates will suffer until this is done.

    Good luck to all of you.
    Saturday, May 10, 2008 5:02 PM
  • Just an FYI here...I updated XP to Sp3 and have had a slow down on the system.  I can click on the start button and wait a few seconds before it opens and a slow down to the next step.  Disabled windows automatic update...no help.  I finally snoozed CA Anti-Virus and Boom! all worked fine after that...So I'm thinking that yes, there may be a problem in the CA force for awhile.  I checked their site but nothing yet.

     

    If anyone is haveing an XP slow down try snoozing the anti-virus portion for a short time and see it it helps.  Right click on CA icon in lower left tray go to CA Anti-Virus and then snooze....sleck a number of minutes and just try it.

     

    Hope this helps someone...it did me....Good luck all...Ron...W

    Saturday, May 10, 2008 7:18 PM
  • I ended up following Willie Mac's suggestion. I changed the Microsoft Update setting to disable Microsoft Update and use Windows Update only (this actually warns you that it has uninstalled Microsoft Update and if you want to use it again you will need to reinstall it). This stopped the rogue svchost from appearing on boot up, although I suspect that's a side effect of uninstalling Microsoft Update. I believe that the rogue svchost is Auto Update trying to continue it's initial failed download, but continuing to fail probably because of either a firewall or a real-time virus scanner. I suspect there's probably another way to abort that attempt without uninstalling MS Update.

    After that, SP3 had not installed. I used "Windows Update" from my Start menu, it informed me that SP3 was available, I chose to install it and dealt with a number of dialog boxes - including one from the CA firewall asking whether to allow it. I definitely didn't get that one the first time. This time the installation ran smoothly. I've rebooted twice and been using the system for a few hours without hiccups.

     

    I suspect there's something about the Auto Update process that causes the firewall or real-time virus scanner to block it silently, while a user instigated install results in the user being given the option of allowing it.

     

    I don't know if it's related, but I'm running XP Pro (not XP Home) and I do have several user profiles. The one I almost always use (and was using during this whole episode) does have administrator rights. The Auto Update I think probably runs as SYSTEM (certainly the rogue svchost was). The user instigated install probably ran as my account. That may be why I got a lot of dialog boxes and prompts the second time and almost none with the Auto Update (except I think for a licence agreement, but am unsure).

    Sunday, May 11, 2008 3:35 AM
  • CD, you mentioned "Process Explorer" earlier: believe me, you need it! (Even if it's just to waste time exploring processes...)

    Miscrosoft liked it so much, they bought the company:

     

    http://technet.microsoft.com/en-gb/sysinternals/default.aspx 

     

    I used it to see what the "bad" svchost was up to. I would have pasted a screen dump, but I don't think it's allowed here.

     

    I'm guessing that Shep also had CA, but there are some postscripts from my POV:

    I did get a CA program update prior to the problem, but only DAT updates since.

    I always snooze CA-AV during SP installs.

    I have not uninstalled CA-AV (the only component of the suite I use) at any time. 

    A manual Windows Update [today - just as a test!] did the svchost CPU hog, but cleared OK.

    Otherwise, SP3 is on & the two PCs are both working OK.

    Another PC in my office (Home, not Pro) and a laptop (Pro) - both SP2 haven't suffered a bit...

     

    PPS I am struck by the similarity of this problem with what was happening 12-13 months ago.

     

    Bill

    Tuesday, May 13, 2008 3:15 PM
  • Hi Roger / Folks,

     

    NO CA Products here - but I have had the same issues with Microsoft updates!

    Here's the install path I used during my experience :

    • Cold install of XP with SP1 on the PC (Full factory system restore/rebuild).
      • Acer - Semperon 1.8GHz + 1GB RAM - 8Mb ADSL connection to Internet
    • XP SP2
    • Windows updates OK - used to install IE7
      • Reason - I found IE is compromised if you go straight to XP SP3
    • XP SP3
    • Next Office 2003 Pro
    • Switch to Microsoft updates - Custom Updates - SVCHost issue - Still checking for updates after 15 minutes
    • Switch back to Windows updates - Custom Updates - NO SVCHost Issue - Checking complete after 2 minutes
    • Tried both Microsoft fixes mentioned above
    • Swich back to manual Microsoft Updates and all is not really rosey as the initial "checking updates" scan can take at least 5 minutes with SVCHost at better than 90% CPU usage. So I believe the issue is not fixed, but it is just about useable.

    Interestingly, no issues on my work LAN where I am the systems manager - 20 PCs and 8 servers using WSUS. All units are up to date and no SVCHost issues.

     

    Also, I have installed Avast Anti Virus since, and the isses are still just as above. My point is that I don't believe the issue is CA related.

     

    So.... No fix yet here, however my solution is as follows:

    On the problematic PC I decided to switch back to Automatic Windows Updates. This keeps the PC up to date with all Operating System patches. PC performance is not affected. I have decided that I will manually switch to the Microsoft update system once every few weeks or so to catch the updates for Office etc. I'll just have to set the updates scan running over a quiet period I suppose.

     

    Hope this sheds some light.

     

    Regards,

    Knaphie

     

     

    Friday, May 16, 2008 9:37 AM
  • Hi again,

     

    Plan B for Office Updates = http://office.microsoft.com/en-gb/downloads/default.aspx - Left pane - Office Update.

     

    This runs fine. Just be aware that your version on Office (install key) must be validated to run these updates. If the key is out of date or invalid, you may need to use this fix to correct the key issues. http://support.microsoft.com/kb/895456 

     

    Regards,

    Knaphie.

     

     

     

    Friday, May 16, 2008 10:30 AM
  • Hi,

     

    i really wonder why SP3 contains a old WUAU Client "5.4.3790.5512"

    and not the actual one "7.1.6001.65" or at least 7.x.


    Anyone have a clue if there is a issue why this new one should not be inclused in SP3 ?

    BR,

    127

    Friday, May 16, 2008 11:06 AM
  • Wondering if it only happens with XP Pro? Two of the posts on this thread (one being mine) state they had the problem on an XP Pro machine, and one thread states that they didn't on 2 XP Home machines and on 1 XP Pro. One said they had no problems on their work LAN - which I'm guessing might be using an Enterprise edition (or whatever the right term is for the version that's designed to be rolled out across a network).

     

    So has anyone had this problem on a machine that was NOT XP Pro? Anyone had it on XP Home?

     

     

    Also Willie Mac mentioned a "possibly relevant Office 2003". Taking that thought further, since I finally managed to get XP SP3 installed properly (I hope) I have noticed that it has also installed SP3 for Office Pro 2003. I had deliberately denied and "hidden" that update, because of known problems it causes with VBA code (which will probably not bother most people but could have upset some of the stuff I do so I took the cautious path). If only I'd done that with XP SP3. I still can't believe I accepted that update so readily - I mustn't have had enough coffee that morning.

     

    At any rate - how many of us had been running Office 2003 with SP2 prior to the XP SP3 update? Has anyone else had the Office SP3 forced on them as I did?

    Saturday, May 17, 2008 7:25 AM
  • This might have something to do with some kind of CA vulnerability.  You can check around here to see.  http://secunia.com/vendor/7/

     

    Saturday, May 17, 2008 9:19 AM
  • Thanks to Knaphie

    I don't have any CA products either. Running Bit Defender Internet Security

    I have just completed fresh installs of XPP on two different machines:

    HP - P4, 1.8Mhz, 512 Mb
    an older IBM  P3, 700Mhz, 512 Mb

    Downloaded SP3 and installed it on both machines. Installed Microsoft Update and found that both machines needed up to 15 minutes to settle down. Undertook
    Knaphie's solution and now both finish their start up within 2 minutes.

    You figure MS would have recognized this prior to releasing SP3 as this is a repeat issue from late winter 2006/07.
    Sunday, May 18, 2008 6:22 PM
  • This worked for me:
    1. Click START/Run/Notepad

    2. Copy these files into notepad:
    REGSVR32 WUPS2.DLL /S
    REGSVR32 WUPS.DLL /S
    REGSVR32 WUAUENG.DLL /S
    REGSVR32 WUAUENG1.DLL /S
    REGSVR32 WUAPI.DLL /S
    REGSVR32 MUCLTUI.DLL /S
    REGSVR32 WUCLTUI.DLL /S
    REGSVR32 WUWEB.DLL /S
    REGSVR32 MUWEB.DLL /S
    REGSVR32 QMGR.DLL /S
    REGSVR32 QMGRPRXY.DLL /S
    REGSVR32 JSCRIPT.DLL /S
    REGSVR32 MSXML3.DLL /S

    3. Click File/SaveAs and enter:
    File Name        register.bat
    Save as Type   All files
    Encoding         ANSI

    4. Save on to the desktop.

    5. Click register.bat on the desktop and allow to run.     

    Your auto updates should now work
    .

    The problem centers around not updating Microsoft auto updates, before installing SP3.  A lot of people will be kissin' my *** for this one.     John
    • Proposed as answer by KMarieB Thursday, September 26, 2013 10:17 PM
    • Unproposed as answer by KMarieB Thursday, September 26, 2013 10:18 PM
    Friday, August 15, 2008 11:09 PM
  • THIS is the fast & easy way to fix this! Doesn't matter if you're running XP Pro, Home, etc. and it doesn't matter what mentioned program above could be causing the problem... THIS is your FIX:

    I am new here and not yet able to post links or pics... The link below I am referring to, is the one way up above, that was posted by Deepak, on Thursday, May 08, 2008 2:28 PM. The 2nd post from the top.

    1- Downloaded Windows Update Agent for Windows XP (32-bit):  Deepak's download link above.
    2- IN THE COMMAND BOX: Stop Windows Automatic Update Service (net stop wuauserv)
    3-IN THE COMMAND BOX: Stop Background Intelligent Transfer Service (net stop bits)
    4-IN THE COMMAND BOX: Run Windows Update Agent setup: WindowsUpdateAgent30-x86.exe /wuforce /norestart  If it tells you it can't be run, run it manually (the file you just downloaded). Your system won't automatically reboot anyway. After it has been run, come back to the command prompt and then proceed with the next step below:
    5- IN THE COMMAND BOX: Start net start wuauserv just to be sure Windows Automatic Update Service is started (actually it was started already by Windows Update Agent setup)
    6- IN THE COMMAND BOX: Start Background Intelligent Transfer Service (net start bits)

    Now, go to Microsoft Update and....... voila!

    • Proposed as answer by daniel(c) Thursday, January 23, 2014 10:11 PM
    Thursday, September 26, 2013 10:38 PM