DCOMLaunch thrashing my hard disk.

    Question

  • Hi folks,

    My disk is being hit many times every second that my PC is powered on.  Poking around with the excellent process monitor from SysInternals has shown that the activity is from the DCOMLaunch utility that runs within the svchost daemon.  The program is constantly querying registry keys that generally have some sort of CLSID for a name and seem to contain PCI IDs as values.  I'm not sure why DCOM would be trying to enumerate my hardware, but that's beside the point - I want this to stop.  Please help!  I've provided a brief excerpt of a sample ProcMon log below, and I would be happy to provide any other information that would help you to help me.

    Thanks in advance,

    Eglin

    4:45:43.7766394 PM svchost.exe 764 RegQueryValue HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\DeviceInstance SUCCESS Type: REG_SZ, Length: 60, Data: USB\VID_045E&PID_028E\0B5D273
    4:45:43.7766689 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS
    4:45:43.7766894 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\# SUCCESS
    4:45:43.7768539 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7768924 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Desired Access: Query Value
    4:45:43.7769337 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7769579 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\# SUCCESS Desired Access: Query Value
    4:45:43.7769894 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS
    4:45:43.7770145 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7770367 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Desired Access: Query Value
    4:45:43.7770615 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7770824 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Desired Access: Query Value
    4:45:43.7771089 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS

    Thursday, February 09, 2012 11:04 PM

All replies

  • Hi,

    Since lots of services are hosted in SVChost.exe, maybe we can try to narrow down which service is trying to access all the disk via DCOM.

    We can list all the instances of services hosted in SVChost.exe with "tasklist -svc".

    You can also try to separate all the affected SVChost.exe into standalone svchost instances by the following steps:

    Preparing to Debug the Service Application

    http://msdn.microsoft.com/en-us/library/ff553427(v=vs.85).aspx

    After that, please locate the affected service, find out if this service needs to list all the disk. 

    Thanks.


    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

    Friday, February 17, 2012 4:11 PM
  • Hi there, Kevin!

    Thanks a million for taking the time to help me.  I have determined that the service in question is DComLaunch.  Please tell me how to proceed.

    Sunday, February 19, 2012 7:48 AM
  • Hi,

    For the DCOM issue, usually we can perform the following troubleshooting steps:

    1. Generally, we can do the following steps to perform the default permission:
    =====================
    a. Click Start -> Run, type DCOMCNFG and press Enter.
    b. Expand Component Services -> Computers -> My Computer. Right click on My Computer and choose Properties.
    c. Go to COM Security tab, under Access Permissions, click Edit Limits, and make sure "Everyone" account has Local Access and Remote Access permission.
    d. Under Launch and Activation Permissions, click Edit Limits, and give "Everyone" account Local Launch, Remote Launch, Local Activation and Remote Activation.
    e. Close the dialog boxes, and in the previous Component Services, expand to Component Services -> Computers -> My Computer -> DCOM Config, find the 3rd party component, right click on it, and choose Properties. 
    f. In General tab, set Authentication Level to "Default".
    g. In Security tab, set Launch and Activation Permissions to Customize, click Edit, and give Everyone account all the permissions listed: Local Launch, Remote Launch, Local Activation and Remote Activation.
    h. Set Access Permissions to Customize, and also give Everyone account all the permissions: Local Access and Remote Access, give SELF all the permissions, and give SYSTEM Local Access permission. 
    i. Click OK to save all the settings, and see if it helps.


    2. If it still does not work, we can back up "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", and import the working keys from another server/PC.

    thanks.



    Thursday, March 01, 2012 7:23 AM
  • Thank you very much for continuing to help me troubleshoot, sir.  Looking at your outline gave me great optimism, as it seems like such a concise and thorough regimen.  Unfortunately, adjusting the COM Access permissions (remote launch and activation were not previously allowed) did not do the trick.  I looked at the list of the COM components as directed in step 'e', but I do not know which item you would have me adjust.  The list appears to include every COM component on my system, many identified only by what appear to be CLSIDs, and the only one that had "third party" in the title was the EAP dispatcher - the security options were all set to default and greyed out.  Is there something about my situation that leads you to believe that my security settings are somehow to blame, or is this just good general troubleshooting?

    I do have a laptop running Windows 7 and could try to import the OLE registry branch, although I'm a bit concerned.  It seems that if the troublesome component also exists on my laptop (I don't believe it does, but I haven't tested), then the import will not help.  If the problem does not exist on the laptop, merging the keys will not remove the problematic section.  Or, are you suggesting that I first delete the entire \ole registry branch?  Is such a thing possible without catastrophic system failure?

    Is there any way to actually determine what activity is requesting the constant hard drive reads, short of mucking around aimlessly with a kernel debugger?  Perhaps some sort of DCOM diagnostic tool?  I can hear my hard drive making funny noises now, and (although it could be paranoia, after losing more than two drives a year over several years to hardware failure) with current drive prices I'm loath to start making purchases.

    Thanks again for trying to help me, and I am hoping that you can continue to assist me.  It would be wonderful to get this taken care of.

    Thanks,

    Eglin

    Thursday, March 01, 2012 3:12 PM
  • You can look at stacks in procmon if you setup the symbols...

    Thursday, March 01, 2012 7:33 PM
  • Hi, JS.  Would you please describe how to setup the debug symbols and what I would look for after doing so?

    Thanks,

    Eglin

    Friday, March 02, 2012 3:43 PM
  • Maybe this link will help: 

    http://devcoma.blogspot.com/2009/11/how-to-configure-sysinternals-procmon.html

    The tricky part is installing windbg.  These days you have to download the windows sdk web installer, and then only check off windows debugger.

    Friday, March 02, 2012 4:00 PM
  • Hi Eglin,

    Do you have any updates from the procmon?

    If DCOM keeps querying HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}

    I am thinking, are there too many orphaned registry keys there?

    Please check whether the following KB applies to your server.

    http://support.microsoft.com/kb/982210


    Monday, March 19, 2012 10:00 AM
  • Hi Mr. Tu,

    Thank you for responding again.  I'm embarrassed to notice that I didn't mention that I'm using Windows 7 Home Premium.  Since that workaround is only intended for Windows Server machines, is there another method for checking and removing orphaned registry keys that you might recommend?

    Thanks in advance,

    Eglin

    Tuesday, March 20, 2012 1:07 AM
  • Hi,

    Can you find the identifier "USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb" in the Device Management? If so, please try to re-install this device.

    On the Windows 7 client, I think the USB device is not a critical part of the system. Please try to back up the related registry keys and delete them.



    • Proposed as answer by Niki Han (Moderator) Tuesday, April 03, 2012 8:55 AM
    • Unproposed as answer by Eglin Tuesday, September 04, 2012 7:39 AM
    Thursday, March 22, 2012 1:35 PM
  • The ID you've given seems to correspond with my USB XBox controller.  Would you please describe to me the steps I should take to reinstall it?  I believe that I'm currently using Windows 7's built-in drivers for the device, although I did allow Windows Update to install a driver update for it.
    Wednesday, April 04, 2012 10:43 AM
  • Hi,

    Please back up the registry keys and delete them. The next time you connect the USB device to this PC, the OS will recreate a new identifier for this device.

    Please monitor whether this issue still occurs after deleting the affected registry keys.

    Thanks.


    • Marked as answer by Niki Han (Moderator) Friday, April 13, 2012 3:05 AM
    • Unmarked as answer by Eglin Tuesday, September 04, 2012 7:39 AM
    Thursday, April 05, 2012 8:24 AM
  • Hi,

    I have to bring that topic up again because I am having the exact same problem and couldn't solve it by deleting the key. (I deleted every key that is being accessed and listed below.)

    I am using Process Monitor to see that my hard drives are being accessed nearly every second by C:\Windows\system32\svchost.exe -k DcomLaunch

    Basically it accesses all my drives (that is a Vertex 3 SSD and a RAID5 with the Intel Onboard RapidStorage of three WD Greens) and some USB3 stuff (that one I don't understand a bit because I do not have a single USB device connected. Even if I delete that key, Windows just recreates it after a reboot and starts accessing it again).

    HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#DiskOCZ-VERTEX3_____________________________2.22____#4&18f37dbf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#DiskStore1.0.00__#4&18f37dbf&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    HKLM\System\CurrentControlSet\Control\DeviceClasses\{f5f8219f-14c2-4e33-8b8b-06ee75321d07}\##?#IUSB3#ROOT_HUB30#4&a3f7854&0#{f5f8219f-14c2-4e33-8b8b-06ee75321d07}

    The PC is quite new and freshly installed with Windows 7 Professional 64bit.

    Does anybody have another idea? I am stumped and feel the health of my harddrives decreasing with every second :(

    Thanks!


    • Edited by EpoX_ Friday, August 31, 2012 9:02 PM
    Friday, August 31, 2012 9:00 PM
  • I'm afraid that I never found any resolution for the issue.
    Tuesday, September 04, 2012 7:41 AM
  • I have the exact same issue but it doesn't seem related to DComLaunch. If I run tasklist I see 3 services sharing the same svchost as DComLaunch:

    tasklist /svc /fi "imagename eq svchost.exe"

    svchost.exe            872 DcomLaunch, PlugPlay, Power

    When I look at the stack trace in ProcMon for those registry calls they originate in ntdll.dll and then go through RPCRT4.dll and umpnpmgr.dll before hitting kernel dll's. This makes me think it's the PlugPlay service that is hammering the registry.

    The issue only occurs on my machine when Steam is running. As soon as I close Steam then the registry activity immediately ceases. Start Steam and it starts again. It makes the system totally unusable.

    Re: setting up the symbols in ProcMon, I think this might be default in newer versions of ProcMon. If not, go to Options > Configure Symbols. Set Symbol Paths to srv*http://msdl.microsoft.com/download/symbols

    Friday, January 25, 2013 7:07 PM
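
The PID-to-service correlation described in the post above, as an added example (not code from any poster in this thread): it parses `tasklist /svc` output and ProcMon lines in the space-separated layout of the excerpt at the top of the thread, then reports, per svchost PID, the co-hosted services, the registry event count and rate, and the DeviceClasses interface GUIDs touched. The sample data is constructed, and the line layout (no spaces inside paths) is an assumption; a real ProcMon export is CSV.

```python
import re
from collections import Counter

# Constructed samples. The row for PID 872 is the one quoted in the post above;
# every other tasklist row and all ProcMon lines are made up for this example.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    872 DcomLaunch, PlugPlay, Power
svchost.exe                   1044 AudioSrv, Dhcp, eventlog,
                                   lmhosts, wscsvc
explorer.exe                  2212 N/A
"""

PROCMON_SAMPLE = r"""
4:45:43.0000000 PM svchost.exe 872 RegQueryKey <DC> SUCCESS Query: HandleTags, HandleTags: 0x0
4:45:43.1000000 PM svchost.exe 872 RegOpenKey <DC>\<USB> SUCCESS Desired Access: Query Value
4:45:43.2000000 PM svchost.exe 872 RegQueryValue <DC>\<USB>\##?#USB#VID_045E&PID_028E#0B5D273#<USB>\DeviceInstance SUCCESS Type: REG_SZ
4:45:43.2500000 PM svchost.exe 1044 RegQueryValue HKLM\System\CurrentControlSet\Services\Dhcp\Parameters SUCCESS Type: REG_SZ
4:45:43.3000000 PM svchost.exe 872 RegCloseKey <DC>\<USB> SUCCESS
4:45:43.4000000 PM svchost.exe 872 RegOpenKey <DC>\<DISK> SUCCESS Desired Access: Query Value
4:45:43.5000000 PM svchost.exe 872 RegCloseKey <DC>\<DISK> SUCCESS
""".replace("<DC>", r"HKLM\System\CurrentControlSet\Control\DeviceClasses") \
   .replace("<USB>", "{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}") \
   .replace("<DISK>", "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")

# time, AM/PM, image, pid, operation, path, rest (result + detail)
LINE_RE = re.compile(
    r"^(\d{1,2}):(\d{2}):(\d{2})\.(\d+) (AM|PM) (\S+) (\d+) (\S+) (\S+) (.*)$")
CLASS_RE = re.compile(r"\\DeviceClasses\\(\{[0-9a-fA-F-]{36}\})")
ROW_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")


def parse_tasklist(text):
    """Map PID -> list of hosted services from `tasklist /svc` output."""
    services, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and current is not None:
            names = line                       # wrapped continuation of a service list
        else:
            m = ROW_RE.match(line)
            if not m:                          # header, separator or blank line
                current = None
                continue
            current, names = int(m.group(2)), m.group(3)
            services[current] = []
        services[current] += [n.strip() for n in names.split(",")
                              if n.strip() and n.strip() != "N/A"]
    return services


def parse_procmon(text):
    """Parse space-separated ProcMon lines into event dicts (time in seconds)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, frac, ampm, image, pid, op, path, _rest = m.groups()
        hour = int(h) % 12 + (12 if ampm == "PM" else 0)
        secs = hour * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
        events.append({"t": secs, "image": image, "pid": int(pid),
                       "op": op, "path": path})
    return events


def attribute(procmon_text, tasklist_text):
    """Per PID: co-hosted services, registry event count/rate, interface GUIDs hit."""
    services = parse_tasklist(tasklist_text)
    report = {}
    for ev in parse_procmon(procmon_text):
        if not ev["op"].startswith("Reg"):     # registry operations only
            continue
        r = report.setdefault(ev["pid"], {
            "services": services.get(ev["pid"], []), "events": 0,
            "first": ev["t"], "last": ev["t"], "classes": Counter()})
        r["events"] += 1
        r["first"], r["last"] = min(r["first"], ev["t"]), max(r["last"], ev["t"])
        m = CLASS_RE.search(ev["path"])
        if m:
            r["classes"][m.group(1).lower()] += 1
    for r in report.values():
        span = r["last"] - r["first"]
        r["per_second"] = round(r["events"] / span, 1) if span > 0 else None
    return report


if __name__ == "__main__":
    for pid, r in sorted(attribute(PROCMON_SAMPLE, TASKLIST_SAMPLE).items()):
        print(pid, r["services"], r["events"], r["per_second"], dict(r["classes"]))
```

The PID only narrows the activity to the set of services sharing that svchost instance; picking one of them still needs the call stack, as the post does with umpnpmgr.dll.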
  • Thanks for the information about setting up symbols in ProcMon.  I will download a newer version and check it out (the version I've been using is probably very ancient).

    Some of the registry entries that are getting hammered for me have UUIDs corresponding to USB devices, so there may certainly be some relationship to P&P.  For me, the issue happens even when I have shut down every service and application I'm able to disable.  My system remains responsive, but the constant hard drive activity worries me.  Hard drives are expensive, and I have zero doubt that all this constant activity wears them out.  I'm also extremely frustrated that MS doesn't have better controls for system management.  Every bit of software seems to feel privileged to install stuff all over the system, setup services, and open network connections.  There really needs to be some better way to insulate the system from this stuff - something short of running a heavy-weight VM for every application.

    Anyway,  thank you for sharing.  If you come up with further information, I'd very much appreciate it if you would report back.

    Thanks,

    Eglin

    Friday, January 25, 2013 9:12 PM
  • I deleted some registry values matching f5f8219f-14c2-4e33-8b8b-06ee75321d07 and it still did not stop after a restart.

    That ID is something related to USB3 so I uninstalled the Intel USB3 driver. That helped, might be worth a try.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{f5f8219f-14c2-4e33-8b8b-06ee75321d07}

    Wednesday, March 20, 2013 4:44 PM
  • I eventually resolved this issue by unplugging my 8 year old ipod from the USB slot. I traced it using the Resource Monitor and checked that during the hangs there was disk activity originating from the System process to /Device/HardDisk/DR4, with a response time around 20 seconds. This device was the ipod. Since leaving it unplugged for about a month now I have not had this issue.

    What is strange is that I still have registry activity on those keys from svchost, but my hard disk doesn't sound like it's thrashing anymore. So I can't be sure what the issue was but I would suggest checking Resource Monitor and try unplugging USB devices.

    Did you ever find the real cause of this?
    Thursday, March 21, 2013 11:54 AM
  • I have the same issue, need help!

    Monday, March 25, 2013 12:37 PM
  • I never did find the cause or solution.  Most of the UUIDs/CLSIDs I found being constantly accessed by the DCOM service correlated to USB devices - Intel's USB driver, XBox 360 controller, etc, but I was never able to create an environment that halted the constant disk access.  I have/ have had concurrent issues with Zone Alarm's paid firewall suite doing unbuffered writes to its log files several times a second.  The whole situation has really soured me on Windows in general.  Every application feels like it has the right to install services and background tasks, and Microsoft has done nothing to help us isolate out processes and control permissions with a fine grain.  It's pretty hard, as an example, to browse the web without having Adobe's awful Flash installed; MS should have tools to protect us from allowing Flash to essentially alter the comspec and hijack every single running process on the system.  I know this is devolving into a rant, rather than constructive troubleshooting, but after having MANY hard drive failures over the last few years, I am very much fed up.
    Tuesday, March 26, 2013 9:18 AM
  • This is an example of how we small fish are having our ass kicked. The truth is that there could be a large number of people who have the same problem and don't realize it. I'm no developer, so I have only a basic knowledge of the system's functionality, and it is hard for me to find the resolution to this issue. Since Win95 I have always had an original system on my PC, never complaining, and, what is a paradox, never needed help till now. The bizarre and odd thing is that even formatting the system and installing Win 7 on a clean SSD doesn't help...


    • Edited by matisf Tuesday, March 26, 2013 9:56 AM
    Tuesday, March 26, 2013 9:54 AM
  • never give up
    Thursday, March 28, 2013 4:06 PM
  • UP

    Tuesday, April 09, 2013 4:13 PM
  • Hi, I found this topic while investigating this Steam problem. It's exhibiting the same registry spam symptoms and the same registry key as you describe,  and it involves nonstop probing for the presence of a particular gamepad device. Because it hands off the work to svchost, it obscures the originating process's identity. But it was still susceptible to be located by process of elimination. Note that it's a fairly harmless low-cpu activity, but it's still wasteful and annoying.

    Wednesday, April 10, 2013 12:17 AM
  • Hey ultramage, thanks for linking that information. Good investigation and nicely done finding the root of our issue, I think I learned a bit more about some techniques to employ. I can confirm that I no longer see the registry activity when I suspend the thread with SDL2.dll. I really wish that Steam would fix this issue, it's really terrible programming from them.

    Seems we have a slightly different problem than the OP, which is a pity. But I think it highlights an important point: the stack trace in this case does not lead to the prime mover in the chain of registry spam. Eglin, I'm curious to know if you're still hearing the hard disk activity? You may have some luck trying to isolate the issue by booting to safe mode. If that stops the problem, then using Sysinternals autoruns can help to progressively add programs back into the boot until the problem re-occurs.

    Wednesday, April 10, 2013 9:28 PM
  • The dcomlaunch registry accesses were most likely not the cause and just distracted from the actual problem (you'd have to have 10000+ of them a second going on before it starts being noticeable, and it'd cause CPU usage, not disk usage). Process Monitor does not have full access to the system so it may not be able to record low-level disk activity; turning off some of the default filters (SYSTEM, IRP_*, etc.) may show it. Also in Windows Resource Monitor, the disk section can show low-level stuff like volume-level defragmentation that happens below the filesystem. Also Process Explorer may reveal who's doing the activity by watching each process's deltas (page faults, I/O bytes per second, etc.).
    Friday, April 12, 2013 6:45 PM
  • I had a problem like this: too much HDD crunching, and the standard Windows performance monitor showed that svchost.exe (DCOMLaunch) accessed many files and crunched the HDD very heavily after some inactivity, so I could not sleep at night.

    The problem was fixed for me after I turned off system protection on disk C:

    Control Panel -> System -> System Protection -> System protection (tab) -> Protecting parameters -> Local disk C (System) -> click Setup button -> Turn off system Protection

    I have a localized system, so names can be slightly different from the original.

    Of course it is the user's responsibility to turn off such a feature, but a silent HDD is more important for me.

    So now my HDD doesn't crunch, and it is so cool because I had this problem for several months.

    Monday, May 27, 2013 5:20 PM
  • I have had the same problem for two years. I have read a lot of blogs on a lot of web sites for so long. So far I haven't been able to fix this problem... entirely.

    Sometimes when I stop WinDfend (Windows Defender) Service the problem stops, but sometimes it doesn't; lately I have found that I need to stop hpqddsvc (HP CUE DeviceDiscovery) Service too. After this the computer runs very well, like new, no lags, no excessive CPU usage nor hard drive usage.

    The only annoying thing is that I need to do this every time I start the computer in order to make it work. I don't know too much about computer systems, but so far this is the best solution I have found. I hope this works for the rest of you.

    Best regards.

    Tuesday, November 19, 2013 6:32 AM
  • I just had this same problem and thank everyone for the discussions.  I am far from being as technically advanced as anyone who posted, but using what you all posted and deductive reasoning this is what fixed my computer the first time.  Perhaps some of you may be able to analyze the reason.  I only know what I did to fix it. 

    First, I knew that I had nothing attached to my computer except mouse, monitor and keyboard.  The only thing I did from the time my computer was operating amazingly well, to the unresponsive IE issues and DCOM described issues, was allow Apple to update iTunes.  My fix was to uninstall everything in programs/control panel that was Apple (lemon LOL) related.  The only program that had issues uninstalling was a program called Bonjour by Apple.  Not sure why it was even there, but the error said for me to close IE first if I wanted to proceed with uninstall.   I did uninstall everything Apple in my programs, restarted computer.  This time no problem.  I can't explain why it fixed it, because I don't know enough about the things you all do.  I just know that Apple programs (now uninstalled) are what seems to be the cause and cure.


    • Edited by MWebb2 Tuesday, December 03, 2013 12:06 AM
    Monday, December 02, 2013 2:35 PM
  • Hey guys,

    I was having the exact same problem. My svchost was going to town on my CPU through DcomLaunch. It only started recently, and only began when I was using Steam. I have good and bad news. The good news is, I seem to have found the problem. The bad news is it appears to be different than the OP's problem, but I hope it might shed some light on how this problem is able to manifest. Yes, it only happened when I was on Steam gaming. The reason? My headphones were plugged in. I unplugged them, and CPU usage dropped instantly. I had seen one of the services under that svchost was some audio function, so I unplugged my headphones and it worked fine after that.

    So, I'm not sure what use this is for you guys, but I had read through all this last night desperately trying to fix my issue. So when I realized by simply unplugging my headphones the problem was fixed it was appropriate for me to share this, in case it helps any of you or hints towards any sort of issue (I am not as computer-savvy as the rest of you seemingly, albeit I am not completely oblivious).

    Good luck and I hope you (OP) solve your issue!

    Sunday, December 08, 2013 5:43 PM
  • I have the same issue. After rebooting my pc, when I insert USB flash drive, svchost.exe (DComLaunch) scans harddisk for about 15-20 seconds (constant disk activity). And then I can use USB flash memory. It is very very annoying issue.
    Monday, February 10, 2014 11:08 AM
  • I was having the same issue on an old laptop that was given to me for work.  After reading many threads about svchost.exe and DcomLaunch, I downloaded and ran Malwarebytes.  Ran a deep scan and it found Tojan.Zekos.Patchedwv2 file on the PC.  Running Vista 32 bit.  Svchost.exe was maxing out CPU at 99-100% and spinning HDD like crazy.  Malwarebytes quarantined and removed Zekos trojan and CPU now at 27% and HDD seems normal now.  Hope this info helps some people.  I guess the boss's son was previously using this laptop for P2P file sharing :(
    Sunday, April 06, 2014 7:56 PM
  • I have had this problem for 3 weeks. My CPU was increasing about 50% because of svchost.exe, which is related to DcomLaunch. I found that DcomLaunch was being used and occupied by Plug and Play by using this method:

    Start > Programs > Accessories right-click Command Prompt
    Select: Run as Administrator

    Using the mouse, copy the following text inside the code box:
    Code:

    TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE"

    Paste the above at the blinking cursor of the Command Prompt
    Press: Enter

    Then I found a solution while searching the internet.

    Here it is:

    "I know this topic is a bit old but the problem seems as common as ever. I have a solution that probably won't help many people but since it's tricky to spot I wanted to post my experience in the hopes it helps someone whose problems result from many unused USB device drivers.

    We use our laptops as part of a programming process for devices our company sells. Each device has a unique serial number and as a result we end up with device drivers that are installed with each device programming but never used again. Our laptops would slowly become unusable and digging in to the cause showed that only disabling the plug and play service would bring the CPU cycles under control. Since disabling this service results in an unusable laptop, we did more digging and found that our problem was the unused drivers, which aren't normally viewable in the Device Manager. To view these, you must:

    1. Right click My Computer and Select Properties
    2. Click Advanced tab
    3. Click Environment Variables
    4. Below the bottom Environment Variables window pane (System Variables), click New
    5. For Variable Name, enter devmgr_show_nonpresent_devices
    6. For Variable Value enter 1
    7. Click OK. OK to close My Computer

    Open Device Manager, click on View, select show hidden devices from the menu. We found large numbers of unused drivers in three sections on Windows 7 machines and two sections on XP machines. Disk Drive, Storage Volumes, and one other section. If you see a large number of unused drivers, uninstalling them through this Windows interface is painful to say the least. You need to click on each one and select 'uninstall' after which the computer stays busy and unresponsive for a while. The better approach is to use this free tool which allows you to view only unused drivers and uninstall all in one pass." quoted from web

    I hope this will help you to solve your computer's high CPU usage problem.

    Have a nice day ^^


    • Edited by Equelan Monday, September 29, 2014 8:40 AM
    Monday, September 29, 2014 8:36 AM