100% CPU utilization on svchost.exe or Automatic Updates service
-
Friday, April 25, 2008 2:01 PM
We have upgraded from WSUS 2.0 to 3.0 SP1 and now have few Windows XP SP2 PCs that are extremely slow because the CPU is at 100% utilization running a process called "svchost.exe." If I go into services and stop and disable the "Automatic Updates" service the CPU drop to normal almost instantly. I tried forcing a reinstall of the Windows Update Agent. After I enable the "Automatic Updates" service the machine works fine for a day, than after a reboot it goes back to 100% CPU utilization. We need this fixed so we can get these computers updates.
Answers
-
Monday, April 28, 2008 3:35 AMModerator Hi Ryan,
For this problem, please install update 927891:
You receive an access violation error and the system may appear to become unresponsive when you try to install an update from Windows Update or from Microsoft Update
http://support.microsoft.com/?scid=kb%3Ben-us%3B927891&x=4&y=21
--------------------
Regards,
Eric Zhang
All Replies
-
Monday, April 28, 2008 3:35 AMModerator Hi Ryan,
For this problem, please install update 927891:
You receive an access violation error and the system may appear to become unresponsive when you try to install an update from Windows Update or from Microsoft Update
http://support.microsoft.com/?scid=kb%3Ben-us%3B927891&x=4&y=21
--------------------
Regards,
Eric Zhang -
Friday, May 02, 2008 12:59 PMI tried that. Did not work.
-
Monday, May 05, 2008 9:13 AMModeratorHi Ryan,
Did you use symantec or other anti-virus software on your clients?
If you did, the following KB will be helpful, you need to exclude all files in SoftwareDistribution folder from scanning:
Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP:
http://support.microsoft.com/kb/822158
--------------------
Regards,
Eric Zhang -
Thursday, May 08, 2008 2:51 AMEric Zhang,
I am also having this problem on Windows XP with svchost.exe taking 100% CPU. I followed the KB above and excluded the files form my virus scan, but to no avail.
Any other avenues that I can try? This is very frustrating.
Regards,
Dave -
Thursday, May 08, 2008 10:00 AMModeratorHi Dave,
The svchost issue can also be caused by virus, I'd like to suggest you boot into safe mode and perform a full scan by your anit-virus software, also, for more questions about Windows XP, please use Microsoft Public newsgroup for Windows XP which would be the most relevant newsgroup for your question.
Windows XP Newsgroup:
http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx
--------------------
Regards,
Eric Zhang -
Thursday, May 08, 2008 4:37 PM
I have had the exact same problem with svchost.exe on 4 different PCs today!
They are NOT infected with virus - it must be some update from MS that is causing these problems.
I have consulted different MS forums, and it seem to be a LOT of people having this problem.
It disappears when you disable Windows Update, but that is of course not s long-term solution.
When is the fix coming out? Is it incorporated in SP3 for XP?
Thanks!
-
Thursday, May 08, 2008 5:43 PMI am going to try installing Windows XP SP3 on the machines with the issue and see if that takes care of it. I guess the only other solution is to format and re-install.
-
Friday, May 09, 2008 2:18 AM
I didn't have the problem until after SP3 was installed on my system last night.
-
Friday, May 09, 2008 10:27 PMI had this issue on 2 laptops and 2 workstations. All are running Windows XP/SP2 and this issue started 2 days ago. I thought I had a virus or malware that was spreading from machine to machine.
I finally tracked this issue down to a DAT or Engine update for my CA AntiVirus 2008 software. I disabled the Automatic Updates service to alleviate the issue, but the issue still occured if I tried to go to the Microsoft Update site and scanned my PCs for necessary updates.
When I disabled the real time scanner on my AV software, this issue went away.
I have removed this AV software and am now using the free Avast Anti-Virus. Issue resolved on all machines.
I may even attempt an upgrade to SP3 this weekend. -
Saturday, May 10, 2008 5:05 PMI'm running 2 machines with XP/SP2 and 2 machines with XP/SP3 and I can now reproduce and correct this issue at any time on any of theese machines. It is definately the CA AntiVirus engine that is interfering with the svchost.exe process that is causing the poor performance and CPU spike.
I have opened a case with CA who have acknowledged that a recent dat/engine update may be responsible and am waiting to hear back from them.
If you have Automatic Updates enabled in any form on your PC and have CA AV installed and the real-time scanner enabled, you will have this issue when the computer is rebooted. This is because one of the first things XP does after boot is to see if there are any updates needed for the computer. The Automatic Update process uses svchost.exe as part of the scan of the workstation to see which updates are necessary. Because the AV real-time scanner is enabled, the AV software "interferes" with svchost.exe causing the CPU spike the scan never completes.
If you turn Automatic Updates off, you will not experience this issue at boot time. However, you can still reproduce this issue by manually running a scan for updates from the Microsoft Update page in IE. If you navigate to this page and run a scan and the AV real-time scanner is enabled, you will have this issue. If you put the real-time scanner in sleep mode before you run a scan, the issue does not occur and the updates for your computer will be displayed and can be downloaded or installed.
Fix 1: Remove CA AV software from your computer. I have tested 5 other AV software products and I cannot reproduce this issue with any of them. Avast, AVG, McAfee, Trend Micro, and Norton all work fine and do not interfere with svchost.exe and Automatic/Microsoft Update process.
Fix 2: Disable Automatic updates on the PC. This will solve the boot time issues. Disable the real-time scan engine when manually scanning for patches from the Microsoft Update site
Fix 3: Wait for CA to resolve their issue and push a new DAT/Engine. I'm sure CA will be able to fix the issue in time, but PC with Automatic Updates will suffer until this is done.
Good luck to all of you. -
Sunday, May 11, 2008 12:55 AMyep. I had the exact same problem. I have CA Antivirus and with automatic update off its not happening.
-
Sunday, May 11, 2008 10:50 AM
I have exactly the same issue on 2 machines. One runs Vista the other runs XP SP3 which was running SP2 a couple of days ago but also had issues then.
I have also placed a call with CA in regards to this issue.
-
Sunday, May 11, 2008 7:22 PM
Me too, on a portable PC Acer running XP SP2 Home ! Will try to disable Windows Automatic Updates...
Update : I did disable automatic updates in the corresponding panel and also by changing the starting mode of the service (from "automatic" to "on demand"). The reboot worked fine. Problem is gone for now. I do hope CA fix this real quick, even if the link with CA is not obvious.
Thanks for sharing this info, I was really getting crazy !
-
Sunday, May 11, 2008 8:20 PM
Started to experience this same sympton, on both XP and Vista machines. Common application is CA's antivirus on the two machines.
Thanks
-
Monday, May 12, 2008 2:11 AMHave had lots of calls regarding this ca problem, the wierd thing is that on my own machines it hasn't happened. Will have to wait for ca to sort it out
-
Monday, May 12, 2008 5:43 AM
Have just got off talking to a CA technician. Was advised to exclude all *.msp and *.msi files in the Real-Time scan.
What I did was:
1. "Open Security Center"
2. "Open Advance Settings"
3. Clicked on the "Options" button
4. Clicked on the "Modify" link under the Exclusions list and then "Added" *.msi and *.msp to the list and clicked OK
Ran the MS update manually to verify that this worked and it seemed to work ok.
Mind you this worked on my Vista machine. I will verify it on the XP box also but I think it should be ok.
-
Monday, May 12, 2008 5:48 AM
Excellent find. Disabled CA realtime scanner. All working well now.
Did you hear from CA yet? As turning off the CA antivirus would mean the machine practically has no anti-virus installed.
Regards,
-
Monday, May 12, 2008 7:03 AM
Works on both xp and vista machines -
Monday, May 12, 2008 8:12 AM
you shouldn't need to turn off CA antivirus just exclude the *.msi and *.msp files. -
Monday, May 12, 2008 10:10 AM
Thank you, Colflagg. Now at least I understand what hit me as from May 6 when it all started.
-
Monday, May 12, 2008 1:41 PM
I am another victim of this. Within my business, I have a total of 6 PCs. 2 of which I have just purchased in the last fortnight and thankfully are not afflicted with this problem.
The older PCs including a laptop that have been operating over a reasonable period of time are suffering with the exact same symptoms described. Seeing that said laptop had nothing of importance on it (only used for accessing emails on the run), I decided to do a clean install of Windows XP Professional and immediately installed SP3 prior to reinstalling my CA Internet Suite software. The only minor hiccup I suffered was AV Realtime scanner not wanting to work but after reading the FAQs, that was quickly resolved.
Has not yet been 24 hrs but with all definition updates installed and Auto Updates left ON, I have observed that the svchost.exe did briefly work up to 100% CPU for about 30 seconds early on, but since then it has been keeping under 10%. Will keep the PC running idle and have Process Explorer try keep a log of it.
Not saying that everyone would like to take the same action as myself, but obviously fresher systems may not have the same issues. Will watch this space.
Cheers to colflagg for identifying the cause.
-
Monday, May 12, 2008 3:39 PM
Thanks for the pointer to this thread.
I certainly can't/won't discount the potential link to CA Antivirus [yes, I run it]. However I did finally get my situation corrected on a laptop by eliminating the original SoftwareDistribution folder within the Windows directory. A new version of it got created, presumably by the windows update service, and ever since the system has been running fine, even with CA fully enabled and no files or directories excluded [which would be a serious exposure].
When I first experienced the problem [last Wednesday] on my desktop XP/SP2 system, it was resolved be allowing it to 'loop' itself back to health - no other changes were made, and CA was never stopped or suspended. Each time I allowed wauaend.dll to loop [perhaps an hour or so each time], I eventually found that a Microsoft update had been installed [and they were not always identified], one of which had to do with Genuine Advantage. Now I do find that interesting.
So perhaps CA is somehow involved, but they are not alone in this mystery. I still have a nagging suspicion that Microsoft is at the heart of this situation.
Regards...
-
Tuesday, May 13, 2008 1:08 AM
Found this to be an EXTREMELY helpful post. I disabled the CA On Access scan and it fixed the problem. I looked on CA's website but couldn't find anything about the issue.Keep me posted if you see CA fixes the issue and I'll do the same. So much for vulnerabilities
-
Tuesday, May 13, 2008 2:11 AMExcluding *.msp and *.msi in the CA AntiVirus exclusions did it for me, on two XP machines. Now we just need to wait for the CA folks to get the problem fixed so we can remove the exclusions. Thank you!
-
Tuesday, May 13, 2008 2:55 PMUpgrading to Windows XP Service Pack 3 does not fix the issue. I do not have CA Antivirus on these machines. We use Symantec AV v.10.1.4.4000. Is there any issues with that Symantec AV version and Automatic updates?
-
Tuesday, May 13, 2008 4:19 PM
I also use CA on all the networked machines here, with RealTime Scanner On, and Automatic Updates ON. I realised it was a Windiows Update issue late last night but was too tired to deal with it. I left one (the fastest) PC on overnight and by morning CPU was back to 3%. This indicated seemingly indicated that the Update Service had completed - but there were no new updates!?!. Somehow the svchost.exe 100% resolved itself. The other PCs have taken me all day to resolve and I wish I had found this thread earlier!
In the end the svchost.exe 100% does finally resolve (as I was able to show on the other PCs taking up to 4 hrs to sort out each!), and I have also downloaded today's CA updates as well. The problem hadnt shown up earlier because we so rarely reboot machines. Not the case with another group of PCs I look after. I have wasted 12 hours on this and hold MS and CA jointly responsible, till evidence shows to the contrary.
I suspect its more CAs fault than MSs fault as in another famous update from CA they managed to label a whole raft of kosher sites as shipping out trojans. That took about 4 hrs for them to correct. This has taken longer already.
Thanks to all who have unwound the problem and given the workarounds.
-
Tuesday, May 13, 2008 9:17 PM
I just "chated" with the folks at CA and they said ...
"The update will be released which will fix the issue"
Joe says:
any eta?
Asher says:
No Joe. Adding *.msp and *.msi to realtime exclusion will resolve the issue. However, there is no eta for the update
-
Wednesday, May 14, 2008 1:19 AM
I just spoke to CA, its a recognised problem. They are aparently relasing an update on the 16th of may that will automatically fix the issue. If you can't wait until then, do the following:
1. Boot to safe mode
2. Open CA, go to the advanced options menu
3. Go to options
4. click 'modify' on realtime scanner
5. Add *.msi and *.msp individually, dont use the comma.
6. Reboot and use as per usual. When the CA update is released delete those exclusions.
Everything will work fine, windows updates ect will operate as per usual.
-
Friday, May 16, 2008 12:42 AM
I found this solution on the CA website.
It seems CA is not willing to provide a date when this issue might be fixed. The above document provides a hotfix and manual instructions.
-
Friday, May 16, 2008 10:22 AM
Hi Ryan / Folks,
NO CA Products here - but I have had the same issues with Microsoft updates!
Here's the install path I used during my experience :
- Cold install of XP with SP1 on the PC (Full factory system restore/rebuild).
- Acer - Semperon 1.8GHz + 1GB RAM - 8Mb ADSL connection to Internet
- XP SP2
- Windows updates OK - used to install IE7
- Reason - I found IE is compromised if you go straight to XP SP3
- XP SP3
- Next Office 2003 Pro
- Switch to Microsoft updates - Custom Updates - SVCHost issue - Still checking for updates after 15 minutes
- Switch back to Windows updates - Custom Updates - NO SVCHost Issue - Checking complete after 2 minutes
- Tried both Microsoft fixes mentioned above
- http://support.microsoft.com/kb/927891
- Same report back - i.e. SP3 newer etc.
- http://support.microsoft.com/kb/943144 - Method 2
- Seems to install ok
- Reboot PC
- http://support.microsoft.com/kb/927891
- Swich back to manual Microsoft Updates and all is not really rosey as the initial "checking updates" scan can take at least 5 minutes with SVCHost at better than 90% CPU usage. So I believe the issue is not fixed, but it is just about useable.
Interestingly, no issues on my work LAN where I am the systems manager - 20 PCs and 8 servers using WSUS. All units are up to date and no SVCHost issues.
So.... No fix yet here, however my solution is as follows:
On the problematic PC I decided to switch back to Automatic Windows Updates. This keeps the PC up to date with all Operating System patches. Performance is not affected. I have decided that I will manually switch to the Microsoft update system once every couple of weeks or so to catch the updates for Office etc. I'll just have to set the updates scan running over a quiet period I suppose.
Plan B = Manual Office Updates http://office.microsoft.com/en-gb/downloads/default.aspx - Left Pane - Office Updates.
Hope this sheds some light.
Regards,
Knaphie
- Cold install of XP with SP1 on the PC (Full factory system restore/rebuild).
-
Friday, May 16, 2008 11:49 AM
Do you think CA's fix of excluding *.msi *.msp files is safe? Virus writers will be all over this. I prefer to disable windows automatic update for now and hope they can get a real fix in place. This is not how to keep a system safe.... Allthough CA is still better than Norton or McAfee they use 50% mem/cpu all the time!! -
Friday, May 16, 2008 12:49 PM
I had the same problem and excluded *.msi and *.msp files from the Real-Time scan.
I also excluded them from the ON-Demand scan.
This solution seems to work. Thanks for posting it.
-
Friday, May 16, 2008 2:50 PMAnyone who believes that excluding the msi and msp file extensions from the CA A/V scanner is an acceptable solution is delusional, and asking for trouble. Exclude installer files? Come on people!
Identifying the cause of this problem was very important, as is finding a permanent, secure solution. Anyone who experiences the problem would be far better off disabling the windows update service for a time rather than crippling their antivirus protection - there aren't daily updates from Microsoft anyway, so what do they think they would be missing?
Having said that, let me add that I am grossly disappointed with CA. This is not the first issue I have experienced because of their A/V product; I'm still waiting for a resolution to that 8 month old problem. My disappointment extends to their attitude regarding disclosure and accepting responsibility. Once identified, this problem should have been more prominently addressed by CA, at least by way of public notification. Even after they started to provide a risky circumvention, they were mum on an expected target date for a more permanent solution. Savvy users hit the forums in search of answers, and eventually started to piece together the situation. What about the not so savvy users - the millions of trusting CA customers potentially affected by this situation?
Competition in this market is fierce and image is important. However, company integrity is more important. If customer loyalty is an important company goal then it is better kept with honesty than subterfuge.
Savor Life, and Smile. -
Saturday, May 17, 2008 3:18 AM
MoosieAZ2 wrote: Anyone who believes that excluding the msi and msp file extensions from the CA A/V scanner is an acceptable solution is delusional, and asking for trouble. Exclude installer files? Come on people!
Identifying the cause of this problem was very important, as is finding a permanent, secure solution. Anyone who experiences the problem would be far better off disabling the windows update service for a time rather than crippling their antivirus protection - there aren't daily updates from Microsoft anyway, so what do they think they would be missing?
Having said that, let me add that I am grossly disappointed with CA. This is not the first issue I have experienced because of their A/V product; I'm still waiting for a resolution to that 8 month old problem. My disappointment extends to their attitude regarding disclosure and accepting responsibility. Once identified, this problem should have been more prominently addressed by CA, at least by way of public notification. Even after they started to provide a risky circumvention, they were mum on an expected target date for a more permanent solution. Savvy users hit the forums in search of answers, and eventually started to piece together the situation. What about the not so savvy users - the millions of trusting CA customers potentially affected by this situation?
Competition in this market is fierce and image is important. However, company integrity is more important. If customer loyalty is an important company goal then it is better kept with honesty than subterfuge.
Savor Life, and Smile.I agree that CA has let down a lot of people in regards to this. A few days after I posted the original temporary solution provided to me by our "trusted" friends at CA I began to rethink having *.msi and *.msp files excluded and to also rethink on my customer loyalty to CA.
I had oringally purchased the VET anti virus software about 10 years ago when the company that developed it wasn't under CA's control and have never had a problem with it until this event. I was also disappointed by the speed at which I was shuffled off the online help call without them waiting until I had asked questions and tested what they had suggested, not that it was exactly the best solution.
Nonetheless I turned everything back to normal today as it appears that CA has finally put a fix in place.
-
Sunday, May 18, 2008 3:17 AM
As long as the update fix does not exclude *.msi *.msp in the CA updates, then yes this is reassuring. -
Wednesday, May 21, 2008 3:26 PM
this is a CA bug - update CA signatures, the fix is in there...then boot....no more CPU at 50-100%
-
Friday, May 23, 2008 3:15 PM
So what is the solution. I am still facing the same problem -
Friday, May 23, 2008 3:41 PMDear teetu, did you read the previous posts? What was it you did not understand?
The overwhelming majority of reported problems indicate and conflict between Windows update and CA Antivirus engine 31.4.
Reread the prior posts..... -
Friday, May 23, 2008 5:19 PM
Thanks I read the posts.. The last one says its fixed by updating the signatures.. Which does not work for me... Is there anyone else who is facing the same problem even after updating their signatures?
Regards
-
Friday, May 23, 2008 7:28 PMIt is not the signatures, but the Engine. Version 31.4 had the issue, version 31.5 eliminated it. Go into CA A/V and manually run the update, then check the version of the engine [click the
▼ to the right of the help button, then click About..]. If you are still having the problem, you may have a different one than what is described in this thread.
-
Friday, May 23, 2008 7:31 PMI am having the exact same problem, 100% cpu utilizzation to the detriment of everything else on the PC, only I have no CA products running.
I had this FIXED with the 927891 microsoft fix, but then as soon as I installed SP3, it came back...and now the 927891 fix will NOT install over SP3.
If anyone finds a solution to this, please post. I have turned automatic updates off to see if that works, and set an outlook reminder to check for updates once a week. Thanks. -
Friday, May 23, 2008 7:52 PMI had a similar issue with a laptop after the SP3 upgrade. In that situation, I found a post somewhere that suggested deleting the entire C:\WINDOWS\SoftwareDistribution folder. In order to delete that folder structure you first have to stop the Windows Automatic Update Service, then delete the folder structure, then reboot. I was cautious so I just renamed the folder rather than deleting it. After a reboot, I noticed that a new structure had been created and the system was running normally again.
Note that you should let the system run for a while after the reboot because it does have to perform some work, which may appear to be running at high CPU, but it does not last very long. When things settled down I did delete the structure I renamed earlier. -
Wednesday, September 17, 2008 9:33 AMHi all,
I got similar problem with svchost.exe using about 50% of cpu just today sep 17 2008 ,with win xp prof. sp3 installed on aug 13 , i.e ~ 1month ago. With Bitdefender internet security 2008(Bdis2008) , it started when i installed the newer Bdis 2009, about 2dayes ago.
And like every body said here it resoled temporarly with rebooting but not to turnig off Real time protection, and when i tried to exclude *.msi ,*.msp i couldn't cz the av setting lacks the adding of extention to exclusions. Instead Bdis 2009 had add directory and files should directly added.
fortunately, there was only 1 msi file in folder system32 - C:\windows/system32/webfldrs.msi , and one *.msp in the framework in "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp".......... u can find it by surching.
also exclude the C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
after that click ok then close the program , then it worked.
i hope to be of benefit, and i pray it will keep working. -
Friday, October 24, 2008 10:06 AMI had the same problem with one of my clients running Trend Micro. It seems this problem isn't related to a specific Anti Virus program. Exluding the files as CA suggests isn't realy a solution. Excluding winlogon and stuff mentioned causes a real security issue. Since im running Trend Micro all the CA "solutions" didnt apply for me so i didnt even bother trying all the solutions and went for the one that makes the most sence.
Stopped the Update Service
Renamed the C:\WINDOWS\SoftwareDistribution folder
Restarted the Client
Issue solved.
Seems to me that something in this folder causes AV software to scan it and keeping svchost.exe from duing its job. Causing high cpu values. By Renaming/Deleting the folder all the files are refreshed including the one(s) that caused the problem. What the exact problem is? I dont think w'll ever know. But hey, whats new.
Thanks all for the posts, really helped me out here. -
Wednesday, August 10, 2011 7:44 PM
Hello,
3 years later, I was having the same problem on my XP desktops.
I have no CA software installed. FreakyEnzo's solution worked perfectly.
Thanks, BobM
.png){kind=spacer}
