01-24-10 - svchost

Fucking Windows and the way it runs services is the bane of my computing life. If it wasn't for that, XP would be near perfect. Every time I have a computer problem these days it's because of some fucking mystery shit happening in svchost. And I have no easy way to track down WTF is happening or block it. I cannot for the life of me figure out a good reason why they did that instead of just making each service its own process, which I could then diagnose, block, verify was legitimate, etc.

Periodically I'll get a crash from svchost, or suddenly my disk starts churning, or svchost is suddenly taking 90% of CPU. If it happens repeatedly I can usually figure out the culprit, but there's no reason it should happen at all through this mystery fucking obfuscation/anonymization host.


Kevin Gadd said...

Procexp can tell you which services are running in a given svchost. Does that help?
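The same mapping that Procexp shows can be pulled from WMI. The script below is an added example, not something posted by anyone in this thread; it lists each svchost.exe instance with the services it hosts, its CPU time and memory, and whether its image path is where svchost.exe is expected to live. It assumes PowerShell 3.0 or later (so not a stock XP install) and an elevated prompt for full path and command-line detail.

```powershell
# Added example: list every svchost.exe instance with the services it hosts.
# Assumes PowerShell 3.0+ (Get-CimInstance); run elevated for full detail.

# Expected locations for svchost.exe (SysWOW64 hosts 32-bit services on 64-bit Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process that hosts them.
$byPid = Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Group-Object -Property ProcessId -AsHashTable -AsString
if (-not $byPid) { $byPid = @{} }

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $hosted = $byPid["$($_.ProcessId)"]
    $path   = $_.ExecutablePath

    # The -k argument names the service group this instance was started for.
    $group = if ($_.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }

    # A svchost.exe running from anywhere else deserves a closer look.
    $pathCheck = if (-not $path) { 'unknown (not elevated?)' }
                 elseif ($expected -contains $path) { 'ok' }
                 else { 'UNEXPECTED PATH' }

    [pscustomobject]@{
        PID        = $_.ProcessId
        Group      = $group
        CpuSeconds = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)
        MemoryMB   = [math]::Round($_.WorkingSetSize / 1MB, 1)
        PathCheck  = $pathCheck
        Services   = if ($hosted) { ($hosted.Name | Sort-Object) -join ', ' }
                     else { '(none reported)' }
    }
} | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize -Wrap
```

The instance at the top of the table is the one that has burned the most CPU since it started, and its Services column is the list of candidates to investigate.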

Sam said...

Mark Russinovich's (the author of procexp) blog is full of interesting tidbits on debugging the internals of Windows. I followed this particular blog entry once to discover which driver was causing constant disk access (it was just showing up as IO in the "system" process or lsass.exe or something).

slyid said...

1) viruses
2) /windows/system32/drivers/etc/hosts being too big (many security programs put hundreds of site addresses in here, which makes svchost take 100% of the CPU). Either clean this up or disable the "DNS Client" service.
3) Windows bug: once in a while on my office computer, svchost and lots of services would crash after I log in.

JLennox said...

They fold into a single process because when the system was designed (early-ish NT days) the overhead from each additional process was too great to separate stuff so heavily.

If it's crashing, load the dump in windbg to check the call stack.

But it is time to move on from XP. Windows 7 or bust.
