Thoughts from the EPS Windows Server Performance Team
Troubleshooting issues with the SVCHOST.EXE process can be a very frustrating experience for server administrators. Whether the issue manifests as High CPU or the SVCHOST.EXE process crashing, there are some challenges that make the troubleshooting process a little more tricky. So before we dive into the troubleshooting, let's talk about what exactly the SVCHOST.EXE process does. SVCHOST.EXE is a generic host process for services. When you look at the list of running processes in Task Manager, you may see a number of different SVCHOST.EXE processes (as shown below). Each of these processes hosts a group of services.
When the system starts up, SVCHOST.EXE checks the registry to determine which services it should load. The specific registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. A sample is shown below:
Although this gives us useful information regarding which account a particular SVCHOST.EXE is running under, it doesn't necessarily help us with troubleshooting an issue where one instance of SVCHOST.EXE is utilizing a lot of CPU. You may remember an issue several months ago where Windows machines would become unresponsive when scanning for Windows Updates, or an SVCHOST.EXE process would crash when scanning for updates. An issue like that typifies the problems with SVCHOST.EXE troubleshooting. So, if we were to run into another problem with SVCHOST.EXE, how would we go about troubleshooting it?
The first thing to do is understand which services are mapped to which instance of SVCHOST.EXE. Using the TASKLIST.EXE utility we can determine which services belong to which instance. The command syntax is: tasklist /SVC /FI "IMAGENAME eq svchost.exe" - the output from this command is below:
Now we have some useful information that we can use to isolate and troubleshoot. Using the information in this output along with the view in Task Manager, we would be able to identify which specific instance of SVCHOST.EXE was consuming the CPU by using the Process Identifier (PID). If you don't have the PID column visible in Task Manager, you can add it by selecting View ... Select Columns and then checking the box for PID. Also ensure that you select the CPU column so you can sort by that to figure out which instance is the culprit. In some cases, simply knowing which processes reside within the culprit instance may be enough - because you can identify what tasks are running on the machine at that time - such as scanning / installing updates at a specific time via WSUS. However, where the problem is not quite so easily identifiable, or the SVCHOST.EXE process itself is crashing, it helps to be able to isolate the services to allow more granular troubleshooting.
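The PID-to-service correlation described above can also be scripted. This is an added example, not code from the original post; it samples CPU time over a short window (the 5-second window is an assumption) and lists each SVCHOST.EXE instance with its service group and hosted services.

```powershell
# Added example (not from the original post). Run from an elevated prompt so
# CommandLine and ExecutablePath are populated for every instance.
$sampleSeconds = 5   # assumption: sampling window, adjust as needed

function Get-SvchostSnapshot {
    # Returns a table of PID -> Win32_Process object for every svchost.exe instance.
    $snap = @{}
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
        ForEach-Object { $snap[[int]$_.ProcessId] = $_ }
    $snap
}

$before   = Get-SvchostSnapshot
Start-Sleep -Seconds $sampleSeconds
$after    = Get-SvchostSnapshot
$services = Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'"

$report = foreach ($id in $after.Keys) {
    if (-not $before.ContainsKey($id)) { continue }   # instance started mid-sample
    $p = $after[$id]
    # KernelModeTime and UserModeTime are reported in 100 ns units.
    $now   = [double]$p.KernelModeTime + [double]$p.UserModeTime
    $then  = [double]$before[$id].KernelModeTime + [double]$before[$id].UserModeTime
    # "-k <group>" on the command line names a value under the Svchost registry key.
    $group = if ($p.CommandLine -match '-k\s+"?([^\s"]+)') { $Matches[1] } else { '' }
    $names = ($services | Where-Object { $_.ProcessId -eq $id }).Name | Sort-Object
    [pscustomobject]@{
        PID        = $id
        CpuSeconds = [math]::Round(($now - $then) / 1e7, 2)
        Group      = $group
        Path       = $p.ExecutablePath
        Services   = $names -join ', '
    }
}

# Busiest instance during the sample window is listed first.
$report | Sort-Object -Property CpuSeconds -Descending | Format-Table -AutoSize -Wrap
```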
To isolate these services, there are two different approaches with very subtle differences. The first method is to create an isolated process that runs within the same SVCHOST group as it did before, just not in a shared process. The second method is to create a completely separate SVCHOST group. Since we've been using Windows Updates as our example, let's continue on with that.
Method 1: Creating an Isolated Process
What this method really does is modify one of the registry parameters for the service in question from a shared process to an isolated process. The command syntax is fairly straightforward and uses the sc config command set: sc config <service name> type= own. So for Windows Updates (wuauserv), the command would be: sc config wuauserv type= own. Note that there is a space between the '=' and 'own' - you must insert that space. Behind the scenes, what happens is that the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type registry value is changed from 0x20 (which denotes a shared process) to 0x10 (indicating it has its own process). You can read more about these particular values on the MSDN Article about SERVICE_STATUS_PROCESS Structure. In order to complete the change, you need to stop and restart the service. To change this service back to being a shared service, run the following command: sc config wuauserv type= share. For this change to complete, the machine itself needs to be rebooted. No other parameters are being modified with respect to this service, however when you change the type to isolated, restart the service and then run the tasklist command to get the list of services, you will notice that there is an SVCHOST.EXE process that only contains the Windows Update service.
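Method 1 end to end, with the registry value and hosting process checked before and after the change. This is an added example, not code from the original post; the helper name Get-HostingInfo is hypothetical, and the script must run elevated.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$svc = 'wuauserv'   # the service the post uses as its example

function Get-HostingInfo {
    param([string]$Name)
    # Type is the registry value the post describes: 0x20 shared, 0x10 own process.
    $type = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name").Type
    $self = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Name'"
    # A stopped service reports ProcessId 0, so only list co-hosted services when running.
    $hosted = @()
    if ($self.ProcessId -ne 0) {
        $hosted = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($self.ProcessId)").Name
    }
    [pscustomobject]@{
        Service  = $Name
        Type     = '0x{0:X}' -f $type
        PID      = $self.ProcessId
        CoHosted = ($hosted | Sort-Object) -join ', '
    }
}

$before = Get-HostingInfo -Name $svc

# In Windows PowerShell, "sc" is an alias for Set-Content, so call sc.exe by name.
# The space after "type=" is required, as the post notes.
sc.exe config $svc type= own
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# The change only takes effect once the service has been stopped and started again.
Restart-Service -Name $svc -Force

$after = Get-HostingInfo -Name $svc
$before, $after | Format-Table -AutoSize -Wrap

if ($after.Type -ne '0x10' -or $after.CoHosted -ne $svc) {
    Write-Warning "$svc is not isolated: Type=$($after.Type), hosted with: $($after.CoHosted)"
}

# To revert (the post notes that a reboot is needed for this to complete):
#   sc.exe config wuauserv type= share
```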
Method 2: Creating an isolated Service Group
This method is a bit more involved, and involves directly editing the registry. Please remember to back up the registry before making any changes! The process is below:
An additional refinement to this method would be to create copies of SVCHOST.EXE that are appropriately named for the isolated service - for example copy %systemroot%\system32\svchost.exe to a new file named %systemroot%\system32\svchost_wuauserv.exe. Remember that you will need to make the appropriate modifications to the ImagePath value in the registry that reflect the name of the executable file. By customizing the executable, you can use tools such as the Debug Diagnostic Toolkit that we covered in an earlier post to monitor specific services for crashing. You can also quickly tell which services are misbehaving in Task Manager as well as getting the name of the failing executable logged in the Event Viewer in the event of that service crashing.
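A renamed copy is a separate file that is not replaced when the original svchost.exe is updated, so it is worth tracking which services point at a copy and whether each copy still matches the stock binary. This check is an added example, not code from the original post, and it assumes the copies follow the svchost_<service>.exe naming used above.

```powershell
# Added example, not from the original post. Assumes customized hosts follow
# the svchost_<service>.exe naming used in the post.
$stock     = Join-Path $env:SystemRoot 'System32\svchost.exe'
$stockHash = (Get-FileHash -LiteralPath $stock -Algorithm SHA256).Hash
$stockVer  = (Get-Item -LiteralPath $stock).VersionInfo.FileVersion

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # PathName carries the service's ImagePath; pull out the host executable.
    if ($svc.PathName -notmatch '^"?(?<exe>.+?\\svchost[^\\"\s]*\.exe)') { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
    if ($exe -ieq $stock) { continue }   # stock host, nothing to compare

    $exists = Test-Path -LiteralPath $exe
    [pscustomobject]@{
        Service      = $svc.Name
        HostExe      = $exe
        Exists       = $exists
        Version      = if ($exists) { (Get-Item -LiteralPath $exe).VersionInfo.FileVersion } else { '' }
        # False means the copy differs from the current svchost.exe and should be
        # re-copied from the stock file or investigated.
        MatchesStock = $exists -and
            ((Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash -eq $stockHash)
    }
}

"Stock svchost.exe version: $stockVer"
if ($report) {
    $report | Sort-Object -Property Service | Format-Table -AutoSize -Wrap
} else {
    'No services are configured to use a customized svchost executable.'
}
```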
And that brings us to the end of this post. As always be extremely careful when editing the registry directly. Until next time ...
- CC Hameed
Problem Event Name: APPCRASH
Application Name: svchost.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47919291
Fault Module Name: xrwcscd.dll
Fault Module Version: 126.96.36.199
Fault Module Timestamp: 4549d2ea
Exception Code: c0000005
Exception Offset: 0000000000009d30
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 17417
Additional Information 1: 2b5e
Additional Information 2: d41d8cd98f00b204e9800998ecf8427e
Additional Information 3: 58eb
Additional Information 4: e0ab7f6c3db8ca5376495e0cc3bfdb3d
How am I supposed to solve this problem? It's been frustrating out here. Please help.
The faulting module is named Xrwcsdc.dll, which from an internet search appears to be part of the Xerox WorkCentre Pro software. You would need to either remove this software, or contact the manufacturer for an updated driver.
Voila, great post. I already knew this command, but it didn't use to work. I know the reason now: the service needs to be restarted.
Following here I wanted to reduce the number of svchost processes. I created a new group and moved two groups in this unique group but the number of svchost processes is always 2, instead of 1.
Can anyone tell me why?