HIGH CPU – SVCHOST.EXE


Description:  SVCHOST.EXE is a generic host process for services. There can be multiple SVCHOST.EXE running on a system and each SVCHOST.EXE can also hold multiple services. Troubleshooting high CPU usage with SVCHOST.EXE can difficult since Task Manager or Performance Monitor cannot show which service inside the SVCHOST.EXE is causing the issue.

 

Scoping the Issue:  The first step is to identify the Process ID (PID) of the SVCHOST.EXE that is pegging the CPU.  This can be done through Task Manager->Processes tab. If the PID column is not present, you can add it by selecting View->Select Columns and check the PID checkbox.  Once the PID is identified, the next step is to determine which services are running under the PID. From a Command Prompt, type:

TASKLIST.EXE /SVC

TASKLIST.EXE will list all the processes and PID’s running on the system. Look for the PID in question and check the Services column. This will give you a list of Services to start investigating.  If it is not clear which Service inside the SVCHOST.EXE process is causing high CPU usage, the next step is to isolate the service into its own SVCHOST.exe container. You can use ‘SC CONFIG’ to do this. From a Command Prompt type:

sc config <service name> type= own

Do this for each service inside the SVCHOST.EXE in question. Restart the service and it will start in its own SVCHOST.EXE.

To revert the service back to its original state, type the command:

sc config <service name> type= share

Please note that resetting SVCHOST.EXE configuration via the share command will require a system reboot.

 

Data Gathering:  In all instances, collecting either MPS Reports with the General, Internet and Networking, Business Networks and Server Components diagnostics, or a Performance-oriented MSDT manifest must be done.  Additional data required may include the following:

  • Performance Monitor logs that include the timeframe when the high CPU usage occurred.  Ideally, the capture interval should not exceed 10 seconds.  You can create the log parameters manually, or by using the Performance Monitor Wizard.  Required counters include:
    • All Processor Counters / All Instances
    • All Process Counters / All Instances
    • All System Counters / All Instances
    • All Thread Counters / All Instances
  • Task Manager
    • Sort CPU Time/Usage columns under the Process tab for highest consumers
  • Process Explorer
    • Sort by the CPU column under the Process window for highest consumers
    • Sort by the CPU column under the Thread tab in the Process Properties for highest consumers
    • Configure debug symbols to see thread stack information in the Thread tab
  • Another great tool for Vista/2008 and to a lesser extent XP/2003, is XPERF, which is part of the Windows Performance Analysis Tools:
  • You may need to get dumps of the process when it is in state. Please see ‘Capturing Application Crash Dumps’ for more info.
  • Additionally, there may be specific utilities available to help troubleshoot certain applications such as PSSDIAG for Microsoft SQL Server or the Exchange Best Practice Analyzer for Microsoft Exchange servers.  For third-party applications you should also contact the application vendor / developer for assistance.

 

Troubleshooting / Resolution:

After you have gathered this data, review the following:

  • MPS Reports
    • Look for any loaded modules in the process that may not be from the vendor
    • Outdated components, such as updates for a specific process or driver/filter updates if the System process is the culprit
  • Performance Monitor Logs
    • Check Processes->%Processor time for high usage
    • Also look for evidence of a hardware bottleneck, such as Processor Queue Length, System\Context Switch/sec, Thread\Context Switches/sec, and Processor\Interrupts/sec
  • Task Manager
    • Sort CPU Time/Usage columns under the Process tab for highest consumers
    • Check the base Priority of a process.  Some applications are able to boost their priority within the application.
  • Process Explorer
    • Identify the process by sorting the CPU column.  Bring up the Properties of the process and click the Threads tab. You can sort by CPU and see which threads are taking up most of the CPU time.  If symbols are configured, you may be able to get more details on the thread, such as Stack information.
  • Xperf
    • The trace.etl file can be viewed with Xperfview.exe. Detailed analysis may require a Microsoft Support Professional.
  • User Dump
    • If you are comfortable with debugging, you can try using the !runaway extension to see which thread is consuming CPU time.  Detailed analysis may require assistance from a Microsoft Support Engineer

 

Additional Resources: