Windows 7 svchost.exe hogging all available memory

brandonkick

My father has a Dell OptiPlex GX 270 running Windows 7.

For the longest time, it ran just fine and it only had 1GB of memory.
Now, just under a year later it has been slowing way way down. Now
I've figured out that it is due to all of the available memory being used
even after placing another 1GB stick in the machine.

But in both cases, when it had 1GB system memory and even after
it had 2 GB system memory, the system would "run out" of memory
after some period of time (5 min to 40 min) and it is SVChost.exe
taking up large large chunks. Sometimes as much as 500+ MB memory
for one single svchost.exe instance.

Any ideas of how to get this to stop, or identify which underlying processes
that are causing this? I'm running MalwareBytes Anti Malware right now.

Just strange that it worked fine for so long, and now it does this "memory
hogging" situation?
 
Infected, or has installed some program like weatherbug that is hogging it horribly.
 
Fire up Process Explorer from SysInternals, then hover the mouse over the offending process and ProcExp will show a bubble listing everything that's running within that process. Nice little tool.
 
My guess is either an infection or like others have mentioned a program that's hogging. Come across it quite a few times, most recent of which was WD's external HD backup utility.
 
Any ideas of how to get this to stop, or identify which underlying processes
that are causing this? I'm running MalwareBytes Anti Malware right now.

Hit it with all the usual virus cleanup tools FIRST before you start worrying about how to identify it. When possible always let your tools do the work for you.
 
Fire up Process Explorer from SysInternals, then hover the mouse over the offending process and ProcExp will show a bubble listing everything that's running within that process. Nice little tool.

This is the best way to find out what's going on.
Look at Lesson 2 and especially Lesson 3 here: http://www.howtogeek.com/school/sysinternals-pro/lesson2/

BTW, I don't envy your dad running 7 on a GX 270 with 1 or even 2 gigs of RAM. I have a stack here that I pulled out of service that are getting ready to be donated. Hopefully you replaced the 40 gig drive with something more substantial. I may keep one here and put an SSD in it to see what happens.
 
Process Explorer yields nothing....


So basically it has no "expansion box" next to the svchost.exe that is hogging all the memory and when I hover over it all it says is

Command line:

svchost.exe

Path:

C:\Windows\System32\svchost.exe

Which doesn't tell me anything more. Going into the resource monitor in the task manager doesn't give me any extra information either.

I've already run MBAM and it found a bunch of "non-malware" threats... PUPs mostly and even cleaning those didn't make much of a difference.

Going on now to rkill, tdss killer and MBAR.


@GX270 on 1GB of ram

The machine, while not fast, was actually pretty usable for their needs. It wasn't extremely snappy but most "delays" or lags were usually 3 to 5 seconds or so and he was quite okay with that. I do have another 1GB PC3200 DIMM that I will slap in for him. The extra GB should help a little.
 
I use Process Hacker and mouse over the svchost.exe to list which services that particular instance covers. That would at least help narrow it down. You can check threads to see if there's any additional info, or monitor that process ID via Process Monitor and see if you see any actions it's taking that are unusual.


Edit: BTW, I always do MBAR first, not last. Good detection, good reversal of damage. Removing PUP junk while a rootkit is still in the system means the rootkit has a chance to replace the PUP junk.
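
The mapping from each svchost.exe instance to the services it hosts, which the replies above read from Process Explorer and Process Hacker tooltips, can also be listed from an elevated PowerShell prompt. This is an added example, not part of any post in the thread; the note strings and the checks behind them are assumptions chosen for illustration, and a note marks something to look at, not a verdict.

```powershell
# Added example: list svchost.exe instances by memory use with hosted services.
# Uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with Windows 7.
# Run elevated; without elevation some command lines and paths come back empty.

# Index running services by the PID of the process that hosts them.
$servicesByPid = @{}
Get-WmiObject Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $procId = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
    $servicesByPid[$procId] += $_.Name
}

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" |
    Sort-Object WorkingSetSize -Descending |
    ForEach-Object {
        $procId = [int]$_.ProcessId
        $notes  = @()

        # Service-hosting instances are normally started as "svchost.exe -k <group>".
        if ($_.CommandLine -notmatch '\s-k\s+\S+') { $notes += 'no -k group on command line' }

        # Compare the image path with the System32 copy (case-insensitive).
        if ($_.ExecutablePath -and ($_.ExecutablePath -ne $expectedPath)) {
            $notes += 'image path is not System32'
        }

        # An instance with no running service registered against its PID.
        if (-not $servicesByPid.ContainsKey($procId)) { $notes += 'hosts no running service' }

        New-Object PSObject -Property @{
            PID          = $procId
            ParentPID    = $_.ParentProcessId
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
            Services     = ($servicesByPid[$procId] -join ', ')
            Notes        = ($notes -join '; ')
        }
    } |
    Select-Object PID, ParentPID, WorkingSetMB, Services, Notes |
    Format-Table -AutoSize -Wrap
```

The row at the top is the instance using the most memory; its Services column names the candidates to stop one at a time, and a row with anything in Notes is worth comparing against what Process Explorer reports for the same PID.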
 
Look for a "stuck" windows update.

Had a few of them going in endless loops.

Double post.....see 2nd one.

Need more coffee.

Sorry.
 
Look for a "stuck" windows update.

Had a few of them going in endless loops.

Try temp. disabling Win Update components and see how it runs.
 
Process Explorer yields nothing....


So basically it has no "expansion box" next to the svchost.exe that is hogging all the memory and when I hover over it all it says is

Command line:

svchost.exe

Path:

C:\Windows\System32\svchost.exe

Which doesn't tell me anything more. Going into the resource monitor in the task manager doesn't give me any extra information either.

You need to do more than just hover. You need to expand the svchost process (Ctrl+H for handles/files and Ctrl+D for DLLs) to look up which files and DLLs it's using. You can search the DLLs from within the program to see what they do.
 
Where I'm at right now.

Currently in safe mode with networking:

Ran MBAM (updated, version 2.1) and it found nothing
Ran rkill and it found nothing (I guess)
Running RogueKiller now (it stopped the svchost.exe that was hogging memory)

After that I'm going to make a clone of the current hard drive to save myself from damaging the install.

Will run MBAR, TDSSKiller and Adwcleaner again (still in safe mode with networking)

I'll try process hacker to see if it will give me more info on what may be the underlying culprit in my svchost.exe hogging memory.

Then I'll disable Windows Update (which components do I disable, or just turn Windows updates off)?

Then I'll try tweaking.com AIO repair and or combofix.



Main reason I care is that he uses a bookkeeping/mechanical shop software called Invomax. Unless he has an "active" subscription (which is $118 for 3 months) he cannot reinstall the software because THEY have to do it for you. They remote in, load the files and then remove any way for you to do it on your own. We have paid over $700 for this crap and are not willing to pay a cent more to "reload" the software we already own a license to use. SO if your hard drive crashes, or seizes up and you don't have an active subscription it will cost you ANOTHER $118 to get back the software.

Otherwise I'd have wiped and reloaded by now, would have saved much more time since it's almost the ONLY thing he uses on the computer.
 
Open Process Explorer, click the "View" menu, go to "Lower Pane View", select "DLLs"

Select the target svchost process in the main pane (the one that's hogging memory). Right-click the column header for the lower pane (DLL view pane) and click "Select Columns", check "WS Total Bytes", and click OK.

I think that has to do with the memory being used by the particular resource? Not sure though :D
 
It appears, for now, that disabling windows update MIGHT have fixed the issue. Time will tell for sure, but it seems to be working smoothly for now. Checking in the task manager shows roughly 500MB out of the 1GB memory being used.

The computer is decently snappy / responsive for what he needs it for. Launching chrome to a fully loaded home page takes around 5-8 seconds, and then navigating to a fully loaded page (choose NHL.com) takes around another 5-8 seconds. It's not a lightning bolt, but it's fast enough. I have another 1GB dimm lying around that I'm going to throw in it for him.



Open Process Explorer, click the "View" menu, go to "Lower Pane View", select "DLLs"

Select the target svchost process in the main pane (the one that's hogging memory). Right-click the column header for the lower pane (DLL view pane) and click "Select Columns", check "WS Total Bytes", and click OK.

I think that has to do with the memory being used by the particular resource? Not sure though :D

Thanks, I'll try that again.

The Gx270 is a Pentium 4 computer that takes DDR1 memory... Time to take it to the pasture.

I know it's old, but it works for his needs and it's running a modern OS. As long as it works, then I'm going to leave it working. Main reason is that his software (Invomax) is ridiculous in that THEY have to install the software for you. In order for that to happen, you need to be in their "subscription" service which is $118 every three months. If your subscription isn't active and you need to reload the software, you're SOL. You have to repay the fee for them to reload it for you again. I asked the sales rep/secretary to put me in contact with the manager, who wasn't in at the time. I still await that phone call.

If not for that mess, I'd consider upgrading his machine. IF and WHEN we get this sorted (or if disabling windows update fixed it) then I'm going to try to deploy a sysprepped image to another test computer. If that works without messing up the Invomax software I may try to upgrade his machine.
 
In Process Explorer, if I click on the svchost.exe that is hogging memory, nothing shows up in the Lower Pane View. It won't let me kill it either...

So it seems that shutting off Windows updates didn't do it.

I'm going to boot into safe mode and run TDSS, then MBAR and finally another shot of Adwcleaner before making an image and then trying tweaking AIO / combofix.

Hopefully that fixes it. I really don't want to have to deal with reloading this Invomax software again.
 