I read through the articles on svchost and CPU utilization. I am wondering if the same goes for svchost and memory utilization. I have been trying to trace back to when this started and cannot. But, the problem is I have one svchost process that will accumulate very large amounts of physical and virtual memory (almost 2 GBs!) which slows my system down considerably. I have ended this process without my computer shutting down consistently, the process just restarts. Is there a way to trace the PID to the program executing this?
As I’ve discussed in prior articles, svchost is a required system component. It’s the “host” for a variety of “services”, hence the name – service host or svchost.
It gets complicated because there may be multiple copies of svchost.exe running, and each copy of svchost .exe may be hosting multiple services.
Why it’s organized that way is probably beyond mortal comprehension, but there are some tools and techniques to try and isolate which svchost is doing what.
]]>
I’ll start with one of my favorite tools: Process Explorer (or just “procexp”). It’s a free download from Microsoft, and to sum it up it’s Task Manager on steroids. Download and run it.
Clicking on a column header in procexp will sort by the contents of that column. Here’s the top of the list on my laptop as I type this:
You can see that Firefox, Thunderbird, Snagit and of course a few copies of svchost are the top VM users on my machine right now. I’m guessing you did something similar to determine that svchost was taking up 2 gigabytes of virtual memory on yours.
Hover your mouse pointer over one of those svchost’s and you’ll get a very enlightening tooltip:
This is showing the list of services that this particular instance of svchost happens to be hosting. In this case the list is pretty long, but it’ll vary from svchost to svchost. Some may host only one, others – like this one – may host many different services.
You can view this same list by right clicking on the svchost.exe, selecting Properties, and then clicking on the Services tab:
So now we can see which svchost is taking up all your memory, and which services it specifically hosts.
Now what?
Trial and error, mostly.
If you’re lucky, the svchost that’s causing you problems only hosts one or a few services, because the next step is to simply try stopping the services one at a time (if you can), and seeing what happens.
As you can see in the properties dialog above, you can actually select one of the services that the svchost is hosting and stop it. That should release the resources that service is eating up. Now, not all services can, or should be stopped. Pay attention to the descriptive text that’s displayed for each.
If you can stop the service, and you notice that all of a sudden your svchost releases the 2GB of virtual memory, you’ve found your culprit.
What happens next, of course, depends on exactly what service that was, but it at least gives you additional direction for your investigation.
Even if you can’t determine exactly which service is causing the issue by stopping it, just knowing the list of services involved narrows down your search and may give you additional information you can use to diagnose the problem.
