Win2k8R2 svchost.exe suddenly starts to use all memory

Dear all

I have a Windows 2008 R2 SP1 + current patch level Remote Desktop Host. Installed are a lot of applications, SCCM 2012 Client, Kaspersky AntiVirus Enterprise Edition.

Yesterday I had the problem that the svchost.exe was using all RAM of the server (32GB) and had a private working set of 120GB. A quick "fix" was to restart the server. And now after around 24h I have the same problem again.

I did not change anything on the server except installing the Microsoft CA hotfix against Flame.

The svchost that has this problem controls these services:

svchost.exe
AeLookupSvc, CertPropSvc, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, SENS, SessionEnv, ShellHWDetection, Themes, Winmgmt  

The server has now been running for 2 years without any problems and now it starts :/

After a restart this svchost.exe is using just 48MB RAM.

Thanks for any tips

JBAB

June 8th, 2012 11:57am

Hi,

For troubleshooting purposes please reconfigure so that the services for this group run in their own process.  To do this you may create a .cmd file using Notepad with the following contents:

sc config AeLookupSvc type= own
sc config Appinfo type= own
sc config AppMgmt type= own
sc config BITS type= own
sc config Browser type= own
sc config CertPropSvc type= own
sc config EapHost type= own
sc config gpsvc type= own
sc config hkmsvc type= own
sc config IKEEXT type= own
sc config iphlpsvc type= own
sc config LanmanServer type= own
sc config MMCSS type= own
sc config MSiSCSI type= own
sc config ProfSvc type= own
sc config RasAuto type= own
sc config RasMan type= own
sc config RemoteAccess type= own
sc config sacsvr type= own
sc config Schedule type= own
sc config SCPolicySvc type= own
sc config seclogon type= own
sc config SENS type= own
sc config SessionEnv type= own
sc config SharedAccess type= own
sc config ShellHWDetection type= own
sc config Themes type= own
sc config wercplsupport type= own
sc config Winmgmt type= own
sc config wuauserv type= own

After saving the file please double-click to apply the changes and then restart your server so that they will take effect.

After restarting your server please open task manager, select the Processes tab, and sort the display by the memory column so that the processes that are using the most memory will appear on top.  When one of the services starts to use too much memory you will be able to right-click on it and choose Go to Service(s) and you will know which service is misbehaving.

Thanks.

-TP

June 8th, 2012 12:24pm
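
To check the result of the procedure in the reply above from the command line, here is an added example (not part of the original thread) that lists every svchost.exe instance with its memory use and the services it hosts, then shows which svchost services are still configured as shared. It assumes an elevated PowerShell prompt and uses only cmdlets available in PowerShell 2.0, the version shipped with Windows Server 2008 R2.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

# Running services grouped by the process ID that hosts them.
$hosted = Get-WmiObject -Class Win32_Service -Filter "State = 'Running'" |
    Group-Object -Property ProcessId

# One row per svchost.exe instance, largest private memory first.
$report = Get-Process -Name svchost | ForEach-Object {
    $proc = $_
    # Group-Object stores the grouping key as a string, so compare as string.
    $svcs = @($hosted |
        Where-Object { $_.Name -eq [string]$proc.Id } |
        ForEach-Object { $_.Group })
    New-Object PSObject -Property @{
        PID          = $proc.Id
        PrivateMB    = [math]::Round($proc.PrivateMemorySize64 / 1MB, 1)
        WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        Shared       = ($svcs.Count -gt 1)   # more than one service in this process
        Services     = (($svcs | ForEach-Object { $_.Name }) -join ', ')
    }
} | Sort-Object -Property PrivateMB -Descending

$report | Format-Table PID, PrivateMB, WorkingSetMB, Shared, Services -AutoSize

# Services hosted by svchost.exe that are still configured as shared.
# After "sc config <name> type= own" and a reboot, the reconfigured
# services should no longer appear in this list.
Get-WmiObject -Class Win32_Service -Filter "ServiceType = 'Share Process'" |
    Where-Object { $_.PathName -like '*svchost.exe*' } |
    Sort-Object -Property Name |
    Format-Table Name, State, ProcessId -AutoSize
```

Once the misbehaving service is identified, `sc config <service> type= share` followed by a restart returns a service to its shared svchost group.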

Hi TP

Thanks. I have set it and I will restart the server this evening. Then I am wondering if it happens again and will report.

best

JBAB

June 8th, 2012 12:37pm

Hi TP

At the moment everything is (still) normal. What I can see now is that winmgmt is using the most RAM of all svchost.exe processes (100MB) and it is slowly growing (started at 50MB). Perhaps something with SCCM.

Because I have discovered on this server:

------------------

A provider, PolicyAgentInstanceProvider, has been registered in the Windows Management Instrumentation namespace root\CCM\Policy\<sid> to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

------------------

I already read KB2688239 so there is something wrong. I opened a thread in the SCCM section.

best

JBAB


June 12th, 2012 7:30am

Did you find the problem? I have the exact same problem, only with Windows Server 2008 Service Pack 2.

Any help would be appreciated.

Thanks

Jim

July 25th, 2012 10:50pm

Hi IbJim

No, unfortunately not really. It didn't happen again :/ And I have no idea why it happened twice and now no longer.

For the WMI error from SCCM I opened a CSS case.

best

JBAB

July 26th, 2012 6:37am

Hi,

Well if it happens again:

I split all the services out of the problem svchost into their own svchost: http://blogs.technet.com/b/askperf/archive/2008/01/11/getting-started-with-svchost-exe-troubleshooting.aspx

What I found using all the memory was winmgmt (Windows Management Instrumentation). If I just killed the svchost that only contained winmgmt, everything went back to normal with no problems (until it happened again).

I also found that running any type of virus scanner would cause the problem. The one that would cause it every time was "HouseCall". It would reach 16% and away svchost would go.

So I don't know if it is a corrupt WMI repository or a virus. In my case, I just stopped the service. I was already in the process of upgrading the functions on that computer to larger hardware.

Good Luck

Jim

July 30th, 2012 3:53am

Hi, 

I got that issue on my Win 7. The svchost.exe takes over 1GB.

When I disable the network adapter or turn off Microsoft Security Essentials, the issue disappears.

Dang.

April 15th, 2015 11:23pm

This topic is archived. No further replies will be accepted.
