svchost.exe consuming GB's of private bytes
Hi Guys, We have two Windows 2008 R2 servers that are experiencing massive memory paging by svchost.exe. It takes around 6 hours, but one of the svchost.exe processes will consume more than 10GB of private bytes, using all the page file (and disk) causing an error 2004 in the event log. I believe this has something to do with a recent Windows Update. Any ideas to track this down? Under the process I cannot see any child processes.
August 8th, 2012 1:53am

Hi, Please check
Detecting Low Virtual Memory Conditions in Windows 2008 and R2 http://blogs.technet.com/b/mikelag/archive/2010/09/04/detecting-low-virtual-memory-conditions-in-windows-2008.aspx
Event ID 2004 Resource Exhaustion Detector http://technet.microsoft.com/en-us/library/cc774731(v=ws.10).aspx
Thx
Please give credit to the contributor who really helped you with the issues.
August 8th, 2012 2:05am

Both don't help. First link is for Exchange servers, which this isn't. One is a DC, other is a web server. I know what the error means, I want to know why svchost.exe has suddenly started consuming huge amounts of memory.
August 8th, 2012 2:06am

For RCA, you might want to involve MS PSS by creating a support request. Meantime, you may try using Process Explorer.
Please give credit to the contributor who really helped you with the issues.
August 8th, 2012 2:11am

> For RCA, you might want to involve MS PSS by creating support request. Meantime, you may try using process explorer. Please give credit to the contributor who really helped you with the issues.
Yep. Tried that... I just can't see much going on...
August 8th, 2012 2:16am

Disable the AV for a while on the DC and check how it behaves. If it doesn't solve the issue, you can also perform a clean boot and check the issue.
http://www.arabitpro.com
August 8th, 2012 4:17am

> Disable the Av for a while on the DC and check how it behaves ? if it doesn't solves the issue you can also perform a clean boot and check the issue. http://www.arabitpro.com
FYI, neither server has AV. Done clean boot, same issue.
August 8th, 2012 5:20am

This is what I'm seeing:
August 8th, 2012 4:37pm

Double-click the svchost.exe, go to the services, and please let us know what services you have running there.
http://www.arabitpro.com
August 9th, 2012 3:59am

> double click the svchost.exe go to the services and please let us know what all services you have running there. http://www.arabitpro.com
Found the issue. The services were Event Log. Looking at the event log, we noticed thousands of Security messages in the Security Event Log. Checking the domain group policy, we found that someone had enabled auditing on everything, failure and success. They had also set each event log to 1 GB. So, we reverted all this to Windows defaults, reset the process and the problem has gone away. What's the best way to track changes made like this so we can track down who changed this in future? Thanks for all the help.
August 9th, 2012 6:14pm

Just letting you know this problem has now happened on another server. Settings are completely different (Default Domain Policy) so nothing with the event log is configured through group policy. Same service grew and used all available disk. There has to be a Windows update that has caused this. These problems have only arisen after the latest patches.
August 12th, 2012 6:41pm

I am having this same exact issue on about 10 different servers in two different customer sites. These are domain controllers that only get Windows Updates installed (nothing else). This problem started less than 2 weeks ago. Anyone else having this issue? Any solutions yet? I have a case open with Microsoft and they are still looking into it. For now, I am monitoring virtual memory usage and when it exceeds 70%, I am killing the svchost.exe process for Event Log service. This frees up virtual memory and starts the cycle again.
August 27th, 2012 7:42pm
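
The diagnostic path followed in this thread (find which services the large svchost.exe hosts, then check event log size limits, Security log volume and the audit policy), as an added PowerShell example that is not part of any poster's reply. It uses only cmdlets available in PowerShell 2.0 on Windows Server 2008 R2 and must run elevated; the 1 GB threshold, one-hour window and 50000-event cap are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
$thresholdGB = 1       # assumption: flag svchost instances at or above this many GB of private bytes
$lookbackHrs = 1       # assumption: hours of Security log to sample
$maxEvents   = 50000   # assumption: cap so the sample stays bounded on a flooded log

# 1. Map every svchost.exe PID to the services it hosts, largest private bytes first.
$services = Get-WmiObject Win32_Service -Filter "State='Running'"
$report = Get-Process -Name svchost | ForEach-Object {
    $p = $_
    $hosted = $services | Where-Object { $_.ProcessId -eq $p.Id } | ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        ProcessId      = $p.Id
        PrivateBytesGB = [math]::Round($p.PrivateMemorySize64 / 1GB, 2)
        Services       = ($hosted -join ', ')
    }
} | Sort-Object PrivateBytesGB -Descending
$report | Format-Table ProcessId, PrivateBytesGB, Services -AutoSize -Wrap

# 2. Is the oversized instance the one hosting the Windows Event Log service (service name: eventlog)?
$suspect = $report | Where-Object {
    $_.PrivateBytesGB -ge $thresholdGB -and $_.Services -match '(^|, )eventlog(,|$)'
}
if ($suspect) {
    Write-Output "svchost PID $($suspect.ProcessId) hosts eventlog and holds $($suspect.PrivateBytesGB) GB"

    # 3. Configured maximum size, current file size and record count of the classic logs.
    Get-WinEvent -ListLog Application, System, Security |
        Select-Object LogName, MaximumSizeInBytes, FileSize, RecordCount |
        Format-Table -AutoSize

    # 4. Which event IDs are filling the Security log? A few IDs dominating the
    #    count points at an over-broad success/failure audit policy.
    $since = (Get-Date).AddHours(-$lookbackHrs)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
                 -MaxEvents $maxEvents -ErrorAction SilentlyContinue |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize

    # 5. Effective audit policy on this machine, to compare against what Group Policy should apply.
    auditpol /get /category:*
} else {
    Write-Output "No svchost instance hosting eventlog is at or above $thresholdGB GB."
}
```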

This topic is archived. No further replies will be accepted.
