svchost.exe consuming GB's of private bytes
Hi Guys,
We have two Windows 2008 R2 servers that are experiencing massive memory paging by svchost.exe. It takes around 6 hours, but one of the svchost.exe processes will consume more than 10GB of private bytes, using all the page file (and disk) causing an error 2004 in the event log.
I believe this has something to do with a recent Windows Update.
Any ideas to track this down? Under the process I cannot see any child processes.
August 8th, 2012 1:53am
Hi,
Please check
Detecting Low Virtual Memory Conditions in Windows 2008 and R2
http://blogs.technet.com/b/mikelag/archive/2010/09/04/detecting-low-virtual-memory-conditions-in-windows-2008.aspx
Event ID 2004 Resource Exhaustion Detector
http://technet.microsoft.com/en-us/library/cc774731(v=ws.10).aspx
Thx
Please give credit to the contributor who really helped you with the issues.
August 8th, 2012 2:05am
Both don't help. First link is for Exchange servers, which this isn't. One is a DC, other is a web server. I know what the error means, I want to know why svchost.exe has suddenly started consuming huge amounts of memory.
August 8th, 2012 2:06am
For RCA, you might want to involve MS PSS by creating support request.
Meantime, you may try using process explorer.
Please give credit to the contributor who really helped you with the issues.
August 8th, 2012 2:11am
For RCA, you might want to involve MS PSS by creating support request.
Meantime, you may try using process explorer.
Please give credit to the contributor who really helped you with the issues.
Yep. Tried that... I just can't see much going on...
August 8th, 2012 2:16am
Disable the AV for a while on the DC and check how it behaves. If it doesn't solve the issue, you can also perform a clean boot and check the issue.
http://www.arabitpro.com
August 8th, 2012 4:17am
Disable the AV for a while on the DC and check how it behaves. If it doesn't solve the issue, you can also perform a clean boot and check the issue.
http://www.arabitpro.com
FYI, never servers have AV. Done clean boot, same issue.
August 8th, 2012 5:20am
This is what I'm seeing:
August 8th, 2012 4:37pm
Double click the svchost.exe, go to the services and please let us know what all services you have running there.
http://www.arabitpro.com
August 9th, 2012 3:59am
double click the svchost.exe go to the services and please let us know what all services you have running there.
http://www.arabitpro.com
Found the issue.
The services were Event Log. Looking at the event log we noticed thousands of Security messages on the Security Event Log. Checking the domain group policy, we found that someone had enabled auditing on everything, failure and success. They had also set each event log to 1GB. So, we reverted all this to Windows defaults, reset the process and the problem has gone away.
What's the best way to track changes made like this so we can track down who changed this in future?
Thanks for all the help.
August 9th, 2012 6:14pm
Just letting you know this problem has now happened on another server. Settings are completely different (Default Domain Policy) so nothing with the event log is configured through group policy. Same service grew and used all available disk.
There has to be a Windows update that has caused this. These problems have only arisen after the latest patches.
August 12th, 2012 6:41pm
I am having this same exact issue on about 10 different servers in two different customer sites. These are domain controllers that only get Windows Updates installed (nothing else). This problem started less than 2 weeks ago. Anyone else having this issue?
Any solutions yet? I have a case open with Microsoft and they are still looking into it. For now, I am monitoring virtual memory usage and when it exceeds 70%, I am killing the svchost.exe process for Event Log service. This frees up virtual memory and starts the cycle again.
August 27th, 2012 7:42pm
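The checks discussed in this thread (which services a large svchost.exe hosts, what the effective audit policy is, and how the event logs are sized), collected as an added example that is not from any poster. It assumes an elevated PowerShell 2.0+ session and English-language `auditpol` output; the 1GB threshold is an arbitrary assumption, and the last step assumes the GroupPolicy module (GPMC) is installed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$thresholdBytes = 1GB   # assumed alert level for private bytes

# 1. Map every PID to the services it hosts (Win32_Service.ProcessId).
$servicesByPid = Get-WmiObject Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

# 2. List svchost.exe instances by private bytes with their hosted services.
Get-Process -Name svchost |
    Sort-Object PrivateMemorySize64 -Descending |
    ForEach-Object {
        $proc   = $_
        $hosted = @($servicesByPid["$($proc.Id)"] | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            ProcessId     = $proc.Id
            PrivateMB     = [math]::Round($proc.PrivateMemorySize64 / 1MB)
            OverThreshold = ($proc.PrivateMemorySize64 -gt $thresholdBytes)
            Services      = ($hosted -join ', ')
        }
    } |
    Format-Table ProcessId, PrivateMB, OverThreshold, Services -AutoSize

# 3. Effective audit policy: subcategories logging both Success and Failure.
#    The match string assumes English auditpol output.
auditpol /get /category:* | Select-String 'Success and Failure'

# 4. Configured size, current size and record count of the main event logs.
Get-WinEvent -ListLog Security, Application, System |
    Select-Object LogName, LogMode, RecordCount,
        @{ n = 'MaxMB';  e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
        @{ n = 'FileMB'; e = { [math]::Round($_.FileSize / 1MB) } } |
    Format-Table -AutoSize

# 5. Most recently modified GPOs. This shows when a GPO changed, not who
#    changed it. Assumes the GroupPolicy module is available on this host.
Import-Module GroupPolicy
Get-GPO -All |
    Sort-Object ModificationTime -Descending |
    Select-Object -First 10 DisplayName, ModificationTime, Id |
    Format-Table -AutoSize
```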