svchost.exe using 90+% Traffic constantly?

I have just noticed that for some strange reason svchost.exe is using almost 100% of the traffic constantly. Previously this would have dropped as soon as I opened my browser (Firefox) and then FF would have the biggest percentage, but now I get about 5% for FF while svchost is still hogging over 90%. Can anyone advise me on how to redeem this situation?

On the summary page you’ll have bar graphs. How many SVCHosts are listed? Are they all outbound? When you click on the outbound connections, it’ll open up a window that shows the connections. What is the destination of the SVCHost connections? Are the bytes in and out changing?

I’ve noticed that these connections can hang around for a while, but eventually they should die. What are your Windows Auto Update settings? Is it configured to automatically download and install?

To identify the nature of the problem we’d need the PID of the svchost instance and the individual services hosted by that instance of svchost. Unless you’re using a third-party process viewer such as Process Hacker or Process Explorer you can do the following:

  1. Open CIS and then View Active Connections
  2. Identify the instance of svchost that appears to be causing the high volume of traffic and note the PID (the number in square brackets)
  3. Open a command prompt and type tasklist /SVC
  4. Find svchost and the PID then look at the services listed against that PID

Report the information here.
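The PID-to-service lookup in the steps above can also be done offline on captured command output. The following is an added example, not part of the original thread: it assumes English-language output from tasklist /SVC /FO CSV and netstat -ano, the sample data is constructed (PID 428 and its services mirror the listing posted further down the thread, the addresses are documentation ranges), and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of: tasklist /SVC /FO CSV
TASKLIST_CSV = '''\
"Image Name","PID","Services"
"svchost.exe","428","BITS,Browser,gpsvc,IKEEXT,iphlpsvc,LanmanServer,Schedule"
"svchost.exe","812","Dhcp,EventLog,lmhosts"
"firefox.exe","3120","N/A"
'''

# Constructed sample of: netstat -ano
NETSTAT_ANO = '''
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49160     203.0.113.5:80         ESTABLISHED     428
  TCP    192.168.1.10:49161     203.0.113.9:443        ESTABLISHED     428
  TCP    192.168.1.10:49170     198.51.100.7:443       ESTABLISHED     3120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:3544           *:*                                    428
'''

def services_by_pid(tasklist_csv):
    """PID -> service names, for svchost.exe rows only."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): [s.strip() for s in r["Services"].split(",")]
            for r in rows if r["Image Name"].lower() == "svchost.exe"}

def peers_by_pid(netstat_text):
    """PID -> set of remote endpoints with an ESTABLISHED TCP connection."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 fields; UDP rows lack a State column and are skipped.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            peers[int(f[4])].add(f[2])
    return dict(peers)

def triage(tasklist_csv, netstat_text):
    """Join both outputs: svchost PIDs that hold live connections."""
    svc, peers = services_by_pid(tasklist_csv), peers_by_pid(netstat_text)
    return {pid: {"services": svc[pid], "peers": sorted(peers[pid])}
            for pid in svc if pid in peers}

if __name__ == "__main__":
    for pid, info in triage(TASKLIST_CSV, NETSTAT_ANO).items():
        print(f"svchost.exe [{pid}]: {', '.join(info['services'])}")
        for peer in info["peers"]:
            print(f"    -> {peer}")
```

A shared svchost instance hosts many services under one PID, so the join only narrows the suspects; stopping candidate services one at a time is still needed to pin down the talker.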

I can almost bet you got an HP printer. This sounds very much like the numerous other posts I have seen about HP’s network monitoring utility, which is nonetheless incredibly buggy and many times causes massive CPU hogs as well. Poor programming across all their drivers, if you ask anyone who knows a little IT and has had one of these all-in-one printers or had clients dealing with one.

I had this very same weird situation, did the research and turns out, this instance of svchost is used for this particular purpose

further reading:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1177917
and a late patch from HP (use at your own risk, make sure model numbers match)
http://h10025.www1.hp.com/ewfrf/wc/softwareCategory?lc=en&dlc=en&cc=us&lang=en.&os=228&product=2512010

keyword that got me to notice the CPU hog issue: hpslpsvc from cmd window

Good luck to you and thanks for posting this issue, for a moment I thought security breach and was too paranoid not to follow it up quickly. And also thanks for the little instructions above, they made this fast and str8 fwd ;)

I've started having this problem recently as well. Just a couple of days ago it was working absolutely fine, and then I noticed that svchost.exe started hogging 80%+ of the network traffic. I've tried looking around for a reason, but can't seem to find anything.

The information I got from tasklist /svc was the following:

svchost.exe 428 BITS, Browser, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt,

edit: bumping once to see if anyone can help.

bumping once to see if anyone can help.

As this is network related, my guess would be iphlpsvc. You can check this easily enough by running services.msc from the start menu. When the service console opens, scroll down until you find the IP Helper service. Temporarily stop the service and observe the network performance.

It seems to be changing between svchosts every now and then. The last two reboots have been other svchosts hogging traffic. Not as much as the one I stated above though.

Is iphlpsvc needed at all or is it OK to turn it off?

It’s primarily used to support IPv6 and disabling it for an hour or two whilst you observe network traffic is not going to hurt.

Hmm… this time it was the same svchost as above that was hogging, so I turned off iphlpsvc for about an hour, and granted it went down a bit, to around 25-30%. After turning it back on it has stayed around this.

So yeah, don't know what to make of this =/

As I said earlier, the IP helper service is primarily used to support IPv6, specifically IPv6 tunnelling. If you’re not using this feature, you can disable it by copying and pasting the following into a command prompt. The process is reversible:

netsh interface ipv6 set privacy state=disable
netsh interface ipv6 6to4 set state state=disabled
netsh interface ipv6 isatap set state state=disabled
netsh interface ipv6 set teredo disabled

How would I know if I'm using it?

I guess I'll turn it off and just see if there's any problems.

Unless your ISP is offering native IPv6 (you’ll have to ask them) you will only be able to use IPv6 tunnelling techniques, such as Teredo or 6to4. At this time the only reason to be actively using IPv6 is if you have a specific requirement, or you’re actively testing the protocol. Using the method described above, you’re simply disabling the tunnelling aspects of the protocol, so if your ISP does supply native IPv6, you won’t be affected.

Well then, I turned it all off, and it seems that svchost isn't hogging anymore.

Thanks a lot for the help :)