SVCHOST.exe spiking CPU

I see this from time to time, on both workstations and servers. Your system seems to be extremely sluggish or unresponsive. So you open up task manager and you see that a svchost.exe process using 50% or more of CPU. To complicate the matter, there are more than one svchost.exe processes running.

What is one to do???

In many cases, a recent Windows update may be the cause. But it’s hard to track down which update might be the culprit.

Meanwhile, here is what I will often do to at least quickly address and resolve the issue:

  1. Identify the PID of the spiking svchost
  2. Identify a list of services associated with that svchost occurrence
  3. Stop each service until you find the offender

Here’s the blow-by-blow:

Identify PID of svchost.exe that is spiking

  • Open up Task Manager
  • Click on View –> Select Columns… –> then click to check PID (Process identified)
    image    
    image
  • Click on the Image Name column to sort by name
  • Scroll down and find the PID number associated with the spiking svchost.exe service. In my case, it was PID 844.
    image

Identify list of services associated with that svchost.exe process

  • Leave Task Manager window open
  • Open up a command prompt window, and type TASKLIST /SVC and press enter
  • This will give you a list of specific services associated with each svchost.exe
  • Locate your PID and note all the actual services running under that instance.
    image

Identify specific service causing the spike

  • Open up Services console (Start –> Run –> services.msc)
  • Position the Services and Task Manager windows side by side
  • Now, one by one, from the Services window, locate each service listed for the associated PID, and stop or pause the service.
  • Then see if from the Task Manager window, if the svchost.exe suddenly drops back to normal. If so, you found your problem service!
  • In my case, I often find that Automatic Updates (wuauserv) Windows Management Instrumentation (winmgmt) to be the culprit. In this particular case, it was wuauserv causing the spike
    image

 

* These screenshots were taken from a Windows 2003 server, but the process is that same for other Windows platform. The only big difference is that the Task Manager window has a new format with Windows 8/2012, and they display the PID# automatically, saving you one step!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.