Windows – svchost.exe taking 25% cpu

cpu usage, svchost, windows 7

For some time now I have been noticing that one of my svchost.exe instances was constantly taking 25% CPU time on my 4-core Win7 Ultimate PC. This particular service host is hosting:

  1. Cryptographic Services (CryptSvc)
  2. Dns Client (DnsCache)
  3. Network Location Awareness (NlaSvc)
  4. Workstation (Lanman Workstation)

I suspected a virus but Windows Essential is up to date and reports nothing, and Autoruns doesn't show anything unusual.

Thanks for the help!

As per request the stack of the thread taking up 25% cpu:

ntkrnlpa.exe!KeSetEvent+0x2a1
ntkrnlpa.exe!KeDelayExecutionThread+0x5cc
ntkrnlpa.exe!KeWaitForMutexObject+0x393
ntkrnlpa.exe!KeQueryHighestNodeNumber+0x9fe
halmacpi.dll!KfRaiseIrql+0xcb
halmacpi.dll!KeRaiseIrqlToSynchLevel+0x8f
halmacpi.dll!HalEndSystemInterrupt+0x67
halmacpi.dll!HalInitializeProcessor+0xae8
ncsi.dll!NcsiIdentifyUserSpecificProxies+0x3a47
ncsi.dll+0x31f0
ncsi.dll!NcsiIdentifyUserSpecificProxies+0x4c92
ncsi.dll+0x1e93
ncsi.dll+0x20a2
ncsi.dll+0x1808
ncsi.dll+0x2240
ntdll.dll!RtlIsCriticalSectionLockedByThread+0x474
kernel32.dll!BaseThreadInitThunk+0x12
ntdll.dll!RtlInitializeExceptionChain+0x63
ntdll.dll!RtlInitializeExceptionChain+0x36

Looks like some kind of interrupt problem in the HAL? I'll try updating all my drivers and report back.

Best Answer

Whenever anyone finds themselves in a situation like this, the first step is to stop each of the hosted services one-by-one, waiting a few moments between each, and checking to see if the usage drops. Once you have narrowed down the problem to the specific service, then you can do a web-search to find out if others have experienced the same problem.

In this instance, it was likely indeed the DNS service (Mikle did not indicate why he thinks it is not, and his assumption about the HAL is specious).

Of the services indicated, the only one that is known to cause a 100% CPU load is the DNS service. (The only references to a high CPU load in regard to the other services are with Vista+ where they are sharing the same svchost instance as the DNS service. Sadly it often ends up going undiagnosed.[1][2]) That it would only have taken 25% of the CPU load makes sense because he said it was a four-core processor, so the DNS service was using 100% of the core it was using.

The problem occurs whenever the HOSTS file grows “too large”; for some reason, whenever the HOSTS file has too many entries, the DNS service goes into a tail-spin, starts pegging the CPU, and never recovers (no, leaving it a long time to eventually finish does not work because it never finishes, even after days).

What had likely happened in this case is that Mikle had downloaded and installed a large HOSTS file like those available from some MSMVPs or had used SpyBot’s immunization function.

Unfortunately the only option in this case is to either strip the HOSTS file down to only a few entries, or to disable the DNS service.

Note that once the DNS service flies off the handle, you will not likely be able to simply stop it like a normal service; you must actually kill the instance of svchost.exe that is hosting it. This isn’t so bad in XP because it usually gets its own copy, but in 7, it shares a copy with a few other services (though nothing critical, so you can simply re-start the other services once you have disabled the DNS service).
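
As an added example (not part of the original answer), a small Python audit for the condition described above: it counts active HOSTS entries, separates blocklist-style sinkhole entries from real mappings, and renders the stripped-down file. The 1000-entry threshold, the function names and the sample data are assumptions; the answer gives no number for "too large".

```python
import ipaddress

# Assumed threshold: the answer only says "too large"; tune it for your machines.
MAX_ENTRIES = 1000
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (ip, [names]) for each active line, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        if len(fields) > 1:
            yield fields[0], fields[1:]

def audit_hosts(text, max_entries=MAX_ENTRIES):
    """Split entries into real mappings and blocklist-style sinkhole entries."""
    keep, sinkholed = [], []
    for ip, names in parse_hosts(text):
        for name in names:
            if ip in SINKHOLES and name.lower() not in LOCAL_NAMES:
                sinkholed.append(name)
            else:
                keep.append((ip, name))
    total = len(keep) + len(sinkholed)
    return {"total": total, "keep": keep, "sinkholed": len(sinkholed),
            "oversized": total > max_entries}

def stripped_hosts(report):
    """Render a minimal HOSTS file containing only the real mappings."""
    return "".join(f"{ip}\t{name}\n" for ip, name in report["keep"])

# Constructed sample: two real mappings plus a generated 5000-line blocklist.
SAMPLE = ("# constructed sample\n127.0.0.1 localhost\n"
          "10.0.0.5 fileserver.example.internal  # NAS\n"
          + "".join(f"0.0.0.0 ads{i}.example.com\n" for i in range(5000)))

if __name__ == "__main__":
    report = audit_hosts(SAMPLE)
    print(report["total"], report["sinkholed"], report["oversized"])
    print(stripped_hosts(report), end="")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; review the `keep` list before writing anything back.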