wuauserv causing svchost memory usage to explode

To be honest, I started out investigating the wrong thing. This all started because I would have errors in Chrome. The Aww, Snap or It's Dead Jim errors, etc. Or Chrome would just crash and I would relaunch and restore. I did normal Chrome things like check the shockwave and flash files, disable extensions, and finally created a new user profile. But I still got application exception errors after that.

Then I saw it.

I had Task Manager open and saw one of the svchost instances jump from a normal 22,988 K to 995,688 K!!! And then saw it go higher! And at the bottom of task manager, my Physical Memory was at 86% instead of it's normal 30-40%.

So first I looked at which services were associated with that svchost process. The services were: BITS, Browser, IKEEXT, iphlpsvc, LanmanServer, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmmt, & wuauserv.

Of those, the only one I knew exactly what it was associated with was wuauserv. So I stopped that service. As *SOON* as I stopped it, the memory for svchost dropped back down to normal.

So I left wuaserv stopped and set startup to Manual.

About 15 or 20 minutes later, something started it back up and memory exploded to the same levels again. So I stopped it and again, memory usage dropped back down. This time I set wuauserv startup to Disabled.

So, I guess what I am looking for is suggestions on what to troubleshoot or clear or cleanup so that I can start wuauserv without the excessive memory usage causing exception errors and causing Chrome to crash.

My system is a homebuilt system running Win 7 Home Premium x64. 8gb ram. Plextor 256gb ssd. Asus P8Z68-V board. i5-2500k cpu.

There are a multitude of unintended consequences with disabling Services in an OS as lean as Win7. Better to repair, if you're confident you already have a solid install. If not look over these steps which compile everything that works best in a Clean Reinstall Windows 7.

Otherwise work through the Troubleshooting Steps for Windows 7 starting with establishing a Clean Boot, running full Malwarebyte and SuperAntiSpyware scans, then System File Checker. If these don't resolve it then continue working through the steps which almost always pin down the problem if not the solution.

Thanks for the recommendations. While I was waiting on responses, I did 2 things.

1. I did run SFC and it came back fine.

2. I ran Disk Cleanup and let it clean up update files.

After a reboot, I re-enabled the wuauserv service. And started it. Then went to Windows Update to check for updates. svchost did once again explode. From 23,699 to 1,013,xxx and higher. However...unlike before where my physical memory percentage shot up from around 30% to 86%, this time it stayed in the 30-42% range (though admittedly, I didn't have Chrome running). I did all critical updates then made sure Windows Updates was set to never check for updates (but left wuauserv alone) and rebooted.

After reboot, something did call on wuauserv. Don't know what since Updates were set to never check, but something did start it. And svchost again went up...but a whole lot less...only into the 450,000 range. And physical memory again stayed reasonable. And now, after a while, svchost is back to normal and physical memory is sitting at 28%.

So...the problem is most definitely related to the Windows Update agent. And I would like to know what starts it even though Updates are set to never check.

To be honest, I might just re-disable wuauserv. After troubleshooting this all day I won't lose any sleep if wuauserv is disabled since I had updates set to Never Check anyway.

Layback Bear said:

Why would you not want Windows 7 Updates?

Mostly because it is far easier to remember the times that updates have caused problems than all the times they don't.

And at the moment I would much rather eliminate the source of high memory usage and other applications crashing. And if that source is Windows Update (wuauserv) then so be it.

I'm still trying to figure out what process or app causes wuauserv to start up even with Windows Update set to Never Check. Something starts it. Just can't tell what yet. I checked the WindowsUpdate.log and when it starts up, the "Caller ID = " is blank. (When Windows Update is set to auto check instead of never, then Caller ID is Windows Update.)

One of my next steps may be to delete (or at least rename) the c:\windows\SoftwareDistribution folder. But I'm putting that off as a last resort item.

Or I may just go with leaving wuauserv set to disabled and just manually enable whenever I want to check for updates.

Everything else on the system has been fine and continues to be fine. And when wuauserv has been disabled I have had no Chrome problems at all versus the previous multiple crashes a day. And physical memory usage is remaining in a normal 30-45% range rather than 86%.

Layback Bear said:

Must be your system.
Billions of people around the world get Windows Update.

Yes...thus the reason I posted here in the first place?

If you complete this tutorial and post the log here maybe one of our experts can locate your problem.
Windows Genuine and Activation Issue Posting Instructions

Umm...yes, my system is 100% legit.

Code:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-MHF4X-F993M-WP3HY
Windows Product Key Hash: iKlhBEVaG4AHWXRNEfXRhw5o1l0=
Windows Product ID: 00359-029-2937851-85598
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {18776FFE-BE68-413A-A0A3-E8450DB6241F}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.150202-1526
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Users\myname\AppData\Local\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{18776FFE-BE68-413A-A0A3-E8450DB6241F}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-WP3HY</PKey><PID>00359-029-2937851-85598</PID><PIDType>5</PIDType><SID>S-1-5-21-3923643399-1494497486-2402846068</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3402</Version><SMBIOSVersion major="2" minor="6"/><Date>20120507000000.000000+000</Date></BIOS><HWID>86F53407018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>6855CA46CF2670E</Val><Hash>11bbwyn613bTntmR6guNrXMMM0c=</Hash><Pid>81605-903-3698862-65283</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-029-293785-01-1033-7600.0000-2562011
Installation ID: 002531874304391151258171475152350903300900943780009196
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: WP3HY
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 3/20/2015 11:31:51 AM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: NAAAAAIAAwABAAEAAQABAAAAAgABAAEAln3CWk409jt4GayLGl148yQ73ojKxF8DEkcucw==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			ALASKA		A M I
  FACP			ALASKA		A M I
  HPET			ALASKA		A M I
  MCFG			ALASKA		A M I
  SSDT			SataRe		SataTabl
  SSDT			SataRe		SataTabl
  SSDT			SataRe		SataTabl
  BGRT			ALASKA		A M I

Malware Bytes...only found 5 registry entries

Code:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/20/2015
Scan Time: 11:41:47 AM
Logfile: MBAM.txt
Administrator: Yes

Version: 2.01.4.1018
Malware Database: v2015.03.20.05
Rootkit Database: v2015.02.25.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: myname

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 371988
Time Elapsed: 4 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.MyFreeze.A, HKLM\SOFTWARE\WOW6432NODE\Freeze.com, Quarantined, [dee73c0b8cfe48ee878c853cc2414db3], 
Adware.TryMedia, HKU\S-1-5-21-3923643399-1494497486-2402846068-1000\SOFTWARE\Trymedia Systems, Quarantined, [a71ec97e206a3afcf5e9146743c18977], 
PUP.Optional.InstallCore.A, HKU\S-1-5-21-3923643399-1494497486-2402846068-1000\SOFTWARE\INSTALLCORE\1I1T1Q1S, Quarantined, [3c892c1b2169360013a3ac559b69a65a], 
PUP.Optional.InstallCore.A, HKU\S-1-5-21-3923643399-1494497486-2402846068-1000\SOFTWARE\INSTALLCORE, Quarantined, [576e301782080b2bd9b773a4897ce61a], 

Registry Values: 1
PUP.Optional.InstallCore.A, HKU\S-1-5-21-3923643399-1494497486-2402846068-1000\SOFTWARE\INSTALLCORE|tb, 0G2Y1R2X0G1M2S1M0G1S1H, Quarantined, [576e301782080b2bd9b773a4897ce61a]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

SuperAntiSpyware...found a couple hundred Adware Tracking Cookies. Can post the whole log if desired, but only found these tracking cookies.

Also, because I don't think I mentioned it above, my AV program is ESET NOD32.

SFC /SCANNOW = Windows Resource Protection did not find any integrity violations.