svchost.exe (netsvcs) draining all my memory

ripsw · 12 Jul 2015

ask2solve turned off BITS and still seeing memory being consumed. The svchost process that is taking the memory is the on that contains the nsi service.
Nedly, im seeing a problem with memory be consumed not a cpu issue, thanks.

Nedly · 12 Jul 2015

O I agree that it is not a cpu issue, but the other issues with these services intertwine with the same conflicts, the issue varies based on a specific combination of services. The machines I have dealt with so far have been memory issues as well. I watched a Windows system power on and instantly fill 4gb's of nonsense. It is a memory leak issue.

We are on the right trail though. I am currently firing up some stuff to try tracking it down. I have to try and replicate some different hardware to get to the issues. From what I can tell so far it is system based, not software based. Even if the software aspect is caused because of specific hardware, it still seems to be a conflict based on specific services with specific hardware.

I have to compile case information to try and find the similarities first. I might have something good to post by tonight. Full time CIS/ISS student so I am pretty busy but I plan to try and figure this out. Personally I love tracking down bugs.

Callender · 12 Jul 2015

ask2solve said:

Go services
search for Background Intelligence Transfer Service
double click on that
stop the service status
and startup type disable
all done

Startup type for BITS should be manual

If disabled windows will not be able to check for updates.

svchost.exe (netsvcs) draining all my memory-bits-service-properties.jpg

Refer again to Brink's script:

Code:

:: Created by: Shawn Brink
:: https://www.sevenforums.com
:: Tutorial: https://www.sevenforums.com/tutorials/91738-windows-update-reset.html


net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc
Ipconfig /flushdns

del /f /q "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
del /f /s /q %SystemRoot%\SoftwareDistribution\*.* 
del /f /s /q %SystemRoot%\system32\catroot2\*.*
del /f /q %SystemRoot%\WindowsUpdate.log 

sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
cd /d %windir%\system32
Ren %systemroot%\system32\catroot2 catroot2.bak
regsvr32.exe /s atl.dll
regsvr32.exe /s urlmon.dll
regsvr32.exe /s mshtml.dll
regsvr32.exe /s shdocvw.dll
regsvr32.exe /s browseui.dll
regsvr32.exe /s jscript.dll
regsvr32.exe /s vbscript.dll
regsvr32.exe /s scrrun.dll
regsvr32.exe /s msxml.dll
regsvr32.exe /s msxml3.dll
regsvr32.exe /s msxml6.dll
regsvr32.exe /s actxprxy.dll
regsvr32.exe /s softpub.dll
regsvr32.exe /s wintrust.dll
regsvr32.exe /s dssenh.dll
regsvr32.exe /s rsaenh.dll
regsvr32.exe /s gpkcsp.dll
regsvr32.exe /s sccbase.dll
regsvr32.exe /s slbcsp.dll
regsvr32.exe /s cryptdlg.dll
regsvr32.exe /s oleaut32.dll
regsvr32.exe /s ole32.dll
regsvr32.exe /s shell32.dll
regsvr32.exe /s initpki.dll
regsvr32.exe /s wuapi.dll
regsvr32.exe /s wuaueng.dll
regsvr32.exe /s wuaueng1.dll
regsvr32.exe /s wucltui.dll
regsvr32.exe /s wups.dll
regsvr32.exe /s wups2.dll
regsvr32.exe /s wuweb.dll
regsvr32.exe /s qmgr.dll
regsvr32.exe /s qmgrprxy.dll
regsvr32.exe /s wucltux.dll
regsvr32.exe /s muweb.dll
regsvr32.exe /s wuwebv.dll
regsvr32 /s wudriver.dll

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f

netsh winsock reset
net start bits
net start wuauserv
net start appidsvc
net start cryptsvc
bitsadmin.exe /reset /allusers

Note: Personally I needed to manually run some of the above commands using a command prompt window and also use Powershell for some of them. I also needed to enable access to cmd. powershell and regsvr32 (usually blocked on my machine by certain security software). I needed to run each command and confirm results before running the next one.

svchost.exe (netsvcs) draining all my memory-settings.jpg

I also had to manually force delete windowsupdate.log

Callender · 12 Jul 2015

ripsw said:

ask2solve turned off BITS and still seeing memory being consumed. The svchost process that is taking the memory is the on that contains the nsi service.
Nedly, im seeing a problem with memory be consumed not a cpu issue, thanks.

Try RAMMap

On the "File Summary" tab sort by "Active" highest at the top and if anything shows up as using a lot of memory.

ripsw · 12 Jul 2015

Callender said:

ripsw said:

ask2solve turned off BITS and still seeing memory being consumed. The svchost process that is taking the memory is the on that contains the nsi service.
Nedly, im seeing a problem with memory be consumed not a cpu issue, thanks.

Try RAMMap

On the "File Summary" tab sort by "Active" highest at the top and if anything shows up as using a lot of memory.

Top 5 are mcafee -medscan.dat @ 52KK, Atkimdag 37KK, shell32 @ 18KK, Defender mpengine.dll @ 16KK and WDI\logfile\bootckcl.etl @ 15KK

Callender · 12 Jul 2015

@ Nedly. Let us know if you manage to track it down. I have only suspicions about what caused the memory leak on my machine. I managed to fix it.

Here's what might have caused the issue for me:

IE 11 was disabled by a registry hack (by me) and needed to be re-enabled, reset and all updates applied including a pending update that had been downloaded but not applied.

System Restore was disabled (by me) and needed to be enabled when downloading and installing those Freak attack update fixes for SSL that patched numerous important system files (including IE 11 fixes). rstrui.exe was one of the patched files and the update failed in left disabled.

Also in order to fix:

Needed to run advanced disk cleanup including windows update cleanup.

Needed to clear windows update temp files and delete windows update history.

Needed to delete datastore.edb

Needed to force re-install Windows Update Agent.

Note: Just running though some of the stuff that helped me and that's not to say that it applies in every case!

:)

Callender · 12 Jul 2015

~~@ Nedly~~ oops!

@ ripsw

Re: RAMMap active memory usage by files. Nothing to worry about then.

Nedly · 12 Jul 2015

It is definitely a memory leak, we can see that in ripsw's stats. It is like loop and other scripting issues, all of the data is nonsense, possibly even issues much like split packets - the starts and ends are shifted or there is a collision like I/O errors.

Big clues are:
Same software on different machines and only certain machines have the issue.
Windows updates as of recently, and only once or twice in the past contain the cause.

Windows without updates fresh off the install should not have the same errors, and I would bet for the most part Windows 8, 8.1, and soon to be 10 users are not facing the issue. So far I have found it in Vista and 7, all pro, home, and server systems.

I think it is a developing issue which is the reason we cannot find any good bug statistics. When I first got into the issue I found using SEO tools that there was a huge spike in this issue around a month - month and a half ago.

It is not the same on all machines either. I could, for example, set up a replica of your system on my Thinkpad and it will not show the same result. I know this cause I have all systems here, including 10 previews, and I have never faced the issue on my local machines.

Nedly · 12 Jul 2015

Callender said:

Here's what might have caused the issue for me:

I do not think it is due to any of these adjustments. You were running updates at the time, no?

Nedly · 12 Jul 2015

What I am trying to do now is compile the common machine types who have the issue. Then map out the updates' dates and updates codes to match the dates (using SEO tools) of those issues beginning on the net. Then I should be able to compile the updates informations regarding which components and services they work for. Then we should be able to narrow down possibilities and have some play time - in a virtual machine of course.