Finegrained performance reporting on svchost.exe

windows performance-monitoring task-manager process-explorer svchost
9,575

Solution 1

Yes, there is an (almost) non-intrusive and easy way:

Split each service to run in its own SVCHOST.EXE process and the service consuming the CPU cycles will be easily visible in Process Explorer (the space after "=" is required):

SC Config Servicename Type= own

Do this in a command line window or put it into a BAT script. Administrative privileges are required and a restart of the computer is required before it takes effect.

The original state can be restored by:

SC Config Servicename Type= share

Example: to make Windows Management Instrumentation run in a separate SVCHOST.EXE:

SC Config winmgmt Type= own

This technique has no ill effects, except perhaps increasing memory consumption slightly. And apart from observing CPU usage for each service it also makes it easy to observe page faults delta, disk I/O read rate and disk I/O write rate for each service. For Process Explorer, menu View/Select Columns: tab Process Memory/Page Fault Delta, tab Process Performance/IO Delta Write Bytes, tab Process Performance/IO Delta Read Bytes, respectively.

On most systems there is only one SVCHOST.EXE process that has a lot of services. I have used this sequence (it can be pasted directly into a command line window):

rem  1. "Automatic Updates"
SC Config wuauserv Type= own

rem  2. "COM+ Event System"
SC Config EventSystem Type= own

rem  3. "Computer Browser"
SC Config Browser Type= own

rem  4. "Cryptographic Services"
SC Config CryptSvc Type= own

rem  5. "Distributed Link Tracking"
SC Config TrkWks Type= own

rem  6. "Help and Support"
SC Config helpsvc Type= own

rem  7. "Logical Disk Manager"
SC Config dmserver Type= own

rem  8. "Network Connections"
SC Config Netman Type= own

rem  9. "Network Location Awareness"
SC Config NLA Type= own

rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own

rem 11. "Secondary Logon"
SC Config seclogon Type= own

rem 12. "Server"
SC Config lanmanserver Type= own

rem 13. "Shell Hardware Detection"
SC Config ShellHWDetection Type= own

rem 14. "System Event Notification"
SC Config SENS Type= own

rem 15. "System Restore Service"
SC Config srservice Type= own

rem 16. "Task Scheduler"
SC Config Schedule Type= own

rem 17. "Telephony"
SC Config TapiSrv Type= own

rem 18. "Terminal Services"
SC Config TermService Type= own

rem 19. "Themes"
SC Config Themes Type= own

rem 20. "Windows Audio"
SC Config AudioSrv Type= own

rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
SC Config SharedAccess Type= own

rem 22. "Windows Management Instrumentation"
SC Config winmgmt Type= own

rem 23. "Wireless Configuration"
SC Config WZCSVC Type= own

rem 24. "Workstation"
SC Config lanmanworkstation Type= own

rem End.

Solution 2

While I don't know of easy way to do it directly, you can often infer it from the Process Explorer properties page for the svchost process. The Services tab on the process properties will tell you which services are hosted in that process. And the Threads tab will show you the threads and thread stacks running as well as their CPU usage. Often the Start Address on the thread will give an indication of the entry point DLL, and by extension the service, that's running on that thread. Other times you can look at the thread callstack and will see the module name in the call stack that tells you which piece of code is running.

Solution 3

Try Service Disclosure tool. It:

  1. Stores services which share svchost.exe process.
  2. Configures services to run in separate process. After reboot you will see each service in separate process.
  3. Returns all stored at step #1 services back to one process.

Your comments and suggestions are welcome.

@Peter Mortensen: Thanks for idea.

Solution 4

Caution: Please take the necessary research, restore point and backup procedures before applying this, as well as check that everything is still working afterwards. It is possible to recover from this through the Recovery Environment only on non-RAID systems, as well as Safe Mode on both RAID and non-RAID systems. This has been tested on a developer machine, not on servers.

In Powershell, you can do this for all non-lsass services using the following commands:

Get-Service | ForEach-Object `
    { SC.EXE config $_.Name type= own }
ForEach ($svc in @("efs", "keyiso", "netlogon", "policyagent", "samss", "vaultsvc", `
    "was", "w3svc")) `
    { SC.EXE config $svc type= share }

The list that is excluded here all need to run in a shared lsass.exe, with the exception of policyagent, which is required for the group policy agent to communicate properly during boot.

Also recently discovered that was (Process Activation) and w3svc (IIS World Wide Web) need to share their processes, so they have been added to the exclusions.

This has been tested on Windows 10 (1607, build 14393.953), the exclusions are different in XP, ....

Share:
9,575

Related videos on Youtube

Randolpho
Author by

Randolpho

They call me a solution architect. Everybody has a different opinion about what that means. To me, it means that I care about both the forest and the trees. I care about the software, and the things the software interacts with, and the things they interact with, and so on; I think about how each piece of the system works with every other piece to solve the problem at hand. I'm also very much a hands-on architect. I like to solve problems with architecture, but I also like to write custom software within that architecture.

Updated on September 17, 2022

Comments

  • Randolpho
    Randolpho over 1 year

    This is something that's always bothered me, so I'll ask the Server Fault community.

    I love Process Explorer for keeping track of more than just the high-level tasks you get in the Task Manager. But I constantly want to know which of those dozen services hosted in a single process under svchost is making my processor spike.

    So... is there any non-intrusive way to find this information out?

  • Matt Simmons
    Matt Simmons almost 15 years
    wow, awesome solution +1
  • Randolpho
    Randolpho over 14 years
    I have to agree. Thanks! I shall implement it soon
  • Randolpho
    Randolpho about 14 years
    Just realized I never accepted this. So done!
  • user42670
    user42670 almost 14 years
    To the poster that recommended the PowerShell script: I tried it and it succesfully changed all my services. However, upon reboot an error box popped up and a restart was triggered. I had to restore with 'last good configuration'. Be careful.
  • Philip
    Philip almost 13 years
  • GFK
    GFK almost 13 years
    @TomWij that's an answer on its own
  • DeveloperDan
    DeveloperDan about 12 years
    Dmytro, where can I learn how to use your Service Disclosure tool? I downloaded and ran service_disclosure.exe on Windows 7. Briefly I saw a black command window open and close, but nothing more seemed to happen. This was disconcerting! I'd like to know what it did to my computer and how to properly use the tool.
  • Dmytro Ovdiienko
    Dmytro Ovdiienko about 12 years
    Hi Dan. Please consider this step-by-step guide (sourceforge.net/p/svcdisclsr/wiki/Home)
  • Stoph
    Stoph about 12 years
    @user42670: That's pretty vague, you should mention what error you are experiencing. I didn't experience any errors.
  • Stoph
    Stoph about 12 years
    @ChrisS: These are protected from tampering in later versions of Windows; I guess it's important in Windows XP, though...
  • Synetech
    Synetech almost 11 years
    Of course this requires rebooting, or at least restarting the services in question, so it doesn’t help diagnose the current issue since it may not show up again for a while (or at all, especially if part of the reason is due to it being shared).
  • cxw
    cxw almost 8 years
    @ChrisS Thanks for the link to the keep-shared list! That site now appears to be dead. Per Archive, the list was: HTTPFilter, KDC, Netlogon, NTLMssp, PolicyAgent, ProtectedStorage, SamSs, Eventlog, PlugPlay (all associated with lsass.exe)
  • Stoph
    Stoph about 7 years
    Split off the PowerShell script into its own answer to embed these developments, as indeed this is harmful to lsass.exe services as well as PolicyAgent during boot.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Logging Hardware Interrupts (IRQs) which are using 10-25% CPU
What is a Process Handle?
what is dllhost.exe in windows xp, and can I delete it?
How to use TASKKILL for 32 bit applications in Windows 64 bit environment?
Windows 10 - no Startup folder in Task Manager
How to find out when an application was started using the Event Viewer on Windows 8.1
How to find the culprit that freeze windows 10 when task manager is also frozen (till windows unfreezes)?
Can't change tasks to realtime priotity
How to find Skype in Windows automatic startup
automatic end useless processes