Windows Update - SVCHOST findings

I've been trying to track down problems with MU and WU
dealing with Windows 2000 and Windows XP.

Here are the tools I've been using extensively, during
manual update requests (Express AND Custom) as well as
automatic updates (Express):

1. FileMon (www.sysinternals.com)
2. RegMon (www.sysinternals.com)
3. Esentutl (Microsoft EDB Database Utility tool)
4. Windows Update Registry Trace setting for Windows Update
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\WindowsUpdate\Trace(gives
extensive tracing in WindowsUpdate.log)

Flags REG_DWORD 7
Level REG_DWORD 4

I have found that most of the problems stem around
SoftwareDistribution/DataStore DataStore database getting totally
out of whack with SVCHOST.EXE.

Most of the CPU 90-100% run problems seems to occur when Windows
ASSUMES that the information collected in the support files IS ACCURATE.

Since SVCHOST is doing the processing, it cannot determine if it's current
state is correct, so after pre-processing the data support files
(by snapshotting C:\Windows\Installer files, support DLLS, Update checks,
....),
it continues on without doing any I/O (FileMon shows nothing) nor Registry
processing (RegMon).

Steps that I have taken, NUMEROUS times, to correct this situtation:

1. Re-register support DLLS
2. Remove SoftwareDistribution Folder
3. Remove C:\Windows\System32\Wbem\Repository folder
4. Remove BITS Downloader folder
5. Remove CatRoot2 folder
6. Clean-up Temporary Internet Folder files

In some cases this has helped, DEPENDING on the time of the month I try to
perform Manual Updates. Curious is the fact that I don't seem to have a
problem
with the semi-daily Windows Defender updates (which all go thru the same
channels).

Sometimes, as stated above, I use the ESENTUTL application which can check
the
integrity of the SoftwareDistribution/DataStore/Datastore.edb file. In many
cases,
this integrity check has failed, even after I have removed the folder,
re-performed a
manual download (that recreates the file).

You would think after re-creating the datastore database file, that
everything would
in sync. Not so, many times ESENTUTL has failed that the EDB.LOG file does
not
reflect correctly in the DATASTORE.EDB file.

So my findings basically are, until Microsoft fixes this, is that Windows
Update and
Microsoft Update updates are a crap-shoot. Depending on your network
connection,
Microsoft Server loads, number of updates, time of the month ... you may
have problems
or may not.

Microsoft REALLY needs to address this!!!

It's like the initial Windows XP selling point ... quicker reboot times
since Windows
XP doesn't load everything as in previous Windows Versions. Just look at
the reboot
times NOW, they cannot state that claim anymore based on the initial CPUs
available
when Windows XP came out. Those same PC CPU's no longer quickly boot up.

"NewScience" <> wrote in message
news:%...
> I've been trying to track down problems with MU and WU
> dealing with Windows 2000 and Windows XP.
>
> Here are the tools I've been using extensively, during
> manual update requests (Express AND Custom) as well as
> automatic updates (Express):
>
> 1. FileMon (www.sysinternals.com)
> 2. RegMon (www.sysinternals.com)
> 3. Esentutl (Microsoft EDB Database Utility tool)
> 4. Windows Update Registry Trace setting for Windows Update
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\WindowsUpdate\Trace(gives
> extensive tracing in WindowsUpdate.log)
>
> Flags REG_DWORD 7
> Level REG_DWORD 4
>
> I have found that most of the problems stem around
> SoftwareDistribution/DataStore DataStore database getting totally
> out of whack with SVCHOST.EXE.
>
> Most of the CPU 90-100% run problems seems to occur when Windows
> ASSUMES that the information collected in the support files IS ACCURATE.
>
> Since SVCHOST is doing the processing, it cannot determine if it's current
> state is correct, so after pre-processing the data support files
> (by snapshotting C:\Windows\Installer files, support DLLS, Update checks,
> ...),
> it continues on without doing any I/O (FileMon shows nothing) nor Registry
> processing (RegMon).
>
> Steps that I have taken, NUMEROUS times, to correct this situtation:
>
> 1. Re-register support DLLS
> 2. Remove SoftwareDistribution Folder
> 3. Remove C:\Windows\System32\Wbem\Repository folder
> 4. Remove BITS Downloader folder
> 5. Remove CatRoot2 folder
> 6. Clean-up Temporary Internet Folder files
>
> In some cases this has helped, DEPENDING on the time of the month I try to
> perform Manual Updates. Curious is the fact that I don't seem to have a
> problem
> with the semi-daily Windows Defender updates (which all go thru the same
> channels).
>
> Sometimes, as stated above, I use the ESENTUTL application which can check
> the
> integrity of the SoftwareDistribution/DataStore/Datastore.edb file. In
> many cases,
> this integrity check has failed, even after I have removed the folder,
> re-performed a
> manual download (that recreates the file).
>
> You would think after re-creating the datastore database file, that
> everything would
> in sync. Not so, many times ESENTUTL has failed that the EDB.LOG file
> does not
> reflect correctly in the DATASTORE.EDB file.
>
> So my findings basically are, until Microsoft fixes this, is that Windows
> Update and
> Microsoft Update updates are a crap-shoot. Depending on your network
> connection,
> Microsoft Server loads, number of updates, time of the month ... you may
> have problems
> or may not.
>
> Microsoft REALLY needs to address this!!!
>
> It's like the initial Windows XP selling point ... quicker reboot times
> since Windows
> XP doesn't load everything as in previous Windows Versions. Just look at
> the reboot
> times NOW, they cannot state that claim anymore based on the initial CPUs
> available
> when Windows XP came out. Those same PC CPU's no longer quickly boot up.
>

NewS..
Well you have certainly done some work on this one - its a shame that your
final conclusions are the same as my non-technical conclusion in July - MS
updates is a crap-shoot as you put it.
Yours and others input in this group, over the last few months has been
great.
Do keep up the good work - but please take some time out in readiness for
the next Black Tuesday.
I think that WU is getting overloaded with the numbers rushing in for the
latest 5, 6 or 9 patches, plus the apparent increase in the numbers doing
the SP2.
I left it until Friday before I tried to get into WU Home - and then it took
just over 10 minutes for the little 'train' to stop. Still, it was quicker
than the August lot. :-)
Thanks again
Rgds
Antioch

From: "NewScience" <>

| I've been trying to track down problems with MU and WU
| dealing with Windows 2000 and Windows XP.
|
| Here are the tools I've been using extensively, during
| manual update requests (Express AND Custom) as well as
| automatic updates (Express):
|
| 1. FileMon (www.sysinternals.com)
| 2. RegMon (www.sysinternals.com)
| 3. Esentutl (Microsoft EDB Database Utility tool)
| 4. Windows Update Registry Trace setting for Windows Update
|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\WindowsUpdate\Trace(gives
| extensive tracing in WindowsUpdate.log)
|
| Flags REG_DWORD 7
| Level REG_DWORD 4
|
| I have found that most of the problems stem around
| SoftwareDistribution/DataStore DataStore database getting totally
| out of whack with SVCHOST.EXE.
|
| Most of the CPU 90-100% run problems seems to occur when Windows
| ASSUMES that the information collected in the support files IS ACCURATE.
|
| Since SVCHOST is doing the processing, it cannot determine if it's current
| state is correct, so after pre-processing the data support files
| (by snapshotting C:\Windows\Installer files, support DLLS, Update checks,
| ...),
| it continues on without doing any I/O (FileMon shows nothing) nor Registry
| processing (RegMon).
|
| Steps that I have taken, NUMEROUS times, to correct this situtation:
|
| 1. Re-register support DLLS
| 2. Remove SoftwareDistribution Folder
| 3. Remove C:\Windows\System32\Wbem\Repository folder
| 4. Remove BITS Downloader folder
| 5. Remove CatRoot2 folder
| 6. Clean-up Temporary Internet Folder files
|
| In some cases this has helped, DEPENDING on the time of the month I try to
| perform Manual Updates. Curious is the fact that I don't seem to have a
| problem
| with the semi-daily Windows Defender updates (which all go thru the same
| channels).
|
| Sometimes, as stated above, I use the ESENTUTL application which can check
| the
| integrity of the SoftwareDistribution/DataStore/Datastore.edb file. In many
| cases,
| this integrity check has failed, even after I have removed the folder,
| re-performed a
| manual download (that recreates the file).
|
| You would think after re-creating the datastore database file, that
| everything would
| in sync. Not so, many times ESENTUTL has failed that the EDB.LOG file does
| not
| reflect correctly in the DATASTORE.EDB file.
|
| So my findings basically are, until Microsoft fixes this, is that Windows
| Update and
| Microsoft Update updates are a crap-shoot. Depending on your network
| connection,
| Microsoft Server loads, number of updates, time of the month ... you may
| have problems
| or may not.
|
| Microsoft REALLY needs to address this!!!
|
| It's like the initial Windows XP selling point ... quicker reboot times
| since Windows
| XP doesn't load everything as in previous Windows Versions. Just look at
| the reboot
| times NOW, they cannot state that claim anymore based on the initial CPUs
| available
| when Windows XP came out. Those same PC CPU's no longer quickly boot up.
|

You have certainly done your hoemwork -- excellent.

Howeverm,, there is ONE aspect that was left out, malware. Often the cause of high
utilization associated with SVCHOST.EXE.


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/supe...freevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadge...4332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

I should have mentioned that this is from a basic out-of-the-box Windows XP
Pro SP2 with all updates.
I tend to try not to put any non-Microsoft software on my system, and tend
to monitor the system myself.
I have some of the tools mentioned (e.g., Ad-aware), but try to limit
third-party software, since they themselves
are considered somewhat as malware, since they ALSO modify the system (e.g.,
drivers, startup applications, services, ...).

I had tried McAfee, Trend, Avant, ... but have found that most of the free
versions have very little support and other apps (McAfee) modify the system
in ways that you cannot control in a normal operational mode.

I'm not a typical oridinary user, I have 15 years experience in Unix System
Internals and Appications, as well as 20 years in Windows development and
operations.

So I have the knowledge in most cases to be able to monitor/analyze the
Windows Registry (e.g., BHO's, Services, ...) and determine operational
impacts.

Like I said, I try to limit myself to Microsoft Windows tools (Defender,
Live OneCare, Firewall, ...) and try to steer clear of as much third party
software as I can.

I should have stated this up front.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:...
> From: "NewScience" <>
>
> | I've been trying to track down problems with MU and WU
> | dealing with Windows 2000 and Windows XP.
> |
> | Here are the tools I've been using extensively, during
> | manual update requests (Express AND Custom) as well as
> | automatic updates (Express):
> |
> | 1. FileMon (www.sysinternals.com)
> | 2. RegMon (www.sysinternals.com)
> | 3. Esentutl (Microsoft EDB Database Utility tool)
> | 4. Windows Update Registry Trace setting for Windows Update
> |
> |
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\WindowsUpdate\Trace(gives
> | extensive tracing in WindowsUpdate.log)
> |
> | Flags REG_DWORD 7
> | Level REG_DWORD 4
> |
> | I have found that most of the problems stem around
> | SoftwareDistribution/DataStore DataStore database getting totally
> | out of whack with SVCHOST.EXE.
> |
> | Most of the CPU 90-100% run problems seems to occur when Windows
> | ASSUMES that the information collected in the support files IS ACCURATE.
> |
> | Since SVCHOST is doing the processing, it cannot determine if it's
> current
> | state is correct, so after pre-processing the data support files
> | (by snapshotting C:\Windows\Installer files, support DLLS, Update
> checks,
> | ...),
> | it continues on without doing any I/O (FileMon shows nothing) nor
> Registry
> | processing (RegMon).
> |
> | Steps that I have taken, NUMEROUS times, to correct this situtation:
> |
> | 1. Re-register support DLLS
> | 2. Remove SoftwareDistribution Folder
> | 3. Remove C:\Windows\System32\Wbem\Repository folder
> | 4. Remove BITS Downloader folder
> | 5. Remove CatRoot2 folder
> | 6. Clean-up Temporary Internet Folder files
> |
> | In some cases this has helped, DEPENDING on the time of the month I try
> to
> | perform Manual Updates. Curious is the fact that I don't seem to have a
> | problem
> | with the semi-daily Windows Defender updates (which all go thru the same
> | channels).
> |
> | Sometimes, as stated above, I use the ESENTUTL application which can
> check
> | the
> | integrity of the SoftwareDistribution/DataStore/Datastore.edb file. In
> many
> | cases,
> | this integrity check has failed, even after I have removed the folder,
> | re-performed a
> | manual download (that recreates the file).
> |
> | You would think after re-creating the datastore database file, that
> | everything would
> | in sync. Not so, many times ESENTUTL has failed that the EDB.LOG file
> does
> | not
> | reflect correctly in the DATASTORE.EDB file.
> |
> | So my findings basically are, until Microsoft fixes this, is that
> Windows
> | Update and
> | Microsoft Update updates are a crap-shoot. Depending on your network
> | connection,
> | Microsoft Server loads, number of updates, time of the month ... you may
> | have problems
> | or may not.
> |
> | Microsoft REALLY needs to address this!!!
> |
> | It's like the initial Windows XP selling point ... quicker reboot times
> | since Windows
> | XP doesn't load everything as in previous Windows Versions. Just look
> at
> | the reboot
> | times NOW, they cannot state that claim anymore based on the initial
> CPUs
> | available
> | when Windows XP came out. Those same PC CPU's no longer quickly boot
> up.
> |
>
> You have certainly done your hoemwork -- excellent.
>
> Howeverm,, there is ONE aspect that was left out, malware. Often the
> cause of high
> utilization associated with SVCHOST.EXE.
>
>
> For non-viral malware...
>
> Please download, install and update the following software...
>
> * Ad-aware SE v1.06
> http://www.lavasoft.de/
> http://www.lavasoftusa.com/
> http://www.lavasoft.de/ms/index.htm
>
> * SpyBot Search and Destroy v1.4
> http://security.kolla.de/
> http://www.safer-networking.org/microsoft.en.html
>
> * SuperAntiSpyware
> http://www.superantispyware.com/supe...freevspro.html
>
> After the software is updated, I suggest scanning the system in Safe Mode.
>
> I also suggest downloading, installing and updating BHODemon for any
> Browser Helper Objects
> that may be on the PC.
>
> * BHODemon
>
> http://www.majorgeeks.com/downloadge...4332b4b8b8442d
>
> For viral malware...
>
> * Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to
> go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
> Normal Mode.
> This way all the components can be downloaded from each AV vendor's web
> site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
> Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files
> or you can
> download the files and perform a scan in Normal Mode. Once you have
> downloaded the files
> needed for each scanner you want to use, you should reboot the PC into
> Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want
> to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal
> Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
> comprehensive PDF help
> file. http://www.ik-cs.com/multi-av.htm
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

On Sun, 17 Sep 2006 19:08:06 -0400, David H. Lipman posted:

>You have certainly done your hoemwork -- excellent.
>
>Howeverm,, there is ONE aspect that was left out, malware. Often the
>cause of high utilization associated with SVCHOST.EXE.

In this case, I doubt it. I first encountered this problem on
Saturday when one of my spare computers that's usually used by a
neighbor got super-slow and I found that the svchost.exe process that
involved Windows update was consuming 98-99% of the CPU. It's an
older P3 with 384mb RAM and she's been known to crap the thing up with
unwanted downloads, so I just saved her data, reformatted the drive
and did a clean install of XP Pro. No change.

So I turned off automatic updates completely and the machine speeded
up, but left me with the annoying Windows Security Center notification
in the system tray. Then, I did services.msc and turned off the
security center. The computer now runs as fast as it ever did,
although a Belarc Advisor <www.belarc.com> profiles shows that my SP2
installation is 57 updates short. Going to the Windows update site
leaves me staring at a green flag flapping back and forth but never
coming to completion... of course, it had been doing *that* before.

If everyone on this board would report this problem through update online
help and support then it might get MS attention. All update help and support
is free.

I am currently working with a support person via email. I have sent him
snap shots, log files and system files.

If everyone reported it they would be overload with the email and maybe put
some programmers on the problem.


"emtech" wrote:

> On Sun, 17 Sep 2006 19:08:06 -0400, David H. Lipman posted:
>
> >You have certainly done your hoemwork -- excellent.
> >
> >Howeverm,, there is ONE aspect that was left out, malware. Often the
> >cause of high utilization associated with SVCHOST.EXE.
>
> In this case, I doubt it. I first encountered this problem on
> Saturday when one of my spare computers that's usually used by a
> neighbor got super-slow and I found that the svchost.exe process that
> involved Windows update was consuming 98-99% of the CPU. It's an
> older P3 with 384mb RAM and she's been known to crap the thing up with
> unwanted downloads, so I just saved her data, reformatted the drive
> and did a clean install of XP Pro. No change.
>
> So I turned off automatic updates completely and the machine speeded
> up, but left me with the annoying Windows Security Center notification
> in the system tray. Then, I did services.msc and turned off the
> security center. The computer now runs as fast as it ever did,
> although a Belarc Advisor <www.belarc.com> profiles shows that my SP2
> installation is 57 updates short. Going to the Windows update site
> leaves me staring at a green flag flapping back and forth but never
> coming to completion... of course, it had been doing *that* before.
>
>

From: "NewScience" <>

| I should have mentioned that this is from a basic out-of-the-box Windows XP
| Pro SP2 with all updates.
| I tend to try not to put any non-Microsoft software on my system, and tend
| to monitor the system myself.
| I have some of the tools mentioned (e.g., Ad-aware), but try to limit
| third-party software, since they themselves
| are considered somewhat as malware, since they ALSO modify the system (e.g.,
| drivers, startup applications, services, ...).
|
| I had tried McAfee, Trend, Avant, ... but have found that most of the free
| versions have very little support and other apps (McAfee) modify the system
| in ways that you cannot control in a normal operational mode.
|
| I'm not a typical oridinary user, I have 15 years experience in Unix System
| Internals and Appications, as well as 20 years in Windows development and
| operations.
|
| So I have the knowledge in most cases to be able to monitor/analyze the
| Windows Registry (e.g., BHO's, Services, ...) and determine operational
| impacts.
|
| Like I said, I try to limit myself to Microsoft Windows tools (Defender,
| Live OneCare, Firewall, ...) and try to steer clear of as much third party
| software as I can.
|


Windows OneCare is junk. It has one of the lowest catch rates in the anti virus industry.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Reply contextualised/clipped

"Pedgie" <> wrote in message
news:CBA646CD-B818-4AD1-8D22-...
> If everyone on this board would report this problem through update online
> help and support then it might get MS attention. All update help and
> support
> is free. ................................................

.................................................. .....

> If everyone reported it they would be overload with the email and maybe
> put
> some programmers on the problem.
>


What a good idea :-)
Remind us on the eve of the next Black Tuesday, please.
Rgds
Antioch

I'm posting a little too soon here perhaps, but I've had two computers
now with the same issue. And believe me, it is not virus/spyware
related.

Microsoft has admitted a problem and released a KB article on it.
Check it out at:

http://support.microsoft.com/kb/899342/EN-US/

"HKComputerServices" <> wrote in message
news: ups.com...
> I'm posting a little too soon here perhaps, but I've had two computers
> now with the same issue. And believe me, it is not virus/spyware
> related.
>
> Microsoft has admitted a problem and released a KB article on it.
> Check it out at:
>
> http://support.microsoft.com/kb/899342/EN-US/
>

Posted too soon? - I think you have joined the party a bit late - this
svchost has been causing all sorts of prob for a month or more.
Have you used this hotfix - you dont say.
Once again MS expect us unskilled users to muck about with the registry - or
make a phone call that could cost.
Rgds
Antioch