Re: svchost.exe inexplicably hogs cpu
The issue is known by the Windows Update Team and they state it's an issue with the msi.dll.
There is a later hotfix than KB914810 - http://support.microsoft.com/kb/916089
This is *not* the final fix for this issue, JohnnyBeGood.

A temporary workaround is to delete the *contents* of the Logs folder located in WINDOWS\SoftwareDistribution\DataStore
First stop the AU service from Start > Run > type in

net stop wuauserv

Click OK
Delete the *contents* of the SoftwareDistribution\DataStore\Logs folder
(NOTE: this will erase the update history shown on the Windows/Microsoft Update sites)

Go back to Start > Run > type in

net start wuauserv

Click OK

MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============

JohnnyBeGood wrote:

> on my windows xp home sp2 laptop, right after startup and at random times during operation, the computer totally freezes due to 100% cpu utilization. this goes on for some 5 or 6 minutes. on a different, slower machine the same problem occurs and lasts up to 20 minutes!!!!!
>
> using Process Explorer, i narrowed down the problem to a Windows process called svchost.exe. this process has many different services running behind it, among other windows update and all sorts of network services. when this instance of svchost.exe starts consuming all resources, the thread that is active is:
>
> ntdll.dll!RtlAllocateHeap+0x18c
>
> quite a lot of people appear to have this problem. it pops up at many different forums. one of the more intelligent ones is this one @ ars technica:
> http://episteme.arstechnica.com/eve/...m/786004271831.
>
> it refers to 2 hotfixes by MS. i acquired the hotfix with KB id. no. 914810, but don't know if it applies to my problem. i can't ascertain whether it is the automatic update feature that makes the CPU go wild or some other service. in addition, the problem is not RAM consumption (the KB article states memory consumption as the problem addressed by the hotfix). RAM consumption by svchost.exe is typically around 60-70MB when the problem occurs. the CPU hogging is what incapacitates my machine.
>
> does anyone know a solution?

Re: svchost.exe inexplicably hogs cpu
thanks very much for that, MowGreen. very helpful post. one more question tho: if KB916089 is not the final fix, is it an adequate fix? (from the link to the arstechnica forum i provided in my first message, it doesn't really seem to help.) i'm hesitant myself to install these hotfixes that M$ hasn't fully tested and where they recommend making a backup of the system before installing...

and: would you think that a final fix will be available through microsoft update, or will one have to dig deep into the KB if and when it becomes available?

Re: svchost.exe inexplicably hogs cpu
MowGreen (must be a Godfather lover!!!):

We should tell the poster that this really is a temporary solution. After a while, they will probably have to do it again.

Also, in order to keep everything in line, the C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader folder should be cleaned out (remove *.dat files) so that BITS history is cleaned out. This keeps track of what has downloaded/updated and what is in transition.

When it really gets screwed up, the CatRoot2 folder and WBEM/Repository folder should also be cleaned. MS KB has articles on this as well as the BITS folder.

Re: svchost.exe inexplicably hogs cpu
YW, JBG. Your mileage will vary with KB916089. Some report success with others, not. MS has tested the newer version of msi.dll and I doubt it's toxic.
Frankly, I'd just clear out the logs when the issue pops up. From what I understand the msi wrapping will be different.
The so-called final fix will definitely come down Automagically and be available from WU/MU and the MS Download Center.

Still ... my theory lends more to the amount of entries in the log files, their possible corruption, combined with the amount of registry settings and files that must be scanned.
Let's hope SP3 is pushed up a tad. That would help *immensely* since it would reduce the amount of areas that needed to be scanned on the system.

MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============

Re: svchost.exe inexplicably hogs cpu
Inline:

>> We should tell the poster that this really is a temporary solution. After a
>> while, they will probably have to do it again.

Whoever "we" is, yes, "we" should. There will be a so-called final fix.

>> Also, in order to keep everything in line, the C:\Documents and Settings\All
>> Users\Application Data\Microsoft\Network\Downloader folder should be cleaned
>> out (remove *.dat files) so that BITS history is cleaned out. This keeps
>> track of what has downloaded/updated and what is in transition

Not an issue unless there's an intrusive, destructive AV installed [Hello, NAV/NIS]
Hmmm, intrusive, destructive ... smells like malware.

>> When it really gets screwed up, the CatRoot2 folder and WBEM/Repository
>> folder should also be cleaned. MS KB has articles on this as well as the
>> BITS folder.

CatRoot2, sí. Clearing out the WBEM repository should not be done on a whim. There are two articles here and both of them state ' DO NOT DELETE THE REPOSITORY right away! Use WMI Diagnosis Tool instead! ' = http://www.lissware.net/

Alain knows WMI.

>> MowGreen (must be a Godfather lover!!!):

"I was making my bones while you were still going out with cheerleaders"

MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============

Re: svchost.exe inexplicably hogs cpu
I've had a similar experience with svchost driving the CPU usage over the 90 percent mark for a significant time roughly each 4 minutes. Often with the side effect, that data/keyboard entry is reduced to a crawl or intermittently "ignored".

I have tried practically every advice on this problem (there are loads of threads on the subject).

As far as I can recollect, the problem is of a fairly recent nature (months??), and is consistent on a standard factory installed HP nx8220 portable upgraded to 2GB memory and 160GB hard disk and kept updated until recently.

Since this mostly prevents the computer entering sleep mode - and often forces the CPU-fan to go into quite noticeable "overdrive" - it is becoming quite irritating; to put it mildly.

I have tried to hunt down the key elements for some time by using "Process Monitor". The following seems to be the key "time consuming" single elements, that turn up every time, the CPU enters the 90 percent plus mode roughly every 4 minutes.

Process Monitor filter:
PID is 1948 (the process periodically reaching 9x-99%)
Duration more than 0.0005 (virtually identical to more than 0.001)

Interesting observations???:

1. Why does the registry key: HKU\.DEFAULT\Software....\Winlogon\ParseAutoexec
Need to be set to the value 1 every odd 4 minutes or so?

2. Why do the files C:\WINDOWS\System32\wbem\Repository\FS\... files need to be updated every odd 4 minutes or so?

3. These operations are taking place EACH time the CPU use for PID 1948 goes to approx. 90-99 percent and mostly keeps around the top of the interval for some very "noticeable" period of time roughly each 4 minutes.

0.0102647 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 643194 17:53:37.0620928 svchost.exe 1948 2276 FlushBuffersFile 00:06:14.0620482 0.0096839 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 643201 17:53:37.0721169 svchost.exe 1948 2276 FlushBuffersFile 00:06:14.0720723 0.0107975 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 643206 17:53:37.0832533 svchost.exe 1948 2276 FlushBuffersFile 00:06:14.0832087 0.0108628 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 643212 17:53:37.0948427 svchost.exe 1948 2276 FlushBuffersFile 00:06:14.0947981 0.0105408 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 652687 17:54:37.1014827 svchost.exe 1948 2276 FlushBuffersFile 00:07:14.1014381 0.1364014 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 652700 17:54:37.2382624 svchost.exe 1948 2276 FlushBuffersFile 00:07:14.2382178 0.0189057 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 652711 17:54:37.2575182 svchost.exe 1948 2276 FlushBuffersFile 00:07:14.2574736 0.0110477 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 652717 17:54:37.2692507 svchost.exe 1948 2276 FlushBuffersFile 00:07:14.2692061 0.0105153 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 689458 17:57:24.8993606 svchost.exe 1948 2932 RegSetValue 00:10:01.8993160 0.0186409 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 853781 17:57:38.8568345 svchost.exe 1948 2932 RegSetValue 00:10:15.8567899 0.0014600 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 869798 17:57:40.6523521 svchost.exe 1948 1376 CreateFile 00:10:17.6523075 0..0012670 C:\WINDOWS\Debug\UserMode\userenv.log SUCCESS Access: Write Data/Add File, Append Data/Add Subdirectory/Create Pipe Instance, Read Attributes, Synchronize, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 1.027.806.036.372.750.336, Impersonating: NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 972130 17:57:54.9765880 svchost.exe 1948 3372 CreateFile 00:10:31.9765434 0..0006456 C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk SUCCESS Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 972286 17:57:54.9864530 svchost.exe 1948 3372 CreateFile 00:10:31.9864084 0..0008308 C:\WINDOWS\system32\config\systemprofile\Applicati on Data\Microsoft\Network\Connections\Pbk\ PATH NOT FOUND Access: Read Data/List Directory, 
Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976044 17:58:00.6810116 svchost.exe 1948 1064 FlushBuffersFile 00:10:37.6809670 0.0355182 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976046 17:58:00.6810597 svchost.exe 1948 1064 WriteFile 00:10:37.6810151 0.0177285 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS Offset: 6.004.736, Length: 32.768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976064 17:58:00.7199571 svchost.exe 1948 1064 FlushBuffersFile 00:10:37.7199125 0.0429563 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976066 17:58:00.7200037 svchost.exe 1948 1064 WriteFile 00:10:37.7199591 0.0015226 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS Offset: 1.089.536, Length: 65.536, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976072 17:58:00.7643024 svchost.exe 1948 1064 FlushBuffersFile 00:10:37.7642578 0.0100122 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976082 17:58:00.7746610 svchost.exe 1948 1064 FlushBuffersFile 00:10:37.7746164 0.0107924 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976087 17:58:00.7858403 svchost.exe 1948 1064 FlushBuffersFile 00:10:37.7857957 0.0108148 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 976093 17:58:00.7973326 svchost.exe 1948 1064 FlushBuffersFile 00:10:37.7972880 0.0104195 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 977349 17:58:08.3055240 svchost.exe 1948 1064 FlushBuffersFile 00:10:45.3054794 0.0699385 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 977351 17:58:08.3055762 svchost.exe 1948 1064 WriteFile 00:10:45.3055316 0.0041511 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS Offset: 1.318.912, Length: 8.192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 977371 17:58:08.3775222 svchost.exe 1948 1064 FlushBuffersFile 00:10:45.3774776 0.0080002 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 977388 17:58:08.3869078 svchost.exe 1948 1064 FlushBuffersFile 00:10:45.3868632 0.0096825 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 977395 17:58:08.3969325 svchost.exe 1948 1064 FlushBuffersFile 00:10:45.3968879 0.0107927 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 977400 17:58:08.4080680 svchost.exe 1948 1064 FlushBuffersFile 00:10:45.4080234 0.0108573 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 977406 17:58:08.4196019 svchost.exe 1948 1064 
FlushBuffersFile 00:10:45.4195573 0.0105865 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 986850 17:59:08.4317925 svchost.exe 1948 1064 FlushBuffersFile 00:11:45.4317479 0.1419494 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 986876 17:59:08.5741645 svchost.exe 1948 1064 FlushBuffersFile 00:11:45.5741199 0.0188175 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 986881 17:59:08.5933298 svchost.exe 1948 1064 FlushBuffersFile 00:11:45.5932852 0.0111129 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 986887 17:59:08.6052065 svchost.exe 1948 1064 FlushBuffersFile 00:11:45.6051619 0.0102775 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1040628 18:01:56.3281693 svchost.exe 1948 2932 RegSetValue 00:14:33.32812470.0006671 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1204937 18:02:10.3632062 svchost.exe 1948 2932 RegSetValue 00:14:47.36316160.0014407 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1237192 18:02:14.2480183 svchost.exe 1948 3372 CreateFile 00:14:51.2479737 0.0007811 C:\WINDOWS\system32\config\systemprofile\Applicati on Data\Microsoft\Network\Connections\Pbk\ PATH NOT FOUND Access: Read Data/List 
Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1270377 18:02:18.7125215 svchost.exe 1948 2932 RegEnumValue 00:14:55.7124769 0.0006912 HKLM\SYSTEM\ControlSet001\Control\Session Manager\Environment SUCCESS Index: 10, Name: TEMP, Type: REG_EXPAND_SZ, Length: 36, Data: %SystemRoot%\TEMP C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1272182 18:02:19.3219004 svchost.exe 1948 1376 RegCloseKey 00:14:56.32185580.0019200 HKLM\SYSTEM\Setup SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327336 18:02:32.2299705 svchost.exe 1948 2900 FlushBuffersFile 00:15:09.2299259 0.0670007 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327338 18:02:32.2300258 svchost.exe 1948 2900 WriteFile 00:15:09.2299812 0..0030786 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS Offset: 6.004.736, Length: 32.768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327350 18:02:32.3003507 svchost.exe 1948 2900 FlushBuffersFile 00:15:09.3003061 0.0081971 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327352 18:02:32.3003960 svchost.exe 1948 2900 WriteFile 00:15:09.3003514 0..0015088 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS Offset: 1.089.536, Length: 65.536, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327358 18:02:32.3099279 
svchost.exe 1948 2900 FlushBuffersFile 00:15:09.3098833 0.0098197 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327368 18:02:32.3200904 svchost.exe 1948 2900 FlushBuffersFile 00:15:09.3200458 0.0108647 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327379 18:02:32.3313225 svchost.exe 1948 2900 FlushBuffersFile 00:15:09.3312779 0.0108251 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1327385 18:02:32.3428254 svchost.exe 1948 2900 FlushBuffersFile 00:15:09.3427808 0.0103879 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1328522 18:02:39.8389052 svchost.exe 1948 2900 FlushBuffersFile 00:15:16.8388606 0.1216612 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1328524 18:02:39.8389591 svchost.exe 1948 2900 WriteFile 00:15:16.8389145 0..0382183 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS Offset: 1.318.912, Length: 8.192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1328616 18:02:39.9626787 svchost.exe 1948 2900 FlushBuffersFile 00:15:16.9626341 0.0233631 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1328642 18:02:39.9874330 svchost.exe 1948 2900 FlushBuffersFile 00:15:16.9873884 0.0098077 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM 
C:\WINDOWS\System32\svchost.exe -k netsvcs 1328649 18:02:39.9976133 svchost.exe 1948 2900 FlushBuffersFile 00:15:16.9975687 0.0108302 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1328654 18:02:40.0087824 svchost.exe 1948 2900 FlushBuffersFile 00:15:17.0087378 0.0108698 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1328660 18:02:40.0203905 svchost.exe 1948 2900 FlushBuffersFile 00:15:17.0203459 0.0103209 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1338097 18:03:40.0277619 svchost.exe 1948 2900 FlushBuffersFile 00:16:17.0277173 0.0778802 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1338107 18:03:40.1060129 svchost.exe 1948 2900 FlushBuffersFile 00:16:17.1059683 0.0109597 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1338112 18:03:40.1173171 svchost.exe 1948 2900 FlushBuffersFile 00:16:17.1172725 0.0108567 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1338118 18:03:40.1288571 svchost.exe 1948 2900 FlushBuffersFile 00:16:17.1288125 0.0103879 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1400619 18:06:27.8893543 svchost.exe 1948 2932 RegSetValue 00:19:04.88930970.0006934 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT 
AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1533820 18:06:38.3239048 svchost.exe 1948 3372 RegOpenKey 00:19:15.3238602 0.0019623 HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0003\Ndi\Interfaces SUCCESS Desired Access: Read C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1564937 18:06:41.9212123 svchost.exe 1948 2932 RegSetValue 00:19:18.92116770.0006696 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1647943 18:06:52.6669621 svchost.exe 1948 1376 CreateFile 00:19:29.6669175 0.0009071 C:\WINDOWS\Debug\UserMode\userenv.log SUCCESS Access: Write Data/Add File, Append Data/Add Subdirectory/Create Pipe Instance, Read Attributes, Synchronize, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 29.695.768.956.764.160, Impersonating: NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1687631 18:07:03.7790702 svchost.exe 1948 3872 FlushBuffersFile 00:19:40.7790256 0.0174301 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1687633 18:07:03.7791202 svchost.exe 1948 3872 WriteFile 00:19:40.7790756 0..0008049 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS Offset: 6.004.736, Length: 32.768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1687651 18:07:03.7998781 svchost.exe 1948 3872 FlushBuffersFile 00:19:40.7998335 0.0431731 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM 
C:\WINDOWS\System32\svchost.exe -k netsvcs 1687653 18:07:03.7999231 svchost.exe 1948 3872 WriteFile 00:19:40.7998785 0..0015203 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS Offset: 1.089.536, Length: 65.536, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1687662 18:07:03.8447562 svchost.exe 1948 3872 FlushBuffersFile 00:19:40.8447116 0.1163821 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1687753 18:07:03.9615280 svchost.exe 1948 3872 FlushBuffersFile 00:19:40.9614834 0.0111042 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1687761 18:07:03.9729803 svchost.exe 1948 3872 FlushBuffersFile 00:19:40.9729357 0.0109855 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1687767 18:07:03.9846463 svchost.exe 1948 3872 FlushBuffersFile 00:19:40.9846017 0.0103863 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1688947 18:07:11.4822903 svchost.exe 1948 3872 FlushBuffersFile 00:19:48.4822457 0.0731037 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1688949 18:07:11.4823409 svchost.exe 1948 3872 WriteFile 00:19:48.4822963 0..0036244 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS Offset: 1.318.912, Length: 8.192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1688960 18:07:11.5574429 svchost.exe 1948 3872 FlushBuffersFile 
00:19:48.5573983 0.0078744 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1688983 18:07:11.5667047 svchost.exe 1948 3872 FlushBuffersFile 00:19:48.5666601 0.0098177 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1688993 18:07:11.5782760 svchost.exe 1948 3872 FlushBuffersFile 00:19:48.5782314 0.0093802 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1688998 18:07:11.5880009 svchost.exe 1948 3872 FlushBuffersFile 00:19:48.5879563 0.0108576 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1689004 18:07:11.5995379 svchost.exe 1948 3872 FlushBuffersFile 00:19:48.5994933 0.0104161 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1698453 18:08:11.6082845 svchost.exe 1948 3872 FlushBuffersFile 00:20:48.6082399 0.0677589 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1698465 18:08:11.6764854 svchost.exe 1948 3872 FlushBuffersFile 00:20:48.6764408 0.0082005 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1698470 18:08:11.6850284 svchost.exe 1948 3872 FlushBuffersFile 00:20:48.6849838 0.0107225 C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1698473 18:08:11.6964242 svchost.exe 1948 3872 FlushBuffersFile 00:20:48.6963796 0.0103935 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1743255 18:10:59.4108768 svchost.exe 1948 2932 RegSetValue 00:23:36.41083220.0006752 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1859160 18:11:07.5747886 svchost.exe 1948 3372 RegCloseKey 00:23:44.57474400.0005225 HKLM\SYSTEM\Setup SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1876279 18:11:09.7478704 svchost.exe 1948 2932 RegCloseKey 00:23:46.74782580.0018123 HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameter s\Interfaces\{7E61B0D2-BD1A-4A99-8636-65A5CD4EB692} SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1888193 18:11:10.5759994 svchost.exe 1948 2932 RegOpenKey 00:23:47.5759548 0.0021034 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{593901F7-30F1-4586-B8D6-9B7F23A3BA70} SUCCESS Desired Access: Query Value C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1892610 18:11:11.5760117 svchost.exe 1948 1376 RegQueryValue 00:23:48.5759671 0.0020749 HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E97 2-E325-11CE-BFC1-08002BE10318}\{F443CE9D-FB51-4601-94BB-EC20BE3245D3}\Connection\ShowIcon NAME NOT FOUND Length: 144 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1908452 18:11:13.7228656 svchost.exe 1948 1376 RegSetValue 00:23:50.72282100.0006827 HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS Type: REG_SZ, Length: 5, Data: 1 C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1940290 18:11:17.6410362 svchost.exe 1948 3372 CreateFile 
00:23:54.6409916 0.0017474 C:\WINDOWS\system32\config SUCCESS Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 1954013 18:11:19.0760680 svchost.exe 1948 3372 RegCloseKey 00:23:56.07602340.0020600 HKLM\SYSTEM\Setup SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 2030617 18:11:35.7341650 svchost.exe 1948 3428 FlushBuffersFile 00:24:12.7341204 0.0739365 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESSC:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 2030619 18:11:35.7342218 svchost.exe 1948 3428 WriteFile 00:24:12.7341772 0..0044726 C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A SUCCESS Offset: 6.004.736, Length: 32.768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 2030643 18:11:35.8125907 svchost.exe 1948 3428 FlushBuffersFile 00:24:12.8125461 0.1141309 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 2030645 18:11:35.8126368 svchost.exe 1948 3428 WriteFile 00:24:12.8125922 0..0087072 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR SUCCESS Offset: 1.089.536, Length: 65.536, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 2030660 18:11:35.9281743 svchost.exe 1948 3428 FlushBuffersFile 00:24:12.9281297 0.0236966 C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP SUCCESS C:\WINDOWS\System32\svchost.exe NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe -k netsvcs 2030670 18:11:35.9529680 
The "unfiltered" full report contains 2.031.208 events, and has been saved to disk. The data collection was stopped immediately after the CPU usage fell to single digit values (mostly 0%) after hovering around maximum for some time. The data is viewable and searchable for specific details, if need be. Total size approx. 42x megabytes.

Anyone having any ideas on what to look into? Anyone having any ideas on a new tool to kick into action to track down the real cause?

Regards

P.S. I have performed all necessary XP Professional updates, excluding the most recent one (tuesday, december 12) and I always perform manual updates - no automatic updates here - I need a working system. Not to be the first head to roll ;-).

Re: svchost.exe inexplicably hogs cpu
Hi,
have a look at http://support.microsoft.com/kb/932494 - i think it was 927891 that cracked it for me...

"Joris van der Struijk" wrote:
> Hi there.
> We have the exact same problem on our school campus, svchost is killing our
> pc's. And bringing the entire school to sort of a halt.
>
> Our major problem is that this is happening on about 250 pc's, so how do i
> fix all those??? I don't want to do any fix to all those pc's by hand.
>
> Any tips on this?
>
>
> "MowGreen [MVP]" wrote:
>
> > YW, JBG. Your mileage will vary with KB916089. Some report success with
> > others, not. MS has tested the newer version of msi.dll and I doubt it's
> > toxic. Frankly, I'd just clear out the logs when the issue pops up.
> >
> > From what I understand the msi wrapping will be different.
> > The so-called final fix will definitely come down Automagically and be
> > available from WU/MU and the MS Download Center.
> >
> > Still ... my theory lends more to the amount of entries in the log
> > files, their possible corruption, combined with the amount of registry
> > settings and files that must be scanned.
> >
> > Let's hope SP3 is pushed up a tad. That would help *immensely* since it
> > would reduce the amount of areas that needed to be scanned on the system.
> >
> >
> > MowGreen [MVP 2003-2007]
> > ===============
> > *-343-* FDNY
> > Never Forgotten
> > ===============
> >
> >
> > JohnnyBeGood wrote:
> >
> > > thanks very much for that, MowGreen. very helpful post. one more question
> > > tho: if KB916089 is not the final fix, is it an adequate fix? (from the link
> > > to the arstechnica forum i provided in my first message, it doesn't really
> > > seem to help.) i'm hesitant myself to install these hotfixes that M$ hasn't
> > > fully tested and where they recommend making a backup of the system before
> > > installing...
> > >
> > > and: would you think that a final fix will be available through microsoft
> > > update, or will one have to dig deep into the KB if and when it becomes
> > > available?
> > >
> > > "MowGreen [MVP]" wrote:
> > >
> > >
> > >>The issue is known by the Windows Update Team and they state it's an
> > >>issue with the msi.dll.
> > >>There is a later hotfix then KB914810 -
> > >>http://support.microsoft.com/kb/916089
> > >>This is *not* the final fix for this issue, JohnnyBeGood.
> > >>
> > >>A temporary workaround is to delete the *contents* of the Logs folder
> > >>located in WINDOWS\SoftwareDistribution\DataStore
> > >>First stop the AU service from Start > Run > type in
> > >>
> > >>net stop wuauserv
> > >>
> > >>Click OK
> > >>Delete the *contents* of the SoftwareDistribution\DataStore\Logs folder
> > >>(NOTE: this will erase the update history shown on the Windows/Microsoft
> > >>Update sites)
> > >>
> > >>Go back to Start > Run > type in
> > >>
> > >>net start wuauserv
> > >>
> > >>Click OK
> > >>
> > >>
> > >>MowGreen [MVP 2003-2007][
> > >>===============
> > >> *-343-* FDNY
> > >>Never Forgotten
> > >>===============
> > >>
> > >>
> > >>JohnnyBeGood wrote:
> > >>
> > >>
> > >>>on my windows xp home sp2 laptop, right after startup and at random times
> > >>>during operation, the computer totally freezes due to 100% cpu utilization.
> > >>>this goes on for some 5 or 6 minutes. on a different, slower machine the same
> > >>>problem occurs and lasts up to 20 minutes!!!!!
> > >>>
> > >>>using Process Explorer, i narrowed down the problem to a Windows process
> > >>>called svchost.exe. this process has many different services running behind
> > >>>it, among other windows update and all sorts of network services. when this
> > >>>instance of svchost.exe starts consuming all resources, the thread that is
> > >>>active is:
> > >>>
> > >>>ntdll.dll!RtlAllocateHeap+0x18c
> > >>>
> > >>>quite a lot of people appear to have this problem. it pops up at many
> > >>>different forums. one of the more intelligent ones is this one @ ars
> > >>>technica:
> > >>>http://episteme.arstechnica.com/eve/...m/786004271831.
> > >>>
> > >>>it refers to 2 hotfixes by MS. i acquired the hotfix with KB id. no. 914810,
> > >>>but don't know if it applies to my problem. i can't ascertain whether it is
> > >>>the automatic update feature that makes the CPU go wild or some other
> > >>>service. in addition, the problem is not RAM consumption (the KB article
> > >>>states memory consumption as the problem addressed by the hotfix). RAM
> > >>>consumption by svchost.exe is typically around 60-70MB when the problem
> > >>>occurs. the CPU hogging is what incapacitates my machine.
> > >>>
> > >>>does anyone know a solution?