Using Process Explorer to tame svchost.exe - Advanced topics
On February 5th, Peter Butler of CNET wrote a blog posting about using the free Process Explorer program to prevent an instance of the svchost.exe process from hogging the CPU on his CNET-provided* computer. This is a follow-up, a more advanced look at Process Explorer.
To people unfamiliar with Process Explorer, I usually call it Task Manager on steroids. But comparing Process Explorer to Task Manager is like comparing humans to amoebas. It's that far up the evolutionary scale.
Let me say up front that I am prejudiced. I think Process Explorer is an excellent program. I'd go so far as to say that it might be my favorite Windows software of all time. It's free, portable and comes from a trusted source. Although the program is technically from Microsoft, the author, Mark Russinovich, worked at a software company, Sysinternals, with an outstanding reputation when he developed Process Explorer. Microsoft eventually bought Sysinternals. Highly recommended (this coming from the curmudgeon behind computergripes.com).
Dissecting an Svchost.exe Process
Svchost.exe is a most annoying process as it "hosts" multiple underlying components of Windows called services. Thus narrowing down a performance problem to a particular svchost process is far from the end of the detective work.
As Peter pointed out in his posting, Process Explorer can dissect an svchost process, something that Task Manager cannot. You can see an example of this below which shows the yellow pop-up window that Process Explorer displays when the mouse is hovered over an svchost.exe process. In Windows XP there are multiple instances of the svchost process and each hosts a different group of services. The example below is a worst-case scenario: there are 18 different services sharing a single process. Must get crowded in there.
Peter is not correct, however, when he says, referring to this list of services, that we "... can then use that list to determine which, if any, of the Windows services is killing their productivity." Process Explorer** does not break down CPU usage, or anything else for that matter, by service. The closest it comes is displaying information about the individual threads in the process (see below). The problem is that there isn't a one-to-one correspondence between a thread and a service. A service is a logical thing and a thread is a physical thing.
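The same dissection can be done from a PowerShell prompt. This is an added example, not part of the original posting or of Process Explorer; it assumes a Windows version with PowerShell 3.0 or later and an elevated prompt. It lists each svchost.exe instance with its CPU time, thread count and hosted services, and, as with Process Explorer, the CPU figure is per process, not per service.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0 or later
# (Get-CimInstance). Run elevated so CPU time is readable for system processes.

# Index running services by the PID of the process that hosts them.
# -AsString makes the hashtable keys plain strings such as "1234".
$byPid = Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Sort-Object -Property CPU -Descending |
    ForEach-Object {
        $key = [string]$_.Id
        $hosted = @()
        if ($byPid.ContainsKey($key)) { $hosted = @($byPid[$key]) }

        # CPU is null when the caller lacks rights to query the process.
        $cpu = $null
        if ($null -ne $_.CPU) { $cpu = [math]::Round($_.CPU, 1) }

        [pscustomobject]@{
            PID          = $_.Id
            CpuSeconds   = $cpu                # total for the whole process
            Threads      = $_.Threads.Count    # rarely equals ServiceCount
            ServiceCount = $hosted.Count
            Services     = ($hosted | Sort-Object Name |
                               ForEach-Object { $_.Name }) -join ', '
        }
    } |
    Format-Table -AutoSize -Wrap
```

Comparing the Threads and ServiceCount columns shows the mismatch between threads and services described above.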
Task Scheduler and Automatic Updates
Somehow Peter tracked down the excessive CPU usage on his computer to two services, Task Scheduler and Automatic Updates. He says "Both of these services are critical to the health of my PC ...". This is not true.
The Automatic Updates service is Windows Update, that is, it's the part of Windows that applies bug fixes. Even when you use the GUI in Windows XP to turn off Automatic Updates, the underlying Automatic Updates service remains running at all times. Think of it like a car with the engine running, but in Park rather than Drive. Microsoft has abused the running engine to silently install updates, even on a computer where the owner told them not to. (See my Windows is Spyware posting from September 13, 2007).
Thus, I previously argued (Defending yourself against Microsoft) that the Automatic Updates service is best turned off (disabled) all the time. That's what I've done personally for quite a while with no regrets. Once a month I turn it on, run Windows Update manually and then off it goes.
The Task Scheduler does nothing more than run programs on a schedule. In and of itself, it is not critical to the health of a Windows machine. Peter was referring to anti-malware software that is scheduled using the Task Scheduler on his machine. This is not always the case. Much anti-malware software is capable of scheduling its own activities without assistance from the Windows scheduler.
Next up...
Next, more about using Process Explorer: Process Explorer Part 2.
*From the posting it sounds like Peter Butler is a CNET employee. Members of the CNET Blog Network, such as myself, are paid by CNET but we are not employees of CNET. I don't know Peter Butler.
**This discussion is based on version 11.04 of Process Explorer, which was the latest as of this writing.
See a summary of all my Defensive Computing postings.
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure. 





I agree with (nearly) everything Michael says. I wouldn't characterize my statements as "wrong," but perhaps not quite as clear as I could have been.
1. 'Peter is not correct, however, when he says, referring to this list of services, that we "... can then use that list to determine which, if any, of the Windows services is killing their productivity."'
On this point, I did not mean to imply that I could do that using Process Explorer alone. I analyzed specific Services by stopping them using the Services app, and then gauged the effect using Process Explorer.
It might not be the best method since it involves quite a bit of trial and error, but it works OK for me.
2. 'Somehow Peter tracked down the excessive CPU usage on his computer to two services, Task Scheduler and Automatic Updates. He says "Both of these services are critical to the health of my PC ...". This is not true'
I must disagree slightly here, but only in *my specific case* because I was referring to my work computer, over which I do not have as much control as individual PC users. Neither service is critical for the health of *any* generic Windows PC.
As Michael notes, Task Scheduler is only important because it's tied into my corporate security software. I have no way of scheduling antivirus and antimalware scans for that software without it, so for me, that service is fairly important. Perhaps "critical" was too strong a word.
Like Michael, I do turn off Automatic Updates by default on my home computer and update Windows manually on a regular basis. Honestly, though, I wouldn't recommend it to anyone unless you can guarantee that you'll remember to manually update Windows on a regular basis.
At home, that is no problem for me. At work, I'm too busy to ever remember to manually update Windows. So for *me* those Services are actually very important (or even critical), but that's a subjective opinion based on *my* computer use and habits. I thought I implied that I was referring to my specific computing situation, but I can understand how it could be inferred I was talking about *all* Windows PCs.
I apologize if either statement was confusing or misleading.
Nice article, Michael. Thanks for the link.
A few things got in the way of contacting you directly. For one, CNET doesn't publish your email address. Not being a CNET employee, I don't have access to everyone's contact information. Finally, there seemed to be a technical problem with the posting in question, I couldn't see any of the user comments, let alone leave one of my own. I tried a number of times.
I'm glad your posting prompted me to write about Process Explorer, it was on the back burner for a while. We agree, it's a great program.
I may have been a bit overly critical, wouldn't be the first time.
Michael Horowitz
We used to post our e-mail addresses when users clicked on "All links by [author]" but that e-mail link has since been removed. I'm not sure why, but I'll investigate. One problem with posting e-mail links on popular pages is, of course, they end up as spam magnets, so that might be an issue, but I definitely like users (and other writers) to be able to contact me directly, so I'll investigate why they took it down.
Again, no worries on the criticism. One of the commenters nailed me on a much worse omission of mine - the ability to set priority for processes in Process Explorer. I meant to include that as the fastest and easiest option for reducing CPU usage, but just plumb forgot.
Cheers.
- by peterbutler February 15, 2008 10:16 AM PST
- Dang. Also, I don't know why that "author" text above is linked. I didn't do that. I'll file a CNET bug to see what's up.