svchost – High IO on MS Windows 2003

 

What is svchost.exe?

Wikipedia

svchost.exe (Service Host, or SvcHost) is a system process that hosts multiple Windows services in the Windows NT family of operating systems.
Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption.

 

Issue

Hard-drive stays busy.

Indicator

Task Manager

Image

Explanation

  1. Top IO Usage
    • svchost.exe
      • Process ID is 920
      • User name is System

SysInternals

Explanation

  1. Top IO Usage
    • svchost.exe
      • Process ID is 920
      • User name is System

Troubleshooting

Process Management

Tasklist

List all services running under svchost.exe

Tasklist – List all processes running under svchost.exe

Script

tasklist /svc /fi "imagename eq svchost.exe"

Output

Explanation
  1. We are focused on PID = 920

Process Explorer

Tasklist – Dig deeper into process svchost.exe = 920

Services

Own Process

In a nice Server Fault Q&A post, Peter Mortensen suggested that one could separate the services out into their own processes and thus gain a clearer understanding of each service’s resource usage.

To do so, one will have to change the service configuration.

Here is the specific QA:

How to find memory usage of individual Windows services?

Run as distinct Process

Syntax

SC Config Servicename Type= own

Run as shared Process

Syntax

SC Config Servicename Type= share

Run as distinct Process

Sample Code

rem  1. "Automatic Updates"
SC Config wuauserv Type= own

rem  2. "COM+ Event System"
SC Config EventSystem Type= own

rem  3. "Computer Browser"
SC Config Browser Type= own

rem  4. "Cryptographic Services"
SC Config CryptSvc Type= own

rem  5. "Distributed Link Tracking"
SC Config TrkWks Type= own

rem  6. "Help and Support"
SC Config helpsvc Type= own

rem  7. "Logical Disk Manager"
SC Config dmserver Type= own

rem  8. "Network Connections"
SC Config Netman Type= own

rem  9. "Network Location Awareness"
SC Config NLA Type= own

rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own

rem 11. "Secondary Logon"
SC Config seclogon Type= own

rem 12. "Server"
SC Config lanmanserver Type= own

rem 13. "Shell Hardware Detection"
SC Config ShellHWDetection Type= own

rem 14. "System Event Notification"
SC Config SENS Type= own

rem 15. "System Restore Service"
SC Config srservice Type= own

rem 16. "Task Scheduler"
SC Config Schedule Type= own

rem 17. "Telephony"
SC Config TapiSrv Type= own

rem 18. "Terminal Services"
SC Config TermService Type= own

rem 19. "Themes"
SC Config Themes Type= own

rem 20. "Windows Audio"
SC Config AudioSrv Type= own

rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
SC Config SharedAccess Type= own

rem 22. "Windows Management Instrumentation"
SC Config winmgmt Type= own

rem 23. "Wireless Configuration"
SC Config WZCSVC Type= own

rem 24. "Workstation"
SC Config lanmanworkstation Type= own

rem End.
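
As an added example (not part of the original post), the PowerShell script below splits out only the services hosted by the busy PID instead of all 24, and records their original type so the change can be undone with -Revert. The backup file path is a hypothetical location; PID 920 is the one identified above.

```powershell
# Added example, not from the original post. Run elevated.
# 920 is the PID from the post; the backup path is a hypothetical location.
param(
    [int]$TargetPid = 920,
    [string]$BackupPath = "$env:TEMP\svchost-service-types.csv",
    [switch]$Revert
)

function Set-ServiceProcessType([string]$Name, [string]$Type) {
    # In PowerShell, bare 'sc' is the Set-Content alias, so call sc.exe explicitly.
    & sc.exe config $Name type= $Type | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "sc.exe config $Name type= $Type failed (exit code $LASTEXITCODE)"
    }
}

if ($Revert) {
    # Put back only the services that were shared before the change.
    Import-Csv $BackupPath |
        Where-Object { $_.ServiceType -eq 'Share Process' } |
        ForEach-Object { Set-ServiceProcessType $_.Name 'share' }
    return
}

# Services hosted by the busy process, as reported by WMI (Win32_Service).
$hosted = @(Get-WmiObject Win32_Service -Filter "ProcessId = $TargetPid")
if ($hosted.Count -eq 0) { throw "No services are running in PID $TargetPid" }

# Record the original settings before touching anything.
$hosted | Select-Object Name, DisplayName, ServiceType |
    Export-Csv $BackupPath -NoTypeInformation

foreach ($svc in $hosted) {
    if ($svc.ServiceType -eq 'Share Process') {
        Set-ServiceProcessType $svc.Name 'own'
        Write-Output "$($svc.Name): share -> own (takes effect at next service start)"
    }
}
```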

 

Remediation

Once we ran the code to configure all the aforementioned svchost.exe services to run in their own process space, we restarted the machine.

SysInternals – Process Explorer

Launched Sysinternals Process Explorer, sorted by IO, and noticed that WMI is the culprit.

Images

svchost.exe – Services

Here are the services that are using our cited svchost.exe process.

Services

Went to the Control Panel Services applet to stop that service and see if things slow down.

Dependent Services

Reviewed Dependent Services

And I would really rather not stop the local system firewall service.  And I start to wonder why it is so busy anyway.

But, all that will wait another post as it is Saturday and I have errands to run.

Dedicated

Dedicated to Peter as in Mortensen.

 

References

  1. How to find memory usage of individual Windows services?
  2. How do I discover which process is making my hard drive go crazy? (need disk io equivalent of task manager’s cpu % column)
  3. YongRhee ( MSFT )
    • How to troubleshoot Service Host (svchost.exe) related problems?

SQL Server Configuration Manager – WMI Provider Error – “Invalid Parameter [0x80041008]”

Background

For a project that I am working on, I need to change the Service Account for SQL Server Agent.

 

Best Practice

Best practice is to use SQL Server Configuration Manager to do so, so let us launch and use it.

 

SQL Server Configuration Manager

Steps

Here are the steps:

  1. Launch SQL Server Configuration Manager
  2. Access the SQL Server Services node
    • Choose the Service
    • In our case, SQL Server Agent (MSSQLSERVER)
  3. Current Service Account
    • The current Service Account is “Local System”
  4. Choose the targeted User
    • Access the “Log On” tab
    • Choose the “This account” option button
    • Click the “Browse” button
      • The “Select User or Group” window appears
        • Click the “Advanced” button
        • Click the “Find Now” button
        • Choose the Account
          • In our case “NETWORK SERVICE”
  5. Apply Choice
    • Back in the “Log On” tab
    • Now that we have our target User, let us apply it
    • Review the account in the “Log On” textbox
    • Click the “Apply” button
  6. Confirm Account Change
    • Upon clicking the “Apply” button, we are greeted with the “Confirm Account Change” dialog
    • The message reads “This will cause the service to be restarted.  Do you wish to continue”
    • And, we reply YES
  7. Errored
    • Unfortunately, we received an error stating “Message :- Invalid Parameter [0x80041008]”

 

 

Images

Built-in Account ( Original Setting )


Select User or Group


 

Selected User or Group


 

Apply Selected Account


 

Confirm Account Change


 

Error – WMI Provider Error – Invalid Parameter [0x80041008]

Image


 

Textual

Header :- WMI Provider Error
Message :- Invalid Parameter [0x80041008]

Remediation

The error arises because, when we choose the “This account” option, the system expects us to supply a password.

For so-called system accounts, please do not choose the “This Account” option button.

Instead, please choose the “Built-In Account” option button.

 


 

Currently, the available Built-in accounts are:

  1. Local System
  2. Local Service
  3. Network Service

We chose Network Service.