Hopefully this is a variation on the previous svchost.exe troubleshooting questions.

We initially got reports of slow performance on a number of Windows 7 PCs. Resource Monitor showed that the IP Helper Service was consuming a large amount of CPU time. We disabled the IP Helper Service across the organisation using GP as we don't use any IPv6 transition services.

After disabling IP Helper we continued to receive problem calls. This time Resource Monitor showed that the BITS service was consuming a large amount of CPU time. We can't disable this but instead moved BITS to its own svchost.exe process.

After moving BITS we still continued to receive calls. The User Profile Service (profsvc) is now the culprit! Presumably if we disabled this or moved it to a separate process the problem would move to a different service.

Obviously this is baffling as the problem seems to move from service to service, all within the netsvcs svchost.exe group.

  • Affected machines are Windows 7 SP1 32-bit. Latest Windows Updates installed.
  • This problem occurs at random. It can occur during startup, at the logon screen or when the user is already logged on.
  • We've run various malware scans (SCEP, MalwareBytes, RR) and found nothing.

Any troubleshooting strategies would be appreciated.

AdamR
  • Did you run offline antivirus scanners (like the bootable rescue CD of Avira or Kaspersky)? Scanning from the running system will not show malware that knows how to hide. – Dan Oct 28 '15 at 10:05
  • Thanks for the suggestion. I have just run the Avira Bootable CD on a machine that has had the problem. Unfortunately it did not detect anything. – AdamR Oct 28 '15 at 11:23
  • Capture an xperf trace (http://pastebin.com/pgE11HRD - the Win8.1 SDK/WPT works fine with Win7, but not the Win10 one) of the CPU usage and analyze what BITS does. If you need help, share the trace. – magicandre1981 Oct 29 '15 at 05:14
  • If you can, check if the machine has suspicious internet traffic, it's not uncommon to become infected and part of a botnet which is used either to attack others or to send spam. – Dan Oct 29 '15 at 07:15
  • Update: I checked for suspicious internet traffic using a WAN analyzer appliance, nothing visible. – AdamR Oct 29 '15 at 13:28
  • Further update: I managed to run Process Monitor on a machine whilst it was booting using a PSEXEC remote command prompt. I can see constant reads to a file called C:\Windows\System32\wbem\repository\OBJECTS.DATA. If I examine the call stack, a DLL called Repdrvfs.dll seems to be consuming the majority of CPU time. This then led me to this KB article/hotfix KB2617858. I am going to try deploying the hotfix and see if it solves the issue. If this is the culprit, I am not sure why Resource Monitor shows the CPU as belonging to different services. Bug or inaccuracy perhaps? – AdamR Oct 29 '15 at 13:31
  • Does the hotfix solve the issue? – magicandre1981 Nov 07 '15 at 07:39
  • No, unfortunately not. I am opening a call with Microsoft to try and resolve this. – AdamR Nov 10 '15 at 10:45
  • Update: I have realized that the OBJECTS.DATA file on all the affected machines is 500MB+. The normal size is ~10MB. A lot of people have this problem: see http://thelazysa.com/tag/wmi/ – AdamR Nov 11 '15 at 09:48

1 Answer

Update: the KB2617858 hotfix does actually resolve this issue. However, machines that already have a gigantic WMI repository require the repository to be deleted and recreated. This course of action was advised by Microsoft.

AdamR
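A way to find which machines already have the oversized repository described in this thread, as an added example that is not part of the original posts or Microsoft's advice. The function name, parameters and host names are hypothetical; the 500MB threshold comes from the sizes reported above, and the check assumes you have admin-share access to the target PCs.

```powershell
# Added example: flag hosts whose WMI repository file (OBJECTS.DATA) is oversized.
# Function name, parameter names and the sample host names are hypothetical.
function Test-WmiRepositorySize {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        # Thread reports 500MB+ on affected machines versus ~10MB normally.
        [long]$ThresholdBytes = 500MB,
        [string]$HotfixId = 'KB2617858',
        # Get-HotFix queries WMI itself, so it can be slow on an affected host.
        [switch]$CheckHotfix
    )
    foreach ($computer in $ComputerName) {
        # Read the size over the admin share so the size check does not depend on WMI.
        $path = "\\$computer\admin`$\System32\wbem\Repository\OBJECTS.DATA"
        $sizeMB = $null
        $hotfixInstalled = $null
        $status = 'Unreachable'
        try {
            $file = Get-Item -LiteralPath $path -Force -ErrorAction Stop
            $sizeMB = [math]::Round($file.Length / 1MB, 1)
            if ($file.Length -ge $ThresholdBytes) { $status = 'Oversized' }
            else { $status = 'OK' }
        } catch {
            # Host offline, share blocked or file missing: leave status as Unreachable.
        }
        if ($CheckHotfix -and $status -ne 'Unreachable') {
            $hit = Get-HotFix -Id $HotfixId -ComputerName $computer -ErrorAction SilentlyContinue
            $hotfixInstalled = [bool]$hit
        }
        # New-Object/Select-Object keeps this compatible with PowerShell 2.0 on Windows 7.
        New-Object PSObject -Property @{
            ComputerName    = $computer
            SizeMB          = $sizeMB
            Status          = $status
            HotfixInstalled = $hotfixInstalled
        } | Select-Object ComputerName, SizeMB, Status, HotfixInstalled
    }
}

# Constructed host names, for illustration only:
# Test-WmiRepositorySize -ComputerName 'PC-EXAMPLE-01','PC-EXAMPLE-02' -CheckHotfix |
#     Where-Object { $_.Status -eq 'Oversized' }
```

Hosts reported as Oversized are the ones that, per the answer above, need the repository recreated in addition to the hotfix.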