Windows 2003 is getting a bit long in the tooth, but we've got a number of customers that are still happily using it, and for good reason — it's a solid work horse of an OS.

We've recently come upon an issue where some of our 2003 servers in the lab were pegging the CPU at 100%.  Investigation revealed svchost was the culprit.  But there are lots of svchost processes, what is it really doing?  There is a cool trick to figure it out:

Run: tasklist.exe /svc /fi "imagename eq svchost.exe"

You'll see someething like:

tasklist

Here you can see the PID associated with those svchost processes, and which service is running in each.  Look in Task Manager to get the PID, compare to this list, and you've now narrowed down which service is hogging the CPU.

High CPU Usage in Automatic Update Service

In our case, it turns out we've run into a known issue where the Automatic Update service goes a little crazy with CPU usage.  It will drop down after finishing a scan, but will jump up again the next day.

Since this is a known issue, there is also a fix.  This page http://support.microsoft.com/kb/927891 lists two patches to install.  After running and installing these (and one was already installed in our case), we've not had the problem since 🙂

UPDATE: Elohir and Byron_K below mentioned a new patch that seems to fix this problem even in cases where the previous fix hasn't worked.  A big thank you! for sharing it.

http://technet.microsoft.com/en-us/security/bulletin/ms13-097

 

Tweet this

Share on Google+

Doug N

More about me on Google+

Share →

19 Responses to Windows 2003 and High CPU Usage in Svchost

  1. Dan says:

    Hy,
    I had a similar problem reagarding the Svchost high resource consuption. The problem was caused because the WMI repository was corrupted. I managed to fix the problem by resetting the WMI. 

  2. patrick says:

    Thanks for the solution!

  3. Jim Birchall says:

    This same problem has hit 4 of my servers this morning.  Stopping the Automatic Updates service reduces the CPU used. However, I tried applying the suggested fixes (the second one was already installed) and this has not resolved the problem.  I have 4 servers currently running at 100% CPU due to this issue and I am currently a bit stuck!

  4. Bmel says:

    Hi, yes, turning off automatic Windows updates, solved the problem, then I have installed this patch also:
    http://support.microsoft.com/kb/927891

    Thanks a lot!

     

  5. Blah says:

    KB2888505 (MS13-088) was causing the issue for me

    Stop the Automatic Update service

    Download the appropriate update manually based on your OS and IE version

    http://technet.microsoft.com/en-us/security/bulletin/ms13-088

    Reboot

     

  6. Alex says:

    Yes stopping the Automatic Updates worked for me! Windows 2003 Server Std 32 bit

     

  7. Norton says:

    I've the same issue on Windows Server 2003 Std 32bit, but nothing change after this fix. I've to turn off automatic updates.

  8. Elohir says:

    The MS patch that finally fixed it for me in December 2013 is:

    http://technet.microsoft.com/en-us/security/bulletin/ms13-097

  9. Sam says:

    MS13-097 (patch KB2898785) and reboot solved it for me too on my Windows server 2003.

  10. Vishal says:

    Yaa,,,,,,Stopped Automatic update service on server and CPU utilization came down.

    It worked for me, thanks Guys

  11. jordan says:

    the updates linked in the article are very old.  Did you guys really not have updates from 2k7 installed?   The description for the http://technet.microsoft.com/en-us/security/bulletin/ms13-097 kb does not sound like it decribes this issue.  Did ms13-097 really fix  your problem?   

  12. tzortz says:

    Same here!! Server 2003 Enterprise w/ Exchange. CPU pegged at 100%
    Shut down AU service and disabled it. I think after 10+ years I dont need anymore updates until the customer decides to upgrade.

    CPU restored and stabilized at 5-8%

  13. Paul says:

    Yep, MS13-097 (patch KB2898785) seems to have fixed my issue too.  Seems to cause AU to go into a spin for some reason.  Can't see anything in the windowsupdate.log or the event viewer.

    Cheers guys!

  14. Byron_K says:

    To be clear, the problem should be described as
    "AU takes 100% CPU, AND AU also FAILS to download anything automatically, including the patch to fix the problem".

    So, although MS gave us a fix, AU won't  download the fix. Therefore, the server admin must manually intervene.

    Sure, you can simply "turn off" the AU service and that fixes the 100% CPU, but that is unacceptable from a security standpoint.

    Doug's blog post here should be clarified as well: The 2 seven year old patches linked to in this 2013 blog fix an OLD problem where AU uses 100% CPU and DOES NOT SHARE with other processes … effectively locking up the server. (I already had both those patches. I did not see 100% CPU until very recently, but my AU did share with other processes since I already had those 7 year old patches. Thus my servers were not totally locked up (but were very slow). This "new" 100% CPU bug must have been introduced in some other fairly recent patch …Nov. 2013? … since I had the 7 year old patches for 7 years, and my AU 100% CPU issues started only recently).
    ==============================
    To FIX the problem:
    1. Temporarily disable and stop the AU service (in my case, just stopping it was not enough, I had to disable it since it was somehow "stuck" in the process of downloading, and kept restarting itself until disabled).
    2. Go to the patch page, download and install it (thank you Elohir).
       http://technet.microsoft.com/en-us/security/bulletin/ms13-097
        (That supercedes the MS13-088 patch that Blah mentioned)
    3. Reboot.
    4. Re-enable AU and start it.
    5. Go to the MS update site and get caught up on all the patches that haven't been loading since the issue started.
    ===============================

    Other things I tried, while flailing around for hours trying to solve it.
    NONE OF THE FOLLOWING FIXED the "AU 100% CPU, not downloading new patches" problem.
    I include them in case they help others with "similar" AU issues:

    I tried this:
    http://support.microsoft.com/kb/971058/en-us
    (using XP mode since XP is a kissing cousin to W2K3 and MS is good about telling you if you are running something inappropriate for your OS … MS let it run on W2K3. But to be safe, I ran it on a test instance built from one of my live W2K3 servers that was having the AU problems)

    I tried this:
    http://support.microsoft.com/kb/2714434
    (same note as above)

    I tried this:
    http://support.microsoft.com/kb/927891
    (this is the one mentioned in Doug's blog post above, which fixes AU using 100% CPU and NOT sharing with other processes … these patches are, as Jordan points out, seven years old, so you should already have them if you are keeping up with patches).

    Cheers!
    Byron K.

  15. Ev says:

    If for some bizarre reason you are building a Windows Server 2003 from scratch, you can avoid this problem by not installing the Internet Explorer upgrade in SP2. After SP2 is installed just carry on with the Windows Updates, including the IE upgrade to version 7 and the problem does not appear.

(ec2)