Svchost.exe gets worse before it’s fixed

Svchost.exe gets worse before it's fixed

By Scott Dunn Problems with an important Windows component, svchost.exe, can consume up to 100% of CPU time. Now, a beta release of Windows Live Messenger threatens to spread the problem to even more users, unless their systems are patched soon.

The svchost.exe saga has persisted for months

Readers of the paid version of Windows Secrets are familiar with this story by now. Editorial director Brian Livingston first reported the issue nearly a year ago, on July 27, 2006. Contributing editor Susan Bradley has documented Microsoft’s attempts to solve it in the Jan. 18, Apr. 19, May 10, and May 24 issues this year. The problem has risen to a such a degree that we feel all Windows users should be aware of it.

Microsoft has long known of issues with svchost.exe — the process that runs services of DLLs (dynamic link libraries). There are many symptoms associated with the problem. Among the most common is a drastic slowdown of computer performance as svchost.exe consumes memory and CPU cycles.

The cause of the issue turned out to be the service that provides Automatic Updates. In response, many users began disabling Microsoft Update, an enhanced version of the more-limited Windows Update.

Recently, users who installed the beta 8.5 version of Microsoft’s Windows Live Messenger found that Microsoft Update is automatically turned on, with no choice for opting out. If you don’t read the initial installer dialog carefully, you might not even notice what has happened. The practice potentially exposes an even wider number of users to the svchost.exe bug. (For more information, see a posting by a blogger named Pharod.)

Figure 1. The Windows Live Beta installer turns on auto-updates and switches to Microsoft Update from Windows Update.

Diagnosing the problem on your own system

How do you know if you have this problem? If your system is experiencing a dramatic slowdown, try launching Windows Task Manager to see. To do this, right-click the Task Bar, the area to the right of the Start button, (or press Ctrl+Shift+Esc) and choose Task Manager. Make sure the Processes tab is active, and click Image Name to sort the list. You’ll see one or more instances of svchost.exe. If the CPU column shows 100%, or the memory usage seems extraordinarily high, you may be experiencing this bug.

Microsoft has detailed other symptoms in Knowledge Base article 927891. These include an access violation error in svchost.exe and unresponsive systems during update scans by Windows Update or Microsoft Update.

Some users respond by selecting the memory-hogging svchost.exe in Task Manager’s Processes tab and clicking End Process. Unfortunately, doing so can kill other services your system needs, such as audio. And, it won’t prevent the problem from returning later.

The bug affects users of XP (all versions, including XP Media Center), Windows Server 2003, and Windows 2000.

What to do if you’re affected

To solve this problem, Microsoft is offering a two-part fix. The first part has been offered to those who use Automatic Updates since May 22, according to a source at Microsoft who asked not to be named. Microsoft has been rolling out the second patch to users gradually, beginning in early May, and expects to complete delivery by the end of June, according to my source. Those who don’t use Automatic Updates — or who haven’t received both fixes and want them sooner — can follow the steps below:

Step 1. Patch msi.dll. Users need to replace the msi.dll file (the Microsoft Installer DLL) that svchost.exe controls. To do this, download and install the patch from Knowledge Base article 927891.

Step 2. Update Windows Update. Users also need to get the latest Windows Update client, which is version 3.0. Links to the 32- and 64-bit versions can be found at the Windows Server Update Services (WSUS) Product Team blog.

Although previous Microsoft fixes to svchost.exe — nearly a half-dozen in the last 10 months — addressed specific issues for some users (such as patching memory leaks or eliminating svchost.exe crashes, according to my source), none have solved all the problems once and for all. Even the patches Microsoft currently offers will not stop svchost.exe from registering 100% CPU usage in Task Manager’s Processes tab at times. But, the company claims, your system should still be responsive and svchost.exe will share CPU cycles with other processes after both patches have been installed.

Unfortunately, Microsoft did not wait for these patches to be delivered to everyone before issuing a Windows Live Messenger beta that switches users from Windows Update to Microsoft Update. This introduced the problem to some users who had not experienced it before.

Microsoft is confident that it has developed an effective solution to this problem. Hopefully, this time the company’s right.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

Free sub extension for ZoneAlarm customers

By Scott Dunn

For months, ZoneAlarm Internet Security Suite has claimed on its box to be “Vista ready,” but users found otherwise.

Fortunately, the company has now released a Vista version of the suite and promises to make it up to customers.

Free sub extension for ZoneAlarm customers

In the June 7 issue, I responded to reader complaints that the ZoneAlarm Internet Security Suite (which I’d discussed in the May 24 issue) did not support Windows Vista, despite its product labeling saying so. Soon thereafter, I received a phone call from Allison Wagda, director of public relations at Check Point, the maker of ZoneAlarm products. She announced that Vista versions of the suite and its products would be available immediately, and apologized to customers who were affected by the delay in getting the products out.

“We are offering anyone who purchased the suite a six-month extension on their subscription to make up for the loss,” Wagda told me. Check Point is also offering a refund to customers who would rather return the product. To take advantage of these offers, customers in the U.S. should call 1-877-966-5221. Those outside the U.S. should call +49 1805 104777 in Germany.

More on EULAs and transparency

Referring to my conversation with Ed Foster on the subject of End User License Agreements (EULAs) in the June 7 issue, reader Rich Painter has this comment:

• “It was my understanding that the EULA was part of a contract between the buyer and the seller, and as such, if the buyer does not want to or cannot comply with the EULA during the installation then the buyer has the right to a full refund. Several years ago, I disagreed with a EULA during the installation. I packed it back up and took it back to the place I bought it from. I told them I did not agree to the EULA and demanded my refund. They complied.”

I’m glad that worked for you, Rich. But think how annoying it is to have to buy a product, open the package, and run the installer before you know the terms of the contract. Software developers need to make this information simpler to understand, and make it available to customers before they make their purchase.

Recalling EasyFlow’s clear EULA language

Reader Walter Black enjoyed our mention of the 1980s product EasyFlow and its plainly worded license agreement in our June 14 issue. He offers these words of praise for the product:

• “I have been an enthusiastic EasyFlow user since the early 1980s, because the program does exactly what it claims to do, is unpretentious to a fault, and the entire user manual is written with the style and substance of the license agreement. The manual could (or maybe should) be used in the curriculum of any technical writing course.”

Walter also provides a quote from the manual:

• “Fools Rush In: This section is for those of you who want to jump into the business of using EasyFlow to produce charts with a minimum of reading the manual. If you are in too big a hurry to read even these few pages, then we recommend our product ‘HardFlow’ (a charting template and a pencil); HardFlow has a lot of faults, but having to spend time reading the manual isn’t one of them.”

Walter adds:

• “The section continues with a two-page whirlwind overview and then over 100 pages of concise and detailed description of program features.

  “Many thanks for the article, and for the fond memories that it recalled of my participation in software development of that time.”

Thank you, Walter, for the chance to discuss a piece of software history.

Readers Painter and Black will receive gift certificates for a book, CD, or DVD of their choice for sending us comments that we printed.

Don McMillan explains how not to use PowerPoint

We’ve all seen PowerPoint presentations run amok. The melange of fonts, the garish colors, the bullet lists that go on forever. These mishaps are not lost on comedian Don McMillan. In this short clip, he provides some quick pointers for keeping your PowerPoint presentation from becoming a multimedia nightmare. Watch the video

Laptop protection while surfing made easier

By Jody Braverman Last week’s Top Story described ways to protect your system when surfing the Web using unknown Wi-Fi hotspots. One reader adds to the pot with a handy trick for turning on and off file and printer sharing.

Disable wireless file sharing globally

Reader Jess Merto points out that it’s not only inconvenient to “unshare” every shared folder when you need to protect your laptop, but sometimes it’s not even possible.

For example, Jess writes:

• “Some folders cannot be unshared, such as the administrative share (C$), or some users may be using a borrowed office laptop that has another user’s profile on it with a shared folder enabled and may not even know the shared folder exists.”

Jess provides an easy solution that lets XP users turn file and printer sharing on and off globally. Here’s what to do:

Step 1. Go to Control Panel and open Network Connnections.

Step 2. Right-click your wireless connection and choose Properties.

Step 3. In the box labeled This connection uses the following items, uncheck the box for File and Printer Sharing for Microsoft Networks.

Step 4. Click OK.

Update the wireless client in Windows XP SP2

Philip Le Riche recommends a little-known update to Windows XP that helps with some of the Wi-Fi security issues that associate editor Scott Dunn recently wrote about:

• “Users of Windows XP (Service Pack 2) should go to the Microsoft support page at KB 917021 and download and install the Wireless Client Update package. This update enhances the WPA2 encryption protocol and also helps prevent some of the security issues discussed in the June 14 issue surrounding wireless hotspots”

As a "thank you," we’ll be sending readers Merto and Le Riche a gift certificate for a book, CD, or DVD of their choice for submitting tips that we printed.

Jody Braverman is managing editor of the Windows Secrets Newsletter. The Insider Tricks column brings you little-known Windows techniques suggested by our readers.

Vista time-saver #8 — tweaking the interface

Many of you responded to my last column, in which I speculated about why we have no PowerToys seven months after Vista’s release.

TweakUI rated high on readers’ lists of most-missed PowerToys. This week, I’ll tell you how to hack the Registry and tweak some parts of Vista’s UI all by yourself.

What’s a TweakUI?

As I explained in my last column, Microsoft has released a semi-official collection of Windows utilities and add-ons, called PowerToys, for every version since Windows 95. Except for Vista. Seven months after Vista went gold, we still don’t have any PowerToys — and I, for one, really miss them.

Windows XP customers can avail themselves of a great "Swiss Army Knife" PowerToy called TweakUI, which includes more than a hundred different ways to modify and customize the Windows interface. Back in the days of Windows 98, ME, and 2000, legions of Windows fans spent untold hours fiddling with bits and pieces underneath Windows’ hood — primarily in the Registry — to make Windows run faster and better. With the advent of TweakUI in Windows XP, most of the modifications folks wanted to make were only a click or two away — no Registry editor required.

Many of you are tired of waiting for the Vista version of TweakUI. So, for the bit-flipper in all of us, I’ve decided to show you a handful of my favorite Vista Registry hacks. Maybe someday Microsoft will give us a new TweakUI that makes it easy to perform these hacks. Then again, maybe not.

Here’s my standard Registry disclaimer

All of these hacks require you to dive into the Registry and make a few small changes.

No doubt you’ve heard that the Registry is a dark and scary place, where one simple mis-flipped bit can lock your computer tighter than a kryptonite axial pin tumbler. In fact, the Registry is a dark and scary place, where one mis-flipped bit can… well, you get the idea.

Be careful when you change settings in Vista’s Registry. There’s no need to be overly paranoid, but don’t go changing things willy-nilly, just to see what breaks. If you follow my instructions closely, you shouldn’t have any problems at all.

And, just in case something does go bump in the night, create a System Restore point before you fire up Vista’s Registry editor. (Click Start, right-click Computer, and choose Properties. Then, on the left, click the link marked System Protection. The Create button at the lower right guides you through creating a restore point.) That way, if worse comes to worst, you can always boot to your Last Known Good Configuration, as described in MS Knowledge Base article 307852.

How to change Vista’s registered owner

Vista, like all versions of Windows before it, stores the name and organization of the registered owner. Typically, the names get stored when you first set up your machine. The stored names frequently come into play when an installer tries to guess your name — and, all too often, fails miserably.

You can see the registered owner and organization names for your computer by clicking Start, typing winver, and pressing Enter. Does Windows have the right names for you? No, I didn’t think so.

Follow these steps to change the registered owner:

Step 1. Click Start, type regedit in the search box, and press Enter.

Step 2. Click Continue to clear the User Account Control hurdle.

Step 3. On the left, double-click to navigate down to:

HKEY_LOCAL_MACHINE  SOFTWARE  Microsoft  Windows NT  CurrentVersion

Step 4. On the right, double-click on RegisteredOwner.

Step 5. In the Value Data box, type whatever name you want to appear as the registered owner, then click OK.

Step 6. Double-click RegisteredOrganization, and type the new organization in the Value Data box.

Step 7. Click OK.

Step 8. Exit the Registry Editor, then try running winver again.

Ta-da.

Removing arrows from your shortcuts

There’s been a lot of discussion about removing (or reducing) the big "arrow" overlay that Vista sticks on shortcuts. Rich Crusco at Frameworx has a nifty free utility called FxVisor that lets you switch between the regular Vista arrow, a smaller arrow, and no arrow at all. The How-To Geek has a combination of a Registry tweak and a blank icon file that works for most people. One widely publicized alternative, involving the Registry key called IsShortcut, seems to have a lot of unintended side effects, and I don’t recommend it.

I’ve developed a simple Registry hack for removing the shortcut arrow overlay, which works most of the time on most of the Vista machines I’ve tried. You might want to give it a try and see if it works on yours. As far as I know, it’s never been published before. If it doesn’t work for you (you get big, black blotches, sometimes after rebooting a half-dozen times), you can always try the Frameworx or How-to Geek approaches.

Follow these steps:

Step 1. Click Start, type regedit in the search box, and press Enter.

Step 2. On the left, double-click to navigate down to:

HKEY_LOCAL_MACHINE  SOFTWARE  Microsoft  Windows  CurrentVersion  explorer

Step 3. Right-click in a blank spot on the right and choose New, String Value. Type 29 and press Enter.

Step 4. Double-click on the 29 and give the new string a value of:

%SystemRoot%system32shell32.dll,50

Step 5. Click OK.

Step 6. Exit the Registry Editor, then log off and log back on again.

Do the shortcut overlay arrows disappear on your machine, too? (If you have problems, repeat steps 1 through 6, deleting the string value called 29. Reboot, and you’re back in Kansas.)

A grab bag of miscellaneous tweaks

While you’ve got the Registry Editor out and working, you might want to try a couple of additional tweaks. Here are my favorites. If you have Vista Business, Enterprise, or Ultimate — any version that keeps track of shadow copies of files — you may be surprised to learn that Vista lops off 15% of each hard drive with shadow copies enabled, in order to store the shadow copies. That’s a lot of real estate, particularly if you have a drive with files that don’t change very much.

To change the percentage of the drive that’s set aside for shadow copies (which are stored in Restore Points), follow these steps:

Step 1. Click Start, type regedit in the search box, and press Enter.

Step 2. Go to:

HKEY_LOCAL_MACHINE  SOFTWARE  Microsoft  WindowsNT  CurrentVersion  SystemRestore  Cfg

Step 3. On the right, double-click DiskPercent.

Step 4. Click the button to switch from hexadecimal to decimal, and change the data from 15 to whatever percentage suits your fancy.

That should do it!

The “Ribbons” screensaver in Vista can also be tweaked in various fun ways using the Registry:

Step 1. Go to:

HKEY_CURRENT_USER  Software  Microsoft  Windows  CurrentVersion  Screensavers  Ribbons

Step 2. Add a new DWORD value called NumRibbons with hexadecimal data of 100, and a new DWORD value called RibbonWidth with hex data of 3c23d70a.

Step 3. Right-click on any empty location on your desktop, choose Properties, and click Screen Saver.

Step 4. In the Screen Saver Settings dialog, choose Ribbons.

Step 5. Click Preview.

Cool, eh? I have a couple of additional settings, tweaks for other screensavers, and a description of the meaning behind that “3c23d70a” stuff in Technique 56 of Windows Vista Timesaving Techniques For Dummies.

Old tweaks that don’t work

Some old WinXP Registry tweaks simply don’t work in Vista.

Take, for example, MenuShowDelay. When you click on the Start button, or slide out any of the Start menu items, Vista intentionally pauses for a fraction of a second to let you catch up. Most people find the delay comforting. Without some delay, your eyeballs flap against the top of your head, trying to keep up with the darting menus.

But, you may well want less delay, or more. In Windows XP, you could modify a Registry entry called MenuShowDelay and make it smaller to reduce the delay, or larger to make WinXP stutter more. In Vista, at least with the Aero interface working, changing MenuShowDelay doesn’t do anything. I don’t know if anyone has yet figured out how to change the delay.

Then there’s SourcePath. Windows XP had a devil of a time locating Windows installation files — particularly vexing when you needed to use a program like System File Checker that refused to look anywhere other than the folder from which WinXP was originally installed. Fortunately in Vista, the system can find installation files with hardly a hiccup.

Got any good tweaks?

Did my disappearing arrow tweak work for you?

Do you have any other Vista Registry hacks you’d like to share? I’m all ears. Send them to me via the Windows Secrets contact page.

Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.

Browsers: the difference between 'safe' and 'secure'

By Ryan Russell Two events — an e-mail from a reader asking why I wasn’t recommending Opera, and the release by Apple of a public beta of Safari for Windows — have forced me to think about browsers this week. Most people consider a browser’s features, performance, and looks, but I immediately wonder how secure it is.

Making a browser safe versus secure

In my June 7 column, I mentioned in passing that we here at Windows Secrets recommend for security reasons that readers run Firefox as their main browser. I said this while noting that Firefox is becoming more of a target. You’re more secure if you’re less of a target, but if simply targeting you means that you get hacked, you weren’t secure in the first place.

The difficulty here is terminology. I admit that I glossed over this point in the interest of space, so let me clarify. If hackers don’t target your browser, you are not more secure, you are safer. There is a difference. As an analogy, you’re more secure because you’re wearing a bulletproof vest, but you’re safer because you live in a nice neighborhood. However, muggers can still come to the nice neighborhood, too.

Let me also freely admit that I cannot tell you which Web browser has the fewest vulnerabilities. No one can. If we knew, we would fix them, and there would be zero. There are many more than zero. Then why do we recommend Firefox over IE? Because we know for sure that hackers hit IE harder. That means that Firefox users are a little safer, in aggregate, on average. For now. That’s why I keep an eye on what’s going on with Firefox, so I know when to tell you the neighborhood has gotten worse. Apologies for when I slip and call that "more secure" when I mean "safer."

Opera could be safer, too

A reader who gets it wants to know, if Firefox is safer because it’s not IE, why don’t I recommend Opera? Excellent question. I don’t know why. I tried to think of reasons I preferred Firefox. Well, it’s free. It’s very important to me to have free software available, so I can leave it installed on friends’ and relatives’ computers. Opera is free now, too. It isn’t open source like Firefox, but that’s not always super-important to Windows users.

About the only other measure of current security that we have to go on is past performance. While Opera has not been bug-free over the years, I do not see huge numbers of published vulnerabilities for it.

So, since Opera isn’t IE, is free, and is even less popular than Firefox, maybe I should look into it.

We know Safari is broken

There is always a good counter-example. I like to pick on Apple when it makes security mistakes, and it doesn’t look like I’ll be stopping any time soon. What is the opposite of "no holes" and "unpopular with hackers"? The Safari 3.0 beta for Windows.

As part of its Worldwide Developer’s Conference recently, Apple introduced a public beta of Safari for Windows. Safari is Apple’s in-house browser that Mac OS X users have had for years. So far, Apple hasn’t said why it made Safari for Windows. If I had to speculate, I’d guess that it has to do with iPhone integration. Just like the iPod, surely Apple wants Windows users to buy its iPhone. But I’m just guessing on that.

On the first day of the Safari for Windows beta, security researchers downloaded the software and shredded it. In my Aug. 10, 2006, column, I touched on a flap between researcher David Maynor and Apple. Payback is no fun. David claims six bugs, two of which he says are exploitable. He also links to other researchers who had similar results.

In Apple’s defense, this is a beta, so the software is not necessarily complete or secure. To Apple’s credit, it had patched the reported issues in only three days, and a new beta is already out. Of course, this saga isn’t over, and I’m sure there will be lots of back and forth to come. It’s no fun being a target.

The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.