Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SVCHOST 100% hanging systems after upgrading to WSUS 3.0 SP1

15 views
Skip to first unread message

F@discussions.microsoft.com Adam F

unread,
Mar 3, 2008, 3:16:01 PM3/3/08
to
This past Friday we upgraded our WSUS 2.0 environment to WSUS 3.0 SP1. Since
the upgrade, we have experienced hundreds of systems becoming virutally
unusable due to a memory leak with svchost. The temporary fix is to disable
automatic updates. We had to do this across 7000 workstations because
hundreds of systems are affected. We did not experience this at all prior to
upgrading our WSUS servers. We have done a lot of research on this and we
have already performed the following steps:

1. Making sure that WUA 3.0 is installed. In every case the client already
has the latest version of windows update agent.
2. Install kb927891. This was released to all our workstations the middle of
last year.
3. Cleaned up the catroot folder. Some people on the internet have found
success by running a batch file that cleans up all the aspects of the catroot
folder. I tried this and it temporarily fixed the problem. However, after
rebooting the problem came back.

Any suggestions would be greatly appreciated because the upgrade has
essentially broken out patch management solution. Please help.

Kyle Blake

unread,
Mar 3, 2008, 6:17:00 PM3/3/08
to
Wow, that is horrible, holy crap all mighty.

Are you running Symantec Anti Virus on desktops?

What are GPO policies set to?

Adam F

unread,
Mar 3, 2008, 10:32:07 PM3/3/08
to
Yes, most of the workstations use v10 Symantec AntiVirus. A small portion
still use v9. Can you be more specific about which GPO's your referring to?
Thanks!

Lawrence Garvin [MVP]

unread,
Mar 4, 2008, 9:00:33 PM3/4/08
to

"Adam F" <Adam F...@discussions.microsoft.com> wrote in message
news:EB720FCE-2516-4145...@microsoft.com...

> This past Friday we upgraded our WSUS 2.0 environment to WSUS 3.0 SP1.
> Since
> the upgrade, we have experienced hundreds of systems becoming virutally
> unusable due to a memory leak with svchost. The temporary fix is to
> disable
> automatic updates. We had to do this across 7000 workstations because
> hundreds of systems are affec

In fact the issue has existed for over a year now.

Start here (from Jan 2007):
http://blogs.technet.com/wsus/archive/2007/01/17/update-on-wua-srvhost-exe-high-cpu-consumption-and-memory-consumption-issue.aspx


--
Lawrence Garvin, M.S., MCBMSP, MCTS, MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/

Kyle Blake

unread,
Mar 4, 2008, 7:09:01 PM3/4/08
to
It wouldn't hurt to call tech support if you are still on a yearly
maintenance agreement and ask about svchost?

I know it's a windows process, I'm pretty sure of it, Microsoft does
regression testing and for the sake of $250 or whatever it costs, it might be
worthwhile getting them on the horn for support ticket.

The issue sounds very wide spread.

I've seen an issue with symantec v9 that caused high cpu, however it may of
been rtvscan.exe. I'm not sure.

With respect to the GPO, the wuadm admin template. There is settings in
there to control when to install patches.

I was thinking that maybe you set it to install patches immediatly or
something.

So perhaps changing it to delay the install to later on in the day may prove
your theory that a patch is what is getting installed and causing svchost
100%.

Just some ideas. If your on a vista box, the event viewer shows a lot more
detailed information about WSUS client LOGGING.

Sorry maybe I didn't real your whole post right.
KB

Harry Johnston [MVP]

unread,
Mar 4, 2008, 7:37:56 PM3/4/08
to
Lawrence Garvin [MVP] wrote:

>> This past Friday we upgraded our WSUS 2.0 environment to WSUS 3.0 SP1.
>> Since
>> the upgrade, we have experienced hundreds of systems becoming virutally
>> unusable due to a memory leak with svchost. The temporary fix is to
>> disable
>> automatic updates. We had to do this across 7000 workstations because
>> hundreds of systems are affec
>
> In fact the issue has existed for over a year now.
>
> Start here (from Jan 2007):
> http://blogs.technet.com/wsus/archive/2007/01/17/update-on-wua-srvhost-exe-high-cpu-consumption-and-memory-consumption-issue.aspx

But they've already applied the updates that should have corrected that issue.

IIRC, someone else has reported the same problem reappearing with WSUS 3.0 SP1;
perhaps there's been a regression?

Harry.

Lawrence Garvin [MVP]

unread,
Mar 5, 2008, 1:47:05 AM3/5/08
to

"Harry Johnston [MVP]" <ha...@scms.waikato.ac.nz> wrote in message
news:eZphoklf...@TK2MSFTNGP02.phx.gbl...


> Lawrence Garvin [MVP] wrote:
>
>>> This past Friday we upgraded our WSUS 2.0 environment to WSUS 3.0 SP1.
>>> Since
>>> the upgrade, we have experienced hundreds of systems becoming virutally
>>> unusable due to a memory leak with svchost. The temporary fix is to
>>> disable
>>> automatic updates. We had to do this across 7000 workstations because
>>> hundreds of systems are affec
>>
>> In fact the issue has existed for over a year now.
>>
>> Start here (from Jan 2007):
>> http://blogs.technet.com/wsus/archive/2007/01/17/update-on-wua-srvhost-exe-high-cpu-consumption-and-memory-consumption-issue.aspx
>
> But they've already applied the updates that should have corrected that
> issue.

Not if they just upgraded from WSUS 2.0 (RTM???) to WSUS 3.0 on Friday, and
the WUA hasn't been upgraded yet.


> IIRC, someone else has reported the same problem reappearing with WSUS 3.0
> SP1; perhaps there's been a regression?

That would be most unfortunate, but it's not impossible that something in
the SP1 version of the WUA v7.x client got duplicated from the SP1 version
of the WUA v5.8 client that had the same 'bug'.


--
Lawrence Garvin, M.S., MCBMSP, MCTS, MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)

My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Harry Johnston [MVP]

unread,
Mar 5, 2008, 5:23:31 PM3/5/08
to
Lawrence Garvin [MVP] wrote:

>>> Start here (from Jan 2007):
>>> http://blogs.technet.com/wsus/archive/2007/01/17/update-on-wua-srvhost-exe-high-cpu-consumption-and-memory-consumption-issue.aspx
>>
>> But they've already applied the updates that should have corrected
>> that issue.
>
> Not if they just upgraded from WSUS 2.0 (RTM???) to WSUS 3.0 on Friday,
> and the WUA hasn't been upgraded yet.

The 3.0 version of the WUA came out for WSUS 2.0 some time ago - optional,
granted, but the OP said it had been installed.

Harry.

Adam F

unread,
Mar 5, 2008, 11:00:00 PM3/5/08
to
The 3.0 client and the hotfix has definitely been installed on every PC in
our environment. All of the working PC's have version 7.0.6000.374. The now
hundreds of machines experiencing the problem have 7.1.6001.65. We assume the
problem started once they received the 7.1 client since none of them had that
prior to the 3.0 SP1 upgrade.. We have heard from Microsoft that a relapse of
this problem has occurred this February and there is currently not a fix for
it. We were told that it is related to a bug with Windows Malicious Tool and
that we needed to decline every superceded version of the update. We declined
every version of the malicious tool and ran the server cleanup tool. This has
not helped us fix the affected clients at all. Our patch management solution
is still completely down as a result of this and has let to multiple people
at my company working 15+ hours a day trying to correct this problem. We are
desperate for a solution so if any body has any ideas please share.

Lawrence Garvin [MVP]

unread,
Mar 8, 2008, 10:18:38 PM3/8/08
to
"Adam F" <Ad...@discussions.microsoft.com> wrote in message
news:F690BD43-3547-4110...@microsoft.com...

> The 3.0 client and the hotfix has definitely been installed on every PC in
> our environment. All of the working PC's have version 7.0.6000.374. The
> now
> hundreds of machines experiencing the problem have 7.1.6001.65. We assume
> the
> problem started once they received the 7.1 client since none of them had
> that
> prior to the 3.0 SP1 upgrade..

Adam, if you believe you have a number of these clients demonstrating this
behavior with v7.1 of the WUA, then I would open a (FREE) ticket with PSS.

> We have heard from Microsoft that a relapse of
> this problem has occurred this February and there is currently not a fix
> for
> it

I've heard nothing that any such issue exists either, nor have I seen any
such behavior in any of the WSUS 3 SP1 testing that I did.

> We were told that it is related to a bug with Windows Malicious Tool and
> that we needed to decline every superceded version of the update.

Interesting... =WHICH= version of the MSRT is supposed to be the culprit.
I've heard nothing about any issues with any releases of the MSRT either.

> Our patch management solution
> is still completely down as a result of this and has let to multiple
> people
> at my company working 15+ hours a day trying to correct this problem. We
> are
> desperate for a solution so if any body has any ideas please share.

Obviously this is not good for your organization, but I've not seen any
other occurrences of this behavior, which makes it hard to believe it's
anything related to WSUS software or updates.

My best suggestion is the one above: Open a =security update= ticket (which
will be a no charge ticket) with Product Support Services. Obviously with
the svchost.exe failing as it is, it's impossible for you to apply required
security updates.


--
Lawrence Garvin, M.S., MCBMSP, MCTS(x4), MCP

Wonder

unread,
Mar 20, 2008, 1:03:02 PM3/20/08
to
Same issue started in our domain on the 13th of March. Only affecting 50-60
systems and the only imilarities between these systems is they all have
Office 2003. We have forced 5 Office updates from the WSUS server which
seems to have resolved the issue for now, but anticipate the issue to come
back. Any more info for the group would be great.

Lawrence Garvin [MVP]

unread,
Mar 20, 2008, 9:14:07 PM3/20/08
to
"Wonder" <Won...@discussions.microsoft.com> wrote in message
news:58A8FA99-4A47-4307...@microsoft.com...

> Same issue started in our domain on the 13th of March. Only affecting
> 50-60
> systems and the only imilarities between these systems is they all have
> Office 2003. We have forced 5 Office updates from the WSUS server which
> seems to have resolved the issue for now, but anticipate the issue to come
> back. Any more info for the group would be great.

I would suggest researching the entire sordid history of the WSUS SVCHOST
issues from last year via Google Groups.

As I recall Office 2003 was in the original mix, and you may have simply
re-opened that ancient can of worms, which was then fixed by applying the
requisite updates to Office 2003.

Mal the evil IT manager

unread,
Mar 31, 2008, 6:34:00 AM3/31/08
to
Hi
I have the same issue, just started on the 27th.
If the problem is caused by a combination of WSUS and Office, would holding
back on the office updates and just using WSUS for security patches serve as
a temporary workaround until MS come up with a fix? or is that just bad logic!
(I can't try it myself at the moment)

Lawrence Garvin [MVP]

unread,
Mar 31, 2008, 8:26:08 AM3/31/08
to
"Mal the evil IT manager" <Maltheevi...@discussions.microsoft.com>
wrote in message news:0E31FC59-29E8-494A-A2D7-
8A500E...@microsoft.com...

> I have the same issue, just started on the 27th.
> If the problem is caused by a combination of WSUS and Office, would
> holding
> back on the office updates and just using WSUS for security patches serve
> as
> a temporary workaround until MS come up with a fix? or is that just bad
> logic!
> (I can't try it myself at the moment)

If you can reproduce this issue on a FULLY patched client running the latest
WUA on WSUS SP1, then this is a *NEW* issue, and you should report it to
Product Support Services immediately.

If the client is not yet FULLY patched -- then you should first apply ALL
Office updates, and All Crit/Sec updates, reboot, and then test again.

Mal the evil IT manager

unread,
Mar 31, 2008, 9:51:01 AM3/31/08
to
Thanks for the reply
If I need to manually update all 1500 client computers with patches in
order to run WSUS, why do I need WSUS? ;-)

Lawrence Garvin [MVP]

unread,
Mar 31, 2008, 7:43:33 PM3/31/08
to
"Mal the evil IT manager" <Maltheevi...@discussions.microsoft.com>
wrote in message news:A0083AAE-9D0A-4E66...@microsoft.com...

> Thanks for the reply
> If I need to manually update all 1500 client computers with patches in
> order to run WSUS, why do I need WSUS? ;-)

Who said anything about having to manually update all 1500 client computers?

You asked this question:

>> > If the problem is caused by a combination of WSUS and Office, would
>> > holding
>> > back on the office updates and just using WSUS for security patches
>> > serve
>> > as
>> > a temporary workaround until MS come up with a fix? or is that just bad
>> > logic!

In a more direct way I'm telling you this is bad logic.

It's also relevant that this *known* issue is an ancient issue, and the only
*known* reason why anybody would be experiencing it today is because a
machine is missing one or more critical updates that fix this problem. (...
or... it's a new problem never before seen).

My recommendation is:

>> If the client is not yet FULLY patched -- then you should first apply ALL
>> Office updates, and All Crit/Sec updates, reboot, and then test again.

I didn't say clients (plural), I said =client= (singular).. the machine you
are using to diagnose and resolve this particular issue.

If, after doing that, you /still/ have the problem, then the problem is a
*NEW* problem, and nothing I provide you is going to help.

If this is a *NEW* problem, then you need to report it to Product Support
Services.

However, if you call PSS with an UNpatched system, they're going to tell you
what I just did... patch the machine, then call back.

Lawrence Garvin [MVP]

unread,
May 10, 2008, 6:18:29 PM5/10/08
to
"Adam F" <Adam F...@discussions.microsoft.com> wrote in message
news:EB720FCE-2516-4145...@microsoft.com...

> This past Friday we upgraded our WSUS 2.0 environment to WSUS 3.0 SP1.

Per a thread just updated in the Win2008/WSUS forums...

http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3241867&SiteID=17

This appears to be traced (at least in one instance) to a defective CA
AntiVirus engine update.

--
Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP

jbl...@hotmail.com

unread,
May 20, 2008, 9:27:39 AM5/20/08
to
On May 11, 12:18 am, "Lawrence Garvin [MVP]" <ons...@postalias.news>
wrote:
> "Adam F" <Adam F...@discussions.microsoft.com> wrote in messagenews:EB720FCE-2516-4145...@microsoft.com...

>
>
>
>
>
> > This past Friday we upgraded our WSUS 2.0 environment to WSUS 3.0 SP1.
> > Since
> > the upgrade, we have experienced hundreds of systems becoming virutally
> > unusable due to a memory leak with svchost. The temporary fix is to
> > disable
> > automatic updates. We had to do this across 7000 workstations because
> > hundreds of systems are affected. We did not experience this at all prior
> > to
> > upgrading our WSUS servers. We have done a lot of research on this and we
> > have already performed the following steps:
>
> > 1. Making sure that WUA 3.0 is installed. In every case the client already
> > has the latest version of windows update agent.
> > 2. Install kb927891. This was released to all our workstations the middle
> > of
> > last year.
> > 3. Cleaned up the catroot folder. Some people on the internet have found
> > success by running a batch file that cleans up all the aspects of the
> > catroot
> > folder. I tried this and it temporarily fixed the problem. However, after
> > rebooting the problem came back.
>
> > Any suggestions would be greatly appreciated because the upgrade has
> > essentially broken out patch management solution. Please help.
>
> Per a thread just updated in the Win2008/WSUS forums...
>
> http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3241867&Site...

>
> This appears to be traced (at least in one instance) to a defective CA
> AntiVirus engine update.
>
> --
> Lawrence Garvin, M.S., MCITP, MCBMSP, MCTS(x4), MCP
> Senior Data Architect, APQC, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2008)
>
> MS WSUS Website:http://www.microsoft.com/wsus
> My Websites:http://www.onsitechsolutions.com;http://wsusinfo.onsitechsolutions.com
> My MVP Profile:http://mvp.support.microsoft.com/profile/Lawrence.Garvin- Hide quoted text -
>
> - Show quoted text -

Dear ,

We experiencing the same problem.
We use one "primary" WSUS 3.0 (not SP1) server and several downstream
server.
The primary was a fresh install.
For some downstream it was an upgrade from WSUS2.
We remark that the SVCHOST issue appear only on sites where we updated
the WSUS version.
To solve it (I hope definitively) we :
- run cleanup tool on downstream server
- Update WUA on faulty computer (mainly laptop)
- Download last update from MS site and install them manually.

For now, all seems back to normal.
I just want to be sure that the problem will not reappear for the next
patch release.

any comments are welcome and I would to know what is the cause of the
issue (may be the less number of languages on the downstream server
after the update?)

Best Regards,
Jerome

0 new messages