I have a runaway svchost.exe (service host) that is using 135 MB of memory. I want to know what is using up the memory and whether I can separate it out into its own service host, so I can watch it by itself.
Before Windows Vista and the later improvements in Task Manager, you would have to use a cmd window and tasklist.exe to find which services were being hosted by which service host. Tasklist produces a list of all running processes:
Image Name               PID Session Name  Session#    Mem Usage
=================== ======== ============ ========= ============
System Idle Process        0 Services             0         24 K
System                     4 Services             0      1,612 K
smss.exe                 408 Services             0         88 K
csrss.exe                632 Services             0      1,944 K
csrss.exe                684 Console              1     69,172 K
wininit.exe              692 Services             0        112 K
winlogon.exe             756 Console              1      1,268 K
services.exe             796 Services             0      5,764 K
lsass.exe                804 Services             0      7,236 K
lsm.exe                  812 Services             0      1,624 K
svchost.exe              908 Services             0      4,416 K
Tasklist /svc lists the services hosted in each process:
Image Name              PID Services
===================== ===== ==========================================
System Idle Process       0 N/A
System                    4 N/A
smss.exe                408 N/A
csrss.exe               632 N/A
csrss.exe               684 N/A
wininit.exe             692 N/A
winlogon.exe            756 N/A
services.exe            796 N/A
lsass.exe               804 EFS, KeyIso, ProtectedStorage, SamSs
lsm.exe                 812 N/A
svchost.exe             908 DcomLaunch, PlugPlay, Power
svchost.exe             988 RpcEptMapper, RpcSs
svchost.exe             600 AudioSrv, Dhcp, eventlog,
                            HomeGroupProvider, lmhosts, wscsvc
svchost.exe             572 AudioEndpointBuilder, hidserv, Netman,
                            PcaSvc, SysMain, TrkWks, UxSms, Wlansvc,
svchost.exe            1060 EventSystem, fdPHost, FontCache, netprofm,
                            nsi, SstpSvc, WdiServiceHost
svchost.exe            1120 AeLookupSvc, Appinfo, BITS, Browser,
                            EapHost, IKEEXT, iphlpsvc, LanmanServer,
                            ProfSvc, RasMan, Schedule, SENS,
                            ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe            1196 gpsvc
TrustedInstaller.exe   1228 TrustedInstaller
PID 572 svchost.exe is running quite high. If you find this svchost.exe in Task Manager, right-click it and choose Go To Service(s); Task Manager then jumps to the Services tab and highlights each of the services named on the right-hand side. [This is a great improvement over the poor TaskMan console in Windows XP (which could have easily been updated in a service release during the years that Windows XP was being sold). Though there were ways to replace TaskMan with improved versions manually.]
When I restart the service SysMain - Superfetch, the working memory used by this svchost process drops significantly. So I want to run SysMain in its own process to watch it independently of the other processes. To do this apparently I need to run:
sc config servicename type= own
There has to be a space after the type=, so:
sc config SysMain type= own
...and running this gives me.. er.. failed.
[sc] OpenService failed 5
Error 5 is "access denied": if you get that, you don't have the elevated permission required to change the service. Close the cmd window and run cmd as Administrator instead. (Press the Start button and type 'cmd', then right-click cmd.exe when it appears and choose Run as Administrator from the context menu.)
Now it says:
[SC] ChangeServiceConfig SUCCESS
If you find the service in Regedit - HKLM\SYSTEM\CurrentControlSet\services\SysMain - you'll see that the Type REG_DWORD changes from 32 (0x20) to 16 (0x10) = shared and own respectively.
Restart the service. Tasklist should now show the service has been placed in its own process - 22832.
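The lookup done by eye above (which PID hosts SysMain, and what else shares that process) can be scripted. This is an added example, not part of the original post: it parses `tasklist /svc` text, including the wrapped service lines, and the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample in the column layout of `tasklist /svc`
# (rows taken from the listing on this page; wrapped lines are indented).
SAMPLE = """\
Image Name              PID Services
===================== ===== ==========================================
System Idle Process       0 N/A
lsass.exe               804 EFS, KeyIso, ProtectedStorage, SamSs
svchost.exe             572 AudioEndpointBuilder, hidserv, Netman,
                            PcaSvc, SysMain, TrkWks, UxSms, Wlansvc,
svchost.exe            1196 gpsvc
"""

# Values of the service's Type REG_DWORD (winnt.h SERVICE_WIN32_* constants),
# mapped to the keyword that `sc config <name> type= ...` accepts.
SERVICE_TYPE = {0x10: "own", 0x20: "share"}

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")  # image name, PID, services


def parse_tasklist_svc(text):
    """Return {pid: (image, [service, ...])}, joining wrapped service lines."""
    hosts, pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("=", "Image Name")):
            continue  # blank line, separator or header
        row = ROW.match(line)
        if row:
            pid, tail = int(row.group(2)), row.group(3)
            hosts[pid] = (row.group(1), [])
        elif line[0].isspace() and pid is not None:
            tail = line  # continuation of the previous row's service list
        else:
            continue
        hosts[pid][1].extend(
            s.strip() for s in tail.split(",") if s.strip() not in ("", "N/A"))
    return hosts


def cohosted_with(hosts, service):
    """Return (pid, other services in the same process) for a service name."""
    for pid, (_image, services) in hosts.items():
        if service.lower() in (s.lower() for s in services):
            return pid, [s for s in services if s.lower() != service.lower()]
    return None, []


if __name__ == "__main__":
    pid, others = cohosted_with(parse_tasklist_svc(SAMPLE), "SysMain")
    print(f"SysMain runs in PID {pid} alongside: {', '.join(others)}")
```

On a live system, feed it the captured text of `tasklist /svc` instead of `SAMPLE`; after the `type= own` change and a service restart, the co-hosted list for SysMain should be empty.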
Superfetch: this was introduced in Windows Vista. It basically attempts to pre-empt which programs you use most frequently and then swap them in and out of the memory cache. So what if you use the computer like me.. have 3 browser windows with a total of 25 tabs, two Visual Studio instances, Word, Regedit, Explorer, TaskMan, Excel all open at the same time.. I think Superfetch is running to its max and killing my system. Now it's like working in treacle. Could it be that what was designed as a 'performance enhancement' is actually unable to keep up under heavy usage?
Windows 7 has a program called Resource Monitor, which is an updated perfmon.exe (Performance Monitor). This is a useful program - you can select every instance of Chrome for example and see what all the windows are doing... I've got one process 12544 which is opening Cookies, my $LogFile.. my user data cache for Chrome.. and is connecting to the following:
[1e100 = 10 to the power of 100... which is a 'Googol'...]
I'm going to explore Chrome's own TaskMan to see what's running on that PID.. seems it is the main base browser instance and not any of the tabs. Google keeping tabs on my usage...
I'm going to try living without Superfetch running for a bit... to see whether switching it off makes my laptop run any differently..