Hi Calls

     Norton will certainly block the SVCHOST.exe nasty. To make sure(For your Satisfaction) you can do some background check on the svchost.exe processes that are running in your computer. To do that you can goto the Task Manager --> goto processes (tab) --> click on show process from all users --> Now you can see the svchost.exe processes --> right click one by one and then select goto service(s) --> This will provide you the insight about that svchost.exe process --> You can see what services are running under the hood (check the Description) --> So by doing this you can make sure nothing malicious is running under the name of svchost.exe.

    Otherwise you can use the command tasklist /SVC in the command prompt to get the background info. 

---

SUBASH_PRABU wrote:

Hi Calls

     Norton will certainly block the SVCHOST.exe nasty.

 

Don't scare people unnecessarily. It is with overwhelming likelyhood a normal svchost.exe doing routine stuff.

 

Calls: can you check the event viewer and see if a system service was doing something special at that point? Could be the Windows defragmenter or another Windows service; they run under svchost.exe.

Hi Bombastus

     What i meant is, if anything malicious is hiding behind a legit system file or service Norton is having the capability to detect and remove such nasties.

     I had came across this fake SVCHOST.exe in the past in one of my friends computers. And the malicious file pretending to be legit svchost showed up in the task manager in Uppercase. And thats the reason i put it the same way in my post. And by the way scaring isn't my job...

Well I noticed the identified svchost.exe in the Norton History log entry had a PID associated with it. So I opened task manager, clicked show all process and found the correct svchost. Then I right clicked on it to see the associated services. There are 11 services that run using that svchost.exe
and the svchost shows the user name as system
the 11 services are
Audio endpoint builder
EMDMgt
Netman
PcaVc
Sysmain
Tablet Input Svc
TrkWks
UxSms
Wdi System Host
WPD Bus Enum
wdfsvs
all are currently running
I tried to google these and it sounds like they are all legit windows items.
But still leaves the question as to what was done to cause a disk write activity of 150MB?
I know it was NOT disk defrag, as tha happens on the 7th of each month

I opened the event viewer and looked at logs (except security log-it woukd not allow me to view)
In the Norton history the high disk write was logged at 4:03am. The closest thing I could find in the windows event viewer log was in the system log.
showed that at 4:05am Dhcp client ran.
But I see that many times in the log with out a high write disk notification. so I'm stumped as to what caused this event
: (

Hi Calls

      Is your Windows updates itself automatically y downloading updates or you insitiate them manually?

Because while updating the components(services) which are running under the svchost file might spike the memory usage for a bit of time, when the update is happening.

my windows updates are checked for and downloaded automatically. But I decide when to install them.
But if this highdisk write usage were du to windows updates, wouldn't that have shown in the windows event log?
I hope this is not indication of a rootkit
: (

Most likely it's nothing to worry about. Not malware-related, anyway; worst-case scenario you have an issue with Windows, but that's unlikely too. The numbers you mentioned aren't very spectacular, either. Your Norton product might think they are high, but they are really not.