Regular Contributor
Calls
Posts: 1,984
Registered: ‎10-07-2009

"High Disk Write Usage by: Host Process for Windows Services"


NIS v 18.7.1.3

Vista Home Premium 32 bit with Vista SP2

IE8 Browser

 

I took a peek at my recent history and noticed an entry: High Disk Write Usage by: Host Process for Windows Services.

 

So basically saying that svchost.exe did something around 4am today

I checked to see if the firewall let anything in or out on or about that same time. Nothing was noted.

 

The information on the logged item also said

"Disk Write Activity 715MB (total for this process"

 

So not really sure what this means and why it happened or if it is a sign of malicious behavior.

I know that sometimes virus/malware uses svchost.exe

 

So anything to be concerned about regarding this notification?

 

SUBASH_PRABU
Posts: 2,076
Kudos: 257
Solutions: 90
Registered: ‎05-31-2011

Re: "High Disk Write Usage by: Host Process for Windows Services"

Hi Calls

     Norton will certainly block the SVCHOST.exe nasty. To make sure (for your satisfaction) you can do some background checks on the svchost.exe processes that are running on your computer. To do that you can go to the Task Manager --> go to Processes (tab) --> click on "Show processes from all users" --> now you can see the svchost.exe processes --> right-click them one by one and select "Go to Service(s)" --> this will give you insight into that svchost.exe process --> you can see what services are running under the hood (check the Description) --> so by doing this you can make sure nothing malicious is running under the name of svchost.exe.

    Otherwise you can use the command tasklist /SVC in the command prompt to get the background info. 
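
The same per-process check as a script, as an added example that is not part of the original post: it lists every svchost.exe instance with its PID, image path, hosted services and cumulative bytes written. It assumes PowerShell 2.0 or later and uses the WMI classes Win32_Process and Win32_Service; the `Status` labels and variable names are this example's own.

```powershell
# Added example: inventory svchost.exe instances and the services each one hosts.
# Run from an elevated prompt; without elevation ExecutablePath is often empty.

# Locations where a genuine svchost.exe image lives (SysWOW64 exists on 64-bit Windows only).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Map each host PID to the names of the services running inside it.
$servicesByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

# The WQL string comparison is case-insensitive, so a process shown as
# SVCHOST.EXE is listed too; the Name column shows the case actually used.
Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $hosted = $servicesByPid[[int]$_.ProcessId]
    $path   = $_.ExecutablePath

    if (-not $path)                  { $status = 'path unavailable (run elevated)' }
    elseif ($expected -notcontains $path) { $status = 'UNEXPECTED PATH' }
    elseif (-not $hosted)            { $status = 'no hosted services' }
    else                             { $status = 'ok' }

    New-Object PSObject -Property @{
        PID      = $_.ProcessId
        Name     = $_.Name
        Path     = $path
        # Cumulative bytes written since the process started (all I/O, not only disk).
        WriteMB  = [math]::Round($_.WriteTransferCount / 1MB, 1)
        Services = ($hosted -join ', ')
        Status   = $status
    }
} | Sort-Object WriteMB -Descending |
    Select-Object PID, Name, Status, WriteMB, Path, Services |
    Format-Table -AutoSize -Wrap
```

Match the PID from the Norton history entry against the `PID` column to see which service group produced the writes.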

Super Spam Squasher
Bombastus
Posts: 1,786
Registered: ‎11-16-2009

Re: "High Disk Write Usage by: Host Process for Windows Services"


SUBASH_PRABU wrote:

Hi Calls

     Norton will certainly block the SVCHOST.exe nasty.

 

Don't scare people unnecessarily. It is with overwhelming likelihood a normal svchost.exe doing routine stuff.

 

Calls: can you check the event viewer and see if a system service was doing something special at that point? Could be the Windows defragmenter or another Windows service; they run under svchost.exe.

SUBASH_PRABU
Posts: 2,076
Kudos: 257
Solutions: 90
Registered: ‎05-31-2011

Re: "High Disk Write Usage by: Host Process for Windows Services"


Hi Bombastus

     What I meant is, if anything malicious is hiding behind a legit system file or service, Norton has the capability to detect and remove such nasties.

     I had come across this fake SVCHOST.exe in the past on one of my friends' computers. And the malicious file pretending to be the legit svchost showed up in the Task Manager in uppercase. And that's the reason I put it the same way in my post. And by the way, scaring isn't my job...:robotwink:

Regular Contributor
Calls
Posts: 1,984
Registered: ‎10-07-2009

Re: "High Disk Write Usage by: Host Process for Windows Services"

Well I noticed the identified svchost.exe in the Norton History log entry had a PID associated with it. So I opened task manager, clicked show all process and found the correct svchost. Then I right clicked on it to see the associated services. There are 11 services that run using that svchost.exe
and the svchost shows the user name as system
the 11 services are
Audio endpoint builder
EMDMgt
Netman
PcaVc
Sysmain
Tablet Input Svc
TrkWks
UxSms
Wdi System Host
WPD Bus Enum
wdfsvs
all are currently running
I tried to google these and it sounds like they are all legit windows items.
But still leaves the question as to what was done to cause a disk write activity of 150MB?
I know it was NOT disk defrag, as that happens on the 7th of each month
Super Spam Squasher
Bombastus
Posts: 1,786
Registered: ‎11-16-2009

Re: "High Disk Write Usage by: Host Process for Windows Services"


Check the event viewer entries for that time.

 

Open Start menu, type eventvwr in the search box. Check "Windows Logs" -> System especially. Scroll down until the relevant time.

 

And what is currently running isn't very interesting; many services that run under svchost.exe shut down when they are done with whatever it was they did.

 

Anyway, that disk usage isn't a sign of malicious activity per se. It doesn't even have to be "high" usage. NIS just thinks it is. Most likely it was the optimal disk usage at the time.
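
The Event Viewer check described above, as an added example that is not part of the original post: it pulls every System log entry in a window around the alert time and separately lists the services that changed state in that window. The alert time and window size are constructed sample values; `Get-WinEvent` needs Vista or later with PowerShell 2.0.

```powershell
# Added example: what did Windows log around the time of the Norton alert?
# Constructed sample value: replace with the time shown in the Norton history entry.
$alert   = Get-Date '2011-01-01 04:03'
$minutes = 15

$filter = @{
    LogName   = 'System'
    StartTime = $alert.AddMinutes(-$minutes)
    EndTime   = $alert.AddMinutes($minutes)
}
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Timeline, oldest first, with only the first line of each message.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Which components were active in the window, busiest first.
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object Count, Name

# Service Control Manager event 7036 records a service entering the running or
# stopped state, so this shows services that started and exited in the window
# and are therefore no longer visible in Task Manager.
$events | Where-Object { $_.ProviderName -eq 'Service Control Manager' -and $_.Id -eq 7036 } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Message
```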

Regular Contributor
Calls
Posts: 1,984
Registered: ‎10-07-2009

Re: "High Disk Write Usage by: Host Process for Windows Services"

I opened the event viewer and looked at the logs (except the security log; it would not allow me to view it).
In the Norton history the high disk write was logged at 4:03am. The closest thing I could find in the Windows event viewer log was in the system log.
It showed that at 4:05am the Dhcp client ran.
But I see that many times in the log without a high disk write notification, so I'm stumped as to what caused this event
: (
SUBASH_PRABU
Posts: 2,076
Kudos: 257
Solutions: 90
Registered: ‎05-31-2011

Re: "High Disk Write Usage by: Host Process for Windows Services"

Hi Calls

      Does your Windows update itself automatically by downloading updates, or do you initiate them manually?

Because while updating, the components (services) which are running under the svchost file might spike the memory usage for a bit of time when the update is happening.

Regular Contributor
Calls
Posts: 1,984
Registered: ‎10-07-2009

Re: "High Disk Write Usage by: Host Process for Windows Services"

My Windows updates are checked for and downloaded automatically. But I decide when to install them.
But if this high disk write usage were due to Windows updates, wouldn't that have shown in the Windows event log?
I hope this is not an indication of a rootkit
: (
Super Spam Squasher
Bombastus
Posts: 1,786
Registered: ‎11-16-2009

Re: "High Disk Write Usage by: Host Process for Windows Services"

Most likely it's nothing to worry about. Not malware-related, anyway; worst-case scenario you have an issue with Windows, but that's unlikely too. The numbers you mentioned aren't very spectacular, either. Your Norton product might think they are high, but they are really not.