• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs

Not what you are looking for? Ask the experts!

This forum thread needs a solution.

svchost.exe high disk read activity - Help?

Hi all,

I have recently been using a huge amount of broadband and was wondering is this the part of the reason why as I have been receiving the above Norton alert on a regular basis. I know very little regarding this type of thing but if anyone can provide any information it would be much appreciated. 

Many Thanks.



Re: svchost.exe high disk read activity - Help?

Hi zziplex:

The svchost.exe process is a generic host process for several individual Windows services like Windows Security Center, Windows Event Viewer, Windows Disk Defragmenter, etc..  I get the occasional performance alert (high disk read/write) for svchost.exe on my 32-bit Vista machine, and chances are you're seeing alerts for something harmless like a read/write by Windows Search when Windows is building a search index for your disk files.  The bleepingcomputer site has a tutorial called How to Determine What Services are Running Under a SVCHOST.EXE Process that might help you narrow down what hosted service is causing the high disk read/writes - assuming you can catch the high disk activity as it occurs.

You can view detailed information for your performance alert by going to Advanced | History | Show | Performance Alert, double-clicking on one of the alerts associated with svchost.exe, clicking the Copy to Clipboard link, and then pasting the results into a text editor like Notepad.

I've attached a .TXT file of one of my performance alerts for svchost.exe, but here's a short excerpt:

Filename: svchost.exe
Full Path: c:\windows\system32\svchost.exe
Actions performed: Suspicious actions performed: None
Developers Microsoft Corporation
Version 6.0.6001.18000
Performance Alert

Disk Read Activity

Disk Write Activity
74 MB (total for this process).

File Thumbprint - SHA:
File Thumbprint - MD5:

In this case, the svchost.exe file was signed by Microsoft and located in the default location for Vista (c:\windows\system32\svchost.exe) and if I search for the SHA256 hash of the file (d4f79d7bc639fe86ac68961e6273836b9d7af491773fd054395b33d317017beb) at www.VirusTotal.com the diagnostic report here shows a detection rate of 0/56 for 56 common antivirus scanners and gives a strong indication that my high disk writes were associated with a legitimate Windows svchost.exe file.

Just a word of caution, though, even if your svchost.exe file appears to be a legitimate Windows file.  Some malware will use the name "svchost.exe" to disguise itself (a VirusTotal search of the SHA256 hash should uncover this) or will even try to hide from antivirus programs by installing itself as part of a Windows service (see the bleepingcomputer article How Malware Hides and is Installed as a Service).  If you haven't already done so it would be prudent to run a second-opinion scan with the free Malwarebytes Anti-Malware (MBAM) to see if it can detect any any malware or suspicious PUPs (potentially unwanted programs) or PUMs (potentially unwanted modifications) that might have been missed by a Norton full system scan.  Decline the 14-day trial of the Premium (real-time protection) features during installation and use MBAM as an on-demand scanner.  Start with a standard Threat Scan using the default settings and move on to a deeper Custom Scan of all hard drives if the Threat Scan does not detect any problems.

If you have any questions or concerns about hidden malware that might not be detected by Norton and MBAM be sure to include your Windows OS and Norton product and version number (which can be found in your main Norton GUI at Support | About - the latest version of N360/NIS/NAV is currently v. in your next post.
32-bit Vista Home Premium SP2 * Firefox 34.0.5 * NIS 2013 v. * MBAM Premium 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


Re: svchost.exe high disk read activity - Help?

zziplex : try eset poweliks removal tool and malware bytes anti rootkit beta , both should handle poweliks trojan. just a random guess at your problem. good luck!

This thread is closed from further comment. Please visit the forum to start a new thread.