Norton will certainly block the SVCHOST.exe nasty. To make sure (for your satisfaction) you can do a background check on the svchost.exe processes that are running on your computer. To do that, go to the Task Manager --> go to the Processes tab --> click on "Show processes from all users" --> now you can see the svchost.exe processes --> right-click them one by one and select "Go to Service(s)" --> this will give you insight into that svchost.exe process --> you can see what services are running under the hood (check the Description) --> by doing this you can make sure nothing malicious is running under the name of svchost.exe.
Otherwise you can use the command tasklist /SVC in the command prompt to get the background info.
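The same background check as a script, as an added example that is not part of the original post: it lists every svchost.exe instance with its executable path, the services it hosts and the bytes it has written since it started. It assumes PowerShell 3.0 or later and an elevated prompt; the expected-path list and the variable names are assumptions of this example.

```powershell
# Added example: inventory every svchost.exe instance.
# Run elevated, otherwise ExecutablePath is empty for SYSTEM-owned processes.

# Assumption: a genuine svchost.exe is loaded only from these two locations.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process that hosts them
# (the same mapping that "tasklist /SVC" prints).
$servicesByPid = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

$report = Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath
        [pscustomobject]@{
            PID       = $_.ProcessId
            Path      = $path
            # 'unknown' means the path could not be read (not elevated).
            PathOK    = $(if ($path) { $expected -contains $path } else { 'unknown' })
            # Cumulative write I/O since the process started, in MB.
            WrittenMB = [math]::Round($_.WriteTransferCount / 1MB, 1)
            Services  = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        }
    }

# Heaviest writers first; a False in PathOK is the row to look at.
$report | Sort-Object WrittenMB -Descending | Format-Table -AutoSize -Wrap
```

The WrittenMB column is a running total per process, so it shows which svchost.exe instance has been writing the most, not which of its hosted services did the writing.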
Norton will certainly block the SVCHOST.exe nasty.
Don't scare people unnecessarily. It is with overwhelming likelihood a normal svchost.exe doing routine stuff.
Calls: can you check the event viewer and see if a system service was doing something special at that point? Could be the Windows defragmenter or another Windows service; they run under svchost.exe.
What I meant is, if anything malicious is hiding behind a legit system file or service, Norton has the capability to detect and remove such nasties.
I had come across this fake SVCHOST.exe in the past on one of my friend's computers. And the malicious file pretending to be the legit svchost showed up in the Task Manager in uppercase. And that's the reason I put it the same way in my post. And by the way, scaring isn't my job...
Well, I noticed the identified svchost.exe in the Norton History log entry had a PID associated with it. So I opened Task Manager, clicked show all processes and found the correct svchost. Then I right-clicked on it to see the associated services. There are 11 services that run using that svchost.exe, and the svchost shows the user name as system. The 11 services are: Audio endpoint builder EMDMgt Netman PcaVc Sysmain Tablet Input Svc TrkWks UxSms Wdi System Host WPD Bus Enum wdfsvs. All are currently running. I tried to google these and it sounds like they are all legit Windows items. But that still leaves the question as to what was done to cause a disk write activity of 150MB? I know it was NOT disk defrag, as that happens on the 7th of each month.
Open Start menu, type eventvwr in the search box. Check "Windows Logs" -> System especially. Scroll down until the relevant time.
And what is currently running isn't very interesting; many services that run under svchost.exe shut down when they are done with whatever it was they did.
Anyway, that disk usage isn't a sign of malicious activity per se. It doesn't even have to be "high" usage. NIS just thinks it is. Most likely it was the optimal disk usage at the time.
I opened the event viewer and looked at the logs (except the Security log; it would not allow me to view it). In the Norton history the high disk write was logged at 4:03am. The closest thing I could find in the Windows event viewer log was in the System log. It showed that at 4:05am the Dhcp client ran. But I see that many times in the log without a high disk write notification. So I'm stumped as to what caused this event : (
Does your Windows update itself automatically by downloading updates, or do you initiate them manually?
Because updating the components (services) which are running under the svchost file might spike the memory usage for a bit of time, while the update is happening.
My Windows updates are checked for and downloaded automatically. But I decide when to install them. But if this high disk write usage were due to Windows updates, wouldn't that have shown in the Windows event log? I hope this is not an indication of a rootkit : (
Most likely it's nothing to worry about. Not malware-related, anyway; worst-case scenario you have an issue with Windows, but that's unlikely too. The numbers you mentioned aren't very spectacular, either. Your Norton product might think they are high, but they are really not.
Actually the amount of data indicated is 715MB. I put the incorrect amount in one of my posts. What is most concerning to me is that I cannot find out what service wrote that amount. That is what scares me. The Windows event log shows nothing around the same time as the Norton log entry.
Please realize that Performance Monitoring is designed as an aid to help users understand which current system activity might be contributing to a given system behavior. For example you might get a high CPU usage alert for Flash Player or your browser when a sudden slowdown occurs while watching a video. Performance Monitoring is not a malware detection component like Auto-Protect, even though it might spot some system issues secondary to a malware infection (and those would be major anomalies, not a single write to disk). Given that there seem to be no indications of malware on your system coming from any of the protection components of NIS, it seems unlikely that the Svchost process in this case is a malicious imposter. It was almost certainly a legitimate process that happened to be active enough to be noticed by Performance Monitoring. Svchost is a Windows process that runs in the background - you are unlikely to know about most of the things it is doing or, actually, they are doing, since there are several of them.
As I say the only thing that is really stumping me is that there was not any recorded event in the Windows event log. I know that was some advice given to check that log. But as I say nothing noted around that same time.
Not sure if this makes any difference, but looking through my Norton history log, I see similar entries of
High Disk Write Usage by Host Process for Windows Services
October 1 2011 Saturday for 169MB
December 6 Tuesday for 188MB
February 14 Tuesday for 2MB
March 14 Wednesday for 63 MB
and then April 10 Tuesday for 715MB
so not a real clear pattern, thought it might be windows update Tuesday but not
No, it just needed to do something, but it was certainly something legitimate. Forget this thing; you are making an issue out of a non-issue. Turn the Norton performance monitoring off if needed; at the moment, it's the Norton performance monitoring that is causing you issues, not the disk writes svchost.exe did that day.
Besides, there doesn't have to be any entries in the event viewer, if it's a service that is constantly running that is causing the disk writes. Only starts and stops are logged there, but if it's an automatic service that is on 24/7 that increases its activity, it won't be logged. Could be Superfetch maybe.
Thanks, so Superfetch would write that large an amount to the disk? I think when I checked which services were associated with that particular svchost.exe, there was something about Superfetch.
Yeah, Superfetch runs under a svchost.exe, and it has been known to do a lot of disk thrashing. On Vista especially. It has been much improved on Windows 7, but if you Google vista superfetch disk thrashing you get something like 50000 results.
It also runs constantly by default - it's set to Automatic, so you won't see start- and stop messages about it in the event viewer.
Calls wrote: so I think that sounds like the source, eh?
Quite possible. In any case, there is no indication of malicious activity from that Norton high disk activity report. Chances are overwhelming that it is a Vista issue - or even more likely, no issue at all, just Windows processes doing their job.