"High Disk Write Usage by: Host Process for Windows Services"

NIS v 18.7.1.3

Vista Home Premium 32 bit with Vista SP2

IE8 Browser

 

I took a peek at my recent history and noticed an entry "High Disk Write Usage by: Host Process for Windows Services".

 

So basically it is saying that svchost.exe did something around 4am today.

I checked to see if the firewall let anything in or out on or about that same time. Nothing was noted.

 

The information on the logged item also said:

"Disk Write Activity 715MB (total for this process)"

 

So not really sure what this means and why it happened or if it is a sign of malicious behavior.

I know that sometimes viruses/malware use svchost.exe.

 

So anything to be concerned about regarding this notification?

 

Hi Calls

     Norton will certainly block the SVCHOST.exe nasty. To make sure (for your satisfaction) you can do some background checking on the svchost.exe processes that are running on your computer. To do that you can go to the Task Manager --> go to the Processes tab --> click on "Show processes from all users" --> Now you can see the svchost.exe processes --> right click them one by one and then select "Go to Service(s)" --> This will give you insight into that svchost.exe process --> You can see what services are running under the hood (check the Description) --> So by doing this you can make sure nothing malicious is running under the name of svchost.exe.

     Otherwise you can use the command tasklist /SVC in the command prompt to get the background info.
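The same check done from PowerShell, as an added example that is not part of the thread: given the PID that the Norton history entry reported, it lists the services hosted by that svchost.exe instance (what tasklist /SVC shows) and also confirms the process image really is the copy of svchost.exe in System32. It uses Get-WmiObject rather than newer cmdlets so it runs on the PowerShell version that shipped with Vista; the PID is an assumed input.

```powershell
# Added example (not from the thread): inspect one svchost.exe instance by PID.
# Assumes the PID from the Norton history entry is passed in; the process must
# still be running for this to return anything.
param(
    [Parameter(Mandatory = $true)]
    [int]$ProcessId   # PID shown in the Norton history entry (assumed input)
)

# The only legitimate location for svchost.exe on a 32-bit Vista install
$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Where is the process actually running from?
$proc = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
if (-not $proc) {
    Write-Host "No process with PID $ProcessId is running now (it may have exited since the alert)."
    return
}

Write-Host "PID $ProcessId : $($proc.Name)"
Write-Host "Image path   : $($proc.ExecutablePath)"
# -eq is case-insensitive in PowerShell, so SVCHOST.EXE and svchost.exe compare equal;
# what matters is the directory, not the letter case of the name.
if ($proc.ExecutablePath -and ($proc.ExecutablePath -eq $expectedImage)) {
    Write-Host "Image path matches the Windows svchost.exe location."
} else {
    Write-Host "Image path is missing or does not match $expectedImage - worth a closer look."
}

# Which services are hosted in this process? Equivalent to tasklist /SVC, plus
# the service binary path and start mode (Automatic services run constantly).
Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize
```

Run it from an elevated prompt; without elevation WMI may return an empty ExecutablePath for processes owned by SYSTEM, which the script then reports as a mismatch rather than as proof of anything. A service whose PathName points somewhere other than a Windows system directory is the thing to read up on next, not the bare fact that svchost.exe hosts many services.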


SUBASH_PRABU wrote:

Hi Calls

     Norton will certainly block the SVCHOST.exe nasty.

 

Don't scare people unnecessarily. It is with overwhelming likelihood a normal svchost.exe doing routine stuff.

 

Calls: can you check the event viewer and see if a system service was doing something special at that point? Could be the Windows defragmenter or another Windows service; they run under svchost.exe.

Hi Bombastus

     What I meant is, if anything malicious is hiding behind a legit system file or service, Norton has the capability to detect and remove such nasties.

     I had come across this fake SVCHOST.exe in the past on one of my friend's computers. And the malicious file pretending to be the legit svchost showed up in the Task Manager in uppercase. And that's the reason I put it the same way in my post. And by the way, scaring isn't my job...:robotwink:

Well I noticed the identified svchost.exe in the Norton History log entry had a PID associated with it. So I opened Task Manager, clicked "Show processes from all users" and found the correct svchost. Then I right clicked on it to see the associated services. There are 11 services that run using that svchost.exe,
and the svchost shows the user name as SYSTEM.
The 11 services are:
Audio Endpoint Builder
EMDMgmt
Netman
PcaSvc
SysMain
Tablet Input Svc
TrkWks
UxSms
WDI System Host
WPD Bus Enum
wudfsvc
All are currently running.
I tried to Google these and it sounds like they are all legit Windows items.
But it still leaves the question as to what was done to cause a disk write activity of 150MB?
I know it was NOT disk defrag, as that happens on the 7th of each month.

Check the event viewer entries for that time.

 

Open Start menu, type eventvwr in the search box. Check "Windows Logs" -> System especially. Scroll down until the relevant time.

 

And what is currently running isn't very interesting; many services that run under svchost.exe shut down when they are done with whatever it was they did.

 

Anyway, that disk usage isn't a sign of malicious activity per se. It doesn't even have to be "high" usage. NIS just thinks it is. Most likely it was the optimal disk usage at the time.
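A scripted version of the Event Viewer check suggested above, added here as an example and not part of the thread: it pulls every System log entry from a window around the time of the Norton alert and then narrows to the Service Control Manager events that record a service entering the running or stopped state (event ID 7036), since those start/stop records are what the System log actually keeps for services. The alert time and window size are constructed placeholders, not values from the thread's logs.

```powershell
# Added example (not from the thread): what was the System log recording
# around the time of the performance alert?  Default time is a constructed
# placeholder standing in for the time shown in the Norton history entry.
param(
    [datetime]$AlertTime   = '2012-04-10 04:03',   # assumed; replace with the logged time
    [int]$WindowMinutes    = 15                    # minutes either side of the alert
)

$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)

# All System log entries inside the window, oldest first. Get-WinEvent throws
# when nothing matches, so that case is handled explicitly below.
$events = Get-WinEvent -FilterHashtable @{
              LogName   = 'System'
              StartTime = $start
              EndTime   = $end
          } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $events) {
    Write-Host "No System log entries between $start and $end."
    return
}

Write-Host "System log entries between $start and $end:"
$events |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-Table -AutoSize -Wrap

# Service starts and stops only. Event 7036 reads
# "The <service> service entered the <running|stopped> state."
Write-Host "`nService state changes (Service Control Manager, event 7036):"
$events |
    Where-Object { $_.ProviderName -eq 'Service Control Manager' -and $_.Id -eq 7036 } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

If the second table is empty for the window, that is consistent with the explanation given in the thread: a service with an Automatic start type that was already running simply did more work, and nothing about that is written to the System log. An empty result is therefore not evidence of something hiding; it is the normal case.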

I opened the Event Viewer and looked at the logs (except the Security log; it would not allow me to view it).
In the Norton history the high disk write was logged at 4:03am. The closest thing I could find in the Windows Event Viewer log was in the System log.
It showed that at 4:05am the DHCP client ran.
But I see that many times in the log without a high disk write notification, so I'm stumped as to what caused this event.
: (

Hi Calls

      Does your Windows update itself automatically by downloading updates, or do you initiate them manually?

Because while updating, the components (services) which are running under the svchost file might spike the memory usage for a bit of time, when the update is happening.

My Windows updates are checked for and downloaded automatically. But I decide when to install them.
But if this high disk write usage were due to Windows updates, wouldn't that have shown in the Windows event log?
I hope this is not an indication of a rootkit.
: (

Most likely it's nothing to worry about. Not malware-related, anyway; worst-case scenario you have an issue with Windows, but that's unlikely too. The numbers you mentioned aren't very spectacular, either. Your Norton product might think they are high, but they are really not.

Actually the amount of data indicated is 715MB. I put the incorrect amount in one of my posts.
What is most concerning to me is that I cannot find out what service wrote that amount.
That is what scares me. The Windows event log shows nothing around the same time as the Norton log entry.

Hi Calls,

 

Please realize that Performance Monitoring is designed as an aid to help users understand which current system activity might be contributing to a given system behavior. For example you might get a high CPU usage alert for Flash Player or your browser when a sudden slowdown occurs while watching a video. Performance Monitoring is not a malware detection component like Auto-Protect, even though it might spot some system issues secondary to a malware infection (and those would be major anomalies, not a single write to disk). Given that there seem to be no indications of malware on your system coming from any of the protection components of NIS, it seems unlikely that the Svchost process in this case is a malicious imposter. It was almost certainly a legitimate process that happened to be active enough to be noticed by Performance Monitoring. Svchost is a Windows process that runs in the background - you are unlikely to know about most of the things it is doing or, actually, they are doing, since there are several of them.

Thanks all

As I say the only thing that is really stumping me is that there was not any recorded event in the Windows event log. I know that was some advice given to check that log. But as I say nothing noted around that same time.

 

Not sure if this makes any difference, but looking through my Norton history log, I see similar entries of

"High Disk Write Usage by Host Process for Windows Services"

 

October 1 2011, Saturday, for 169 MB

December 6, Tuesday, for 188 MB

February 14, Tuesday, for 2 MB

March 14, Wednesday, for 63 MB

and then April 10, Tuesday, for 715 MB

 

So not a real clear pattern; I thought it might be Windows Update Tuesday, but no.

So again kinda stumped  : (

 

Not a rootkit right?

No, it just needed to do something, but it was certainly something legitimate. Forget this thing; you are making an issue out of a non-issue. Turn the Norton performance monitoring off if needed; at the moment, it's the Norton performance monitoring that is causing you issues, not the disk writes svchost.exe did that day.

 

Besides, there doesn't have to be any entries in the event viewer, if it's a service that is constantly running that is causing the disk writes. Only starts and stops are logged there, but if it's an automatic service that is on 24/7 that increases its activity, it won't be logged. Could be Superfetch maybe.

Thanks, so SuperFetch would write that large amount to the disk?
I think when I checked which services were associated with that particular svchost.exe, there was something about SuperFetch.

Yeah, SuperFetch runs under an svchost.exe, and it has been known to do a lot of disk thrashing. On Vista especially. It has been much improved on Windows 7, but if you Google "vista superfetch disk thrashing" you get something like 50000 results.

 

It also runs constantly by default - it's set to Automatic, so you won't see start and stop messages about it in the Event Viewer.

So I think that sounds like the source, eh?
I think it's the service in Vista that shows as SysMain.


Calls wrote:
So I think that sounds like the source, eh?



Quite possible. In any case, there is no indication of malicious activity from that Norton high disk activity report. Chances are overwhelming that it is a Vista issue - or even more likely, no issue at all, just Windows processes doing their job.