HuguesJohnson.com: svchost.exe Problems

For some time I was having problems with a file called svchost.exe on Windows 2000. It would crash and a bunch of Windows functions wouldn't work anymore (more on this in Symptoms). I did a lot of searching on this problem and all I ever found was information about the blaster virus. I never had this virus, let me say this again: never (more on this below). I found others who seemed to have the same problem as me but no solutions. So I started little page to document the steps I went through to find a cure.

This guide is organized as follows:
I. Introduction
    a. Symptoms
    b. I Have Never Had the Blaster Virus
    c. Information About svchost.exe
II. Attempts to Fix
    a. Search for Spyware
    b. Stopping the System Event Notification Service << success
III. The Rest
    a. Other Fixes
    b. Visitors' Email
    c. Support

It's pretty straightforward, I'd get a little popup that says:

Application popup: svchost.exe - Application Error : The instruction at "0x00000033" referenced memory at "0x00000033". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

The actual address values change of course, but the message was always the same. An "Information" entry was written in the Event Viewer (screenshot), which makes me wonder what constitutes an "Error".

Things that cause this file to crash:
1. Starting Internet Explorer
2. Reading HTML email in Outlook 2000
3. Right-clicking on the desktop
4. Clicking on a hyperlink in Internet Explorer
It's probably worth noting that I usually use Mozilla for web browsing and it never has this problem. If you're viewing this page in IE (which according to my stats about 70% of you are) I urge you to save whatever you're working on before your system crashes.

Once the crash occurs, I'll experience some or all of the following:
1. Start menu will not function.
2. System tray will not function.
3. Outlook.exe process will continue running after the application has been closed.
4. Internet Explorer will start but not be able to load a page or close.
5. Windows will not log off or shut down.
6. Any open instances of explorer will hang.
The only thing I could do at this point is hit the reset button.

After "upgrading" to IE6 SP1 the problem became worse, much worse. This used to happen about once every two weeks, after "upgrading" it happened once a day. How a problem with your web browser can cause the entire OS to become unstable is beyond me.. but I've been wondering that since IE4.

This seems like as good a place as any to describe my system:
Operating System: Windows 2000 Professional SP4
Processor: Intel Celeron 700 MHz
RAM: 512 MB
Video: NVIDIA GeForce2 MX
Sound: Sound Blaster Live!
Networking: Linksys 802.11g wireless network card
Notable applications installed:
    Internet Explorer 6 SP1
    Microsoft Outlook 2000 SP1
    Microsoft Visual Studio 6 SP5
    Java 2 SDK 1.4.2

Every search I do on "svchost crash", "svchost application error" and so on returns virtually nothing but links to articles about the blaster virus. I know this virus infected a ton of Windows 2000 systems and one of the primary signs of infection is svchost crashing. However, I have never had this virus. Why am I so sure of this?

1. I have a hardware firewall built into my router.
2. I run a software firewall (BlackIce) which is updated daily.
3. I run a virus scanner (PC-cillin) which is updated daily.
4. I regularly run Windows update.
5. I manually checked my hard drive for the blaster virus and all known variants, nothing found.
6. I manually checked my registry for all entries created by the blaster virus and all known variants, nothing found.
7. I downloaded Stinger from Network Associates just to have another scan, nothing found (screenshot).
8. I was occasionally experiencing this problem before the blaster virus even existed.
9. The blaster virus creates files in the c:\winnt\system32\wins\ directory, nothing there on my computer (screenshot). If you look at the screenshot you'll see the directory was created 6/7/2001, when I initially installed Windows 2000.. 2 full years before the blaster virus existed.
10. The blaster virus creates a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows, I do not have that registry entry or anything even close to it (screenshot).

I am 100% certain I have never had the blaster virus. However, I'm also 100% confident someone will see this page and send me an email saying "Hey d00d, you're infected with the blaster virus". If you do this, be prepared to thoroughly explain why you believe I have this virus or I will be forced to mockingly reply to your email below.

svchost is process that runs other services. Rather than spend a lot of time writing my own description I'll just point to Microsoft knowledge base article 250320 which does a decent job describing this file. I'm running version 5.0.2134.1 which I suspect everyone with Windows 2000 SP4 is. According to my search with Microsoft, this is the newest version available for Windows 2000.

While searching for svchost fixes I also found a couple of usenet posting saying that this file can crash because of Spyware. Spyware is a fairly generic term and I'll admit that I don't always know what it means. When I first starting researching this problem (in spring 2003, before the blaster virus even existed) most of what I found was about Spyware. I did a thorough search and all I could find was something called C-DILLA. I had no idea what this was or where it came from. I tried to uninstall it but it was tough. I ended up having to go into the registry and manually remove all references to it.

After some more poking around I found that this C-DILLA program was installed by Turbo Tax. Intuit even issued an apology. Guess what, I ain't buying Turbo Tax again and I'd advise you to do the same.

Anyway, killing off this program didn't fix a thing so today I tried a program called Ad-aware. It found a bunch of stuff it considers to be Spyware (screenshot). However, I'm skeptical to let it start removing registry keys and stuff so I'm going to research everything it found and then remove it myself.

Here's some of what Ad-aware found that it doesn't like:

Hi-Wire Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : adagent.advertisementagent

Alexa Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :

There were about 20 of those "Hi-Wire" entries, 1 "Alexa" entry, and a pair of Media Player entries. Hi-Wire is a free media player that some radio stations require you to install. I have installed this and but don't know why it's considered Spyware. Ad-aware has a "quarantine" feature I decided to try.. it froze up the first time I tried (screenshot) but worked fine the second.

Alright, so exactly 7 days after removing all the Spyware I got another svchost.exe crash. Of course over these 7 days I avoided using IE as much as possible. So I guess this wasn't the problem. On to something else..

So cutting back on using IE6 and logging off once a day helped but didn't cure the problem. Instead of getting a daily svchost crash I was getting a weekly one.

On my last crash I decided to hit "Cancel" instead of "OK" to fire up the Visual Studio debugger to see what happened. I looked at the call stack (screenshot) and saw that the process that actually generated the error was something called "SENS". svchost is just a host process to run other Windows services that reside in a dlls (see information above), svchost isn't what's crashing, just one of the services it hosts. svchost runs services in "groups" (see Microsoft knowledge base article 250320), this SENS process runs in the netsvcs group with a bunch of other internet services.

It's becoming clearer to me now.. this SENS process crashes and takes the rest of netsvcs down with it. This is why so many features of Windows stopped working. Run regedit and look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to see everything that's grouped into netsvcs.

So what the heck is SENS anyway? To quote Microsoft it "Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events." (also see screenshot of the service). I then checked my event log and eureka! Before every single svchost crash (and I mean every single one) there was the following event recorded:

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
User: N/A
Description:
The system detected that network adapter Wireless-G PCI Adapter was connected to the network, and has initiated normal operation over the network adapter.

Now, this message appears in the event log maybe a thousand times. For some reason Windows thinks it's necessary to keep logging that my wireless network card was connected.

What happens if you stop the SENS service? Well, I just tried it and so far I can browse the internet, read email, and edit this web page without any problems. Maybe something really bad will happen from turning this service off but I doubt it.

>Rather than simply wait and see what happens, I decided to check if anyone else has disabled this service. Some guy and this other page both say it's OK to disable the SENS service. Being some guy with some page I'm biased to believe both of them.. but being a cynic I decided to also try a more "official" source. I checked a Microsoft TechNet guide to Windows services and it says:

Disabling this service has the following effects:

Win32 APIs IsNetworkAlive() and IsDestinationReachable() won't work well. These are mostly used by mobile applications and on portable computers.
SENS interfaces don't work properly. In particular, SENS' Logon/Logoff notifications will not work.
Internet Explorer 5.0 or later uses SENS on portable computers to trigger when to go offline or online (the "Work offline" prompt).
SyncMgr (Mobsync.exe) will not work properly. It depends on connectivity information and Network Connect/Disconnect and Logon/Logoff notifications from SENS.
COM+ EventSystem will try to notify SENS of some events, but will not be able to.

I'm pretty comfortable with these side effects. One of the two pages I linked above says that disabling this service might cause AutoUpdate to stop working, I have that turned off anyway.

Now the big question is: will this work for you? I'm afraid that I have to answer "maybe". Here's a checklist to see if this could work for your svchost problems:

Does this crash typically occur shortly after connecting to/disconnecting from the internet?
Open your Windows 2000 event log and search for your last few svchost crashes. Were they all immediately preceded by a tcpip message?
Is your computer a desktop?
Is your computer free of viruses/worms?

If you answered "yes" to all four then go ahead and try it. What's the worst that can happen, your computer will crash? If you're reading this page then it probably already is crashing on a regular basis.

Oh, and one more quick note.. if you disable this service there's a good chance it will startup next time you log-in, even if you set the startup to "manual". You'll have to set the startup mode to "disabled" to prevent it from starting automatically.

Update: Microsoft has released a non-public hotfix for this specific issue with the SENS service. Huge thanks go out to Josh Swain for finding this hotfix:

Having analyzed the user dump carefully, we found the svchost.exe process dump was caused by a known problem in our sens.dll. Please help download and apply the following hotfix on this server to solve this problem. The KB article has not been ready so far.

Package:
-----------------------------------------------------------
KB Article Number(s): 872971
Language: English
Platform: i386
Location:
(http://hotfixv4.microsoft.com/Windows%202000/sp5/Fix116958/2195/free/191819_ENU_i386_zip.exe)
Password: z5wLr9
NOTE: Be sure to include all text between '(' and ')' when navigating to this hot fix location!
NOTE: There are two .exe files in the downloaded file after extraction. The one with the "symbol" character in the file name is for debugging purposes only. Please do not install it. Install the other one.

Since this is not public yet you should install at your own risk. If this link doesn't work I have a mirror of the file here. Please try the Microsoft one first though, they have so much more bandwidth than I do. I'm utterly amazed at how many people have downloaded the patch from my site. It's not usually a brilliant idea to install Windows patches you downloaded from some dude's website. How do you know I didn't create this page as a way to sneak Trojans onto your PC?.

Since starting this page I've received several emails from visitors who have found other solutions to this problem. Well, solutions other than "reinstalling Windows".

I have received multiple emails about a known issue with HP drivers on Windows XP causing svchost crashes. The workaround is to disable the Windows Image Acquisition Service (WIA). There is supposedly a service pack being developed, see this HP support thread or this forum for more information.

Here are some other solutions that may work for you:

From: John Birket

I tried the following: Fresh W2K on a spare drive with SP4 and DCOM / RPC patches ( 823980 823182 & 824146 )tested all ok
Then started to add, one at a time, the software I normally use, i.e. Office 2K then other patches to bring W2K & Office 2K up to date. then IE6 SP1 and a patch then McAfee AV with latest dat files etc all ok at this point then McAfee firewall
AH HA - problem comes back !!!!!!!!!!!!!!!! Check & re-check fire wall settings - all look OK re-set defaults and carefully make choices as they pop up - still got problem.
uninstall McAfee firewall - ALL OK
install Kerios firewall - ALL STILL OK
decide to leave it at that - It's WORKING

So my problem seems to be with McAfee firewall. Sadly I would guess that not all of your contributors will find the same reason, but it may help find the real cause of this annoyance.

I don't know anything about the McAfee firewall but it seems possible that it could cause problems. A search on McAfee support for svchost turns up two articles about the firewall program: "What do I do if I Can't Access the Internet After Installing Personal Firewall/Plus?" and "What do I do if my computer locks up or freezes after installing Personal Firewall/Plus?". Both of these articles talk about the firewall "locking" applications (including svchost.exe). Both articles basically tell you to "unlock" these processes if you're having problems. If anyone is using McAfee firewall and having svchost or other internet problems I'd recommend reading those two articles to see if they apply to you.

From: Richard Hill

My problems started with installing the Firewall from McAfee � removing the firewall software did not resolve the problem� only by removing ALL of McAfee resolved the problem�.

That's disappointing that you had to uninstall all of McAfee to solve the problem. A search for "svchost" on McAfee still only returns the two articles mentioned above (and something about the nachi worm).

Of course I'd never recommend uninstalling a virus scanner but if you're having svchost problems and have tried everything else you might want to consider changing virus scanners to see if that fixes your problem. Oh, this should be obvious but make sure you disconnect from the internet before uninstalling any virus scanner and installing a new one.

Over on the email page there are numerous testimonials that McAfee is the cause of svchost problems. I can't personally vouch for that so I'll let the emails speak for themselves.

From: Waldo Hampton

Hi. I had a similar svchost problem. Thanks for the ideas I found on your website.
My solution was to DISABLE the Windows Image Acquisition (WIA) service.

The Windows Image Acquisition service is a process that is hosted by svchost (see here) and is needed for scanners and digital cameras. It's safe to disable but may prevent usage of those devices.

From: Mark Brand

Well, just before the problem started I had physically removed my Sound Blaster Live 5.1 PCI card to try it in a different (Linux) machine. I had put it back in the Windows 20000 machine before starting Windows again. I reasoned that since this was the only thing I had changed, I should pursue this line of inquiry. I checked that the card was properly inserted, and it was. There was no dust build-up either.

I then removed the sound card again, and started Windows. Windows started perfectly in normal mode. I then shut down nicely, put the sound card back in, and restarted. Windows continued to work perfectly. Problem solved.

I don't know enough about PCI cards to formulate a theory about why there was a problem, but it would appear that the machine in which the sound card had a short visit had changed something on the card which later surprised Windows in such a way that things went amuck with svchost.exe. Apparently, giving Windows the chance to start without the card, and then again with the card prompted Windows to do something it needed to do. I notice that other contributors mentioned various PCI devices as being related to the problem. Some may benefit from my observation that removing a card, starting windows, shutting down windows, putting the card back, and restarting windows may solve the problem. In any case, testing PCI cards in other machines may actually complicate the diagnosis on the problem machine.

There's more background on this on the email page. If you're experiencing svchost problems after installing a new device it would certainly be worth trying the steps above.

From: Rob Webster

I tried:
a new anti virus software. It found trojans but didn't cure the svchost problem.
ad aware, spybot and no adware. these removed some spyware but didn't solve my prolem

i then found x-clean on a magazine disk. it found and removed a "messenger service" running which wasn't "microsoft messenger".

Thanks for the suggestion, looks like this particular anti-spyware program found something the others didn't.

Received a bit more email than I expected so I moved it all over here so this page wouldn't take forever to load. Apparently some people are using something called "dial-up" to browse the internet :)

Everything on this site is free. I'll never use pop-ups or randomly generated ads to support it. If you've found something here to be especially helpful or entertaining please consider making a small donation. This can be done through a secure PayPal transaction or by purchasing one of the related items below. Thanks for visiting my little web page!