Windows Reference

Debugging svchost

Background
For some time I was having problems with a file called svchost.exe on Windows 2000. It would crash and a bunch of Windows functions wouldn't work anymore (more on this in Symptoms). I did a lot of searching on this problem and all I ever found was information about the blaster virus. I never had this virus, let me say this again: never (more on this below). I found others who seemed to have the same problem as me but no solutions. So I started a little page to document the steps I went through to find a cure. 

This guide is organized as follows:
  I. Introduction
    a. Symptoms
    b. I Have Never Had the Blaster Virus
    c. Information About svchost.exe
  II. Attempts to Fix
    a. Search for Spyware
    b. Stopping the System Event Notification Service << success


Symptoms
It's pretty straightforward, I'd get a little popup that says:

Application popup: svchost.exe - Application Error : The instruction at "0x00000033" referenced memory at "0x00000033". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

The actual address values change of course, but the message was always the same. An "Information" entry was written in the Event Viewer (screenshot), which makes me wonder what constitutes an "Error".

Things that cause this file to crash:
  1. Starting Internet Explorer
  2. Reading HTML email in Outlook 2000
  3. Right-clicking on the desktop
  4. Clicking on a hyperlink in Internet Explorer
It's probably worth noting that I usually use Mozilla for web browsing and it never has this problem. If you're viewing this page in IE (which according to my stats about 70% of you are) I urge you to save whatever you're working on before your system crashes.

Once the crash occurs, I'll experience some or all of the following:
  1. Start menu will not function.
  2. System tray will not function.
  3. Outlook.exe process will continue running after the application has been closed.
  4. Internet Explorer will start but not be able to load a page or close.
  5. Windows will not log off or shut down.
  6. Any open instances of explorer will hang.
The only thing I could do at this point is hit the reset button.

After "upgrading" to IE6 SP1 the problem became worse, much worse. This used to happen about once every two weeks, after "upgrading" it happened once a day. How a problem with your web browser can cause the entire OS to become unstable is beyond me.. but I've been wondering that since IE4.  

This seems like as good a place as any to describe my system:
  Operating System: Windows 2000 Professional SP4
  Processor: Intel Celeron 700 MHz
  RAM: 512 MB
  Video: NVIDIA GeForce2 MX
  Sound: Sound Blaster Live!
  Networking: Linksys 802.11g wireless network card
  Notable applications installed:
    Internet Explorer 6 SP1
    Microsoft Outlook 2000 SP1
    Microsoft Visual Studio 6 SP5
    Java 2 SDK 1.4.2


I Have Never Had the Blaster Virus
Every search I do on "svchost crash", "svchost application error" and so on returns virtually nothing but links to articles about the blaster virus. I know this virus infected a ton of Windows 2000 systems and one of the primary signs of infection is svchost crashing. However, I have never had this virus. Why am I so sure of this? 

  1. I have a hardware firewall built into my router.
  2. I run a software firewall (BlackIce) which is updated daily.
  3. I run a virus scanner (PC-cillin) which is updated daily.
  4. I regularly run Windows update.
  5. I manually checked my hard drive for the blaster virus and all known variants, nothing found.
  6. I manually checked my registry for all entries created by the blaster virus and all known variants, nothing found.
  7. I downloaded Stinger from Network Associates just to have another scan, nothing found (screenshot).
  8. I was occasionally experiencing this problem before the blaster virus even existed.
  9. The blaster virus creates files in the c:\winnt\system32\wins\ directory, nothing there on my computer (screenshot). If you look at the screenshot you'll see the directory was created 6/7/2001, when I initially installed Windows 2000.. 2 full years before the blaster virus existed.
  10. The blaster virus creates a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows, I do not have that registry entry or anything even close to it (screenshot). 

I am 100% certain I have never had the blaster virus. However, I'm also 100% confident someone will see this page and send me an email saying "Hey d00d, you're infected with the blaster virus". If you do this, be prepared to thoroughly explain why you believe I have this virus or I will be forced to mockingly reply.


Information About svchost.exe
svchost is a process that runs other services. Rather than spend a lot of time writing my own description I'll just point to Microsoft knowledge base article 250320 which does a decent job describing this file. I'm running version 5.0.2134.1 which I suspect everyone with Windows 2000 SP4 is. According to my search with Microsoft, this is the newest version available for Windows 2000.


Search for Spyware
While searching for svchost fixes I also found a couple of usenet postings saying that this file can crash because of Spyware. Spyware is a fairly generic term and I'll admit that I don't always know what it means. When I first started researching this problem (in spring 2003, before the blaster virus even existed) most of what I found was about Spyware. I did a thorough search and all I could find was something called C-DILLA. I had no idea what this was or where it came from. I tried to uninstall it but it was tough. I ended up having to go into the registry and manually remove all references to it. 

After some more poking around I found that this C-DILLA program was installed by Turbo Tax. Intuit even issued an apology. Guess what, I ain't buying Turbo Tax again and I'd advise you to do the same.

Anyway, killing off this program didn't fix a thing so today I tried a program called Ad-aware. It found a bunch of stuff it considers to be Spyware (screenshot). However, I'm skeptical about letting it start removing registry keys and stuff so I'm going to research everything it found and then remove it myself. 

Here's some of what Ad-aware found that it doesn't like:

Hi-Wire Object recognized!
Type : RegKey
Data : 
Rootkey : HKEY_CLASSES_ROOT
Object : adagent.advertisementagent

Alexa Object recognized!
Type : RegKey
Data : 
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Windows Object recognized!
Type : RegData
Data : 
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data : 

There were about 20 of those "Hi-Wire" entries, 1 "Alexa" entry, and a pair of Media Player entries. Hi-Wire is a free media player that some radio stations require you to install. I have installed this but don't know why it's considered Spyware. Ad-aware has a "quarantine" feature I decided to try.. it froze up the first time I tried (screenshot) but worked fine the second. 

Alright, so exactly 7 days after removing all the Spyware I got another svchost.exe crash. Of course over these 7 days I avoided using IE as much as possible. So I guess this wasn't the problem. On to something else..


Stopping the System Event Notification Service
So cutting back on using IE6 and logging off once a day helped but didn't cure the problem. Instead of getting a daily svchost crash I was getting a weekly one.

On my last crash I decided to hit "Cancel" instead of "OK" to fire up the Visual Studio debugger to see what happened. I looked at the call stack (screenshot) and saw that the process that actually generated the error was something called "SENS". svchost is just a host process to run other Windows services that reside in DLLs (see information above); svchost isn't what's crashing, it's one of the services it hosts. svchost runs services in "groups" (see Microsoft knowledge base article 250320); this SENS process runs in the netsvcs group with a bunch of other internet services.

It's becoming clearer to me now.. this SENS process crashes and takes the rest of netsvcs down with it. This is why so many features of Windows stopped working. Run regedit and look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to see everything that's grouped into netsvcs.
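Mapping that netsvcs blast radius, as an added PowerShell example that is not part of the original page: it enumerates every group under the Svchost key, resolves each hosted service to the DLL svchost loads for it, and names the services that share a host with SENS. The function names are my own, and it assumes the standard Svchost and Services registry layout.

```powershell
# Added example, not code from the original page: list every svchost group and, for each
# hosted service, the DLL svchost loads for it, then show which services share a host
# with SENS. A fault in any one of those DLLs takes the whole host process down.
# Assumes the standard Svchost/Services registry layout; run from an elevated prompt.

$svchostKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SvchostGroups {
    # Each value under the Svchost key is a REG_MULTI_SZ: group name -> hosted services
    $groups = @{}
    $props = Get-ItemProperty -Path $svchostKey
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        $groups[$p.Name] = @($p.Value)
    }
    return $groups
}

function Get-ServiceDll([string]$name) {
    # svchost reads the DLL path from Parameters\ServiceDll; fall back to ImagePath
    $params = Join-Path $servicesKey "$name\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) {
        $dll = (Get-ItemProperty -Path (Join-Path $servicesKey $name) -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    }
    return [Environment]::ExpandEnvironmentVariables([string]$dll)
}

$groups = Get-SvchostGroups
foreach ($g in ($groups.Keys | Sort-Object)) {
    "== $g =="
    foreach ($svc in $groups[$g]) {
        $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        "  {0,-24} {1,-8} {2}" -f $svc, $state, (Get-ServiceDll $svc)
    }
}

# Which group hosts SENS, and which services would go down with it?
$sensGroup = $groups.Keys | Where-Object { $groups[$_] -contains 'SENS' }
if ($sensGroup) {
    "SENS runs in the '$sensGroup' group alongside: " + (($groups[$sensGroup] | Where-Object { $_ -ne 'SENS' }) -join ', ')
}
```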

So what the heck is SENS anyway? To quote Microsoft it "Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events." (also see screenshot of the service). I then checked my event log and eureka! Before every single svchost crash (and I mean every single one) there was the following event recorded:

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
User: N/A
Description:
The system detected that network adapter Wireless-G PCI Adapter was connected to the network, and has initiated normal operation over the network adapter.

Now, this message appears in the event log maybe a thousand times. For some reason Windows thinks it's necessary to keep logging that my wireless network card was connected.

What happens if you stop the SENS service? Well, I just tried it and so far I can browse the internet, read email, and edit this web page without any problems. Maybe something really bad will happen from turning this service off but I doubt it.

Rather than simply wait and see what happens, I decided to check if anyone else has disabled this service. Some guy and this other page both say it's OK to disable the SENS service. Being some guy with some page I'm biased to believe both of them.. but being a cynic I decided to also try a more "official" source. I checked a Microsoft TechNet guide to Windows services and it says:

Disabling this service has the following effects:
  • Win32 APIs IsNetworkAlive() and IsDestinationReachable() won't work well. These are mostly used by mobile applications and on portable computers.
  • SENS interfaces don't work properly. In particular, SENS' Logon/Logoff notifications will not work.
  • Internet Explorer 5.0 or later uses SENS on portable computers to trigger when to go offline or online (the "Work offline" prompt).
  • SyncMgr (Mobsync.exe) will not work properly. It depends on connectivity information and Network Connect/Disconnect and Logon/Logoff notifications from SENS.
  • COM+ EventSystem will try to notify SENS of some events, but will not be able to.

I'm pretty comfortable with these side effects. One of the two pages I linked above says that disabling this service might cause AutoUpdate to stop working, I have that turned off anyway.

Now the big question is: will this work for you? I'm afraid that I have to answer "maybe". Here's a checklist to see if this could work for your svchost problems:
  1. Does this crash typically occur shortly after connecting to/disconnecting from the internet?
  2. Open your Windows 2000 event log and search for your last few svchost crashes. Were they all immediately preceded by a tcpip message?
  3. Is your computer a desktop?
  4. Is your computer free of viruses/worms?
If you answered "yes" to all four then go ahead and try it. What's the worst that can happen, your computer will crash? If you're reading this page then it probably already is crashing on a regular basis.
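Step 2 of the checklist done mechanically, as an added PowerShell example that is not from the original page: it pulls the svchost crash records and the Tcpip 4201 events and reports, for each crash, whether a 4201 was logged within a configurable window before it. The event ids 1000 and 26, the five-minute window and the function names are my assumptions, not values from the page.

```powershell
# Added example, not code from the original page: walk the svchost crash records and
# report whether each was immediately preceded by a Tcpip 4201 "adapter connected"
# event. Assumptions: Get-WinEvent is available; crashes are logged as Application
# Error 1000 (Application log) or Application Popup 26 (System log). Adjust the ids
# for other Windows versions; the correlation logic is the same.
param([int]$WindowMinutes = 5)

function Get-Events([hashtable]$filter) {
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

$crashes = @(
    (Get-Events @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }) +
    (Get-Events @{ LogName = 'System';      ProviderName = 'Application Popup'; Id = 26 }) |
    Where-Object { $_.Message -match 'svchost\.exe' } |
    Sort-Object TimeCreated
)
$adapterEvents = Get-Events @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4201 }

function Test-PrecededBy {
    # True when at least one candidate event falls in the $Minutes before $When
    param([datetime]$When, [object[]]$Candidates, [int]$Minutes)
    $floor = $When.AddMinutes(-$Minutes)
    foreach ($e in $Candidates) {
        if ($e.TimeCreated -ge $floor -and $e.TimeCreated -le $When) { return $true }
    }
    return $false
}

if ($crashes.Count -eq 0) { 'No svchost crash records found.'; return }

$hits = 0
foreach ($c in $crashes) {
    $preceded = Test-PrecededBy -When $c.TimeCreated -Candidates $adapterEvents -Minutes $WindowMinutes
    if ($preceded) { $hits++ }
    $verdict = if ($preceded) { 'Tcpip 4201 within window' } else { 'no Tcpip 4201' }
    '{0}  id {1,-5} {2}' -f $c.TimeCreated, $c.Id, $verdict
}
'{0} of {1} svchost crashes were preceded by Tcpip 4201 within {2} minutes' -f $hits, $crashes.Count, $WindowMinutes
```

If every crash shows "Tcpip 4201 within window" and none show "no Tcpip 4201", the pattern matches the one described on this page.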

Oh, and one more quick note.. if you disable this service there's a good chance it will start up next time you log in, even if you set the startup to "manual". You'll have to set the startup mode to "disabled" to prevent it from starting automatically.

Update: Microsoft has released a non-public hotfix for this specific issue with the SENS service. Huge thanks go out to Josh Swain for finding this hotfix:

Having analyzed the user dump carefully, we found the svchost.exe process dump was caused by a known problem in our sens.dll. Please help download and apply the following hotfix on this server to solve this problem. The KB article has not been ready so far.

Package:
-----------------------------------------------------------
KB Article Number(s): 872971
Language: English
Platform: i386
Location:
(https://hotfixv4.microsoft.com/Windows%202000/sp5/Fix116958/2195/free/191819_ENU_i386_zip.exe [Edit: this link is broken now])
Password: z5wLr9
NOTE: Be sure to include all text between '(' and ')' when navigating to this hot fix location!
NOTE: There are two .exe files in the downloaded file after extraction. The one with the "symbol" character in the file name is for debugging purposes only. Please do not install it. Install the other one.

Since this is not public yet you should install at your own risk. If this link doesn't work I have a mirror of the file here. Please try the Microsoft one first though, they have so much more bandwidth than I do. I'm utterly amazed at how many people have downloaded the patch from my site. It's not usually a brilliant idea to install Windows patches you downloaded from some dude's website. How do you know I didn't create this page as a way to sneak Trojans onto your PC?


