Debugging High Memory Usage in svchost.exe -k netsvcs on Windows Server 2008 R2: Service Analysis and Leak Fixes



When an svchost.exe instance hosting multiple services consumes over 1 GB of RAM, we need to isolate the culprit. The services running under this instance are:

Appinfo, CertPropSvc, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, ProfSvc, Schedule,
SENS, SessionEnv, ShellHWDetection,
Winmgmt, wuauserv

Download Sysinternals Process Explorer and:

1. Right-click the high-memory svchost.exe
2. Select "Properties" -> "Services" tab
3. Note the memory usage per service
4. Check "Threads" tab for spikes

From experience, these services often cause leaks:

  • Winmgmt (Windows Management Instrumentation): Try resetting the repository:
    net stop winmgmt
    winmgmt /resetrepository
    net start winmgmt
  • wuauserv (Windows Update): Configure WSUS or disable the service (the server then receives no updates until it is re-enabled):
    sc config wuauserv start= disabled

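Create a PowerShell monitoring script:

# "netsvcs" is the service group on the command line, not a loaded module,
# so look the process up by its command line
$svchost_pid = Get-WmiObject Win32_Process -Filter "Name='svchost.exe' AND CommandLine LIKE '%-k netsvcs%'" |
    Select-Object -ExpandProperty ProcessId
Write-Output "netsvcs svchost PID: $svchost_pid"
$counters = @(
    "\Process(svchost*)\ID Process",
    "\Process(svchost*)\Working Set",
    "\Process(svchost*)\Private Bytes"
)
# Sample every 5 seconds for one minute; the "ID Process" rows tell you
# which svchost counter instance belongs to $svchost_pid
Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12 |
    ForEach-Object { $_.CounterSamples } |
    Select-Object Timestamp, Path, CookedValue |
    Export-Csv -Path "C:\monitor\svchost_mem.csv" -NoTypeInformation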

To run services in separate svchost instances:

sc config gpsvc type= own
sc config wuauserv type= own

This helps identify which service causes the leak after reboot.
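
Once the services run in their own svchost instances, the leaking one is the process whose private bytes keep growing. The script below is an added example, not part of the original article: it samples every svchost.exe twice and ranks the processes by growth. The five-minute window is an assumed value, and the script should be run from an elevated prompt.

```powershell
# Added example: rank svchost.exe processes by private-bytes growth.
# $WindowSeconds is an assumed observation window; lengthen it for slow leaks.
$WindowSeconds = 300

function Get-SvchostSnapshot {
    # Map each PID to the names of the running services it hosts
    $svcByPid = @{}
    Get-WmiObject Win32_Service -Filter "State='Running'" | ForEach-Object {
        $svcByPid[[int]$_.ProcessId] += @($_.Name)
    }

    # Record private bytes and hosted services for every svchost.exe
    $snap = @{}
    Get-Process -Name svchost | ForEach-Object {
        $snap[[int]$_.Id] = New-Object PSObject -Property @{
            PrivateBytes = $_.PrivateMemorySize64
            Services     = ($svcByPid[[int]$_.Id] -join ',')
        }
    }
    $snap
}

$first = Get-SvchostSnapshot
Start-Sleep -Seconds $WindowSeconds
$last  = Get-SvchostSnapshot

$report = foreach ($id in $last.Keys) {
    # Skip processes that started during the window: there is no baseline
    if (-not $first.ContainsKey($id)) { continue }
    New-Object PSObject -Property @{
        PID       = $id
        PrivateMB = [math]::Round($last[$id].PrivateBytes / 1MB, 1)
        GrowthMB  = [math]::Round(($last[$id].PrivateBytes - $first[$id].PrivateBytes) / 1MB, 1)
        Services  = $last[$id].Services
    }
}

# Largest growth first; a process that grows on every run is the leak candidate
$report | Sort-Object GrowthMB -Descending |
    Format-Table PID, PrivateMB, GrowthMB, Services -AutoSize
```

Run it several times over the day; a single positive GrowthMB value can be normal allocation, while a service that tops the list on every run is the one to investigate.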

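When all else fails, capture a dump. Several svchost.exe processes run at once, so pass the PID of the netsvcs instance instead of the image name (<PID> is a placeholder):

procdump -ma -n 3 -s 30 <PID>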

Analyze with WinDbg:

!analyze -v
!heap -s
!address -summary

For Group Policy leaks (gpsvc):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy]
"BackgroundPolicyProcessing"=dword:00000000

When a single svchost.exe -k netsvcs process consistently consumes over 1 GB of RAM on Windows Server 2008 R2 (Build 7601: SP1), we're dealing with either legitimate heavy service usage or, more likely, a memory leak. The process hosts the critical services listed at the top of this page.

Here's a PowerShell script that lists the services inside the shared process and reports the memory of that process. Windows accounts memory per process, so the figure covers all hosted services together:


# Find the netsvcs svchost by its command line ("netsvcs" is not a module name)
$proc = Get-WmiObject Win32_Process -Filter "Name='svchost.exe' AND CommandLine LIKE '%-k netsvcs%'" | Select-Object -First 1
$processId = $proc.ProcessId
$services = @(tasklist /svc /fi "PID eq $processId" /fo csv | ConvertFrom-Csv)[0].Services -split ','

# Win32_Service has no memory property, so report the working set of the shared process
Write-Output "svchost PID $processId : $([math]::Round($proc.WorkingSetSize/1MB,2)) MB working set"
foreach ($service in $services) {
    Write-Output "  hosts $($service.Trim())"
}

From experience, these services frequently cause leaks:

  • wuauserv (Windows Update): Disable automatic updates on production servers
  • Winmgmt (WMI): Check for stuck WMI queries with WMIC /OUTPUT:C:\wmi.txt PROCESS LIST FULL
  • LanmanServer (File Sharing): Review SMB sessions with net session

For deep investigation, use Event Tracing for Windows:


# Start tracing
logman create trace "svchost_trace" -o "C:\traces\svchost.etl" -p "Microsoft-Windows-Kernel-Process" 0x10 -ow
logman start "svchost_trace"

# Reproduce issue, then stop
logman stop "svchost_trace"

# Convert to readable format
tracerpt "C:\traces\svchost.etl" -o "C:\traces\svchost.txt"

  1. Restart the problematic service (if identified):
    net stop wuauserv & net start wuauserv
  2. Rebuild the WinSxS component store:
    DISM /Online /Cleanup-Image /StartComponentCleanup
  3. Apply latest patches (replace the placeholder with the path to the downloaded .msu package):
    wusa.exe <update>.msu /quiet /norestart

For permanent resolution on Server 2008 R2:


# Create separate svchost instances for leak-prone services
sc config gpsvc type= own
sc config wuauserv type= own

# Then reboot the server