Sunday, January 28, 2018

Did svchost.exe behaviour change in Windows 10 Creators Update (Build 1703)?


Today I upgraded to the Creators Update by running setup from the ISO mounted locally. When I got back to my computer I opened Task Manager and saw my memory usage was a lot higher than it was previously (it's now almost 6GB memory usage at idle after logging in instead of 2-3GB with the previous Windows build) - the processes tab revealed that there were upwards of 60 different instances of svchost.exe running. This 6GB figure is just for process memory - not including memory used for caching or "standby".


I ran tasklist /svc to get a listing of which services were in which processes and it lists almost every svchost.exe instance as only having one running service contained within (with the exception of a handful of instances that are running a few system services).


Here's my output:


Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       440 N/A
csrss.exe                      612 N/A
wininit.exe                    700 N/A
csrss.exe                      708 N/A
services.exe                   776 N/A
lsass.exe                      784 KeyIso, Netlogon, SamSs, VaultSvc
svchost.exe                    888 PlugPlay
svchost.exe                    908 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
fontdrvhost.exe                936 N/A
svchost.exe                   1000 RpcEptMapper, RpcSs
svchost.exe                    104 LSM
winlogon.exe                   544 N/A
fontdrvhost.exe                420 N/A
svchost.exe                   1072 DeviceInstall
dwm.exe                       1136 N/A
svchost.exe                   1164 BFE, CoreMessagingRegistrar, MpsSvc
svchost.exe                   1424 lmhosts
svchost.exe                   1432 W32Time
svchost.exe                   1440 nsi
svchost.exe                   1448 wudfsvc
svchost.exe                   1528 hidserv
svchost.exe                   1628 Dhcp
svchost.exe                   1716 Dnscache
svchost.exe                   1748 EventLog
WUDFHost.exe                  1792 N/A
svchost.exe                   1908 TimeBrokerSvc
svchost.exe                   1952 NlaSvc
NVDisplay.Container.exe       1968 NVDisplay.ContainerLocalSystem
svchost.exe                   1324 Themes
svchost.exe                   1596 ProfSvc
svchost.exe                   1944 EventSystem
svchost.exe                   1052 netprofm
svchost.exe                   2116 StateRepository
svchost.exe                   2256 SENS
svchost.exe                   2296 AudioEndpointBuilder
svchost.exe                   2304 FontCache
(etc)...

I know you can configure individual services to run in their own instance of svc with the sc config type= own command, but to my knowledge I've never run this command.


I took a quick look at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and it looks like the Type key values for most of these services are missing the flag bit at 0x10 which controls if a service runs in its own svchost.exe instance or not. I wonder what could have effected this change.


Has anyone else observed this behaviour before or after installing Windows 10 Creators Update? If it is a default configuration change, will it have any implications on system performance or stability?


I suspect it will increase system stability because if a service crashes it won't bring down other services - but this comes at a massive cost of RAM - but I've never experienced a service crashing on me - or at least ever noticed it (instead the worst problem I've had is with wuauserv consuming 100% CPU for hours on end - and that's not a problem process isolation will solve).


(I just noticed: they finally added an address bar to the Registry Editor!)


Answer



Yes, this is a change in the Creators Update if you use a PC with more than 3.5GB of RAM. Here all services run in their own svchost.exe, to make it easier to see which service causes an issue or to prevent other services from crashing when one service crashes its svchost.exe.



If your PC has 3.5+ GB of memory, you may notice an increased number
of processes in Task Manager. While this change may look concerning at
first glance, many will be excited to find out the motivation behind
this change. As the number of preinstalled services grew, they began
to get grouped into processes known as service hosts (svchost.exe’s)
with Windows 2000. Note that the recommended RAM for PC’s for this
release was 256 MB, while the minimum RAM was 64MB. Because of the
dramatic increase in available memory over the years, the
memory-saving advantage of service hosts has diminished.
Accordingly, ungrouping services on memory-rich (3.5+ GB of RAM) PCs
running Windows now offers us the opportunity to do the following:



  • Increase reliability: When one service in a service host fails, all services in the service host fail. In other words, the service host
    process is terminated resulting in termination of all running
    services within that process.


  • Increase transparency: Task Manager will now give you a better view into what is going on behind the scenes. You can now see how much CPU,
    Memory, Disk & Network individual services are consuming.



  • Increase security: Process isolation and individual permission sets for services will increase security.




So, don't worry, this is a good change in v1703 and everything is fine.


But there is a way to revert it. This was discovered by a user of a website that deals with Windows tweaking.


So, run regedit.exe, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control and create a 32-bit DWORD SvcHostSplitThresholdInKB and set it to a large number (larger than your installed RAM).
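
An added example, not part of the original question or answer: Python that parses tasklist /svc output like the listing in the question, rejoins wrapped service lists, and separates single-service svchost.exe instances from shared ones, which is a quick way to check whether a machine is running split or grouped. The function names are hypothetical; splitting_expected assumes the split applies when installed RAM is at or above the threshold, and its default is simply the answer's 3.5 GB figure expressed in KB.

```python
import re

# Constructed sample in the layout `tasklist /svc` prints (rows from the question's listing).
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
services.exe                   776 N/A
lsass.exe                      784 KeyIso, Netlogon, SamSs, VaultSvc
svchost.exe                    888 PlugPlay
svchost.exe                    908 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                   1000 RpcEptMapper, RpcSs
svchost.exe                   1628 Dhcp
"""

ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.+)$")
DEFAULT_SPLIT_KB = int(3.5 * 1024 * 1024)  # assumption: the page's 3.5 GB figure, in KB

def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}; wrapped service lists are rejoined."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue                      # blank line or table header
        if line[0].isspace():             # indented row continues the previous service list
            if last is not None:
                procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = ROW.match(line)
        if not m:
            continue                      # e.g. a trailing "(etc)..." marker
        svcs = [] if m["svcs"].strip() == "N/A" else [
            s.strip() for s in m["svcs"].split(",") if s.strip()]
        last = int(m["pid"])
        procs[last] = (m["image"], svcs)
    return procs

def svchost_grouping(procs):
    """Split svchost.exe PIDs into single-service hosts and shared hosts."""
    single, shared = {}, {}
    for pid, (image, svcs) in procs.items():
        if image.lower() == "svchost.exe" and svcs:
            (single if len(svcs) == 1 else shared)[pid] = svcs
    return single, shared

def splitting_expected(installed_ram_kb, threshold_kb=DEFAULT_SPLIT_KB):
    """Assumed rule: services are split once installed RAM reaches the threshold."""
    return installed_ram_kb >= threshold_kb
```

On a live system, pass the text captured from tasklist /svc to parse_tasklist_svc; a long list of single-service hosts with only a few shared ones matches the behaviour described in the answer.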

