So far since August 1st, according to the Activity Monitor, the svchost.exe
program has sent (From Microsoft) 994 MB to my computer. 523 MB has accrued
since August 20th. Is there some program that will show which service(s) are
responsible for this activity? I am never happy when activity is taking place
on my computer and I do not know exactly what it is and what is responsible
for it. I have brought this up before.
On Tue, 8/27/2024 12:52 PM, Bill Bradshaw wrote:
> So far since August 1st, according to the Activity Monitor, the svchost.exe
> program has sent (From Microsoft) 994 MB to my computer. 523 MB has
> accrued since August 20th. Is there some program that will show
> which service(s) are responsible for this activity? I am never
> happy when activity is taking place on my computer and I do not know
> exactly what it is and what is responsible for it. I have brought
> this up before.

Unless the machine never reboots, the PID on the guilty SVCHOST
will change on each reboot.

If you know the PID, then

    tasklist /svc

will show the identities of the items inside the SVCHOST.

An example would be DoSvc, which is Delivery Optimization Service.
One Windows 10 computer can serve a Cumulative to another Windows 10
computer, in your same computer room. But that would likely not
count as WAN activity, which is presumably what your bandwidth
counter is identifying.

But after-the-fact activity, once you've rebooted, the PID if
recorded would have no value at all in identifying a guilty party.

You could use TCPView, to display realtime activity. Sort
by packets sent or packets received.

https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview

And Process Explorer provides more info than Task Manager, or
at least the info can be convenient.

https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

[Picture] Holding the mouse over an entry, shows some launch
information

https://i.postimg.cc/xCQg8n15/Process-Explorer-SVCHOST.gif

Sysinternals Process Monitor may have been recording network events
too, at one time, but the last time I used it, I got no network
events in the trace (finger problem?). The ETW stream for that, may
have been what Microsoft was using for their own copy of "Wireshark"
(Microsoft Version).

The difference between Wireshark (no process info) and Process Monitor
(process info), is the process info. You could associate an executable
with a packet, which is normally pretty hard to do. I would provide
a link, if I thought it would not be a waste of your time. But it's
another tool, if and when it works. A downside in modern times, is the
use of CDNs like "Akamai" to disguise who you are and what you're
doing.

The trace I took, where packet capture worked, virtually all the
external addresses were Akamai (not Microsoft as they should have
been).

Paul
I have the programs Process Monitor and Wireshark.
On August 24th Microsoft updated Microsoft Edge.
On August 27th Microsoft updated Microsoft Edge WebView2 Runtime.
I am pretty sure that all of the downloads are somehow associated with the Microsoft Edge Cache Server.
I use Firefox and not Edge so I want to stop these downloads for Edge. I have tried stopping the Edge services but that does not seem to help.
There are a lot of PIDs associated with svchost.exe
<Bill>
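
An added example, not part of any post in this thread: a PowerShell snapshot that joins the PID-to-service mapping that `tasklist /svc` prints with the current TCP connections, and logs service names with a timestamp so the record still means something after a reboot changes the PIDs. It lists established connections only, not byte counts or UDP traffic; the log path and the variable names are assumptions.

```powershell
# Added example: which services sit inside each svchost.exe that currently
# holds an established TCP connection. Run from an elevated PowerShell prompt
# on Windows 10/11. $LogPath is an assumed location; change it to suit.
$LogPath = Join-Path $env:USERPROFILE 'svchost-net.csv'

# Build PID -> hosted services, the same mapping "tasklist /svc" shows.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        # Cast to [int] so the keys match the lookups done below.
        $servicesByPid[[int]$_.ProcessId] += @("$($_.Name) ($($_.DisplayName))")
    }

# PIDs of every svchost.exe instance running right now.
$svchostPids = @((Get-Process -Name svchost -ErrorAction SilentlyContinue).Id)

# Keep only connections owned by a svchost.exe and attach the service names.
$stamp = (Get-Date).ToString('s')
$rows = Get-NetTCPConnection -State Established |
    Where-Object { $svchostPids -contains [int]$_.OwningProcess } |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $stamp
            ProcessId     = $_.OwningProcess
            Services      = ($servicesByPid[[int]$_.OwningProcess] -join '; ')
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    }

if ($rows) {
    # Append, so repeated runs build a history keyed by service name and time.
    $rows | Export-Csv -Path $LogPath -Append -NoTypeInformation
    $rows | Sort-Object ProcessId | Format-Table -AutoSize
} else {
    Write-Output 'No svchost.exe process holds an established TCP connection right now.'
}
```

Running it from a scheduled task every few minutes catches short-lived transfers that a single snapshot would miss.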