  1. #1
    New Lounger
    Join Date
    Nov 2014
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Remote Procedure Call Question

    Running WIN XP SP2. I am using PROCESS MONITOR to view activity on my PC - and in doing so I notice that while sitting idle, the monitor shows about 20 activities PER SECOND all originating from SVCHOST PID 904, which on my system is REMOTE PROCEDURE CALL - here is an example of the program stack for one item:

    0 ntkrnlpa.exe ntkrnlpa.exe + 0x65808 0x8053c808 G:\WINDOWS\system32\ntkrnlpa.exe
    1 ADVAPI32.dll ADVAPI32.dll + 0xe32e 0x77dde32e G:\WINDOWS\system32\ADVAPI32.dll
    2 ADVAPI32.dll ADVAPI32.dll + 0xe36e 0x77dde36e G:\WINDOWS\system32\ADVAPI32.dll
    3 ADVAPI32.dll ADVAPI32.dll + 0x7054 0x77dd7054 G:\WINDOWS\system32\ADVAPI32.dll
    4 rpcss.dll rpcss.dll + 0x77a7 0x76a877a7 g:\windows\system32\rpcss.dll
    5 rpcss.dll rpcss.dll + 0xb6cb 0x76a8b6cb g:\windows\system32\rpcss.dll
    6 rpcss.dll rpcss.dll + 0xb3a5 0x76a8b3a5 g:\windows\system32\rpcss.dll
    7 rpcss.dll rpcss.dll + 0x1184f 0x76a9184f g:\windows\system32\rpcss.dll
    8 rpcss.dll rpcss.dll + 0x8e4b 0x76a88e4b g:\windows\system32\rpcss.dll
    9 rpcss.dll rpcss.dll + 0x12b97 0x76a92b97 g:\windows\system32\rpcss.dll
    10 rpcss.dll rpcss.dll + 0x12a9d 0x76a92a9d g:\windows\system32\rpcss.dll
    11 rpcss.dll rpcss.dll + 0xe4ab 0x76a8e4ab g:\windows\system32\rpcss.dll
    12 rpcss.dll rpcss.dll + 0x11e12 0x76a91e12 g:\windows\system32\rpcss.dll
    13 rpcss.dll rpcss.dll + 0x11e66 0x76a91e66 g:\windows\system32\rpcss.dll
    14 rpcss.dll rpcss.dll + 0x11e7b 0x76a91e7b g:\windows\system32\rpcss.dll
    15 rpcss.dll rpcss.dll + 0xc1d7 0x76a8c1d7 g:\windows\system32\rpcss.dll
    16 rpcss.dll rpcss.dll + 0x11de7 0x76a91de7 g:\windows\system32\rpcss.dll
    17 RPCRT4.dll RPCRT4.dll + 0x9dc9 0x77e79dc9 G:\WINDOWS\system32\RPCRT4.dll
    18 RPCRT4.dll RPCRT4.dll + 0x8321a 0x77ef321a G:\WINDOWS\system32\RPCRT4.dll
    19 RPCRT4.dll RPCRT4.dll + 0x836ee 0x77ef36ee G:\WINDOWS\system32\RPCRT4.dll
    20 RPCRT4.dll RPCRT4.dll + 0x988c 0x77e7988c G:\WINDOWS\system32\RPCRT4.dll
    21 RPCRT4.dll RPCRT4.dll + 0x97f1 0x77e797f1 G:\WINDOWS\system32\RPCRT4.dll
    22 RPCRT4.dll RPCRT4.dll + 0x971d 0x77e7971d G:\WINDOWS\system32\RPCRT4.dll
    23 RPCRT4.dll RPCRT4.dll + 0xbd0d 0x77e7bd0d G:\WINDOWS\system32\RPCRT4.dll
    24 RPCRT4.dll RPCRT4.dll + 0xbb6a 0x77e7bb6a G:\WINDOWS\system32\RPCRT4.dll
    25 RPCRT4.dll RPCRT4.dll + 0x6784 0x77e76784 G:\WINDOWS\system32\RPCRT4.dll
    26 RPCRT4.dll RPCRT4.dll + 0x6c22 0x77e76c22 G:\WINDOWS\system32\RPCRT4.dll
    27 RPCRT4.dll RPCRT4.dll + 0x6a3b 0x77e76a3b G:\WINDOWS\system32\RPCRT4.dll
    28 RPCRT4.dll RPCRT4.dll + 0x6c0a 0x77e76c0a G:\WINDOWS\system32\RPCRT4.dll
    29 kernel32.dll kernel32.dll + 0xb50b 0x7c80b50b G:\WINDOWS\system32\kernel32.dll

    The process looks like this and just keeps on repeating infinitely:
    7:10:25.6937245 AM svchost.exe 904 RegCloseKey HKLM\SOFTWARE\Microsoft\Ole SUCCESS 688
    7:10:25.6937382 AM svchost.exe 904 RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel NAME NOT FOUND Length: 144 688
    7:10:25.6937530 AM svchost.exe 904 RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\RemoteServerName NAME NOT FOUND Length: 144 688
    7:10:25.6937645 AM svchost.exe 904 RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\SRPTrustLevel NAME NOT FOUND Length: 144 688
    7:10:25.6937866 AM svchost.exe 904 RegCloseKey HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS 688
    7:10:25.6937980 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS Desired Access: Read 688
    7:10:25.6938223 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocHandler32 NAME NOT FOUND Desired Access: Maximum Allowed 688
    7:10:25.6938363 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocHandlerX86 NAME NOT FOUND Desired Access: Maximum Allowed 688
    7:10:25.6938567 AM svchost.exe 904 RegCloseKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS 688
    7:10:25.6939318 AM svchost.exe 904 RegOpenKey HKLM\Software\Microsoft\COM3 SUCCESS Desired Access: Read 688
    7:10:25.6940008 AM svchost.exe 904 RegQueryValue HKLM\SOFTWARE\Microsoft\COM3\REGDBVersion SUCCESS Type: REG_BINARY, Length: 8, Data: 0C 00 00 00 00 00 00 00 688
    7:10:25.6959028 AM svchost.exe 904 RegCloseKey HKLM\SOFTWARE\Microsoft\COM3 SUCCESS 688
    7:10:25.6959480 AM svchost.exe 904 RegOpenKey HKLM\Software\Microsoft\COM3 SUCCESS Desired Access: Read 688
    7:10:25.6959718 AM svchost.exe 904 RegQueryValue HKLM\SOFTWARE\Microsoft\COM3\REGDBVersion SUCCESS Type: REG_BINARY, Length: 8, Data: 0C 00 00 00 00 00 00 00 688
    7:10:25.6959966 AM svchost.exe 904 RegCloseKey HKLM\SOFTWARE\Microsoft\COM3 SUCCESS 688
    7:10:25.6960218 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes SUCCESS Desired Access: Read 688
    7:10:25.6960550 AM svchost.exe 904 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 688
    7:10:25.6960701 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} NAME NOT FOUND Desired Access: Read 688
    7:10:25.6960829 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS Desired Access: Read 688
    7:10:25.6961050 AM svchost.exe 904 RegQueryKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS Query: Name 688
    7:10:25.6961296 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TreatAs NAME NOT FOUND Desired Access: Query Value 688
    7:10:25.6961472 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TreatAs NAME NOT FOUND Desired Access: Query Value 688
    7:10:25.6961614 AM svchost.exe 904 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 688
    7:10:25.6961735 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes SUCCESS Desired Access: Read 688
    7:10:25.6962034 AM svchost.exe 904 RegCloseKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS 688
    7:10:25.6962145 AM svchost.exe 904 RegQueryKey HKCU\Software\Classes SUCCESS Query: Name 688
    7:10:25.6962277 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} NAME NOT FOUND Desired Access: Read 688
    7:10:25.6962394 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS Desired Access: Read 688
    7:10:25.6962620 AM svchost.exe 904 RegQueryKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS Query: Name 688
    7:10:25.6962846 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 688
    7:10:25.6963028 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 688
    7:10:25.6963165 AM svchost.exe 904 RegQueryKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS Query: Name 688
    7:10:25.6963377 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocServerX86 NAME NOT FOUND Desired Access: Maximum Allowed 688

    IS THIS NORMAL? Any ideas how to stop it? THANK YOU. Other than this I have no odd activity on my PC at all, and all processes seem to run normally, no errors in the event viewer at all.

  2. #2
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,203
    Thanks
    49
    Thanked 989 Times in 919 Posts
    SVCHOST runs a lot of Windows services and we need to know which one it is. You should be able to view the starting command for PID 904 using Process Explorer.

    cheers, Paul

  3. #3
    Super Moderator Rick Corbett
    Join Date
    Dec 2009
    Location
    South Glos., UK
    Posts
    2,143
    Thanks
    101
    Thanked 580 Times in 464 Posts
    {8BC3F05E-D86B-11D0-A075-00C04FB68820} is the CLSID for Windows Management Instrumentation (WMI).

    The continual reads and subsequent results of NAME NOT FOUND in both HKCR and HKCU suggest the root keys for the WMI class ID in both hives are OK but there may be something amiss with the sub-keys.

    It might be an idea to run the WMI diagnostics script after checking that the WMI service is up and running. The WMI diagnostics script (utility) can be obtained from TechNet: WMI Diagnosis Utility.

    Hope this helps...

    PS - WMI issues like this often showed up as DCOM 10010 errors so check Event Viewer. If found, a fix was implemented in Win XP SP3. (I note the OP is running SP2.) See DCOM Error 10010 in the Event logs and SLUGGISH server performance for more info.

  4. #4
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,203
    Thanks
    49
    Thanked 989 Times in 919 Posts
    Recursive lookup of registry keys will produce the "not found" messages; it's not a problem.

    cheers, Paul
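
An added example, not part of the thread: a small Python triage script for the kind of Process Monitor paste shown in post #1. It counts results per CLSID and pairs each NAME NOT FOUND under HKCU\Software\Classes with the HKCR lookup of the same subpath that follows it (HKCR is the merged view of HKCU\Software\Classes and HKLM\Software\Classes). It assumes the space-separated layout pasted in the thread and registry paths without spaces; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Sample input: seven lines copied from the Process Monitor paste in post #1.
SAMPLE = r"""
7:10:25.6937382 AM svchost.exe 904 RegQueryValue HKCR\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\AuthenticationLevel NAME NOT FOUND Length: 144 688
7:10:25.6960701 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} NAME NOT FOUND Desired Access: Read 688
7:10:25.6960829 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} SUCCESS Desired Access: Read 688
7:10:25.6961296 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TreatAs NAME NOT FOUND Desired Access: Query Value 688
7:10:25.6961472 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TreatAs NAME NOT FOUND Desired Access: Query Value 688
7:10:25.6962846 AM svchost.exe 904 RegOpenKey HKCU\Software\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 688
7:10:25.6963028 AM svchost.exe 904 RegOpenKey HKCR\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocServer32 NAME NOT FOUND Desired Access: Maximum Allowed 688
"""

LINE = re.compile(r"^(?P<time>\d+:\d+:\d+\.\d+ [AP]M) (?P<proc>\S+) (?P<pid>\d+) "
                  r"(?P<op>Reg\w+) (?P<path>\S+) (?P<result>SUCCESS|NAME NOT FOUND)\b")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HKCU_CLASSES, HKCR = "HKCU\\Software\\Classes\\", "HKCR\\"

def parse(text):
    """One dict per recognised registry event; unrecognised lines are skipped."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(events):
    """Count results per CLSID and pair each HKCU miss with the HKCR retry."""
    per_clsid, pending, retries = defaultdict(Counter), set(), []
    for e in events:
        path, result = e["path"], e["result"]
        for guid in CLSID.findall(path):
            per_clsid[guid.upper()][result] += 1
        if path.startswith(HKCU_CLASSES) and result == "NAME NOT FOUND":
            pending.add(path[len(HKCU_CLASSES):].lower())
        elif path.startswith(HKCR) and path[len(HKCR):].lower() in pending:
            pending.discard(path[len(HKCR):].lower())
            retries.append((path[len(HKCR):], result))
    return per_clsid, retries

if __name__ == "__main__":
    per_clsid, retries = summarize(parse(SAMPLE))
    for guid, counts in per_clsid.items():
        print(guid, dict(counts))
    for subpath, result in retries:
        print("HKCU miss, then HKCR\\" + subpath, "->", result)
```

On these lines the CLSID key itself opens with SUCCESS under HKCR, while TreatAs and InprocServer32 are absent in both the HKCU and HKCR views.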
