TCPSVCS.EXE @ 100% utilization

Discussion in 'NOD32 version 2 Forum' started by chuckenheimer, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. chuckenheimer

    chuckenheimer Registered Member

    Joined:
    May 11, 2004
    Posts:
    46
    Location:
    Houston, Texas
    Can anyone tell me why, after I install the latest version of NOD32, my TCPSVCS.EXE stays at 100% utilization? If I uninstall NOD32 then everything returns to normal. I'm thinking this is a setting I'm using but haven't a clue as to which one it is and want to figure this out before moving forward with any further program installations on my system.

    On a fresh image with NOD32 this doesn't immediately happen until after I've either run a scan or set a setting because once it happens, I cannot do anything else but uninstall NOD32. If I allow just NOD32's uninstallation routine to remove the application, when I reboot and reinstall NOD32, the TCPSVCS.EXE reading in Task Manager pegs 100% utilization again. But if I reimage my opsys partition to just before installing NOD32, I can reinstall and TCPSVCS.EXE doesn't immediately peg 100%. It's only, as I say, after I've either run a scan or set a setting, which one I do not know.

    Any ideas are welcome. Thanks!
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please send an email to support@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

    Let us know how you go…

    Cheers :D
     
  3. chuckenheimer

    chuckenheimer Registered Member

    Done. Thanks!
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    A recommended procedure in this case is to restart Windows in Safe mode and carry out an in-depth analysis with the on-demand scanner.
     
  5. chuckenheimer

    chuckenheimer Registered Member

    Marcos,

    Thanks for that advice. After reinstalling and rebooting twice to make sure NOD was properly installed (with TCPSVCS.EXE @ 100% CPU utilization it sure slows the system down), I booted to Safe Mode. I was able to initialize the NOD32 component but wanting to perform the In-Depth Analysis scan, I tried to access the Control Center when I was given an error message that the NOD32 kernel was unable to be accessed.

    So, I'm trying to figure out how to do the In-Depth Analysis scan from the NOD32 UI and haven't much knowledge here. Truthfully, in the past NOD has worked flawlessly for me without incident. Granted, I haven't done much experimenting with the options but generally set most all of them and have been happy with the protection so far.

    BTW, I've searched MS on TCPSVCS.EXE @ 100% CPU utilization and the general information I see is related to DHCP trying to access the network card with a protocol being unbound. I set up my File & Print Sharing to use only the NWLink protocol and disable both the TCP/IP (V. 4) and MS IP (V. 6). This doesn't seem to make any difference at this point but I am curious as to whether you have seen this behavior before and what your observations are as to the true cause of the condition.

    I'm going to drop back to a good backup image just before the installation of NOD and experiment from there. Without any understanding of what is causing NOD to influence the run away TCPSVCS.EXE, I'm really shooting in the dark and guessing. If I knew better what the problem was, I may be able to better chase this down.

    Thanks again for your help.
     
  6. Marcos

    Marcos Eset Staff Account

    Since CC cannot be run in Safe mode, run the on-demand scanner and in the setup, select all objects and methods for analysis. If you want to scan every single file, click Extensions and select all files to scan.
     
  7. chuckenheimer

    chuckenheimer Registered Member

    Marcos,

    Well, I'm free of any infection at this point but still I don't know why the Simple TCP/IP Services is freaking out. I've removed that component from the system and things seem to be just fine. At this point I haven't a clue why this is happening but feel only that NOD is showing up a problem but may not be causing it.

    I suppose my next query would be to see if anyone is running NOD and the Simple TCP/IP service. The only application I have added lately to the mix is RemoteScan. I'm beginning to focus on it now to see what interaction it may be having with TCP/IP because it's a new program to me but I recall when sorting my way through the modifications it made to my system and seeing something that may be related. It's only a hunch at this point but I sure could use some direction.

    Would you know of any tool that might be helpful in my chasing this down? Maybe a forum to visit, or something?

    Thanks again and wish me luck.
     
  8. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, I had the same problem, although it was only using 50% of my CPU [3 GHz].
    I just changed the start up of this process from auto to manual.
    It only happened with Win XP SP2 for me. This process never ran before on my machine.

    All is fine now. I believe this runs in conjunction with snmp.exe
     
  9. chuckenheimer

    chuckenheimer Registered Member

    Sweetie,

    Hey, thanks for sharing. I'm thinking this is certainly a SP2 related issue. Whether it's NOD32's responsibility to look into this further I cannot say but I can say at this point that I've dropped back to an image file of my system just before the application of SP2. Installed NOD32 and no TCPSVCS.EXE pegging of the CPU. Knowing this, I've just applied SP2 to this configuration and am waiting for it to finish as we speak.

    I, of course, did the same as you by setting the Simple TCP/IP service to Manual and for the installation of SP2 I have the service stopped. I think this will give me a test bed where I can have NOD32 installed and functioning virginly (sorry, but I don't really know how to phrase this concept better) and will afterward reenable the Simple TCP/IP service. If there is a problem, then I will have chased it down to this situation.

    What do you mean that your system is functioning properly? How does this relate to SNMP.EXE, and if you were to need any functions provided to the Simple TCP/IP service, how would you manage? In other words, can you start the Simple TCP/IP service and have your system function without the CPU being pegged at 100% utilization? This anomaly really loads down my XP2100 CPU and I cannot work like this.

    Finally, I would like for the NOD32 people to report this to MS in hopes the situation will be attended to faster. I suppose I could never start the Simple TCP/IP process but that is not the way the opsys should function, i.e. without that service.

    Thanks for chiming in because that means I'm not the lone wolf out here. <G>
     
  10. chuckenheimer

    chuckenheimer Registered Member

    It is now my clear belief that the Add/Remove Windows Component function fouls the TCPSVCS.EXE file and causes the race condition.

    I went through the process of disabling the Simple TCP/IP service prior to the application of SP2. Rebooted and was able to start/stop this service without incident. So now I'm thinking it has to do with something else.

    When I then went to the Add/Remove Windows Component and selected Networking Services I saw that the Simple TCP/IP service was ticked as if it needed to be installed. Clearly the service was already on the system because I had been starting and stopping it beforehand so I don't know why A/R WC was offering it to me as an installable service. Something is amiss here.

    Anyway, stop the presses! I went to my XPP SP1 machine and saw the Simple TCP/IP service was not installed. Ticking this check box and allowing the installation to continue, I immediately began to see the race condition of TCPSVCS.EXE occur. Now that is strange indeed. So, I know it isn't related to SP2 at all.

    Clearly the culprit in this experiment is the A/R WC function. Some way or another using this function fouls the service. I'm not savvy enough to know what I'm seeing but would hope someone might point me to the correct place to follow up on this matter. NOD32 merely exposes the problem because on my SP1 machine I have the latest NOD32 updated so necessarily once I installed the Simple TCP/IP service then the condition was ripe for the anomaly to occur. This may be in some manner related to NOD32 and I'm hoping that my investigation has shown the problem because I would like to have this resolved and don't know how best to go about it.

    Anyone have any suggestions?

    Thanks.
     
  11. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hello Chuckenheimer (and everyone else),

    Have you previously had Norton AV running on your machine? I've noticed from several users of NOD32 that it still leaves some stuff in the registry which messes with NOD, causing tcpsvcs.exe to run at start-up, continuously, using something like 98% of the CPU.

    If there is still some record of Norton appearing in the registry, you might like to follow the instructions here...
    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606
    and see how you get on.

    If I'm wide of the mark and you haven't had Norton installed before... I'm sorry... just trying to offer some ideas.

    Bandicoot. :D
     
  12. Blackspear

    Blackspear Global Moderator

    Thanks for your input Mr Coot, good to see you wandering the halls of Wilders, hopefully we'll see some results with your suggestions :D

    Cheers :D
     
  13. chuckenheimer

    chuckenheimer Registered Member

    Good morning all,

    Well, after some reflection upon last night's efforts and some really good sleep, I find that I'm still at a loss to describe the problem completely and correctly.

    First, after installing WinXP Pro, w/SP1 slipstreamed into the CD-ROM, onto my desktop, I can say that I was able to use A/R WC to install the Simple TCP/IP service with it not immediately pegging the CPU utilization as viewed from Task Manager. Also, I know, too, that I could then install NOD32 and similarly manipulate the stop/start of Simple TCP/IP service without incident. Getting out of logical sequence here for a moment, I can now say that what I saw on the laptop (w/SP1 applied and NOD32 installed) after I used A/R WC wizard to install the Simple TCP/IP service and it immediately pegging the CPU must have been related but I'm not exactly sure how in light of me having been able to start/stop the Simple TCP/IP service on the desktop with SP1 and NOD32 applied without incident.

    So, with the desktop, being in almost the exact situation as the laptop, and with SP1 and NOD32 being installed, etc., the fact that I was able to start/stop the Simple TCP/IP service without incident means there must be some sort of configuration difference to account for the fact that on the laptop when using A/R WC wizard to install the Simple TCP/IP service that afterward the service immediately pegged the CPU, because as I recall this was NOT the case with the desktop until I applied SP2. And the real puzzle is that I was able to apply SP2 to the desktop and still start/stop the Simple TCP/IP service without incident. Weird.

    On the desktop it was not until I tried to use the A/R WC wizard that the TCPSVCS.EXE problem showed itself, and that did not happen until after I noticed that the wizard was offering me installation of the Simple TCP/IP service with the checkbox having a tick in it that I knew there was a problem because that service was already installed on the box. Why the A/R WC wizard thought the Simple TCP/IP service was not on the box I don't know but this, too, is a strange event. This is what is so puzzling because at this point I unticked the Simple TCP/IP checkbox and actually used the A/R WC wizard to install the new Peer to Peer services that became available AFTER I had applied SP2. And the way I managed that was to untick the checkbox for Simple TCP/IP Service and only allow the wizard to install Peer to Peer service alone. Still the race condition did not become evident at this point and I was able to still start/stop the Simple TCP/IP service without incident. Being bold, it was here that I tried to use the A/R WC wizard to "install" the Simple TCP/IP service (which as I said was already on the box starting/stopping without incident) that I saw the race condition with TCPSVCS.EXE begin.

    So, if anyone can make heads or tails of this then have at it. I'm supposing that what this situation means is that until I find what exactly is causing this race condition with TCPSVCS.EXE then I must disable this service completely. From here I'm going to google TCPSVCS.EXE and then check the MS Knowledge Base for any hits and see what I can find. And, I guess my final observation is that NOD32 being installed is not really relevant to the matter until whatever it is that happens to cause the A/R WC wizard to spoil something and this then causes TCPSVCS.EXE to peg the CPU.

    Well, now that I've probably confused everyone with my findings, I suppose I will have to leave this question for those more technically advanced than I and just stop the Simple TCP/IP service until an answer can be found. Thanks for lending me your collective ears for now I will sink back into lurkerdom.

    Oh yeah, Bandicoot, I have never utilized Norton products except in the Windows 3.x period. Symantec and I don't get along very well.

    Later.

    P.S. I've tried to edit this post for clarity about 4 times now and this is the best that I could do. <g>
     
    Last edited: Sep 7, 2004
  14. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Chuckenheimer,

    I don't know if this will help, but I had a different component going near 100% CPU caused by interaction with AMON here
     
  15. chuckenheimer

    chuckenheimer Registered Member

    Devinco,

    Hey thanks for that reference. It's interesting that you see a similar high CPU utilization just after installing NOD32. Apparently the installation of NOD has allowed this CPU race condition to become evident, mine in Simple TCP/IP service and yours in the speech application.

    Doing some more searching I see that Simple TCP/IP service opens ports 7, 9, 13, 17, 19 and I don't yet know what interaction this may be having with NOD, if any. You seem to have focused on AMON which may be helpful to me but don't yet know that either.

    I'm hoping either Marcos or someone from Eset may jump in and add some further information for us. Otherwise, I'm stuck with disabling the Simple TCP/IP service permanently. Truthfully, I don't use those in my setup, merely had them enabled just as an experiment so I think I can do without them.

    These types of events are what puzzle me and cause me to doubt the solidity of my configuration, so I'd like to put this matter to rest with a resolution. So, until I do.....

    Thanks!
     
  16. Devinco

    Devinco Registered Member

    Well you could experiment with AMON to further isolate the problem as I did.
    But if you don't NEED a service, it is a good idea to shut it down. Not only does it use up valuable resources, it presents a vulnerability that is unnecessary. Now that you have gone this far, I would try to isolate it further before killing it.
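
The ports listed in post 15 (7, 9, 13, 17, 19) are the well-known echo, discard, daytime, qotd and chargen ports, so one way to confirm the service is really shut down is to look for listeners on them in `netstat -ano` output. The following is an added example, not part of the original thread and not Eset or Microsoft code; the netstat sample, the PIDs and the function names are constructed for illustration.

```python
"""Flag Simple TCP/IP Services listeners in `netstat -ano` output (added example)."""
import re

# Ports named in the thread, with their standard well-known service names.
SIMPLE_TCPIP_PORTS = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}

# Constructed sample output; not captured from any machine in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1061      192.168.1.1:19         ESTABLISHED     2044
  TCP    127.0.0.1:1033         0.0.0.0:0              LISTENING       1720
  UDP    0.0.0.0:17             *:*                                    1480
  UDP    0.0.0.0:19             *:*                                    1480
  UDP    0.0.0.0:445            *:*                                    4
  UDP    [::]:7                 *:*                                    1480
"""

# Proto, local address, foreign address, optional state (UDP rows have none), PID.
ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z][A-Z_0-9]*))?\s+(?P<pid>\d+)\s*$"
)


def find_simple_tcpip_listeners(netstat_text):
    """Return sorted (proto, port, service, address, pid) tuples for listeners."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        # Only sockets waiting for traffic count: TCP in LISTENING, or a bound UDP socket.
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue
        # Split on the last colon so bracketed IPv6 addresses such as [::] survive.
        address, _, port_text = m["local"].rpartition(":")
        port = int(port_text)
        # Match on the LOCAL port; a client connected to a remote port 19 is not a listener.
        if port in SIMPLE_TCPIP_PORTS:
            findings.append(
                (m["proto"], port, SIMPLE_TCPIP_PORTS[port], address, int(m["pid"]))
            )
    return sorted(findings)


def summarize_by_pid(findings):
    """Group findings by owning PID so each can be matched to a process name."""
    by_pid = {}
    for proto, port, service, address, pid in findings:
        by_pid.setdefault(pid, []).append(f"{service} {proto}/{port} on {address}")
    return by_pid


if __name__ == "__main__":
    report = summarize_by_pid(find_simple_tcpip_listeners(SAMPLE_NETSTAT))
    for pid, items in report.items():
        print(f"PID {pid}:")
        for item in items:
            print("   ", item)
```

An empty result after the service is stopped or removed means nothing is bound to those five ports; any PID that does appear can be matched to a process name in Task Manager.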
     
  17. chuckenheimer

    chuckenheimer Registered Member

    Devinco,

    Yes, I suppose you are right. I continue to fiddle with this issue despite its circuitous nature; I find myself running around and around without producing results.

    I can say that during one of my experiments earlier that having seen the CPU race condition in TCPSVCS.EXE that I used A/R WC wizard to reinstall the service. I do not recall with specificity but do know that afterward the CPU race condition was resolved. That was really surprising but just in line with some advice I'd seen given to another user who seemed to be bothered with a similar problem. Don't recall the date but I will say the posts I've been seeing are in 2002, and related to WinNT platforms. Hmmph.

    You might know that I first saw a problem involving A/R WC wizard after applying SP2 when I then attempted to remove MSN Explorer. That was a particularly weird development in that the wizard wanted not only the original WinXP CD, but it wanted the SP2 CD! The wizard was looking for a file but because of the way the SP2 d/l file works, those subdirectories and files were removed upon successful installation of the SP. That left me scratching my head and wondering why the A/R WC wizard found it necessary to go searching for a SP2 file. I never solved that riddle either.

    Finally, I'm back to the pre-SP2 installation image and experimenting very slowly and documenting my steps. But what I find interesting is that more people around here haven't chimed in with a "Me, too" comment. I'm not sure if it's that people here in this forum don't have these types of problems (don't go searching for them either, I suppose) or they are smart enough to get themselves out of fixes they get themselves into without asking for help.

    Anyway, I'm glad to be here and particularly glad to see Eset has a good presence here, too. Truthfully, I've never had much of a problem with NOD32 at all. After it's installed it just seems to work and I try to be particularly careful about my meanderings on the web. What concerned me the most was thinking that I may have needed to change AV software but I'd already been there, done that and was glad to get back to NOD for its simplicity and competence. Granted I still have a bunch of learning to completely understand the options available but it appears this is the exact forum for discussing these issues. Just look at the topics that jump to the top.

    I'm hoping someone is benefitting from my experimenting. Thanks for being around.
     
  18. Turpster

    Turpster Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    31
    Location:
    Mercersburg, PA
    Chuckenheimer,

    I have the same exact problem. I have gone to great lengths to fix it - with no success. So, I started again from scratch with a clean Windows XP Prof SP2 installation (slipstreamed a CD). Everything was working fine until I installed Nod32 (latest version). My cpu spiked to 60 to 100% after Nod32 install.

    I found that if you exclude TCPSVCS.exe under IMON>Setup>Misc>Exclusion that everything returns to normal. However, this probably means that I have opened a huge hole in my security coverage......

    I don't want to disable TCPSVCS because of this summary I found:

    Description:
    tcpsvcs.exe is a part of Microsoft Windows networking components. This essential system process is initiated when the computer uses special TCP/IP networking services such as DHCP, Simple TCP and print services. This program is important for the stable and secure running of your computer and should not be terminated.

    Author: Microsoft Corp.
    Part Of: Microsoft Windows Operating System

    Nor do I really want to exclude it under IMON - so, I too, am at a loss.

    I emailed Eset about two weeks ago and well...... No response from them on this issue.
     
    Last edited: Sep 16, 2004
  19. Blackspear

    Blackspear Global Moderator

    Can you send a further email? In the meantime I will see if I can have someone look into this...

    Cheers :D
     
  20. Turpster

    Turpster Registered Member

    Email on its way...... Thanks!
     
  21. Turpster

    Turpster Registered Member

    Update - Got response from Eset today. They said to keep tcpsvcs.exe in the exclude list of IMON while the developers investigate this problem.

    I will post any possible solutions they provide me once they have had a chance to look into this issue.
     
  22. zac

    zac Guest

  23. chuckenheimer

    chuckenheimer Registered Member

    OK, everybody, I'm finally back. I'm now at the point where I am no longer installing SP2 just yet. There are more problems than just the one I've posted here. If you're curious you might try this:

    Go to the Add/Remove Windows Components utility and remove / reinstall the MSN Explorer program and see what happens on the install (request for the SP2 CD-ROM) which leaves the system sparfarkled.

    If you manipulate the Network Services portion of the utility by either adding or removing services, you will find that just by allowing the utility to function in some manner sparfarkles your opsys configuration and requires you drop back to an earlier image file or reinstall. I just don't trust that portion of SP2 yet and won't jeopardize my working system with this niggle under the covers.

    BTW, I'm working on another issue with regard to my m/b chipset driver updates so I will not check back here too frequently but I am interested in the thread so I hope I'm subscribed.

    Thanks again!
     
  24. chuckenheimer

    chuckenheimer Registered Member

    Zac.

    Yeah, that might be a related problem. Thanks for the heads up.

    Turpster,

    My true take on this is that NOD32 only shows up the problem and that this CPU race condition is not limited to SP2, it has occurred on my SP1 machine, too.

    As to the necessity of the Simple TCP/IP services, I don't believe it is necessary as MS would have you believe. In fact, I've disabled ALL of the network services and my machines function correctly but, then again, I know I'm not in a configuration that would require these networking services.

    Later.
     
  25. Blackspear

    Blackspear Global Moderator

    Thanks

    Yes, it is ALWAYS good to see what is going on and what the remedy is, no matter how long the thread gets, the longer the better in some cases… ;)

    Keep keeping us in the loop…

    Cheers :D
     