spoolsv.exe using excessive cpu



dirtbag
01-03-2007, 09:39 PM
As title suggests, I have been finding that spoolsv.exe has been using excessive cpu usage nearly all the time it's on (I have been disabling it between print jobs)
I have researched on the net and tried everything I have found, uninstalling all the printers, cancelling all the job queues (there is usually nothing in the queues), deleting spool files out of windows/system32/printers/spool etc.
I downloaded regmon and ran it for about 15 seconds, and it is full of spoolsv.exe just accessing keys over and over, here's a small excerpt out of it:

148 0.02839160 spoolsv.exe:564 OpenKey HKCU SUCCESS Access: 0x2001F
149 0.02840529 spoolsv.exe:564 OpenKey HKCU\Printers\Connections\,,.,DISPLAYV1 NOT FOUND
150 0.02855139 spoolsv.exe:564 CreateKey HKCU\Printers\DevModePerUser SUCCESS Access: 0x2001F
151 0.02856257 spoolsv.exe:564 CloseKey HKCU SUCCESS
152 0.02857235 spoolsv.exe:564 QueryKey HKCU\Printers\DevModePerUser SUCCESS Subkeys = 0
153 0.02859246 spoolsv.exe:564 QueryValue HKCU\Printers\DevModePerUser\\\.\DISPLAYV1 NOT FOUND
158 0.02868661 spoolsv.exe:564 CloseKey HKCU\Printers\DevModePerUser SUCCESS
159 0.02895340 spoolsv.exe:564 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW
160 0.02897491 spoolsv.exe:564 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW
165 0.02905481 spoolsv.exe:564 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind SUCCESS "\Device\{A7E7F648-F43D-4D16-A18B-10614D9E9EC8}"
175 0.02939871 spoolsv.exe:564 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085} SUCCESS Access: 0x20019
176 0.02941240 spoolsv.exe:564 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085}\EnableDHCP SUCCESS 0x0
180 0.02946436 spoolsv.exe:564 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085}\DhcpServer SUCCESS "255.255.255.255"
181 0.02947498 spoolsv.exe:564 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085}\DhcpServer SUCCESS "255.255.255.255"
182 0.02948615 spoolsv.exe:564 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085} SUCCESS
186 0.02960767 spoolsv.exe:564 CreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
187 0.02963198 spoolsv.exe:564 OpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS Access: 0x20019
188 0.02964511 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\DnsClient NOT FOUND
193 0.02972696 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "amd64"
194 0.02973730 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "amd64"
195 0.02974903 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
196 0.02976663 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS
200 0.02986190 spoolsv.exe:564 CreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
201 0.02988145 spoolsv.exe:564 OpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS Access: 0x20019
205 0.02996638 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\DnsClient NOT FOUND
206 0.02998063 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\System\DNSClient NOT FOUND
207 0.02999012 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain SUCCESS ""
208 0.02999878 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain SUCCESS ""
212 0.03006276 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
213 0.03007226 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS
214 0.03024714 spoolsv.exe:564 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW
218 0.03029826 spoolsv.exe:564 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW
219 0.03031195 spoolsv.exe:564 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind SUCCESS "\Device\{A7E7F648-F43D-4D16-A18B-10614D9E9EC8}"
234 0.03093019 spoolsv.exe:564 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085} SUCCESS Access: 0x20019
235 0.03094248 spoolsv.exe:564 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085}\EnableDHCP SUCCESS 0x0
236 0.03096036 spoolsv.exe:564 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085}\DhcpServer SUCCESS "255.255.255.255"
240 0.03101567 spoolsv.exe:564 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085}\DhcpServer SUCCESS "255.255.255.255"
241 0.03102880 spoolsv.exe:564 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9971CCF9-6EC6-46E8-9269-FB0C06098085} SUCCESS
242 0.03116290 spoolsv.exe:564 CreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
246 0.03122855 spoolsv.exe:564 OpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS Access: 0x20019
247 0.03124168 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\DnsClient NOT FOUND
248 0.03125202 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "amd64"
249 0.03127297 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "amd64"
253 0.03130985 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
254 0.03131906 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS
258 0.03138639 spoolsv.exe:564 CreateKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
259 0.03140790 spoolsv.exe:564 OpenKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS Access: 0x20019
260 0.03141936 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\DnsClient NOT FOUND
261 0.03144255 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\System\DNSClient NOT FOUND
265 0.03148780 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain SUCCESS ""
266 0.03149646 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain SUCCESS ""
267 0.03150652 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
272 0.03161323 spoolsv.exe:564 CloseKey HKLM\System\CurrentControlSet\Services\DnsCache\Parameters SUCCESS
273 0.03167218 spoolsv.exe:564 OpenKey HKCU SUCCESS Access: 0x20019
274 0.03168196 spoolsv.exe:564 OpenKey HKCU\Printers\Connections\,,.,DISPLAYV1 NOT FOUND
278 0.03172861 spoolsv.exe:564 CloseKey HKCU SUCCESS
279 0.03176577 spoolsv.exe:564 OpenKey HKCU SUCCESS Access: 0x20019
280 0.03178924 spoolsv.exe:564 OpenKey HKCU\Printers\Connections SUCCESS Access: 0x20019
284 0.03183980 spoolsv.exe:564 OpenKey HKCU\Printers\Connections\,,.,DISPLAYV1 NOT FOUND
285 0.03184930 spoolsv.exe:564 CloseKey HKCU\Printers\Connections SUCCESS
286 0.03186886 spoolsv.exe:564 CloseKey HKCU SUCCESS

and so on and so on.

Any help on this matter would be greatly appreciated, as I'm starting to pull my hair out over the matter, most problems I have been able to fix with a simple google/forum search, but this one has me beaten!

edit: running XP pro SP2
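
An added example, not part of the original post: a small Python parser for trace lines in the layout shown above. It groups identical registry operations so the keys the spooler polls in a loop, and the ones that never resolve, stand out. The function names and the choice of sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample lines taken from the excerpt in the post, with the stray spaces that
# split long key paths (e.g. "Param eters") removed.
SAMPLE = r"""
148 0.02839160 spoolsv.exe:564 OpenKey HKCU SUCCESS Access: 0x2001F
149 0.02840529 spoolsv.exe:564 OpenKey HKCU\Printers\Connections\,,.,DISPLAYV1 NOT FOUND
188 0.02964511 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\DnsClient NOT FOUND
193 0.02972696 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "amd64"
214 0.03024714 spoolsv.exe:564 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW
247 0.03124168 spoolsv.exe:564 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\DnsClient NOT FOUND
248 0.03125202 spoolsv.exe:564 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "amd64"
274 0.03168196 spoolsv.exe:564 OpenKey HKCU\Printers\Connections\,,.,DISPLAYV1 NOT FOUND
284 0.03183980 spoolsv.exe:564 OpenKey HKCU\Printers\Connections\,,.,DISPLAYV1 NOT FOUND
"""

# seq, time, process:pid, operation, key path (may contain spaces), result, detail
LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+?):(\d+)\s+(\w+)\s+(.+?)\s+"
                  r"(SUCCESS|NOT FOUND|BUFFER OVERFLOW)(?:\s+(.*))?$")

def parse(text):
    """Yield one dict per well-formed trace line; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            seq, t, proc, pid, op, path, result, detail = m.groups()
            # Registry paths are case-insensitive (the trace mixes SYSTEM/System).
            yield {"seq": int(seq), "time": float(t), "proc": proc.lower(),
                   "pid": int(pid), "op": op, "path": path.lower(),
                   "result": result, "detail": detail or ""}

def repeated_accesses(text, proc="spoolsv.exe", min_count=2):
    """(op, path, result) tuples one process repeats, most frequent first."""
    counts = Counter((e["op"], e["path"], e["result"])
                     for e in parse(text) if e["proc"] == proc)
    return [(k, n) for k, n in counts.most_common() if n >= min_count]

def never_found(text, proc="spoolsv.exe"):
    """Keys the process keeps asking for that never resolve in the capture."""
    ok, missing = set(), set()
    for e in parse(text):
        if e["proc"] == proc:
            (missing if e["result"] == "NOT FOUND" else ok).add(e["path"])
    return sorted(missing - ok)

if __name__ == "__main__":
    for (op, path, result), n in repeated_accesses(SAMPLE):
        print(f"{n:3d}x {op:<10} {result:<15} {path}")
    print("never found:", never_found(SAMPLE))
```
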

Speedy Gonzales
01-03-2007, 10:07 PM
Looks like this prob is common when something is waiting to be printed in queue.

Have u scanned for trojans etc as a trojan / backdoor also uses this filename.

Do a search on the hdd.

See how many files u have called spoolsv.exe and what folder they're in.

dirtbag
01-03-2007, 11:30 PM
Yea, I figured the same about the queued job, but I have already tried everything to do with that, cancelling all the queues, removing all the printers, removing files from system32/spool/printers (which has never contained anything when I have looked), under printers settings told it to send straight to printer without spooling, the printer I work with is a brother 2070n on a home network.

Just searched and it found spoolsv.exe in 5 places:
c:\windows\$ntservicepackuninstall$
c:\windows\prefetch
c:\windows\system32
c:\windows\servicepackfiles\i386
c:\windows\$hf_mig$\KB896423\sp2qfe

Whilst the problem has been present I have had over different periods of time AVG free, bitdefender 9 and finally nod32 running without them ever finding anything suspicious with spoolsv.exe, these were kept up to date, and my computer scanned every week automatically, along with manual scans with spybot and adaware.

rob_on_guitar
02-03-2007, 01:09 PM
I recently had this problem with the spoolsv.exe using up to 98% of my cpu.

I actually found I had not set my printer up correctly (actually in the printer settings).

I ended up uninstalling all printers and reinstalling them from scratch and now it goes fine.

Speedy Gonzales
02-03-2007, 01:22 PM
Just searched and it found spoolsv.exe in 5 places:
c:\windows\$ntservicepackuninstall$
c:\windows\prefetch
c:\windows\system32
c:\windows\servicepackfiles\i386
c:\windows\$hf_mig$\KB896423\sp2qfe

Hmm if your system is up to date with updates, I just did a search as well, the only spoolsv.exe on this is c:\windows\system32 (XP SP2)

It doesn't show any of the other folders/files above.

Have a read of this (http://groups.google.co.nz/group/microsoft.public.security/browse_thread/thread/18c8da8846f656c9/ca10601c5f6983e4%23ca10601c5f6983e4)

dirtbag
02-03-2007, 02:29 PM
Was yours updated from SP1 or has it always been an SP2 install? Mine may be there because windows does a bad job at cleaning up after itself after I installed SP2 however many moons ago. And it being in prefetch is explainable, so only suspicious place is the "c:\windows\$hf_mig$\KB896423\sp2qfe" location.

Trying what that thread suggested just made my computer lock up and then logout.

I ran a sigverif and spoolsv.exe came back as properly signed etc as well.

Speedy Gonzales
02-03-2007, 02:35 PM
That could be 1 reason why, my SP2 is installed when I reinstall XP (it's slipstreamed on the CD).

But, you're right the c:\windows\$hf_mig$\KB896423\sp2qfe entry may be suss.

dirtbag
02-03-2007, 06:55 PM
$hf_mig$ is full of folder names starting with KB, so I'm guessing it's some form of windows update cache?

It's 215MB, and originally created on the date that I last installed XP on this machine.

Within c:\windows\$hf_mig$\KB896423 there are 4 things, the folder sp2qfe, another folder update and two files, spmsg.dll and spuninst.exe, this makes me think it's less suss than originally thought

Speedy Gonzales
02-03-2007, 07:11 PM
Yup I think they're safe too, most probably installed, after u updated to SP2 from SP1.

Only other thing as said already, it may be the printer, or it's not configured properly.