Svchost.exe uses 100% CPU when Windows XP updates via WSUS

Although this problem will diminish in time with more powerful PC’s being released to the market, there are still situations where you might run into a performance problem when a client scans against WSUS.

By default a client will scan every 22 hours for updates when connected to a WSUS Server. This default time can be changed

Next I will discuss the factors that can influence scanning performance on a client:

1. Hardware. Single Core machines are more likely to take longer to finish detection.

Recommendation: Use Dual Core Machines

2. MSI Version. MSI is used during the scanning. Office updates have the detection logic within the MSI package, so the Windows Update Agent hands the metadata off to MSI where MSI then checks for the products\features installed and will see if the update is applicable. So it’s a known performance issue when MSI 3 is scanning against a bunch of Office updates.

Recommendation: always use the latest MSI Agent. You can check the version of MSI.DLL to find out what engine is installed:

[C:\WINNT\SYSTEM32\MSI.DLL]

Company Name: Microsoft Corporation

File Description: Windows Installer

Product Version: 3.1.4001.5512

File Version: 3.1.4001.5512

URL to download MSI 4.5 https://support.mirosoft.com/kb/942288

3. The detection data is saved into the DataStore which is located here: c:\windows\softwaredistribution. During a detection data is written constantly into the Store. This is why you should add the SoftwareDistribution Folder into the exclusion list of your AntiVirus Software.

4. Windows Update Agent. This handles the detection logic of the updates that are about to be installed. This update is crucial because detection logic is revised with every version by our product team and performance is tweaked regularly.

Recommendation: Download and install the latest WUA: https://support.microsoft.com/kb/949104

5. The amount of updates available on the WSUS Server.

This is a very important concept to understand. On the WSUS Server we have Updates which can have 3 states. DECLINED, NOT APPROVED, APPROVED

Detection on a client works like this: The client (Wuaueng.dll) initiates a Metadata sync with the Server. Basically it asks for a list of updates that are available on the WSUS Server (For this the Client Web Service is used). The Server compiles a list of those updates and sends them back to the client. Then the actual detection takes place. MSXML3.DLL and MSI.DLL go through the XML Data for updates that are needed on the client. Once he is done, he will compile a new list and send this to the WSUS Server which will trigger the download.

This whole process takes time and computing power. The client will ONLY parse APPROVED and NOT APPROVED Updates. This means that if updates are not specifically declined the Client needs to touch each update to check if it is applicable for him or not.

Recommendation:

1. Declined all Superseeded Updates. Superseeded updates have newer updates that replace them, thus making them obsolete. This is the most important tweak. Pay special attention to Office 2003 Updates. There is a great number of these updates, which are the primary source for bad client performance

2. Try to minimize the amount of Updates that have a NOT APPROVED state. Either decline them or approve them.

6. WSUS Server Maintenance:

A good Server Maintenance will also improve performance on the clients.

Running monthly cleanup scripts will help eliminate expired updates and will also decline superseeded ones.

Here are a few tools to help with the process:

1. The clean-up wizard in WSUS should be run at least once per month. This can be automated using scripts:

WSUS 3.0
https://wsus.codeplex.com/releases/view/17612

Powershell script

https://www.peetersonline.nl/index.php/powershell/wsus-cleanup-with-powershell/

2. Below is a reindexing script that will help WSUS search faster through the database (also ran once a month):

https://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

These steps should offer noticeable improvements to the detection time of your clients.

If you have any questions, please use the comment section below.

Tudor Dimboianu

Platforms Core Team