I have a Windows 2003 Server R2 Standard Edition, Service Pack 2 that has begun "hanging". Server Specs HP ProLiant ML370 G5 Dual Intel Xeon E5320 (8 Cores) 4GB RAM Windows 2003 R2, Service Pack 2 Terminal Server Sunbelt Software VIPRE Enterprise Antivirus software During normal operation, users will slowly start to get disconnected from the server and be unable to reconnect. The console will become unresponsive and ther server has to be hard rebooted. What I have found is a SVCHOST process whose RAM usage starts to grow rapidly and eventually "hangs" the server. If I kill the process the server recovers and performs normally as the who thing starts over. The SVCHOST has the following services registered: Application Experience Lookup Service COM+ Event System Help and Support Server Workstation Network Location Awareness (NLA) RasMan Schedule SENS Windows Management Instrumentation Computer Browser Net Logon File Replication Service The SVCHOST starts out at boot-up using about 18MB RAM, after about 45 minutes it is using about 45MB RAM, at a little over an hour it is using 85MB, 90 minutes it is using 135MB and 2 hours it is using 225MB+ (at 5am this morning after being booted up for 15 hours it was using 625MB) As long as I kill the process BEFORE it hit 100MB of RAM usage, all of the services start correctly. However, once the process exceeds 100MB of RAm, the SERVER service will failed to start with an ACCESS DENIED error, once that happens I am forced to reboot the server because there are no shares. When the system hangs, it doesn't log any errors in the event log that relate to the cause. It does log errors related to the symptoms of the crash (Winlogon errors, etc). About 4 weeks ago, we had an issue with the server spontaneously rebooting. It turned out to be faulty Broadcom NIC drivers. We replaced the drivers and the reboots stopped. (I only bring it up as additonal information) Also, we has an employee load the fake Sysinternals AntiVirus software on "her computer". She has a thin client ... Our A/V caught it and cleaned it. Subsequent scans of the server have been clean, but I can't help wondering if that may be related to the issue we are experiencing now. Any suggestions would be greatly appreciated. Robert Branch

From the server, can you launch SysInternals ProcessExplorer (procexp.exe) to determine which SVCHOST this service is spawned from? It will reveal the parent which is spawning ths SVCHOST & you'll be able to identify what is the root cause.

Run tasklist /svc to list which services are associated with the appropriate PID. svchost.exe 1488 DcomLaunch, TermService svchost.exe 1532 RpcSs svchost.exe 1780 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, helpsvc, LanManServer, lanmanworkstation, Netman, Nla, Schedule, seclogon, SENS, ShellHWDetection, srservice, Themes, TrkWks, W32Time, winmgmt, wuauserv, WZCSVC svchost.exe 1872 Dnscache svchost.exe 260 LmHosts, RemoteRegistry, SSDPSRV Once you have the PID and the lists of services you can now determine the specific service by stoping the various services until the CPU goes down. Here's a list of all services that run under svchost. http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Windows%202003%20Default%20SVCHost%20Services.aspx

Also try from a clean boot. 1. Click Start, click Run, type "msconfig" (without quotation marks) in the Start Search box, and then press Enter. 2. Click the "Services" tab, check the "Hide All Microsoft Services" box and click "Disable All" 3. Click the "Startup" tab, click "Disable All" and click "OK". Then, restart the computer. Regards, Dave Patrick .... Microsoft Certified Professional -Microsoft MVP [Windows]