In looking at SYSINTERNALS process explorer on both my laptop and desktop, there is a difference where the SDAV processes are placed. On my laptop, where I have the pctssvc issues, all of the processes run under the SYSTEM process with pctsgui running under the pctssvc process, i.e. pctssvc has a + next to it which when opened shows pctsgui running.
On my desktop, however, both pctsauxs and pctssvc run as equal processes under the SYSTEM process whereas the pctsgui process runs under the EXPLORER process.
As I have no control over where these processes execute could this be a reason why pctssvc on my laptop is causing problems.
Results 21 to 30 of 40
Thread: pctsSvc.exe and high CPU
03-26-2012, 12:38 PM #21Member
- Join Date
- Mar 2008
Last edited by alanedgecombe; 03-26-2012 at 12:42 PM.
03-26-2012, 10:39 PM #22
This could be the issue since it is out of the ordinary. I am not sure why the pctsgui.exe (i.e. the user interface) parent process is pctsSvc.exe. You can check if this is indeed the case, by right clicking the process and choosing Properties with Process Explorer.
You can see the parent process of pctsGui.exe in the screenshot below of my desktop PC. All screenshots were taken from Process Explorer 15.13.
03-27-2012, 06:36 AM #23Member
- Join Date
- Mar 2008
I am using the same version of Process Explorer as you and when I check the parent of pctsgui it is indeed pctssvc. I guess the question that needs resolving therefore, is why is this the case and if this is incorrect, how is it resolved? Also the only difference between your 'paths' (of pctsgui properties) and mine is that the Command Line path has /hideGUI appended to it.
Last edited by alanedgecombe; 03-27-2012 at 06:41 AM.
03-27-2012, 09:25 PM #24
How is it resolved?
Thatís a good question. I was going to suggest ending the process of pctsGui.exe and then starting a new instance of it from Process Explorer so that its parent is then Process Explorer (using the File-->Run option of Process Explorer) just to see what happens, but canít do so for the following reason.
This isnít possible since pctsGui.exe canít be shut down by usual means of Task Manager or Process Explorer (which makes sense since malware would likely want to do this to enable an easier compromise of the PC). I can shut down it down using either GMER or Process Hacker but this seems overkill and far from a best practice.
I may have found out why your process tree for Spyware Doctor differs from mine. From what I can tell, it is because your version of Spyware Doctor starts at Windows boot up. I have mine set so that I can start it manually after Windows has started. I do this since I am using Symantec Norton Internet Security 2012 as my primary anti-malware solution.
I have 2 user accounts on my PC (1 is a standard user, 1 is an administrator). Using the standard account, start PC Tools using Windows (via the Start menu)(the icons and interface of Windows are actually powered by explorer.exe), this is the reason I believe my initial screenshots differ from yours.
I am starting PC Tools using explorer.exe (without realizing it since I am using the user interface of Windows to start Spyware Doctor), I believe this is why pctsGui.exe is a child of explorer.exe
Leaving the standard account logged in, I switched user to the admin account. This simulated booting the PC up as normal (since this is a new user logging in).
pctsGui.exe is now a child of pctsSvc.exe as I predicted since PC Tools is starting when Windows is starting for this new user.
See the new screenshots below:
My screenshot now also shows the command line parameter of /hideGUI
I donít think this is the source of your issue since when using the admin account with PC Tools, my CPU was at the usual 0% usage. Running a Smart Update and then a quick scan showed no abnormally high CPU usage. After the scan, CPU usage is still normal.
The /hideGUI option I suspect hides the taskbar icon beside the clock because in my standard user account, it wasnít there before switching to the admin account. When I returned to the standard account the icon was back. pctsGui.exe is still running as a child of pctsSvc.exe in the standard account since the admin account has been logged out.
Again, I am typing this and using my PC as normal with no high CPU usage. Sorry for not being able to determine the root cause of the high CPU usage but from what I can tell, this parent and child process relationship between the PC Tools services appears to be expected behavior (i.e. by design). It isnít causing an issue for my PC. Perhaps we have narrowed down the root cause by ruling this process relationship out as the issue?
I use 2 Windows accounts simply for security reasons. I use the standard account for daily use and only need to enter my admin password to run some programs as admin e.g. Process Explorer (it works better in admin mode) and for running older programs.
If I need to install a program, I will install it using the admin account and then use the program from the standard account. If malware should compromise my PC, it won't be a total compromise since the infection will only have user and not admin privileges (unless I give the infection my admin password, which is unlikely since Windows UAC will request the password, I won't enter it if I wasn't expecting a password prompt or if I don't recognize the asking program.)
I don't recommend this approach for everybody since it can be a little more frustrating to use at first but the extra security it provides is reassuring to me.
I hope this further information is of some assistance. I am sorry that we still havenít determined what the actual issue is.
Thanks for your update.
03-28-2012, 04:08 PM #25Member
- Join Date
- Mar 2008
Thanks for your comprehensive note and the time taken to try and resolve this issue. The SD function, however, starts at the same time on both my Laptop and desktop PC's but only my laptop has it running under pctssvc. The only difference between the startup processes on each PC is that the desktop goes straight into Windows and my laptop requests a password to be entered before starting, however the user is 'administrator'. I will remove the password request from the laptop and see what difference that makes, if any.
As for the 'hide' parameter, I'm not sure what that does as the SD logo does appear on my Task Bar anyway. Still let me do the password change as that then is the last difference I can see between the 2 PC's. If that resolves the problem then something is wrong somewhere as that should not make any difference, but let me check it first.
I will report back when I have done it and seen what effect it has.
As an aside, how did you get the screenshots to be entered here as when I tried I had no 'Paste' function after I captured the screen.
03-28-2012, 10:27 PM #26
Thanks for the update.
As you mention, I don’t think the password prompt would cause this issue. Please remember to turn if back on after you have tested if turning it off makes a difference.
I used the Windows 7 Snipping tools to create the screenshots:
This tool is also included with Windows Vista. With Windows XP, you still need to use the Print Screen button on the keyboard and then paste the contents into MS Paint (this approach still works in Windows Vista and Windows 7).
I then uploaded the pictures to my Photobucket account ( http://photobucket.com/ )
When creating the above post, I then chose, Insert Image and paste the link to the appropriate image stored in my Photobucket account. I then choose the “Preview” button for the post to ensure the picture included is the correct one and is readable. This is a long process but gives a good result.
Let me know how you progress with the issue. I am looking forward to the new PC Tools build. I will upgrade from the 184.108.40.2062 build when it is released (even though I am not experiencing any issues, new builds are even better than previous builds).
Last edited by jimboc007; 04-03-2012 at 09:50 PM. Reason: Fixed spelling error
03-31-2012, 03:31 PM #27Member
- Join Date
- Mar 2008
As I thought changing the access method into my system by removing the password requirement did not resolve anything. I am still getting times when pctssvc goes into high cpu usage. One thing I have seen which I did not mention before is the amount of disk bytes that are being read and written. Since my last re-boot, about 24 hours ago, the number of I/O Bytes Read by pctssvc is just over the 2GB mark whilst the number of I/O Write Bytes is 1.3GB. These numbers seem extremely high with the Bytes Read number increasing during the time the CPU is enjoying itself at 100%. The Write Bytes increases after the cpu cycles have returned to normal. The number of Network Bytes sent and received in the same period was 5k and 13k respectively.
Do these numbers have any significance at all do you think? It may certainly point to why the CPU increases during this time if there is disk read activity taking place too. Just something else to throw into the equation!
04-03-2012, 09:47 PM #28
Thanks for your update and apologies for not replying sooner.
I have left Spyware Doctor running with all IntelliGuards enabled on my PC for some time and the number of reads is about 20,000, the equivalent of 141 MB. This is a lot since I have not run a scan at all on my PC and PC Tools has simply been idling on my PC during this time. Here are the relevant screenshots from Process Explorer:
These numbers may be the reason for the high CPU usage, perhaps Spyware Doctor is struggling to read some data from your hard disk is using a lot of CPU time/power to complete the read operation as soon as possible.
This is just an educated guess. I am not aware of the particular internal details of the operation of the PC Tools anti-malware engine (I only know what is shown in their user guide and in online help articles, just like everyone else).
The only steps that I can suggest to reduce this number of disk reads would to be defragment your computer’s hard disk (you probably already do so on a regular basis).
The steps to do this for Windows XP are contained in the following link:
This should reduce the number of disk reads since the hard disk will not have to search around its data platters (the spinning disks that make up your hard drive) for data since it will be consolidated in one area on the disk.
It is possible that some of the data on your hard disk is corrupted (through no fault of your own, this simply happens with everyday use).
A scan with Checkdisk can find and repair such corruption. The steps for running it are detailed in the following knowledge base article:
This scan can take from 1 to 3 hours typically (the larger the hard disk, the more time it takes).
I run a defragmentation on my Windows 7 PC about every 2 weeks (since I move a lot of data back and forward).
I run a Windows Checkdisk on the computer once per month (since I have on total, 2.6 Terabyte (TB) of storage space inside this computer (1x 600 GB hard disk and 1x 2 TB storage drive (both internal)). it takes about 5 hours to fully scans these drives with Checkdisk.
The Checkdisk always finds and corrects minor corruption (I don’t see a way or preventing this from occurring). I never notice the effects of any corruption that is/was present.
The above are suggestions that may work to reduce or eliminate this issue of large numbers of disk reads. If they don’t work to resolve it, I have run out of suggestions for the original issue.
If I can be of further assistance, please let me know. Please keep me updated with any further progress/ideas or observations you may encounter. I would be very interested to know what resolves this issue.
Last edited by jimboc007; 04-03-2012 at 09:49 PM. Reason: Added clearer image
04-05-2012, 11:28 AM #29Member
- Join Date
- Mar 2008
Thanks for your note. I do a defrag about once a week and make sure that I also run a registry cleaner too. Both are Auslogics products. I also run Glary Utilities about once a fortnight or so as well. Malwarebytes as I mentioned before also gets run about once a week so I do try to make sure that my PC is kept as clean as possible and as virus free as possible.
I hadn't run a CHKDSK for quite a while so ran that yesterday and it found +- 390 minor errors and made some file corrections, but unfortunately that has still not made any difference at all. Pctssvc still runs about every 20 minutes and for about 30 seconds a time taking 100% CPU. The only other thing I could do, would be to run Process Monitor and capture what is actually happening during the time pctssvc is running and pass that on to PCTools support to have a look at if that would be of any use at all. For that I would kill all unnecessary processes and just capture what is happening for it to run. Would that be of any benefit?
As for the disk read/writes, since I did the CHKDSK yesterday the system has been running for about 20 hours with Read Bytes at 1.9GB and Reads I/O at 809k and Write Bytes at 1.3GB and Write I/O at 137k somewhat more than your system. The number of Disk Reads is 77k. My system only has a 60GB disk with about 6GB free.
Apart from that I have no other observations. What I may try again is another CHKDSK to see what that shows, in case there is a track that is failing maybe and pctssvc manages to hit that track for some data at a particular time causing the issue. The only other thing I can do after all of that would be to delete SD completely, run Registry clean, run registry and disk defrag and to then reload SD and see what that does. By defragging after deleting it would hopefully ensure data was distributed differently on the disk and then rule out bad sectors or tracks. Maybe I need to do that with the newer version rather than the current one. The trouble is whether I would have removed all of the product before reloading. Is there a complete uninstall process that would ensure all items relating to SD get removed?
Your thoughts would be appreciated on any of the above. Thanks.
04-05-2012, 10:57 PM #30
Your routine for defragmenting and malware scanning seems absolutely to me. Please keep up this diligent work, I have a similar routine too.
Running Process Monitor is indeed a great idea, I would like to suggest filtering the activity trace as follows (it will make understanding the long list of activity from pctsSvc.exe easier to understand.
Open Process Monitor
Click the “File” menu (in the top left corner and un-tick “Capture Events” (we are not ready to capture events just yet)
Click the Filter menu near the top of the windows and choose the submenu option, Filter.
Press Reset if there are already filters enabled.
From the dropdown menu, select “Process Name”. From the next drop menu, choose “is” and enter pctsSvc.exe in the text box. Then click the “Add” button (see screenshot below that shows all of these steps completed):
You should now have blank Process Monitor window.
Resume recording the registry/file/process/thread/network/profile events activity by clicking the “File” menu (in the top left corner and tick “Capture Events”
The Process Monitor window will now begin to fill with information. You can narrow down the information further using the registry/file/process/thread/network/profile event buttons at the top of the window (shown below)
Killing all unnecessary processes would also be of benefit while capturing this log but should not make too much difference since we have filtered the output of Process Monitor to only show the PC Tools Security service. However to eliminate all other 3rd party processes from suspicion and interfering with PC Tools, I would still recommend killing them as you suggested.
If you have run CheckDisk with the options shown below in the screenshot, it would have already marked any bad sectors as bad and would have marked them so that the drive does not write to them further. You can view the event log of the CheckDisk using the Event Viewer (Control Panel->Administrative Tools->Event Viwer->Windows Logs->Application) to determine what if any sectors were marked as bad (the result of the CheckDisk is shown in the Event Viewer)
Look for events with names as wininit and checkdisk at the time you performed the check disk.
Your recommendation of completely removing PC Tools Spyware Doctor and running the optimization/cleanup tasks sounds like a good idea and definitely worth a try. I like the order of the steps you have chosen to get maximum benefit from them.
As for removing Spyware Doctor totally, the most thorough method I know is as follows (I always use it before upgrading to a new version/build of Spyware Doctor):
Open Control Panel
Open Add/Remove Programs
Uninstall PC Tools Spyware Doctor
Delete the location where Spyware Doctor was installed (by default, C:\Program Files\PC Tools Security )
Use the Search utility of Windows XP to locate any remaining traces, search your C Drive for files containing PC Tools in their names, delete any files and folders that you know were used by PC Tools. Run another search for files with security in their names, again delete only the files known to be used by PC Tools (usually easy to tell since they stored in a folder called PC Tools but will usually be a subfolder of C:\Documents and Settings\YourUserName\Local and/or C:\Program Files\Common Files
Finally remove any remaining PC Tools driver using the hidden driver removal steps by Device Manager that I pointed out earlier in this thread to you:
Restart your computer and re-install a version of Spyware Doctor of your choosing.
Please find below the full list of PC Tools Hidden drivers currently installed on my Windows 7 PC:
I hope the above information answers your questions in sufficient detail, if not, I would be happy to provide any further information you require.
Please let us know how you progress with the steps that you have suggested.
Last edited by jimboc007; 06-10-2012 at 08:02 PM.