A few months ago a client reported that all their computers started becoming slow at times. My first thought was a virus on the network, because it was ALL the computers and they had been infected with CryptoWall previously; however, a lot of scanning with their AV and additional programs found nothing.
Whenever we got control of their computers we couldn't find any viruses and we couldn't see the problem, so I started looking elsewhere.
All their profile data is redirected to the servers, so I started looking at the network.
They're in a nice serviced building that takes care of the cabling, and a bunch of the sockets will only connect at 100Mb. They also have old Netgear switches. I'm no fan of Netgear; we've had a tonne of problems with Netgear equipment over the years and much prefer Cisco gear.
Unfortunately, replacing the switches wasn't an option without sufficient proof they were at fault, so the search continued. Whilst I was attending a scheduled visit I took a look at the computers and found that one instance of svchost.exe was using over 1Gb of RAM!
Loading up Process Explorer from Sysinternals, I managed to track down what was consuming the RAM. Surprisingly it was Windows Update! Windows freaking UPDATE!
Why the heck would it consume all that memory, almost constantly? A bit of digging and it seems like late last year/early this year others started having the same problems with Windows Update with no real reason found, no update in particular causing this.
The only thing I could find was to change the default Windows Update GPOs to tell Windows to check for updates less often than once an hour, which is the default. I set it to 22 hours, which was the max allowed, as there is also a ±2 hour variance in the schedule. (When I remember the exact setting I'll update this post, sorry.)
Within a day they reported their computers were noticeably better! Well, except one PC: even removing it from any OUs to prevent the GPOs from applying, and rebooting many times, made no difference to it. Disabling Windows Updates on that machine does help, but it's no fix, it's a bodge. Removing it from the domain, re-adding it, reinitializing Windows Updates, etc.: still no joy, so this sucker is being reinstalled soon. For now it's a scheduled task to start Windows Updates overnight and stop it during working hours. Horrible non-standard fix (read as bodge), but sometimes a tech's gotta do what a tech's gotta do.