I have several computers running BOINC. One computer runs only BOINC - it is not used for anything else. It runs an Intel E6600 Core 2 and is set to run 100% of the time on BOINC.

That works for about 3 minutes. Then, Windows Task Manager shows that a program called svchost.exe with a User Name of SYSTEM takes over 50% of my CPU activity. This leave the two BOINC applets that I am running sharing the other 50%. I go in and end the process, and the program goes away, allowing BOINC to use 100% of the CPU. Then, about 3 to 5 minutes later, svchost.exe restarts and takes over CPU again. I have had this problem on other computers, but when I kill off the svchost program, it remains killed off.

I am no computer expert, and I have no idea why it is doing this to me on one computer. Can anyone help me? Is there some background Microsoft program (or a local service) that I can disable to get this to stop?

you want to get process explorer from sysinternals (now owned by MS) to investigate what is going on:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Thanks frankhagen. I did as you suggested and ran the software. Keeping in mind that I know almost nothing about the internal workings of computers, I found the following:

The dll that is running is "ADVAPI32.dll!CryptVerifySignatureW+0x17", whatever that means. I killed it and it came back. Then, I went in and Suspended it. That seems to have stopped it. However, I have no idea if that is a process that I want to suspend. The name (CryptVerifySignature) sounds very official, like it is protecting me from something. I'm a little skeptical of the name but don't want to be fooled into wasting CPU. Any thoughts? So far so good.

highlight it and hit ctrl+m

hard to find out from here what's going on..

Thanks frankhagen. I don't know why it works, but it works. Where Task Manager would only stop it for a few minutes, Process Explorer has stopped it for a few hours and counting. I'd have been out of luck without your help. Thanks again.

Gregg, which anti-virus are you running on that computer?

Um, yeah... what he said.

First, make sure it's svchost.exe and not svchosts.exe. The one with an extra "s" is a trojan.

Svchost.exe is used by services to establish internet connection. One of its primary jobs is to load the hosts file. If you are using anti-malware software that loads entries into the hosts file (or have a worm that loads entries into the hosts file), svchost will take about 5-20 minutes to run. When it does run, it usually takes about 95-99% of a core. It runs at a very high priority. That is normal. (Annoying, but normal.) Some antivirus / anti-malware software that tweaks the firewall settings or other network settings can apparently also set svchost to do its thing.

First and foremost, what antivirus / anti-malware software are you running. If you say "none", you've probably just answered your question. Even if you never surf the web (spyware, virus) or install anything (trojan), you can get the creeping crud. By definition, a "worm" is self replicating. The normal replication is to send out a blanket ping signal on the vulnerable port, and then attach to and copy itself to any computer that responds. You still have to keep your system up to date, and have antivirus software. If the machine just sits there, a freeware antivirus and firewall program should protect it just fine. (Make *sure* you do some reading on other sites and use something good and legit, not "rogue".)

One last thing, check your hosts file. It will be in the windows directory, under system32\drivers\etc\. (The location seems the same in 64-bit Vista.) Open it with notepad. (Be careful if you edit it. It *cannot* be saved as a .txt or .doc file.) It will start with a block of text. After that, you should only see one or two entries. One will be "127.0.0.1 localhost". You may also see "::1 localhost".

If you see more, that's reason for concern, if you didn't do it yourself. Look through the names. Entries are read right to left. The right is the "English name" entry it gets from what you type in a web browser. The left is a numeric IP. It will resolve the address on the right to the IP on the left. This is done locally, with no Domain Name Resolution request to your ISP server.

If the IP addresses are 127.0.0.1, this is the loopback address that is in the hardware of your (and every) network card. It's an industry standard, dummy "test" address. This can be good or bad. If the address is something else, that means something is trying to re-direct your traffic, which is why svchost.exe is running. (See, I was going somewhere with this! ) Look at the network names.

If the names look, like malware sites (random strings of letters and numbers), and bad porn sites (trust me, these *will* be obvious! ), and they go to the local loopback (127.0.0.1), that is any anti-malware software you have trying to protect you. This is a simple trick to redirect known bad sites to the local loopback, so your computer cannot reach them. In this case, let the svchost run. It's for the good of your PC. Yes, it can take 20 minutes or more.

If the names are company names, most commonly Microsoft sites, search engines (Google, Yahoo), and anti-malware companies (Symantec, McCaffee, Grisoft, CATrust, ZoneLabs), something is trying to keep you from getting to support / malware sites, and that's bad. That's a sure sign of infection.

So, check your AV software, make sure it's updating. Make sure you're getting updates from Microsoft. Check your hosts file.

OK?

Mike