Now this issue is truly interesting. For starters, who will actually notice that some Windows service is producing permanent internet traffic? Secondly it was really kinda hard to find out what was causing the download.
I don’t know which Windows versions do have this scenario, but I’m guessing Windows XP and all later versions are “affected”. I’ve experienced it with Windows 7 x64 and Windows 7 x64 with SP1.
It hasn’t been the first time that I had noticed something was causing traffic for which I couldn’t come up with an explanation.
While I’m on holiday my main computer will keep running however pretty much idle – I can connect via VNC and check emails and instant messengers. I also get a daily report email from my router which includes the amount of incoming and outgoing bytes.
So this one time I noticed that the incoming data was round about 1GB – needless to say I was away not using the computer. This amount kept showing up for the following days on which I was still out of town.
What could cause such an amount of traffic? There were no downloads going on, incoming emails were at a minimum, so I was ruling out other programs one by one. Instant messenger clients, IRC clients, browsers (I actually even suspected Facebook, because they had introduced AJAX and other re-loading content techniques – even though 1GB was really a lot). No effect, the data was still coming in.
On the way of finding the culprit I was using NetLimiter, which is a really cool piece of software btw. Primarily the software can be used for limiting network bandwidth for certain programs, processes and threads (hence its name). However it will also show the currently used bandwidth (upload as well as download) for all programs, processes and threads (down to every single socket).
One way of stopping this would be using NetLimiter to limit the connection of the appropriate process. But since I wanted to get to the bottom if it, I kept on digging.
NetLimiter gave me the name of the program and the PID of the process that was causing the traffic: at that time svchost.exe was tanking at a constant rate of 70K/s.
svchost.exe is the “Host Process for Windows Services”, so everything you see running when you look at services.msc is done by svchost.exe. Since this program is essential for Windows and running more than just one service, I can’t just kill it and be done with it. I had to find out, which service was actually the one responsible.
With the help of this post I found a command that lists all services connected to svchost.exe and a special PID:
tasklist /svc /fi "imagename eq svchost.exe"
Among other PIDs I got this result for a PID (of which I deleted the last digits):
| Image Name | PID | Services |
|---|---|---|
| =========== | === | ================ |
| svchost.exe | 10** | AeLookupSvc, Appinfo, AppMgmt, BITS, Browser, gpsvc, iphlpsvc, LanmanServer,MMCSS, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv |
So that was already narrowing it down to 16 services. Not great but just another step towards the goal. Another obstacle that made this difficult for me is, that I am using a German Windows. Even though the result list of the tasklist call is the same, services.msc will list the services by their German name. You can actually find the German service by translating the short name from the result list and looking for a similar service (I will paste a translation table later on).
During my search for fellow people with the same problem, I stumbled across the mention post. The dude solved the problem by disabling BITS (Background Intelligent Transfer Service), which sounded promising but didn’t solve it for me. I went through the list one by one (fearing that it might be a combination of services that was causing the traffic) and finally got lucky with iphlpsvc. The IP Helper Service service is doing stuff for IPv6 connections and tunneling, which I’m not using anyway.
So after disabling the IP Helper this horror story was finally over and I could save 1GB of download per day ;).
As promised, here’s a list with the equivalent German names.
The titles of the result list provided by the tasklist command are:
Abbildname PID Dienste
And the full service names are (I’m only listing those that are run by that PID):
| Service shortname | English name | German name |
|---|---|---|
| AeLookupSvc | Application Experience | Anwendungserfahrung |
| Appinfo | Application Information | Anwendungsinformationen |
| AppMgmt | Application Management | Anwendungsverwaltung |
| BITS | Background Intelligent Transfer Service | Intelligenter Hintergrundübertragungsdienst |
| Browser Computer | Browser | Computerbrowser |
| gpsvc | Group Policy Client | Gruppenrichtlinienclient |
| iphlpsvc | IP Helper Service | IP-Hilfsdienst |
| LanmanServer | Server | Server |
| MMCSS | Multimedia Class Scheduler | Multimediaklassenplaner |
| ProfSvc | User Profile Service | Benutzerprofildienst |
| Schedule | Task Scheduler | Aufgabenplanung |
| SENS | System Event Notification Service | Benachrichtigungsdienst für Systemereignisse |
| ShellHWDetection | Shell Hardware Detection | Shellhardwareerkennung |
| Themes | Themes | Designs |
| Winmgmt | Windows Management Instrumentation | Windows-Verwaltungsinstrumentation |
| wuauserv | Windows Update | Windows Update |
So yeah, whatever the IP Helper service is doing, it is bugging me no more. I hope this post is useful to anyone else out there :).
Thank you very much for your solution
Ip helper cost me a few bucks wasting my traffic…till i landed in your website
It worked successfully!
Thank u so much
followed ur steps to find out the service.. disabling iphelper worked successfully to stop that unnecassary bandwidth loss.
Big thanks! Really helpful, appreciated the relentless digging and end up the bandwidth eater is out of the way!
Thanks you so much for your guide. It saved a lot of my money. 🙂
I just installed windows 10 on win 7 and saw i=that web was sow,from task manager found out svchost -the culprit.Thanks for the post finaly stopped the bits and now no consumption of data from svchost.
got the same problem, and i have disabled BITS. and it works fine for me.
I’ve had the same problem. I’ve been blocking svchost with netbalancer but can I do that forever? I too would like to know what’s being downloaded and why, since it’s eating up my limited data when I let it run.
I was checking a way to disable svchost fully.. fortunately without disabling i could find a way to limit it .. http://www.windowstechinfo.com/2015/05/how-to-limit-svchost-exe-downloading-constantly-eating-all-my-bandwidth-using-netbalancer.html
Hi, Harald ! Do you have any idea what caused such excessive usage ? Is it the service itself ? Оr some software using it ?
@mahmood:
Thank you for your comment and letting us know that BITS solved your problem.
Concerning the issue about the IP address you discovered: BITS is just a service that can be used be any sort of software (if you use the Windows SDK you can program your own software that uses BITS). So the IP address you found out about is merely the server part of some software that used BITS.
An extensible task manager (e.g. Process Manager) might give you insights about the original service caller.
Thanks for the guide. It was useful for me too as I found the BITS was
the suspect. So when stop the service, the download suddenly ends…
However this is a workaround.
Fortunately, this service has no dependecy (as you note). It itself depends on two other important services “COM+ event system” and “Remote procedure call”.
Still I wonder how can we pinpoint why this services is trying to download huge things! Using performance monitor, I see that this services is connected to an IP address. Using ripe.net, I searched the IP but it was a global IP and have no idea what is that! In other word, I expected to resolve the IP address and see that the destination is microsoft.com (or another well known web site).
Do you have any idea on how to narrow the bug finding procedure?
Nachdem das Problem bei mir vor 3 Tagen plötzlich aufgetreten ist, konnte ich es mit der Hilfe Ihres Artikels nun endlich beseitigen. Bei einer mir zur Verfügung stehenden Bandbreite von nur ca. 6-8kByte/s, lastete der Dienst meinen gesamten Datenverkehr aus – surfen war so gänzlich unmöglich (was vorher schon langsam genug ging).
Bei mir war übrigens BITS der Verursacher.