High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.

Every few days the System and ashWebSv.exe process start using about 40-50% CPU each. I am not sure what starts this problem, but I am using Firefox typically when it happens and suddenly the sites are somewhat accessible with many not working at all. I attempted to search this forum for a similar case but could not find one.

I did notice that I should check to see what it is scanning. I have been using FileMon previously, but did not think of using the “avast! On-Access Scanner” window. Next time it does this I will check.

Unfortunately, I had already attempted to stop the process using the services.msc and using “Stop On-Access Protection” from the right click menu. By the time I checked the On-Access Scanner (I will do this first next time), it showed the process as not running (even though it still was) and the only option was “Terminate” which did not work. Interestingly, after I clicked Terminate it allowed me to click Start again, but that did not seem to have any effect on the running processes.

FYI: I have been using Process Explorer and FileMon to try to determine the cause of the problem. One thing FileMon did show was that ashWebSv.exe was logging to AshWebSv.ws quite a bit. Even though the size and last modified date of the file were not being updated, the file was getting the following lines over and over:

***Server: too many winsock errors (776). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

To give you an idea of how much it is writing these messages, the log file was at 3030 lines when it started and it is now at 7942, all with that same error message over and over (with two empty lines in between each set).

I am still able to use the computer just fine, and generally the Web works fine after I start messing with it. The 100% CPU problem doesn’t seem to be slowing the machine down at all.

Here are some details:

Windows XP SP3
Core 2 Duo (maybe why my machine isn’t slowing down)
Avast Home 4.8.1229
Virus DB 080914-0
Firefox 2.x

Also, I put my computer in stand-by mode quite regularly.

In closing, the AshWebSv.ws is now at 9687 lines :stuck_out_tongue:

Help from Lukas will be welcome…

I too have been having 50% CPU usage as viewed in the Task Manager. My computer also has a memory leak that gets worse every hour. I end up having to reboot to end the AshWebSv.exe service. This CPU hog is affecting my computer's ability to process heavy graphic images and to run multiple applications.

I have a similar computer to the guy in the original post with about 2GB of memory.
I am using Firefox 3.01, IE 7, etc…

This is a serious issue and needs addressing. If this serious flaw cannot be fixed I will have to uninstall and discontinue using apps from avast.

Any help appreciated.
Thanks.

Hi, what about firewalls? Do you guys have any? I have seen similar problems with Ashampoo.

Do you have any other security program installed and running in background? Antispyware?

Thanks for coming Lukas :wink:

add another report

ashwebsv.exe is using over 50% of the CPU and “system” is now using the balance.

I have shut down the providers. No change. 3 hours later ashwebsv is still thrashing.

Can’t stop the process from task manager.

Moving to reboot as the final option.

Update: It took a few days but it occurred again. I checked the avast! On-Access Scanner window and for “Web Shield” it reported that it last scanned www.telegraph.co.uk, had scanned 35956 and had a runtime of 3:23:39:22. I tried the “terminate” button first this time, but it did not work. The on-access scanner window appears like the provider is closed, but the process is still running in the background.

However, I did verify that I am able to use the internet again after attempting to terminate the process. While it is still running at 50/50% CPU, I am now able to access any site and, of course, post to this forum. One thing I will note, however, is that I am able to access computers on my local just fine even before I attempt to terminate the process. I did not try to access a web site by IP, but I can try that next time it happens. I do however typically access computers on my network via a DNS name that resolves from my router.

Since that log was talking about winsock errors, I attempted to disconnect all network devices in the Network Connections window. After doing that, the System process went back down to near 0% CPU usage. However, the ashwebsv.exe process is still using 50% of the CPU. I have a dual core machine so that is why it only uses 50%.

Update (because I don’t feel like rewriting this ;D) – While the System CPU is now at near 0%, my network connection seems completely dead. ((I started saving this post in a text file when I noticed this))

Update again – TCPView is showing Ashwebsv.exe with a lot of listening connections open, all on port 12080, which is strange as I don’t think it should be able to have two entries in TCPView with the same local IP and port. Here is the detail:

ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
<<previous line repeats about 150 times>>
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12720 ESTABLISHED
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12722 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12723 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12721 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12724 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12726 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12719 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12735 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12727 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12728 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12718 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12733 CLOSE_WAIT

As always, the following entry is appearing quickly in the ashwebsv.ws log file:

***Server: too many winsock errors (64368). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

The log is now at over 26000 lines. I think I might set up a ‘tail -f’ to cronolog to get an idea of when these entries are appearing. If they have been appearing over the last week, it may be something that has to build up over a few days to take effect.

((Edit: I did not restart my computer until after I finished the entire above post. Made a small edit to make sure it did not seem like I saw the TCPView errors after I restarted, when in fact I saw them before I restarted.))

@lukor & Tech: I use the Windows firewall. I am running no other security software except for PeerGuardian which I have had disabled for a few weeks (it is running though). I am also running Hamachi.

After I installed SP3 I stopped being able to use remote desktop. Not sure if that’s related.

Also, I am running a tail -f on that .ws log file with cronolog to get an idea of how early these entries start appearing.

Update again -- TCPView is showing Ashwebsv.exe with a lot of listening connections open, all on port 12080, which is strange as I don't think it should be able to have two entries in TCPView with the same local IP and port.

I think that is a reasonable assumption.

How about you give us a baseline screen shot of your TCPView before the problem occurs.

Tail of the AshWebSv.ws file:

***Server: too many winsock errors (17796). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

Filesize is: 3,354KB and growing…

is there a way to stop this without a reboot?

Are you using any P2P software on your system or any streaming connection?

Hi,
definitely something went fairly wrong.

The “re-listening the sockets!” error line appears when the accept() in WebShield gives many errors - which usually means something (from our experience it frequently was an LSP-based firewall (probably not now) or other LSP plugin) has corrupted the listening socket inside WebShield. WebShield tries to accept connections in a cycle, blocking on accept() - well, it is select(), but that does not make a big difference - when no connections are waiting. Since the socket is probably corrupted, this happens very quickly with an error code. After a bunch of error results, WebShield concludes that the socket it listens on is corrupted and tries to recover by closing all its sockets and listening again (on a new one).

To me it seems that the same “thing” that corrupts the listening sockets also prevents the socket from being completely closed and this is why it stays in the TcpView log. It seems to me like a corrupted Winsock stack in WebShield’s memory. This can happen with Winsock plugins (LSP), but surely it may be a memory corruption of some sort from a different source.

Could you please create a memory dump of WebShield and upload to avast ftp? (you will have to disable avast self-protection to do it).

Have you also tried userdump.exe? (the command-line program) Sometimes, it works better.

http://public.avast.com/~vlk/userdump.exe

The syntax is
userdump.exe ashWebSv.exe c:\ashWebSv.dmp
(producing dump file in the root of C:\ drive)

Also, make sure you’re logged on as administrator before doing this.

I assume WebShield will be cycling in the listen/accept/error/re-listening branch, eating all available CPU it gets, but it will at least tell us what other (if any) software is loaded inside WS.
thanks.

lukas
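A triage sketch for the two symptoms discussed in this thread, the duplicate LISTENING rows in TCPView and the re-listen counter in AshWebSv.ws. This is an added example, not part of any post and not avast! code; the function names are hypothetical and the sample text is constructed in the layouts quoted above.

```python
import re
from collections import Counter

# Constructed sample in the TCPView row layout quoted in the thread.
TCPVIEW_SAMPLE = """\
ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12720 ESTABLISHED
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12722 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12723 CLOSE_WAIT
svchost.exe:1044 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
"""
# Constructed sample in the AshWebSv.ws layout quoted in the thread.
WS_LOG_SAMPLE = """\
***Server: too many winsock errors (776). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

***Server: too many winsock errors (17796). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.
"""

ROW = re.compile(r"^(\S+):(\d+)\s+(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)$")
RELISTEN = re.compile(r"too many winsock errors \((\d+)\)")
ACCEPT_ERR = re.compile(r"accept\(\) failed .*?\((\d+)\)")

def socket_leaks(tcpview_text):
    """Flag (process, pid, local endpoint) keys that have more than one listener."""
    listening, close_wait = Counter(), Counter()
    for line in tcpview_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a connection row
        proc, pid, _proto, local, _remote, state = m.groups()
        key = (proc, int(pid), local)
        if state == "LISTENING":
            listening[key] += 1
        elif state == "CLOSE_WAIT":  # peer closed, the local end was never closed
            close_wait[key] += 1
    return {k: {"listeners": n, "close_wait": close_wait[k]}
            for k, n in listening.items() if n > 1}

def relisten_summary(log_text):
    """Count re-listen events, the latest error counter, and accept() error codes."""
    counters = [int(n) for n in RELISTEN.findall(log_text)]
    codes = Counter(int(c) for c in ACCEPT_ERR.findall(log_text))
    return {"relistens": len(counters),
            "last_error_count": counters[-1] if counters else 0,
            "accept_codes": dict(codes)}
```

Running both functions on snapshots taken before and during an episode gives the baseline comparison asked for earlier in the thread.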

C:>userdump.exe ashWebSv.exe c:\ashWebSv.dmp
User Mode Process Dumper (Version 1.0)
Copyright (c) 1999 Microsoft Corp. All rights reserved.

Dumping process 1640 (ashWebSv.exe) to
c:\ashWebSv.dmp…
The process could not be dumped.
Access is denied.

I was logged in as administrator

Self protection turned off ?

Dump is 357,073 lines… is there somewhere I should e-mail it?

Yes, mail it. Better, zip the file and send the archive :wink:

The dump is a binary file, so I’m not sure how you count the number of “lines”. I’d say it should be rather big to be sent by e-mail…
I suggest uploading it to our FTP: ftp://ftp.avast.com/incoming

I want to report High CPU use from ashWebSv, but only of Avast! 4.8. ashWebSv of Avast! 4.7 is just working fine, with normal CPU use.

uploaded to incoming FTP 97.03MB :slight_smile: Have fun with it.

my money is on a p2p program that is starting those connections.