Virus/Malware What's wrong with this error?, Generic Host Process for Win 32

nlinley
post Nov 4 2008, 10:29 AM

Getting Started
Group Icon
Elite
181 posts

Joined: May 2006
From: Shah Alam


Svchost.exe is a generic wrapper program for Windows system services. You will see several of them running at any time on your machine, and each can have more than one service under it. To get details on what services run under each process, you can run "tasklist /svc". When you get the crash notification, you should check the event log for Service Control Manager events for services that have stopped unexpectedly. Once you know what services are impacted, you can try to narrow down what might be the problem. Also, while the popup is up, you can grab the memory dumps out of the temp folders for debugging if you know what you are doing. That way you can look at the stack trace to get a better idea of what causes the error in the application.
nlinley
post Nov 4 2008, 11:31 AM


To help prevent problems, for home users of XP, I would suggest also reducing the attack surface of your machine by disabling unnecessary and unsecure services. Here is a list below of what can be disabled.

Alerter
ClipBook
Computer Browser
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Fast User Switching Compatibility
Help and Support
Indexing Service
IPSEC services
Logical Disk Manager
Messenger
Net Logon
Network DDE
NT LM Security Support Provider
Remote Registry
Removable Storage
Routing and Remote access
Secondary Logon
Server
Shell Hardware Detection
SSDP Discovery Service
Task scheduler
Telnet
Terminal Services
Universal Plug and play device host (if not needed by hardware)
Volume Shadow Copy
WebClient

I have run an XP system connected to the internet with no firewalls, having all of these turned off, a few defense dept type of security registry hacks, plus having standard antivirus with definitions typically 1 month old, and never had a problem.
nlinley
post Nov 4 2008, 08:03 PM


11/4/2008 12:35:20 PM - AmZ RemoteAccess Information None 20158 N/A THE-12A36E1A436 The user diny59@streamyx successfully established a connection to Streamyx using the device PPPoE4-0.
11/4/2008 12:34:26 PM - AmZ Service Control Manager Information None 7036 N/A THE-12A36E1A436 The IMAPI CD-Burning COM Service service entered the stopped state.
11/4/2008 12:34:20 PM - AmZ Service Control Manager Information None 7036 N/A THE-12A36E1A436 The IMAPI CD-Burning COM Service service entered the running state.
11/4/2008 12:34:20 PM - AmZ Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM THE-12A36E1A436 The IMAPI CD-Burning COM Service service was successfully sent a start control.
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The lxcz_device service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The PDEngine service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The PDAgent service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The Capture Device Service service terminated unexpectedly. It has done this 1 time(s).


From this system log it looks like any one of the above services might have a problem. Since most are not Microsoft related, I doubt system hotfixes are going to help you. You might need to look at software updates for the apps, or hope for better information in the Dr Watson log if the errors there are related. From my experience though, if you get the popup error you had posted in your initial message, whatever is in Dr Watson is probably not related at all to this problem. You can open Dr Watson up (drwtsn32) and it shows the various events that have been captured and the source. If the source was not the same svchost.exe, you are wasting your time looking at that. The events in Dr Watson might be old and not related, as by default it only captures 10 application crashes then stops capturing. I would think there would be an event in the system log for Dr Watson as well if it was involved. I would ensure all the software you use is compatible with XP and your hardware and there are no known issues.


Added on November 4, 2008, 8:06 pm

Also from apps log I'm thinking it is capture service related to HPQCXS08. Do you have an HP scanner or printer installed or connected to this machine?

This post has been edited by nlinley: Nov 4 2008, 08:06 PM
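An added example, not part of the original posts: a Python parser for the exported System log layout pasted above that pulls out the Service Control Manager 7034 "terminated unexpectedly" events and groups them by timestamp, so services that died in the same second are reviewed together. The field layout is inferred from the pasted lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the log in the post above (subset).
SAMPLE_LOG = r"""
11/4/2008 12:34:20 PM - AmZ Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM THE-12A36E1A436 The IMAPI CD-Burning COM Service service was successfully sent a start control.
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
11/4/2008 12:34:09 PM - AmZ Service Control Manager Error None 7034 N/A THE-12A36E1A436 The Capture Device Service service terminated unexpectedly. It has done this 1 time(s).
"""

# Assumed layout: timestamp, "- <tag>", source, type, category, event ID, then user/computer/message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+-\s+\S+\s+"
    r"(?P<source>.+?)\s+(?P<level>Information|Warning|Error)\s+\S+\s+"
    r"(?P<event_id>\d+)\s+(?P<rest>.*)$"
)
CRASH_RE = re.compile(
    r"\bThe (?P<service>.+?) service terminated unexpectedly\. "
    r"It has done this (?P<count>\d+) time\(s\)"
)

def parse_line(line):
    """Split one exported event line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["event_id"] = int(rec["event_id"])
    return rec

def crash_clusters(text, min_services=2):
    """Group Service Control Manager event 7034 records by timestamp."""
    by_time = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["source"] != "Service Control Manager" or rec["event_id"] != 7034:
            continue
        m = CRASH_RE.search(rec["rest"])
        if m:
            by_time[rec["ts"]].append((m["service"], int(m["count"])))
    return {ts: svcs for ts, svcs in sorted(by_time.items()) if len(svcs) >= min_services}

if __name__ == "__main__":
    for ts, svcs in crash_clusters(SAMPLE_LOG).items():
        print(ts, "-", [name for name, _ in svcs])
```
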
nlinley
post Nov 6 2008, 11:04 AM


Having the latest patches would always be a good idea and might be related to this problem. The KB958644 patch is new and should definitely be installed to overcome the associated vulnerabilities. The previous patch link you had provided in the thread is for an older patch with a netapi32.dll version that the topic starter already had installed. So having them install it again wasn't really helping. Running Windows Update to get everything up to date would be a good idea to see if it solves the problem. However, attacks against netapi32.dll vulnerabilities should affect more services, specifically lanmanserver and any of the many other services that frequently run in the same svchost.exe process, not just a svchost full of third party services.
