My PC is running slow with so many svchost.exe in process, what is it?

(For the analysis of “svchost.exe”, I used my PC with Windows XP Professional Edition environment.)

What is “svchost.exe”?

According to Microsoft, “svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs)”.

svchost.exe is a process that hosts various services in the OS. Upon OS startup, svchost.exe processes start various networks and services. The services started by svchost.exe are described in the following registry key.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

What is svchost.exe process?

In summary, svchost.exe processes are embedded in the system and started when booting the system.

First I have listed svchost processes running for different services. In the command prompt, input “tasklist/SVC” to show the list.

Image Name                    PID Services
========================= ======== ===========================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       316 N/A
csrss.exe                      424 N/A
wininit.exe                    484 N/A
csrss.exe                      504 N/A
services.exe                   540 N/A
lsass.exe                      568 KeyIso, SamSs
lsm.exe                        576 N/A
svchost.exe                    680 DcomLaunch, PlugPlay, Power
svchost.exe                    756 RpcEptMapper, RpcSs
svchost.exe                    816 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe                    848 AudioEndpointBuilder, Netman, PcaSvc,
SysMain, TrkWks, UxSms, Wlansvc, wudfsvc
svchost.exe                    892 Appinfo, BITS, EapHost, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, ProfSvc, Schedule,
SENS, ShellHWDetection, Themes, Winmgmt,
wuauserv
svchost.exe                   1000 EventSystem, netprofm, nsi, WdiServiceHost
svchost.exe                    440 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
winlogon.exe                   372 N/A
svchost.exe                   1100 BFE, DPS, MpsSvc
coreServiceShell.exe          1220 Amsp
uiWatchDog.exe                1300 N/A
conhost.exe                   1384 N/A
LMS.exe                       1428 LMS
coreFrameworkHost.exe         1456 N/A
conhost.exe                   1464 N/A
NitroPDFReaderDriverServi     1540 NitroReaderDriverReadSpool
SeaPort.exe                   1592 SeaPort
taskhost.exe                  1728 N/A
dwm.exe                       2060 N/A
explorer.exe                  2084 N/A
igfxtray.exe                  2420 N/A
hkcmd.exe                     2432 N/A
igfxpers.exe                  2444 N/A
cAudioFilterAgent64.exe       2456 N/A
ETDCtrl.exe                   2464 N/A
OnekeyStudio.exe              2492 N/A
utility.exe                   2500 N/A
Energy Management.exe         2532 N/A
igfxsrvc.exe                  2560 N/A
uiSeAgnt.exe                  2588 N/A
SugarSyncManager.exe          2652 N/A
GoogleUpdate.exe              2660 N/A
IAStorIcon.exe                2912 N/A
OnekeySupport.exe             2928 N/A
soffice.exe                   2936 N/A
svchost.exe                   2992 FontCache, SSDPSRV, upnphost
soffice.bin                   3000 N/A
PManage.exe                   2080 N/A
YouCamTray.exe                2296 N/A
jusched.exe                   2332 N/A
SearchIndexer.exe             2856 WSearch
IAStorDataMgrSvc.exe          3820 IAStorDataMgrSvc
UNS.exe                       3300 UNS
wmpnetwk.exe                  2844 WMPNetworkSvc
wuauclt.exe                   4580 N/A
notepad.exe                   3304 N/A
firefox.exe                   4248 N/A
plugin-container.exe          5100 N/A
notepad.exe                   3500 N/A
taskmgr.exe                   4548 N/A
cmd.exe                       2376 N/A
conhost.exe                   2356 N/A
tasklist.exe                  4348 N/A
WmiPrvSE.exe                  4392 N/A

The tasklist above shows there are nine svchost.exe instances running on my PC.

If you want to show only svchost.exe instances, type the following command in the command prompt:

tasklist /fi "imagename eq svchost.exe" /svc
Image Name                    PID Services
========================= ======== ===========================================
svchost.exe                    680 DcomLaunch, PlugPlay, Power
svchost.exe                    756 RpcEptMapper, RpcSs
svchost.exe                    816 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe                    848 AudioEndpointBuilder, Netman, PcaSvc,
SysMain, TrkWks, UxSms, Wlansvc, wudfsvc
svchost.exe                    892 Appinfo, BITS, EapHost, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
Schedule, SENS, ShellHWDetection, Themes,
Winmgmt, wuauserv
svchost.exe                   1000 EventSystem, netprofm, nsi, WdiServiceHost
svchost.exe                    440 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
svchost.exe                   1100 BFE, DPS, MpsSvc
svchost.exe                   2992 FontCache, SSDPSRV, upnphost

The tasklist is a great tool but does not provide detailed information on svchost.exe. Here is software for further analysis, “Process Explorer“, which helps troubleshoot problems with svchost.exe. The following description is what I have learned using this software.

Troubleshooting on svcshot problems

The problems broadly fall into the two categories below.

(I) svchost.exe instances use a lot of memory and CPU resources, which occasionally freezes the system.
(II) Security tools mistakenly detect svchost.exe instances.

Let’s take a close look at each category.

(I) svchost.exe instances use a lot of memory and CPU resources, which occasionally freezes the system.

You might have experienced that OS/software updates via the Internet take so long or that the system becomes slow as you keep using your PC for a while. One possible cause of this kind of problem is that a certain svchost.exe instance uses up the CPU.

Take the following actions using Process Explorer:

  1. Open the application and select svchost.exe instances in doubt.
    * Check ones with high values in “Private Bytes” and “Working Set”.
  2. Right-click and choose “Properties” to see the detail of the instance.
  3. Click “Services” tab in the Properties window, and you can see services registered in the process.
  4. Select a service in question to press “Stop” and see how the system goes.

I found out that update services were taking up a considerable amount of resources in my PC. Switching the update method from automatic to manual reduced the burden on the CPU.

(II) Security tools mistakenly detect svchost.exe instances.

Some svchost.exe processes are important to start the Windows system and keep it running. The system may become unstable if disabled, yet some hackers exploit it. There have been many reports of viruses under the name of “svchost.exe”.

Security software companies are apparently taking measures against “svcshot.exe” viruses, although it may well cause some of good programs to be detected as virus. So I would suggest services should be checked with Process Explorer.

  1. Following the procedure shown in the case (I), click “Services” tab in the Properties window and check services registered in the process.
  2. Search with search engines for the name of the services that you suspect are malicious programs.

If the services turn out to be malicious, you can try online security check services provided by security software companies such as Norton and VirusBuster.

Process Explorer is free software and you will lose nothing for downloading. This software is one of Window Sysinternals, reliable system utilities by Microsoft. I suggest you first install it to protect your PC from viruses.

This post is also available in other languages.