(For the analysis of “svchost.exe”, I used my PC with Windows XP Professional Edition environment.)
What is “svchost.exe”?
According to Microsoft, “svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs)”.
svchost.exe is a process that hosts various services in the OS. Upon OS startup, svchost.exe processes start various network services and other services. The services started by svchost.exe are listed under the following registry key.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
What is the svchost.exe process?
In summary, svchost.exe processes are embedded in the system and started when booting the system.
First, I listed the svchost processes running for different services. At the command prompt, enter “tasklist /SVC” to show the list.
Image Name                     PID Services
========================= ======== ===========================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       316 N/A
csrss.exe                      424 N/A
wininit.exe                    484 N/A
csrss.exe                      504 N/A
services.exe                   540 N/A
lsass.exe                      568 KeyIso, SamSs
lsm.exe                        576 N/A
svchost.exe                    680 DcomLaunch, PlugPlay, Power
svchost.exe                    756 RpcEptMapper, RpcSs
svchost.exe                    816 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe                    848 AudioEndpointBuilder, Netman, PcaSvc, SysMain, TrkWks, UxSms, Wlansvc, wudfsvc
svchost.exe                    892 Appinfo, BITS, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1000 EventSystem, netprofm, nsi, WdiServiceHost
svchost.exe                    440 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
winlogon.exe                   372 N/A
svchost.exe                   1100 BFE, DPS, MpsSvc
coreServiceShell.exe          1220 Amsp
uiWatchDog.exe                1300 N/A
conhost.exe                   1384 N/A
LMS.exe                       1428 LMS
coreFrameworkHost.exe         1456 N/A
conhost.exe                   1464 N/A
NitroPDFReaderDriverServi     1540 NitroReaderDriverReadSpool
SeaPort.exe                   1592 SeaPort
taskhost.exe                  1728 N/A
dwm.exe                       2060 N/A
explorer.exe                  2084 N/A
igfxtray.exe                  2420 N/A
hkcmd.exe                     2432 N/A
igfxpers.exe                  2444 N/A
cAudioFilterAgent64.exe       2456 N/A
ETDCtrl.exe                   2464 N/A
OnekeyStudio.exe              2492 N/A
utility.exe                   2500 N/A
Energy Management.exe         2532 N/A
igfxsrvc.exe                  2560 N/A
uiSeAgnt.exe                  2588 N/A
SugarSyncManager.exe          2652 N/A
GoogleUpdate.exe              2660 N/A
IAStorIcon.exe                2912 N/A
OnekeySupport.exe             2928 N/A
soffice.exe                   2936 N/A
svchost.exe                   2992 FontCache, SSDPSRV, upnphost
soffice.bin                   3000 N/A
PManage.exe                   2080 N/A
YouCamTray.exe                2296 N/A
jusched.exe                   2332 N/A
SearchIndexer.exe             2856 WSearch
IAStorDataMgrSvc.exe          3820 IAStorDataMgrSvc
UNS.exe                       3300 UNS
wmpnetwk.exe                  2844 WMPNetworkSvc
wuauclt.exe                   4580 N/A
notepad.exe                   3304 N/A
firefox.exe                   4248 N/A
plugin-container.exe          5100 N/A
notepad.exe                   3500 N/A
taskmgr.exe                   4548 N/A
cmd.exe                       2376 N/A
conhost.exe                   2356 N/A
tasklist.exe                  4348 N/A
WmiPrvSE.exe                  4392 N/A
The tasklist above shows there are nine svchost.exe instances running on my PC.
If you want to show only svchost.exe instances, type the following command in the command prompt:
tasklist /fi "imagename eq svchost.exe" /svc
Image Name                     PID Services
========================= ======== ===========================================
svchost.exe                    680 DcomLaunch, PlugPlay, Power
svchost.exe                    756 RpcEptMapper, RpcSs
svchost.exe                    816 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe                    848 AudioEndpointBuilder, Netman, PcaSvc, SysMain, TrkWks, UxSms, Wlansvc, wudfsvc
svchost.exe                    892 Appinfo, BITS, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1000 EventSystem, netprofm, nsi, WdiServiceHost
svchost.exe                    440 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
svchost.exe                   1100 BFE, DPS, MpsSvc
svchost.exe                   2992 FontCache, SSDPSRV, upnphost
tasklist is a great tool, but it does not provide detailed information on svchost.exe. For further analysis there is “Process Explorer”, which helps troubleshoot problems with svchost.exe. The following description is what I have learned using this software.
Troubleshooting svchost problems
The problems broadly fall into the two categories below.
(I) svchost.exe instances use a lot of memory and CPU resources, which occasionally freezes the system.
(II) Security tools mistakenly detect svchost.exe instances.
Let’s take a close look at each category.
(I) svchost.exe instances use a lot of memory and CPU resources, which occasionally freezes the system.
You might have noticed that OS/software updates via the Internet take a long time, or that the system becomes slow after you have been using your PC for a while. One possible cause of this kind of problem is that a certain svchost.exe instance uses up the CPU.
Take the following actions using Process Explorer:
- Open the application and select the svchost.exe instances in question.
  * Check the ones with high values in “Private Bytes” and “Working Set”.
- Right-click and choose “Properties” to see the details of the instance.
- Click the “Services” tab in the Properties window to see the services registered in the process.
- Select the service in question, press “Stop”, and see how the system behaves.
I found out that update services were taking up a considerable amount of resources on my PC. Switching the update method from automatic to manual reduced the burden on the CPU.
(II) Security tools mistakenly detect svchost.exe instances.
Some svchost.exe processes are essential for starting the Windows system and keeping it running. The system may become unstable if they are disabled, yet some hackers exploit svchost.exe. There have been many reports of viruses running under the name “svchost.exe”.
Security software companies are apparently taking measures against “svchost.exe” viruses, although this may well cause some legitimate programs to be detected as viruses. So I would suggest checking the services with Process Explorer.
- Following the procedure shown in case (I), click the “Services” tab in the Properties window and check the services registered in the process.
- Search with search engines for the name of the services that you suspect are malicious programs.
If the services turn out to be malicious, you can try online security check services provided by security software companies such as Norton and VirusBuster.
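A scripted first pass for the check in (II), as an added example that is not part of the original post: it parses saved “tasklist /svc” output and lists the rows worth opening in Process Explorer. The sample text is constructed, and the two heuristics (an svchost.exe row hosting no services, an image name that nearly spells svchost.exe) are assumptions that mark a process for inspection, not verdicts.

```python
import difflib

# Constructed sample in the fixed-width layout printed by `tasklist /svc`
# (not captured from a real host). Long service lists wrap onto a continuation line.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
services.exe                   540 N/A
svchost.exe                    680 DcomLaunch, PlugPlay, Power
svchost.exe                    892 Appinfo, BITS, EapHost, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, ProfSvc, Schedule
svchost.exe                   3120 N/A
scvhost.exe                   3344 N/A
notepad.exe                   3304 N/A
"""

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])]; column widths come from the ==== rule."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    rule = next(i for i, l in enumerate(lines) if set(l) <= set("= "))
    w_name, w_pid = (len(p) for p in lines[rule].split()[:2])
    svc_col = w_name + 1 + w_pid + 1          # first column of the Services field
    rows = []
    for line in lines[rule + 1:]:
        name = line[:w_name].strip()
        pid = line[w_name:svc_col].strip()
        names = [s.strip() for s in line[svc_col:].split(",") if s.strip() not in ("", "N/A")]
        if name:
            rows.append((name, int(pid), names))
        elif rows:                            # wrapped line: extend the previous row
            rows[-1][2].extend(names)
    return rows

def triage(rows, real="svchost.exe"):
    """Heuristic flags (assumed thresholds): reasons to inspect, not proof of malware."""
    hits = []
    for name, pid, svcs in rows:
        low = name.lower()
        if low == real and not svcs:
            hits.append((pid, name, "svchost.exe hosting no services"))
        elif low != real and difflib.SequenceMatcher(None, low, real).ratio() >= 0.8:
            hits.append((pid, name, "name resembles svchost.exe"))
    return hits

if __name__ == "__main__":
    for hit in triage(parse_tasklist_svc(SAMPLE)):
        print(hit)
```

The flagged PIDs are the ones to look up in Process Explorer, where the “Services” tab shows what each process really hosts.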
Process Explorer is free software, so you lose nothing by downloading it. It is part of Windows Sysinternals, a set of reliable system utilities from Microsoft. I suggest you first install it to protect your PC from viruses.

