Inside Windows – svchost.exe
Posted by William Diaz on July 1, 2011
Think of svchost.exe as a container for the various services that run in Windows. Some examples of these services are the Windows Task Scheduler, the DNS Client service, and the Plug and Play service. It used to be that all these services ran as separate programs (.exe), but Microsoft eventually decided to move this functionality into Dynamic Link Libraries (.dll), where it could run more efficiently. The only problem with this is that DLLs cannot be launched like programs; they need to run from within an executable, hence the creation of the generic service host process.
Because svchost.exe is host to many services, you often see half a dozen or more svchost.exe’s running in the Windows Task Manager:
You can view all the various services by opening services.msc, but there is no way from here, or in the Windows XP Task Manager for that matter, to see which services are being hosted by any of the various svchost processes. To work around this, you can open the command shell and run tasklist /svc:
Alternatively, you can use Process Explorer from Sysinternals. Simply hover the mouse pointer over the svchost.exe process to see which services are running in it, or open the process properties and go to the Services tab:
In Vista and Windows 7 the Task Manager has gone through some big changes and you can now associate an instance of svchost.exe with the services it is hosting. To do this, right-click on the process and select Go to Service(s). The Services tab will open and the services hosted by the instance of svchost will be highlighted:
Alternatively, you can go into the Services tab of Task Manager and link a service to an instance of svchost using the Process ID (PID).
Knowing this is important when troubleshooting an instance of svchost that is consuming excessive CPU, because you can look at the individual services it is hosting and stop and start them one at a time. Furthermore, you can use Process Explorer to identify which thread is tied to which service and so find the one causing the excessive CPU usage:
Lastly, it should be noted that the genuine svchost process is always a child of services.exe. Some malware will try to disguise itself as svchost.exe, but it will not be running as a child of services.exe; instead it runs as its own process, typically under a user account rather than a service account:
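The two checks described above, mapping each svchost instance to the services it hosts and confirming that its parent is services.exe, can be scripted. The following PowerShell is an added example and is not from the original post; it assumes PowerShell 3.0 or later (for Get-CimInstance) on Vista/Windows 7 or newer, run from an elevated prompt so that owner lookups succeed for system processes. It goes a little beyond the post by also comparing the image path against the expected location, since that is a second thing a look-alike process usually gets wrong.

```powershell
# Added example (not from the original post): list every svchost.exe instance,
# the services it hosts, its parent process and owner, and flag anything that
# does not look like a legitimate service host. Requires PowerShell 3.0+.

# Index all processes by PID so parent lookups are cheap.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Index running services by hosting PID; a shared svchost hosts several.
# Stopped services report ProcessId 0 and are skipped.
$svcByPid = @{}
foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    $hostPid = [int]$s.ProcessId
    if (-not $svcByPid.ContainsKey($hostPid)) { $svcByPid[$hostPid] = @() }
    $svcByPid[$hostPid] += $s.Name
}

# Legitimate image locations (SysWOW64 hosts 32-bit services on 64-bit Windows).
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$results = foreach ($p in $procs | Where-Object { $_.Name -ieq 'svchost.exe' }) {
    $procId = [int]$p.ProcessId
    $parent = $byPid[[int]$p.ParentProcessId]
    $hosted = if ($svcByPid.ContainsKey($procId)) { $svcByPid[$procId] } else { @() }

    # GetOwner fails for processes that exited in the meantime or that we
    # cannot open; report that rather than aborting the whole listing.
    $ownerText = '<unknown>'
    try {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.User) { $ownerText = "$($owner.Domain)\$($owner.User)" }
    } catch { }

    $flags = @()
    # The real service host is started by the Service Control Manager.
    if (-not $parent -or $parent.Name -ine 'services.exe') { $flags += 'parent-not-services.exe' }
    # A copy running from a user profile or temp folder is not the real one.
    if ($p.ExecutablePath -and ($expectedPaths -inotcontains $p.ExecutablePath)) { $flags += 'unexpected-image-path' }
    # A service host that hosts nothing deserves a second look.
    if ($hosted.Count -eq 0) { $flags += 'hosts-no-services' }

    [pscustomobject]@{
        PID      = $procId
        Parent   = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
        Owner    = $ownerText
        Services = ($hosted -join ', ')
        Flags    = ($flags -join ', ')
    }
}

$results | Sort-Object PID | Format-Table -AutoSize
```

Read the Flags column the way the post reads Process Explorer: an svchost whose parent is not services.exe, whose owner is an ordinary user rather than SYSTEM, LOCAL SERVICE or NETWORK SERVICE, or whose image does not live under the Windows directory is worth investigating. Two caveats keep false positives down: ParentProcessId is only a number, so if services.exe were ever restarted an orphaned host would show a reused or missing parent, and a service host that has just started may momentarily host no services yet.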