Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

«
»

Inside Windows – svchost.exe

Posted by William Diaz on July 1, 2011


Think of svchost.exe as a container for all the various services that run in Windows. An example of some these services are the Windows Task Scheduler, the DNS service, and the Plug & Play service. It use to be that all these services ran as programs (.exe) but Microsoft eventually decided to start moving all this functionality into the Dynamic Link Libraries (.dll), where they could run more efficiently. The only problem with this is that dlls cannot be launched like programs, they need to run from within an executable, hence the creation of the generic service host process.

Because svchost.exe is host to many services, you often see half a dozen or more svchost.exe’s running in the Windows Task Manager:
image
You can view all the various service by opening service.msc, but there is no way from here, or in the Windows XP Task Manager for that matter, to see which services are being hosted by any of the various svchost processes. To work around this, you can open the command shell and run tasklist /svc:
image

Alternatively, you can use Process Explorer from SysInternals. Simply hover the mouse icon over the svchost.exe process to see which services are running in it or open the process and go to the Services tab:
image
In Vista and Windows 7 the Task Manager has gone through some big changes and you can now associate an instance of svchost.exe with the services it is hosting. To do this, right-click on the process and select Go to Service(s). The Services tab will open and the services hosted by the instance of svchost will be highlighted:
image
Alternatively, you can go into the Services tab of Task Manager and link a service to an instance of svchost using the Process ID (PID).

Knowing this is important when troubleshooting instances of svchost consuming excessive CPU usage because you can go look at the individual services running and stop and start them. Furthermore, you can use Process Explorer to identify which thread is tied to which service that is causing the excessive CPU usage:
image
Lastly, it should be noted that the generic svchost process is a child of Services.exe. Some malware will try to disguise itself as svchost.exe but will do so not under the context of service.exe but as its own process under the guise of a user account:
image

Advertisement

This entry was posted on July 1, 2011 at 10:33 am and is filed under Inside Windows. Tagged: . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

«
»
 
%d bloggers like this: