Tip: Understanding Windows Svchost.exe process


Question:

Information and help with Windows svchost.exe.

Answer:

What is the svchost.exe file?

svchost.exe is a Microsoft Windows executable file labeled "Generic Host Process for Win32 Services". It is a required Windows file that loads the DLL files used by Microsoft Windows and by Windows programs that run on your computer.

This file is located in either the c:\windows\system32 or the c:\winnt\system32 directory, depending on your version of Windows, and may also be located in the dllcache directory if present.

Why do I have multiple svchost.exe processes running in Task Manager?

Multiple svchost.exe instances are loaded when a program needs to be grouped separately from other Windows services. This is a normal operation of Windows, and it is common to see three or four svchost.exe entries in the Task Manager process list.

Is svchost.exe a virus or trojan?

There are viruses that can infect this file and may run as a SVCHOST.EXE service. If you think your computer may be infected with a computer virus that is causing problems with this service, we recommend you update your virus protection program and visit the Microsoft Windows update page instead of attempting to manually fix the problem.

If your anti-virus protection software does not detect a virus or other malware, your computer is not infected and the svchost.exe file is not a virus.

SVCHOST.EXE error with 0xe03c3a68 or computer crashes with this file when opening Microsoft Internet Explorer 

Users experiencing an error with the above memory address are infected with the Blaster virus.

How can I remove svchost.exe?

This file is an important Windows file and is needed by Windows. Removing this file would cause Windows to no longer function. If this file is infected with a virus, your anti-virus program should be able to quarantine or delete the file.

How can I view what applications svchost is handling?

To determine what is running inside svchost.exe, you will need either tlist.exe if you are running Windows 2000, or tasklist.exe if you are running Windows XP. Windows users can also view what is running under svchost through Windows Defender.

Running the tlist program

Windows 2000 users can run this program by clicking Start / Run, typing "command" or "cmd", and pressing Enter. From the MS-DOS prompt, type "tlist -s" and press Enter.

Windows XP users can run this program by clicking Start / Run, typing "command" or "cmd", and pressing Enter. From the MS-DOS prompt, type "tasklist /svc" and press Enter.

* If you are unable to run or locate this file on the computer, see the steps below on installing this file onto your computer.

Tlist Windows 2000 Installation

If you do not have this file, you will need to install the Microsoft Windows 2000 support tools. To do this, place the Windows 2000 CD into the computer and run setup.exe from the \SUPPORT\TOOLS directory.

Tlist Windows XP Installation

Windows XP Home users will need to download the file Tasklist.exe.

Windows XP Professional users that are unable to locate this file can expand it from the i386 directory on their Windows XP Professional CD or download the file from the above link. Unfortunately, the Windows XP Home CD does not contain this file.

Example of what is seen in tlist:

Below is an example of what Windows 2000 would display for the svchost services. With tlist.exe or tasklist.exe you should see information similar to the below example.

444 svchost.exe Svcs: RpcSs
552 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
792 svchost.exe Svcs: wuauserv
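
The listing above can also be checked by script. The following is an added example, not part of the original tip: it parses "tlist -s" rows in the format shown above (and "tasklist /svc" table rows), maps each process ID to its services, and separates processes named exactly svchost.exe from processes whose name only resembles it. The function names, the 0.8 similarity threshold and the sample rows after the first two are assumptions made for this example.

```python
import re
from difflib import SequenceMatcher

# tlist -s row as shown on this page: "<pid> <image> Svcs: a,b,c"
TLIST = re.compile(r"^\s*(\d+)\s+(\S+)\s+Svcs:\s*(.*)$")
# tasklist /svc row: "<image> <pid> a, b, c"; header and ==== rows never match
TASKLIST = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

def _split(field):
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_services(text):
    """Map pid -> (image name, [services]) from tlist -s or tasklist /svc text."""
    procs, last = {}, None
    for line in text.splitlines():
        if re.match(r"\s*\d+\s", line):           # PID first: a tlist row
            m, last = TLIST.match(line), None
            if m:
                procs[int(m.group(1))] = (m.group(2), _split(m.group(3)))
            continue
        m = TASKLIST.match(line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), _split(m.group(3)))
        elif last is not None and line[:1].isspace() and line.strip():
            procs[last][1].extend(_split(line))   # wrapped tasklist service list
    return procs

def review(procs, threshold=0.8):
    """Return (processes named svchost.exe, processes with a lookalike name)."""
    hosts, lookalikes = {}, {}
    for pid, (image, svcs) in procs.items():
        name = image.lower()
        if name == "svchost.exe":
            hosts[pid] = svcs   # name match only; this output carries no path
        elif SequenceMatcher(None, name, "svchost.exe").ratio() >= threshold:
            lookalikes[pid] = (image, svcs)
    return hosts, lookalikes

# Constructed sample: the first two rows are from this page, the rest are made up.
SAMPLE = """\
 444 svchost.exe Svcs: RpcSs
 552 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
 792 svchostAU.exe Svcs: wuauserv
 816 scvhost.exe Svcs: ExampleSvc
 212 services.exe Svcs: Alerter,Browser
"""
if __name__ == "__main__":
    print(review(parse_services(SAMPLE)))
```

A process in the first group still has to be running from the system32 directory named earlier on this page, which neither listing shows.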

Viewing running processes through Windows Defender

Microsoft Windows Defender is also capable of showing all running applications and processes, including those within svchost, as explained below.

  1. These steps require that you have Windows Defender installed on your computer.
  2. Open Windows Defender if not already open by clicking Start, Programs, and clicking Windows Defender.
  3. Click Tools.
  4. Click Software Explorer.
  5. Click the down arrow next to Category and click Currently Running Programs.

Any "Microsoft Generic Host Process for Win32 Services" items (for Windows XP users) or "Microsoft(R) Windows (R) 2000 Operating System" items shown in the list are portions of svchost.



Here's a great tip: what if you wanted a program such as Windows Update to run under a specific svchost process that you could easily identify, such as svchostAU.exe? Here are the steps to follow to do that.
  1. Click Start/Run, type CMD and then press Enter.
  2. Run the command "copy %windir%\system32\svchost.exe %windir%\system32\svchostAU.exe" and then press Enter.
  3. Click Start/Run, type Regedit and then press Enter to open Registry Editor.
  4. Use Regedit to change the ImagePath for the wuauserv subkey at HKLM\SYSTEM\CurrentControlSet\Services\wuauserv from "%systemroot%\system32\svchost.exe -k netsvcs" to "%systemroot%\system32\svchostAU.exe -k netsvcs".
  5. Click Start/Run, type services.msc and then press Enter. Right-click the Automatic Updates service and select Stop (you will be able to find this option in the left pane of the page).
  6. Repeat to Start the service.
  7. Run "tasklist -m wuauserv.dll" or "tlist -m wuauserv.dll" in the CMD window to verify that an svchostAU.exe is hosting wuauserv.dll.
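
To keep track of which services have had their host binary changed this way, the ImagePath values can be audited. The following is an added example, not part of the original tip: it parses ImagePath strings of the form used in step 4 and lists every service that uses a "-k" group but is not hosted by the stock svchost.exe. The function names, the systemroot default of C:\Windows and the sample values are assumptions made for this example.

```python
import re

def parse_image_path(image_path, systemroot=r"C:\Windows"):
    """Split an ImagePath value into (normalised binary path, -k group or None)."""
    # A function replacement keeps the backslashes in systemroot literal.
    s = re.sub(r"%(systemroot|windir)%", lambda _: systemroot,
               image_path.strip(), flags=re.I)
    if s.startswith('"'):                       # quoted binary path
        binary, _, rest = s[1:].partition('"')
    else:                                       # unquoted: ends at first space
        binary, _, rest = s.partition(" ")
    binary = binary.lower()
    if not binary.endswith(".exe"):             # the extension may be omitted
        binary += ".exe"
    m = re.search(r"(?:^|\s)-k\s+(\S+)", rest, flags=re.I)
    return binary, (m.group(1) if m else None)

def audit(services, systemroot=r"C:\Windows"):
    """List services that use a -k group but not the stock svchost.exe."""
    expected = (systemroot + r"\system32\svchost.exe").lower()
    findings = []
    for name, image_path in sorted(services.items()):
        binary, group = parse_image_path(image_path, systemroot)
        if group is not None and binary != expected:
            findings.append((name, binary, group))
    return findings

# Constructed ImagePath values; the wuauserv entry is the one step 4 writes.
SERVICES = {
    "RpcSs": r"%SystemRoot%\system32\svchost -k rpcss",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
    "wuauserv": r"%systemroot%\system32\svchostAU.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, binary, group in audit(SERVICES):
        print(f"{name}: hosted by {binary} (group {group})")
```

On a system installed under c:\winnt, pass that directory as systemroot so the comparison uses the right path.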