October 11, 2010
What is svchost.exe? Is svchost.exe spyware or a virus?
"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. This process manages system services that run from dynamic link libraries (files with extension .dll). Examples of such system services are: "Automatic Updates", "Windows Firewall", "Plug and Play", "Fax Service", "Windows Themes" and many more.
At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. Each Svchost.exe session can contain a grouping of services, so that many services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
If the svchost.exe process uses a lot of CPU, it is mostly because the "Automatic Updates" service is downloading a new Windows update. But 99% or 100% CPU usage could also be caused by downloads made by hidden malware on your computer. Some malware, like the Conficker worm, changes the Windows Registry so that svchost loads the malware's .dll file. In this case you only see the authentic svchost.exe process in Task Manager!
The biggest problem now is identifying what services are being run on a particular svchost.exe instance… we’ll cover that below.
If you are curious what we’re talking about, just open up Task Manager and check the “Show processes from all users” box:
Checking From the Command Line (Vista or XP Pro)
If you want to see what services are being hosted by a particular svchost.exe instance, you can use the tasklist command from the command prompt to list them.
tasklist /SVC
The problem with using the command line method is that you don’t necessarily know what these cryptic names refer to.
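The following PowerShell script is an added example, not part of the original article. It puts a display name next to each cryptic service name and, for the registry point made earlier about Conficker-style malware, shows which .dll each svchost-hosted service is registered to load from its ServiceDll value, flagging entries worth a closer look. It assumes PowerShell 3.0 or later (on the XP/Vista systems this article covers, Get-WmiObject is the equivalent of Get-CimInstance) and an elevated prompt; it is read-only.

```powershell
# Added example: read-only audit of the DLL each svchost-hosted service loads.
# Run from an elevated prompt so every service key and file is readable.
$sys32 = (Join-Path $env:SystemRoot 'System32') + '\'

$report = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match '\\svchost\.exe' } |   # services started via svchost
    ForEach-Object {
        # The DLL svchost loads for a service is named in its Parameters\ServiceDll value.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

        $reasons   = @()
        $sigStatus = 'n/a'
        if (-not $dll) {
            $reasons += 'no ServiceDll value found'
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            $reasons += 'DLL missing on disk'
        } else {
            # Windows' own service DLLs normally live under System32.
            if (-not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'DLL outside System32'
            }
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            if ($sigStatus -ne 'Valid') { $reasons += "signature: $sigStatus" }
        }

        [pscustomobject]@{
            ProcessId   = $_.ProcessId      # 0 means the service is not running
            Service     = $_.Name           # the short name tasklist /SVC prints
            DisplayName = $_.DisplayName    # the readable name
            ServiceDll  = $dll
            Signature   = $sigStatus
            Review      = $reasons -join '; '
        }
    }

# Full inventory, grouped by hosting svchost.exe instance.
$report | Sort-Object ProcessId, Service | Format-Table -AutoSize -Wrap

# Only the entries that deserve a manual look.
$report | Where-Object Review | Format-List
```

A flagged entry is a prompt to check, not a verdict: legitimate third-party services can register DLLs outside System32, and on older PowerShell versions catalog-signed Windows DLLs can report NotSigned.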
Checking in Task Manager in Vista
You can right-click on a particular svchost.exe process, and then choose the “Go to Service” option.
This will flip over to the Services tab, where the services running under that svchost.exe process will be selected:
The great thing about doing it this way is that you can see the real name under the Description column, so you can choose to disable the service if you don’t want it running.
Using Process Explorer in Vista or XP
You can use the excellent Process Explorer utility from Microsoft/Sysinternals to see what services are running as a part of a svchost.exe process.
Hovering your mouse over one of the processes will show you a popup list of all the services:
Or you can double-click on a svchost.exe instance and select the Services tab, where you can stop one of the services if you choose.
Disabling Services
Open up Services from the administrative tools section of Control Panel, or type services.msc into the start menu search or run box.
Find the service in the list that you’d like to disable, and either double-click on it or right-click and choose Properties.
Change the Startup Type to Disabled, and then click the Stop button to immediately stop it.
You could also use the command prompt to disable the service if you choose. In this command “trkwks” is the Service name from the above dialog, but if you go back to the tasklist command at the beginning of this article you’ll notice you can find it there as well.
sc config trkwks start= disabled
About the Author:
Ifeanyi Emeka is the founder of this blog and also writes for Tech Forked. He is passionate about tech stuff and loves customizing blogger themes.