Ask Leo! by Leo A. Notenboom

Where is it alright for svchost.exe to be?


Comments


Hi Leo. McAfee Security Center detected a copy of svchost.exe in c:\windows\. It said it was infected by a trojan. It presented me with several options including deleting it or quarantining it. I deleted it immediately, thinking svchost.exe is not important. Then I decided to research the file and found this site. The file is not located in the folders you specified but it is located in c:\windows\. So now I'm not so sure if I did the right thing by deleting it. What do you think?

Thanks!

Posted by: Army at June 3, 2006 7:12 AM

Hi Leo,

I really need your help here. I have been having this problem for 2 days now, as I'm connecting to the internet using a modem provided by my broadband provider. My problems are:

1. Suddenly an error message appears saying generic host process for win32 had encountered a problem and needed to be closed. This happens when I'm surfing the net; it causes me to be disconnected from the net and I have to restart my computer to be able to connect again.
2. It happens after a duration of 30 min-2 hours of surfing the net.
3. Error signature:
event type:BXE p1:svchost.exe

What I did try:
1. Used system restore (didn't work)
2. Scanned my computer for viruses (using avast/symantec/spybot and even used fixblast)

I need a solution to this problem.

P.S. I'm using Windows XP.
Thanks for the help

Posted by: terrence at August 15, 2006 9:30 AM

Word 97 and Excel 97 were loading very, very slowly. I found an additional svchost.exe file in C:\WINNT\SYSTEM32\WINS. After renaming this file everything worked fine. On changing the name back again, Word and Excel loaded very, very slowly again. I scanned the file with NAV but no virus was detected. What should I do with this file, and do you know what it is and where it came from?

Thanks for your very useful website.

Mike

Posted by: Mike at September 6, 2006 7:27 AM

Plain and to the point about "svchost locations":
This file should ONLY BE IN THE C:\Windows\System32 directory AND in the C:\I386. If you do have more than one in ANY OTHER location, delete it. How can I tell, you ask? Well, do a search for "svchost"; when the search results are posted, there should only be a copy in the directories stated above. If there are more than one elsewhere, look at the DATE of that svchost file; that's a true giveaway, i.e. the svchost files in the correct locations will have the date of the original operating system. If there are later dates of the file in other locations is earlier, then delete them.

Posted by: Rod at November 19, 2006 7:17 AM

So you've covered in what locations svchost can be; what about process users? In the Task Manager, some of the svchost.exe instances list SYSTEM as the User Name, or NETWORK SERVICE or LOCAL SERVICE, which I'm sure is fine, but what if it listed the name of a log-in on that computer (or another computer too, I guess, but that would obviously be very bad :P )?
This isn't happening right now, so I can't be 100% certain, but I seem to recall seeing such an occurrence in the past. Could this be an easy way to spot a phoney svchost?

Thanks

Posted by: Tristan at November 28, 2006 8:26 AM
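
An added example, not part of any comment in this thread: a PowerShell triage of the two checks raised above, the image path of each running svchost.exe and the account it runs under. The expected directories and account names are the ones named in the comments plus SysWOW64 (an assumption for 64-bit Windows); a flag means the instance deserves a closer look, not that it is malicious.

```powershell
# Added example, not from the thread. Run from an elevated prompt; without
# elevation Path and User can come back empty for processes owned by others.

# Directories a running svchost.exe image is expected to load from.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')   # assumption: 32-bit copy on 64-bit Windows
)
# Account names the thread lists as normal owners in Task Manager.
$serviceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

$report = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $path  = $_.ExecutablePath
        $dir   = if ($path) { Split-Path -Path $path -Parent } else { $null }

        $notes = @()
        if (-not $path) {
            $notes += 'path unavailable (re-run elevated)'
        } elseif ($expectedDirs -notcontains $dir) {
            $notes += 'image outside expected directories'
        }
        if (-not $owner.User) {
            $notes += 'owner unavailable'
        } elseif ($serviceAccounts -notcontains $owner.User) {
            $notes += 'owner is not a built-in service account'
        }

        [pscustomobject]@{
            PID         = $_.ProcessId
            User        = $owner.User
            Path        = $path
            CommandLine = $_.CommandLine
            Review      = $notes -join '; '
        }
    }

# Flagged instances first, then the rest.
$report | Sort-Object -Property @{ Expression = { $_.Review -eq '' } }, PID |
    Format-List
```

On newer Windows versions some per-user services also run in svchost.exe under the logged-in account, so an owner flag with a correct System32 path is a prompt to inspect the command line rather than a verdict.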

Why are there 7 svchost.exe's running at the same time but only 1 causes system failure? These 7 things are 25% of my commit charge. It's even worse when gaming! Please help!

macon

Posted by: charles at April 4, 2007 10:03 PM

You might want to look at this article:
http://ask-leo.com/what_is_svchost_and_why_is_there_more_than_one_copy_running.html

Leo

Posted by: Leo Notenboom at April 5, 2007 7:31 PM

I have 5 SVCHOST.exe on my list, and one of them is pumping my CPU usage every time I am connected to the internet. I tried to disable it but it reappeared every 10-15 secs after I disabled it. I did a search for it. It's in its original place, which is on win32 file. The user name for that "fake" SVCHOST.exe was SYSTEM.

Posted by: Alex at April 14, 2007 11:15 AM

Please note C:\Windows\svchost.exe is NOT a place where the file should be. I have had a trojan in that path, with two dozen different methods to start automatically when the computer is booted (like Startup item on start menu and lots of places on the registry). It was a backdoor and it was sending information back to the hacker. I managed to remove it within an hour of getting it (and unplugged network cable during the whole removal process so it didn't keep sending anything).

Posted by: Nicolas at April 29, 2007 10:49 AM

Please, I have the same problem as "Nicolas at April 29, 2007 10:49 AM" but I'm unable to remove it. I really tried everything but I cannot find the source of the infection. Please tell me how to get rid of C:\Windows\svchost.exe (which definitely does not exist, but shows up after every restart).

Posted by: Ken at July 10, 2007 6:18 AM