Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How do I tell what svchost is doing?

Question:

I read through the articles on svchost and CPU utilization. I am wondering if the same goes for svchost and memory utilization. I have been trying to trace back to when this started and cannot. But, the problem is I have one svchost process that will accumulate very large amounts of physical and virtual memory (almost 2 GBs!) which slows my system down considerably. I have ended this process without my computer shutting down consistently, the process just restarts. Is there a way to trace the PID to the program executing this?

As I’ve discussed in prior articles, svchost is a required system component. It’s the “host” for a variety of “services”, hence the name – service host or svchost.

It gets complicated because there may be multiple copies of svchost.exe running, and each copy of svchost .exe may be hosting multiple services.

Why it’s organized that way is probably beyond mortal comprehension, but there are some tools and techniques to try and isolate which svchost is doing what.

]]>

“It’s the ‘host’ for a variety of ‘services’, hence the name …”

I’ll start with one of my favorite tools: Process Explorer (or just “procexp”). It’s a free download from Microsoft, and to sum it up it’s Task Manager on steroids. Download and run it.

Clicking on a column header in procexp will sort by the contents of that column. Here’s the top of the list on my laptop as I type this:

Process Explorer showing processes by VM usage

You can see that Firefox, Thunderbird, Snagit and of course a few copies of svchost are the top VM users on my machine right now. I’m guessing you did something similar to determine that svchost was taking up 2 gigabytes of virtual memory on yours.

Hover your mouse pointer over one of those svchost’s and you’ll get a very enlightening tooltip:

Process Explorer showing svchost tooltip

This is showing the list of services that this particular instance of svchost happens to be hosting. In this case the list is pretty long, but it’ll vary from svchost to svchost. Some may host only one, others – like this one – may host many different services.

You can view this same list by right clicking on the svchost.exe, selecting Properties, and then clicking on the Services tab:

Services listing of an instance of svchost.exe

So now we can see which svchost is taking up all your memory, and which services it specifically hosts.

Now what?

Trial and error, mostly.

If you’re lucky, the svchost that’s causing you problems only hosts one or a few services, because the next step is to simply try stopping the services one at a time (if you can), and seeing what happens.

As you can see in the properties dialog above, you can actually select one of the services that the svchost is hosting and stop it. That should release the resources that service is eating up. Now, not all services can, or should be stopped. Pay attention to the descriptive text that’s displayed for each.

If you can stop the service, and you notice that all of a sudden your svchost releases the 2GB of virtual memory, you’ve found your culprit.

What happens next, of course, depends on exactly what service that was, but it at least gives you additional direction for your investigation.

Even if you can’t determine exactly which service is causing the issue by stopping it, just knowing the list of services involved narrows down your search and may give you additional information you can use to diagnose the problem.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.