Svchost and Svchost.exe - Crashs, CPU maximization, viruses, exploits and more.

Home » Windows » Windows Components

Summary: Svchost (and Svchost.exe) is a required Windows component that often shows up in errors caused by viruses. Review Svchost, Svchost.exe, and how to stay safe.

Svchost and Svchost.exe - Crashes, CPU maximization, viruses, exploits and more.

I've discussed Svchost, aka Svchost.exe, in previous articles on Ask Leo!. Many people are witnessing a svchost.exe crash and it's actually quite amazing. Unfortunately, there's no single point of reference for svchost related problems. Rather than answering one single question, I'll try to cover a theme that can best be summed up as:

What's The Deal with SVCHOST?

•

Symptoms

Do any of these symptoms sound familiar?

• Your system becomes sluggish and you find that something called svchost or dllhost is taking nearly 100% of your CPU.
• Your system reports that svchost has performed an illegal operation and will be terminated. After that, various things fail to work properly, if at all.
• After you log in, your system automatically reboots in one minute.

If so, then it's almost certain that you either have a virus or your system is currently vulnerable to a particular type of exploit known as the "RPC buffer overflow". We'll look at addressing both.

But just what is svchost?

Let me tell you what it is not: On Windows XP, 2000, and 2003, svchost is not a virus. On those systems, svchost is a required system component. If you happen to successfully delete it, your system will not run. You'll be much worse off than before. (Win95, 98, and Me users, see Note 1.)

Do not delete svchost.exe. Don't even think about it. [Important: do not confuse svchost, which we are discussing here, with scvhost, which has two letters transposed. They are not the same thing. The presence of scvhost may indicate a virus.]

Svchost, which is short for "service host", is a core part of the operating system that provides support to many of the required services that are Windows. You can see all the copies of svchost and what services they are running by typing "tasklist / svc" in a command window. If you don't have tasklist, or just prefer not to use the command shell, you can use SysInternals Process Explorer instead. (Check out my previous article "What is Tasklist.exe, and why don't I have it?" for details.) On my machine, one copy of svchost is responsible for 30 separate services, another is hosting 4, and the remaining 3 host one service apiece.

What about this "RPC" thing that has vulnerabilities?

Same story. RPC, for Remote Procedure Call, is a core operating system service. Windows won't run without it. If you happen to successfully disable it, you're in deep trouble.

Do not disable the RPC service. Don't even think about it. (If you already did, see Note 2.)

So what do you do?

First, we have to understand that there are two possible problems:

• You could be infected with a virus.

• You could be under "attack" from an outside source attempting to exploit the RPC vulnerability.

It'll do you no good to get things all cleaned up only to get hit again the moment you connect to the internet, so we'll deal with the second point first.

Block the Vulnerability

The very first thing we have to do is plug the vulnerability. This will prevent some forms of re-infection, as well as some forms of attack, both of which can cause the problems we've been talking about.

If you're running Windows XP, you can turn on the Internet Connection Firewall. In Control Panel, select Network Connections, select the connection that corresponds to your internet connection, right click on that and select Properties, select the Advanced tab, and make sure that Protect my computer and network by limiting or preventing access to this computer from the Internet is checked.

If you're running behind a NAT router, you're probably already safe, but make sure that ports 135, 139, and 445 are not being forwarded to any computer on your network.

If you have some other kind of firewall, ensure that those same ports are blocked.

Update Your System

Install all of the latest service packs and patches. For Windows 2000, that means getting the latest service pack, as well as any additional patches. For Windows XP, that also means getting the latest service pack and any additional patches. (Note: If you've installed Windows XP Service Pack 1, Microsoft now recommends installing Service Pack 1a that corrects a couple of problems.) The whole process can be simplified to this: visit Windows Update, let it analyze your system, and then download and install all the updates suggested.

The single, most important update relating to our svchost / RPC problem is this one: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs. Make certain that the patches listed there have been installed.

You're not done.

Scan for Viruses

To put it more completely, update your virus signatures to the latest possible and then scan for viruses. In fact, experience is showing that not all virus scanners are catching all viruses, so it would be in your best interest to use a second virus scanner as well.

You may not have a virus. But you may have contracted one as a result of the vulnerability.

There are several viruses that may result from this vulnerability. Some cannot be removed by the virus scanners' traditional mechanisms. If that happens to you then you'll need to download a special tool to remove that particular virus. Take the name of the virus identified by your scanner, visit the Symantec Anti-Virus Center, and search on that virus. Chances are, if there's a tool to remove they virus, they have it.

Scan for Spyware

There is anecdotal evidence that Spyware can also be associated with svchost related problems. Even if that's not accurate, it's a good idea to scan regularly anyway. Grab a copy of a tool such as Spybot Search and Destroy, or Ad-Aware.

Notes:

Note 1: Windows 95, 98, and Me users: Most of this article does not apply to you at all. You shouldn't be seeing the symptoms described here. If you do, or if you find svchost.exe on your machine, then you likely have a virus and should scan and clean immediately.

Note 2: If you've already disabled the RPC service, then Black Viper has a possible way to restore it. He also has instructions for stopping the 60 second shutdown as well.

Note 3: If you have a firewall such as ZoneAlarm, it may ask if it's ok for svchost to access the internet. It's probably ok to allow it. There is at least one legitimate service that svchost supports that does need to access the internet: the time service. It connects to time servers on the internet to ensure your clock is correct.

Updates

Finally, check back here for updates. SVCHOST has been the source of a lot of frustration for people, and I'll try to update this article as new information becomes available.

• 09-May-2004: Added note on scvhost misspelling, and the related link to the LSASS article.
• 12-May-2004: Added notes relating to Windows Service Pack 1a.
• 03-Dec-2005: Added a new article: Where is it alright for svchost.exe to be?.
• 10-May-2007: Added a new article: "How do I fix this high CPU usage svchost virus or whatever it is?"

Related Links:

• "What is svchost, and why is there more than one copy running?" Svchost is a component of Windows. It can be confusing because more than one copy is running, and it often shows up in errors caused by viruses.

• "svchost.exe error: svchost.exe has generated an error - now what do I do?" Svchost.exe is a Windows component that often shows up in error messages. Unfortunately, quite often when it does the news isn't good.

• Where is it alright for svchost.exe to be? Svchost.exe is frequently spoofed by viruses attempting to hide. The official copy should be in your Windows\system32 folder, but there may be others.

• What are "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am? LSASS is a Windows component shown in error messages, often due to a virus infection such as Sasser. Learn about LSASS, LSASS.EXE and how to stay safe.

• What is tasklist.exe and why don't I have it? Tasklist.exe is a utility to examine your system's running programs. It's not on every version of Windows but a more powerful alternative is available.

• Black Viper - General Technical FAQ: RPC/SVCHOST
• Microsoft - A Description of Svchost in Windows 2000
• Microsoft - A Description of Svchost in Windows XP
• Symantec - Anti-Virus Center

• SysInternals - Process Explorer

Article C1927 - April 19, 2004