Svchost.exe, or just "svchost" is a Windows component. It's quite normal to have more than one copy running. Unfortunately, it's also the target of malware and often shows up in malware-related problems.
Fire up Process Explorer or Task Manager in Windows to view the running processes and you'll see something called "svchost.exe".
In fact, you'll see it listed several times.
As I write this, there are no fewer than 11 copies of svchost.exe running on my Windows 7 64-bit system.
To understand why this is expected, we need to understand a little bit about why svchost exists and what it does.
Svchost, as the name implies, stands for Service Host.
Many components of the Windows operating system are actually implemented as what are called "services" - a fancy name for programs that run in the background and aren't necessarily associated with whomever is logged into the machine.
You can quickly see which services are running by typing NET START in a command window, or by right-clicking on your Computer icon, clicking on Manage, clicking on the small triangle next to Services and Applications to expand it, and then clicking on Services.

On my machine, "Net Start" shows 76 running services. The Services interface displays all installed services and indicates whether each one is running.
There are many things that are common to all services: how they start, how they interact with the system, and how they manage the administrivia of running a system service. Rather than writing a complete service from scratch, many are implemented as a type of program run by another program.
That "host" program is our friend svchost.exe.
Svchost.exe is designed to be the host for one or more actual services. It's the program that gets run, and when it gets run, it's instructed which service to run. The actual service is typically implemented in a DLL that svchost.exe accesses.
As it turns out, a single copy of svchost.exe can actually "host" several different services at once.
Hover your mouse pointer over one of the svchost.exe instances in Process Explorer and a tool tip will show you exactly which running services are being hosted by that particular copy of svchost.

In this example, the pop-up shows that this single instance of svchost.exe is actually hosting 18 separate services. Other instances typically host fewer, often only one. Which copy of svchost.exe hosts what service is a function of how the services relate to each other and when they are required by the rest of the system.
Because it's expected that there will be multiple copies of svchost.exe running and its workings are quite mysterious to the average computer user, malware authors have long leveraged the confusion around it to hide or at least obfuscate their doings.
In the past, the svchost.exe file itself was a popular target for direct compromise - malware would actually alter the program with their malicious code. Windows File Protection in later versions of Windows rendered this approach mostly ineffective.
Malware authors often try to install their malware as a service hosted by svchost.exe. Installing a service requires administrative access and is effectively blocked in most cases by limited user accounts in Windows XP and UAC in Windows Vista, 7 and later.
Malware is sometimes actually delivered in a file called svchost.exe, but placed in a non-standard location. When running, the malware looks like "just another svchost" unless examined more closely. (The correct location is in Windows\System32.)
Similar sounding names and typos have also been fairly common. "svhost.exe" and "svchosl.exe" might pass for "svchost.exe," unless you were looking carefully and noted the typos.
As I said, the confusion around svchost has become a tool that malware authors have used either to worm their malicious code onto machines in the first place or to hide its presence once installed.
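The checks described above (the hosted services per instance, the expected Windows\System32 location, and one-character lookalike names such as "svhost.exe") can be run in one pass. This PowerShell script is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the one-edit threshold and verdict labels are choices made for this example.

```powershell
# Added example: review every process named, or named like, svchost.exe.
# Run from an elevated PowerShell; otherwise ExecutablePath is often empty
# for processes owned by SYSTEM and the verdict is reported as UNKNOWN.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Levenshtein edit distance, two-row version.
function Get-EditDistance([string]$a, [string]$b) {
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object int[] ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = [int]($a[$i - 1] -ne $b[$j - 1])
            $best = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

# Map each process ID to the names of the running services it hosts.
$hosted = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $hosted[[int]$_.ProcessId] += @($_.Name)
}

Get-CimInstance Win32_Process | ForEach-Object {
    $base = [IO.Path]::GetFileNameWithoutExtension($_.Name).ToLowerInvariant()
    $distance = Get-EditDistance $base 'svchost'
    if ($distance -gt 1) { return }   # not svchost and not a one-character typo of it

    $verdict = if ($distance -eq 1) {
        'REVIEW: lookalike name'
    } elseif (-not $_.ExecutablePath) {
        'UNKNOWN: path not readable, re-run elevated'
    } elseif ($_.ExecutablePath -ieq $expected) {
        'ok'
    } else {
        'REVIEW: svchost.exe outside System32'
    }

    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Name      = $_.Name
        Path      = $_.ExecutablePath
        Verdict   = $verdict
        Services  = $hosted[[int]$_.ProcessId] -join ', '
    }
} | Sort-Object Verdict, ProcessId | Format-Table -AutoSize -Wrap
```

A REVIEW verdict marks a process for closer inspection in Process Explorer; it is not proof of malware on its own.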
I've seen a number of panicked questions that immediately jump to the conclusion that svchost.exe is, itself, malware.
That's simply not true.
Svchost.exe is a required system component and Windows will simply not run without it. If it becomes infected, it's possible that attempts to clean it up by deleting or quarantining it may result in a system that doesn't work.
As we've seen above, malware often tries to look like svchost, or it tries to run using svchost, but that doesn't mean that svchost.exe itself is malware.
(This is an update to an article originally published October 20, 2003.)
A description of Svchost.exe in Windows XP Professional Edition - Microsoft Support.
What is svchost.exe? - Microsoft. Written for Windows Vista, but applies to all recent versions.
Article C1852 - October 2, 2012
April 10, 2004 6:47 PM
Well, step one is simply to take care in what sites you visit and software you download ... typically these downloads are given to you transparently by less-than-reputable vendors.
Second, tighten up your browser's security settings. This will prevent many.
Finally, Spy Bot does have a monitoring function that will watch for, and block at your option, many of the bigger offenders. AdAware may also have something like this in their pay version. There's also a tool called StartupMonitor which can keep reins on what gets added to your startup (http://ask-leo.com/d-startupmonitor).
Leo
April 12, 2004 10:10 AM
Running in a command window (WinXP home) the "NET START" command works; however, when I type "tasklist /svc" I get the following error message:
['tasklist' is not recognized as
operable program or batch file.]
What am I doing wrong?
Thanks,
Allmen Quester
April 12, 2004 4:13 PM
Nothing. You probably have XP Home, which apparently doesn't have the tasklist command. I'll be writing up an article shortly on how to use Sysinternals Process Explorer (http://ask-leo.com/d-31017a) to get the same information. In a nutshell, run procexp, double-click on a svchost instance, and then select the "services" tab, and it'll show what services that instance of svchost is hosting.
Leo
April 15, 2004 1:45 PM
Over the last few months, with increasing frequency, I receive the following message on my screen. It's in Norton Internet Security, but it's not the usual Alert Tracker screen I get when Norton detects an attempt to hack in. It's more like the screen I get when a new programme - like RealPlayer for example - tries to connect to the internet for the first time.
The message says:
A remote system is attempting to access Generic Host Processes for Win32 on your computer.
Application: C:\WINDOWS\system32\svchost.exe
Protocol: TCP (Inbound)
It also tells me the IP address of the computer from which the attempt is being made - I think it's different each time.
I have always assumed it's someone trying to hack in or plant a trojan or whatever it is these people do, and refused the connection, but, before I set a rule to always forbid such connections, I just wondered if it is a legitimate programme or something which I ought to be allowing for the good running of the computer.
April 15, 2004 1:51 PM
I'd set that always forbid rule. A remote computer should not be attempting to initiate a conversation that way ... they're probably attempting to exploit a vulnerability in Windows (that's since been patched as well).
If you're curious, you can enter the IP address into a "reverse DNS" tool, such as http://ask-leo.com/d-reversedns and see a) if there is a host name for that address, and b) if the host name is something you recognize.
Leo