Svchost.exe, or just "svchost," is a Windows component. It's quite normal to have more than one copy running. Unfortunately, it's also the target of malware and often shows up in malware-related problems.
Fire up Process Explorer or Task Manager in Windows to view the running processes and you'll see something called "svchost.exe".
In fact, you'll see it listed several times.
As I write this, there are no fewer than 11 copies of svchost.exe running on my Windows 7 64-bit system.
To understand why this is expected, we need to understand a little bit about why svchost exists and what it does.
Svchost, as the name implies, stands for Service Host.
Many components of the Windows operating system are actually implemented as what are called "services" - a fancy name for programs that run in the background and aren't necessarily associated with whomever is logged into the machine.
You can quickly see which services are running by typing NET START in a command window, or by right-clicking on your Computer icon, clicking on Manage, clicking on the small triangle next to Services and Applications to expand it, and then clicking on Services.
On my machine, "Net Start" shows me 76 running services. The Services interface displays all installed services and an indication of whether they are running or not.
There are many things that are common to all services: how they start, how they interact with the system, and how they manage the administrivia of running a system service. Rather than writing a complete service from scratch, many are implemented as a type of program run by another program.
That "host" program is our friend svchost.exe.
Svchost.exe is designed to be the host for one or more actual services. It's the program that gets run, and when it gets run, it's instructed which service to run. The actual service is typically implemented in a DLL that svchost.exe accesses.
As it turns out, a single copy of svchost.exe can actually "host" several different services at once.
Hover your mouse pointer over one of the svchost.exe instances in Process Explorer and a tool tip will show you exactly which running services are being hosted by that particular copy of svchost.
In this example, the pop-up shows that this single instance of svchost.exe is actually hosting 18 separate services. Other instances typically host fewer, often only one. Which copy of svchost.exe hosts what service is a function of how the services relate to each other and when they are required by the rest of the system.
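The same mapping can be pulled from the command line. The following is an added example, not part of the original article: it lists each running svchost.exe instance, the services it hosts, and the DLL registered for each service. It assumes PowerShell 3.0 or later (for Get-CimInstance); some registry keys are only readable from an elevated prompt.

```powershell
# Added example: map each running svchost.exe process to the services it
# hosts and to the DLL that implements each of those services.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDll {
    param([string]$ServiceName)
    # A svchost-hosted service names its DLL in the ServiceDll value
    # under its Parameters registry key.
    $item = Get-ItemProperty -Path "$svcKey\$ServiceName\Parameters" `
                             -Name ServiceDll -ErrorAction SilentlyContinue
    if ($item) { return $item.ServiceDll }
    return '(no ServiceDll readable under Parameters)'
}

Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Where-Object { $_.PathName -match '\\svchost\.exe' } |
    Group-Object ProcessId |
    Sort-Object Count -Descending |
    ForEach-Object {
        # PathName is the full command line, including the "-k <group>"
        # argument that tells this copy of svchost which services to load.
        $commandLine = $_.Group[0].PathName
        Write-Output ("PID {0}  {1} service(s)  {2}" -f $_.Name, $_.Count, $commandLine)
        foreach ($svc in ($_.Group | Sort-Object Name)) {
            Write-Output ("    {0,-28} {1}" -f $svc.Name, (Get-ServiceDll $svc.Name))
        }
    }
```

A service DLL that sits outside the Windows directory, or a service you don't recognize, is the line worth a closer look.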
Because it's expected that there will be multiple copies of svchost.exe running and its workings are quite mysterious to the average computer user, malware authors have long leveraged the confusion around it to hide or at least obfuscate their doings.
In the past, the svchost.exe file itself was a popular target for direct compromise - malware would actually alter the program with its malicious code. Windows File Protection in later versions of Windows rendered this approach mostly ineffective.
Malware authors often try to install their malware as a service hosted by svchost.exe. Installing a service requires administrative access and is effectively blocked in most cases by limited user accounts in Windows XP and UAC in Windows Vista, 7 and later.
Malware is sometimes actually delivered in a file called svchost.exe, but placed in a non-standard location. When running, the malware looks like "just another svchost" unless examined more closely. (The correct location is in Windows\System32.)
Similar sounding names and typos have also been fairly common. "svhost.exe" and "svchosl.exe" might pass for "svchost.exe," unless you were looking carefully and noted the typos.
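Both of those disguises can be checked for mechanically. The following is an added example, not part of the original article: it flags any process named svchost.exe that runs from somewhere other than the expected system directory, and any process whose name is within two edits of "svchost". The two-edit threshold and the SysWOW64 entry (the 32-bit copy present on 64-bit Windows) are choices made for this example; it assumes PowerShell 3.0 or later.

```powershell
# Added example: find svchost.exe running from an unexpected folder and
# look-alike process names such as "svhost.exe" or "svchosl.exe".
function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance, computed with a single rolling row.
    $row = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $diag = $row[0]; $row[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = [int]($A[$i - 1] -ne $B[$j - 1])
            $best = [Math]::Min([Math]::Min($row[$j] + 1, $row[$j - 1] + 1), $diag + $cost)
            $diag = $row[$j]; $row[$j] = $best
        }
    }
    return $row[$B.Length]
}

# Locations where a genuine svchost.exe is expected.
$expected = @("$env:SystemRoot\System32\svchost.exe",
              "$env:SystemRoot\SysWOW64\svchost.exe")

Get-CimInstance Win32_Process | ForEach-Object {
    $base = [IO.Path]::GetFileNameWithoutExtension($_.Name).ToLowerInvariant()
    $dist = Get-EditDistance $base 'svchost'
    if ($dist -gt 2) { return }          # unrelated name, skip to next process

    $reason = $null
    if ($dist -gt 0) {
        $reason = "name is $dist edit(s) away from 'svchost'"
    } elseif (-not $_.ExecutablePath) {
        $reason = 'path not readable (re-run elevated to verify)'
    } elseif ($expected -notcontains $_.ExecutablePath) {
        $reason = 'svchost.exe running outside the system directory'
    }

    if ($reason) {
        [pscustomobject]@{ ProcessId = $_.ProcessId; Name = $_.Name
                           Path = $_.ExecutablePath; Reason = $reason }
    }
}
```

No output means every svchost-like process was the real file in its normal location. A file in the right place can still host a malicious service, so this check covers only the name and location tricks.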
As I said, the confusion around svchost has become a tool that malware authors have used to either worm their malicious code onto machines in the first place and/or try to hide its presence once installed.
I've seen a number of panicked questions that immediately jump to the conclusion that svchost.exe is, itself, malware.
That's simply not true.
Svchost.exe is a required system component and Windows will simply not run without it. If it becomes infected, it's possible that attempts to clean it up by deleting or quarantining it may result in a system that doesn't work.
As we've seen above, malware often tries to look like svchost, or it tries to run using svchost, but that doesn't mean that svchost.exe itself is malware.
(This is an update to an article originally published October 20, 2003.)
A description of Svchost.exe in Windows XP Professional Edition - Microsoft Support.
What is svchost.exe? - Microsoft. Written for Windows Vista, but applies to all recent versions.