Summary: Svchost is a component of Windows. It can be confusing because more than one copy is running, and it often shows up in errors caused by viruses.
What is svchost, and why is there more than one copy running?
Fire up Task Manager in Windows XP, hit the Processes tab, and you'll see among other processes something called "svchost.exe". Again and again. In fact I have 5 copies running on my machine as I type this.
Svchost, as the name implies, stands for "Service Host". Many components of the Windows operating system are implemented as what are called "services" - a fancy name for programs that run in the background and aren't necessarily associated with whoever is logged into the machine. You can quickly see which services are running by typing NET START in a command window or by looking in Control Panel, Administrative Tools, then Services.
A fair number of those services are implemented in DLLs rather than in stand-alone executables. But a DLL is only a library of functions that can be called by running programs - it can't be run on its own. Enter svchost. It's a standalone program whose job is to execute services that are implemented in DLLs.
You can see which copy of svchost is running what service by typing tasklist /svc in a Windows XP command window. On my machine, one copy of svchost is responsible for 30 separate services, another is hosting 4, and the remaining 3 have one apiece. Why this odd distribution? The only vague clue comes from Microsoft's documentation which says "this allows for better control and debugging." OK. Whatever.
Speaking of Microsoft, they have knowledge base articles on the subject. Svchost in Windows 2000 is described here, and in Windows XP here. Both descriptions include the specific registry keys that control what services are run and how they are grouped in different instances of svchost.
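The per-instance view that tasklist /svc gives, as an added Python example (not code from the original article): it parses the CSV form of that command's output, groups services by svchost.exe process ID, and lists separately any copy that hosts no service at all. The sample output is constructed, and the column names assume an English-language Windows.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not captured from a real machine).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"winlogon.exe","620","N/A"
"services.exe","664","Eventlog,PlugPlay"
"svchost.exe","836","DcomLaunch,TermService"
"svchost.exe","904","RpcSs"
"svchost.exe","1012","AudioSrv,Browser,CryptSvc,Dhcp,Schedule,Themes,wuauserv"
"svchost.exe","1080","Dnscache"
"SVCHOST.EXE","2312","N/A"
"spoolsv.exe","1388","Spooler"
'''


def svchost_services(tasklist_csv):
    """Map each svchost.exe PID to the list of services it hosts."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        # Image names are case-insensitive on Windows, so compare in lower case.
        if row["Image Name"].lower() != "svchost.exe":
            continue
        field = row["Services"].strip()
        # tasklist prints N/A when a process hosts no services.
        services = [] if field in ("", "N/A") else [s.strip() for s in field.split(",")]
        hosts[int(row["PID"])] = services
    return hosts


def summarize(hosts):
    """Return (pid, service count) pairs, busiest first, and the PIDs hosting nothing."""
    counts = sorted(((pid, len(s)) for pid, s in hosts.items()),
                    key=lambda p: (-p[1], p[0]))
    # A copy of svchost.exe with no services is not doing the job described
    # above (running DLL-based services), so it is reported on its own.
    empty = sorted(pid for pid, s in hosts.items() if not s)
    return counts, empty


if __name__ == "__main__":
    hosts = svchost_services(SAMPLE)
    counts, empty = summarize(hosts)
    for pid, n in counts:
        print(f"svchost.exe PID {pid}: {n} service(s): {', '.join(hosts[pid]) or '-'}")
    print("instances hosting no service:", empty)
```

On a Windows machine, pass the text printed by tasklist /svc /fo csv to svchost_services in place of SAMPLE.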
Related Articles
Svchost - A story of crashes, CPU maximization, viruses, exploits and more. Svchost (and Svchost.exe) is a required Windows component that often shows up in errors caused by viruses. Review Svchost, Svchost.exe, and how to stay safe.
svchost.exe error: svchost.exe has generated an error - now what do I do? Svchost.exe is a Windows component that often shows up in error messages. Unfortunately, quite often when it does the news isn't good.
What is Tasklist.exe, and why don't I have it? Tasklist.exe is a utility to examine your system's running programs. It's not on every version of Windows but a more powerful alternative is available.
Article C1852 - October 20, 2003
Tracy: sounds like the windows messenger *service* is still running and being attacked. This article: http://ask-leo.com/archives/000017.html has instructions for turning that service OFF, which you should do. Or visit Gibson Research (http://ask-leo.com/d-grc ) and grab "Shoot the Messenger" which does the same thing ... disables the service.
Good luck!
Leo
Posted by: Leo at April 5, 2004 10:41 AM
I have SVCHOST and SVCHOST running in my system whenever I boot the system. And Windows Task Manager shows 100% of my CPU is being used by these 2 processes. When I disable / set the priority to below normal, the system doesn't allow the operations like COPY/PASTE/MOVE FOLDERS, etc.
Posted by: Lakshmish at April 9, 2004 12:07 AM
Can you please help me? And if you reply plz send me an email so I can see what is the problem :P btw. maybe there is a way to look why this process use 100% of my CPU ?
SVCHost is a required system component, so you can't adjust its priority, or kill it. You either have or are being attacked by a virus. Check out the various comments in http://ask-leo.com/archives/000059.html - in short: update and patch Windows, update and run virus checking, and make sure you've got some kind of firewall in place.
Leo
Posted by: Leo at April 9, 2004 9:23 AM
Windows XP Pro, I have a free DL of ad ware for finding spyware, I find about 7 per 24 hrs, always comet cursor and tracking something, both are called data miners, they are in my registry key and files, ad ware gets rid of them but they always come back, how can I stop them from coming back
Posted by: marty at April 10, 2004 6:29 PM
Well, step one is simply to take care in what sites you visit and software you download ... typically these downloads are given to you transparently by less-than-reputable vendors.
Second, tighten up your browser's security settings. This will prevent many.
Finally, Spy Bot does have a monitoring function that will watch for, and block at your option, many of the bigger offenders. AdAware may also have something like this in their pay version. There's also a tool called StartupMonitor which can keep reins on what gets added to your startup (http://ask-leo.com/d-startupmonitor ).
Leo
Posted by: Leo at April 10, 2004 6:47 PM
Running in a command window (WinXP home) the "NET START" command works; however, when I type "tasklist /svc" I get the following error message:
['tasklist' is not recognized as
operable program or batch file.]
What am I doing wrong?
Thanks,
Allmen Quester
Posted by: Allmen Quester at April 12, 2004 10:10 AM
Nothing. You probably have XP Home, which apparently doesn't have the tasklist command. I'll be writing up an article shortly on how to use Sysinternals Process Explorer (http://ask-leo.com/d-31017a ) to get the same information. In a nutshell, run procexp, double-click on a svchost instance, and then select the "services" tab, and it'll show what services that instance of svchost is hosting.
Leo
Posted by: Leo at April 12, 2004 4:13 PM
Over the last few months, with increasing frequency, I receive the following message on my screen. It's in Norton Internet Security, but it's not the usual Alert Tracker screen I get when Norton detects an attempt to hack in. It's more like the screen I get when a new programme - like RealPlayer for example - tries to connect to the internet for the first time.
The message says:
A remote system is attempting to access Generic Host Processes for Win32 on your computer.
Application: C:\WINDOWS\system32\svchost.exe
Protocol: TCP (Inbound)
It also tells me the IP address of the computer from which the attempt is being made - I think it's different each time.
I have always assumed it's someone trying to hack in or plant a trojan or whatever it is these people do, and refused the connection, but, before I set a rule to always forbid such connections, I just wondered if it is a legitimate programme or something which I ought to be allowing for the good running of the computer.
Posted by: John K at April 15, 2004 1:45 PM
I'd set that always forbid rule. A remote computer should not be attempting to initiate a conversation that way ... they're probably attempting to exploit a vulnerability in Windows (that's since been patched as well).
If you're curious, you can enter the IP address into a "reverse DNS" tool, such as http://ask-leo.com/d-reversedns and see a) if there is a host name for that address, and b) if the host name is something you recognize.
Leo
Posted by: Leo at April 15, 2004 1:51 PM