Helping people with computers... one answer at a time.

Svchost.exe, or just "svchost" is a Windows component. It's quite normal to have more than one copy running. Unfortunately, it's also the target of malware and often shows up in malware-related problems.

Fire up Process Explorer or Task Manager in Windows to view the running processes and you'll see something called "svchost.exe".

In fact, you'll see it listed several times.

As I write this, there are no less than 11 copies of svchost.exe running in my Windows 7 64-bit system.

To understand why this is expected, we need to understand a little bit about why svchost exists and what it does.

Multiple svchost.exe's running on my machine, viewed in Process Explorer

Service Host

Svchost, as the name implies, stands for Service Host.

Many components of the Windows operating system are actually implemented as what are called "services" - a fancy name for programs that run in the background and aren't necessarily associated with whomever is logged into the machine.

You can quickly see which services are running by typing NET START in a command window, or by right-clicking on your Computer icon, clicking on Manage, clicking on the small triangle next to Services and Applications to expand it, and then clicking on Services.

Services installed in Windows 7

On my machine, "Net Start" shows me 76 running services on my machine. The Services interface shown above displays all installed services and an indication of whether they are running or not.

There are many things that are common to all services: how they start, how they interact with the system, and how they manage the administrivia of running a system service. Rather than writing a complete service from scratch, many are implemented as a type of program run by another program.

That "host" program is our friend svchost.exe.

Hosting services

Svchost.exe is designed to be the host for one or more actual services. It's the program that gets run, and when it gets run, it's instructed which service to run. The actual service is typically implemented in a DLL that svhost.exe accesses.

As it turns out, a single copy of svchost.exe can actually "host" several different services at once.

Hover your mouse pointer over one of the svchost.exe instances in Process Explorer and a tool tip will show you exactly which running services are being hosted by that particular copy of svchost:

Services running in one specific instance of svchost.exe

In this example, the pop-up shows that this single instance of svchost.exe is actually hosting 18 separate services. Other instances typically host fewer, often only one. Which copy of svchost.exe hosts what service is a function of how the services relate to each other and when they are required by the rest of the system.

Svchost and malware

Because it's expected that there will be multiple copies of svchost.exe running and its workings are quite mysterious to the average computer user, malware authors have long leveraged the confusion around it to hide or at least obfuscate their doings.

  • In the past, the svchost.exe file itself was a popular target for direct compromise - malware would actually alter the program with their malicious code. Windows File Protection in later versions of Windows rendered this approach mostly ineffective.

  • Malware authors often try to install their malware as a service hosted by svchost.exe. Installing a service requires administrative access and is effectively blocked in most cases by limited user accounts in Windows XP and UAC in Windows Vista, 7 and later.

  • Malware is sometimes actually delivered in a file called svchost.exe, but placed in a non-standard location. When running, the malware looks like "just another svchost" unless examined more closely. (The correct location is in Windows\System32.)

  • Similar sounding names and typos have also been fairly common. "svhost.exe" and "svchosl.exe" might pass for "svchost.exe," unless you were looking carefully and noted the typos.

As I said, the confusion around svchost has become a tool that malware authors have used to to either worm their malicious code onto machines in the first place and/or try to hide its presence once installed.

Svchost.exe is not malware

I've seen a number of panicked questions that immediately jump to the conclusion that svchost.exe is, itself, malware.

That's simply not true.

Svchost.exe is a required system component and Windows will simply not run without it. If it becomes infected, it's possible that attempts to clean it up by deleting or quarantining it may result in a system that doesn't work.

As we've seen above, malware often tries to look like svchost, or it tries to run using svchost, but that doesn't mean that svchost.exe itself is malware.

(This is an update to an article originally published October 20, 2003.)

References

A description of Svchost.exe in Windows XP Professional Edition - Microsoft Support.

What is svchost.exe? - Microsoft. Written for Windows Vista, but applies to all recent versions.

Article C1852 - October 2, 2012 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

82 Comments
GLORIA
December 14, 2003 8:27 PM

QUESTION 1:
WHEN I START MY COMPUTER, THE COMPUTER SAYS :ERROR STARTING, MISSING .DLL FILE. HOW DO I RESTORE THE FILE?
QUESTION 2:
WHEN I SHUT DOWN MY COMPUTER, THE COMPUTER SAYS :NEED TO CLOSE SVCHOSTC PROGRAM. I WASN'T AWARE THAT I WAS RUNNING THE SVCHOSTC PROGRAM. HOW DO I CLOSE THE PROGRAM>

PLEASE HELP!

Leo
December 14, 2003 9:58 PM

Question 1: it depends entirely on the operating system version, the filename that should have been specified in the error message, and potentially the applications installed on your machine.

Question 2: svchostC is most likely a virus, I believe. Make sure you're runing a virus scanner, and that the signatures are up to date.

If you need more specific or detailed help, please submit your question here: http://ask-leo.com/askleo.html

Thanks!

Leo

jose luis
January 7, 2004 3:56 PM

I have a machine like a server, in this pc I`ve intalled dll's, this dlls are functions that make transactions in sql over acces. All work fine, but in any moment appears "error en svchost.exe" this error in the server machine. in the side of the client appear an error "error en internet".
What I can do? what is this error? how can I avoid this?
Please write me to mi e-mail. joseguero@yahoo.com
thank alot for the attention to this trouble.
atte. Jose Luis sanchez from Toluca, Mexico.

Rong
January 7, 2004 11:12 PM

Right now when ever I connect the internet, I will get the error message: svchost.exe error. Windows will terminate this program. After that I cannot get linked on any website, and my office2000 program will have trouble to run, like cannot run the "copy", "cut" and "paste" fuction, and cannot link to anyother file. What is wrong? what shall I do to avoid this? Please help me. Thanks!

Leo
January 8, 2004 5:34 PM

I'll point you all at http://ask-leo.com/askleo.html for those of you that need a quick and specific answer. Since this is so common, I'll try to come up with a general answer if I have the time to do the research.

In the mean time, I also encourage you to read http://ask-leo.com/archives/000056.html . Regardless of who you take this question to, there are some common bits of information that will help.

Leo

carlo
January 11, 2004 6:22 AM

When I connect the internet, I will get the error message: svchost.exe error. Windows will terminate this program. After that I cannot get linked on any website, and my office2000 program will have trouble to run, like cannot run the "copy", "cut" and "paste" fuction, and cannot link to anyother file. What is wrong? what shall I do to avoid this? Please help me. Thanks!

Leo
January 12, 2004 9:56 PM

Everyone who's having SVCHOST errors, please read this article: http://ask-leo.com/archives/000059.html

edd
January 18, 2004 5:05 AM

i can't copy and paste since i had the msblast and lovsan viruses.

emil me please on how to fix the problem, thanks

eddstanley@hotmail.com

hridya
January 28, 2004 11:12 AM

when i connect to the net after surfing for few minutes i get the svchost.exe error. its a msgbox, asking OK to terminate the program or Cancel to Debug. I am unable to find a solution. I have Win.2000. When u click on Cancel it opens a Visual studio window. I have already formatted the comp and even loaded the latest Internet Explorer version. The problem still persists.

Leo
January 28, 2004 11:18 AM

Please read this article: http://ask-leo.com/archives/000059.html

Leo

[ZN]-ShiftViper5
February 18, 2004 8:20 PM

On the task manager, I always see svchost.exe. I know that there are several of them, but there's one (listed as LOCAL SERVICE) that steadily takes up CPU usage. When it reaches 50-80%, my programs start to slow down. What causes this and how can I correct it?

2700 MHz, 768MB, 128M nVidia GeForce4 Ti4200-8x (0x0281)
Running Windows XP

Leo
February 18, 2004 9:20 PM

I'd use tasklist /svc, as documented in this article, to try and determine which svchost is causing your trouble, and what services it is attempting to provide. That may provide a clue. Naturally I'd also make sure you're up to date on service packs, windows update, virus checks and so on.

Leo

Bill
February 19, 2004 9:58 AM

Leo, thank you for your online forum. My laptop, Toshiba Satellite 1415-S173, cable modem, MS WiFi, Symantec AV and full Security suite has recently required longer and longer to boot. I have tried to find the bottleneck to no avail. Numerous tweak scripts, exhaustive startup manager trials. 1.5 to 2 minutes to get the logon screen and another 2+ to load the desktop. I just found in MS Sys Info, Sys Summary, Software Environment, Startup Programs.....each file is listed twice with NT AUTHORITY\SYSTEM one user and .DEFAULT the other user. This is true for every file listed. Any thoughts? Otherwise, the system performs quite nicely. thanks in advance

Leo
February 19, 2004 12:13 PM

Having everything listed twice certainly seems suspicious. I'd have you start with this article:
http://ask-leo.com/archives/000032.html it's about system slowdowns in general, but many of the same techniques apply. It also points to another article on controlling what happens at startup with instructions on how to use msconfig. I'm curious as to whether msconfig shows everything twice as well. You didn't mention running any spyware scanning software - that's also a frequent cause for startup issues. Again, the article I just referenced discusses that also.

Best of luck!

Leo

Kees
February 23, 2004 2:01 AM

Through Zone Alarm I learn that svchost.exe want to act as a server. Literally:
Do you want to allow Generic Host Process for Win32 services to act as a server?
Tech Inf.: source IP: 0.0.0.0:Port 5000
Application: svchost.exe
Version: 5.1.2600.0 (xpclient 010817-1148)

["More info" in ZoneAlarm does not really give one more understanding or "yes/no" advice.]

I guess I am not the only one who gets this Question. Pls mail... tks
Curious Kees

Thomas
February 23, 2004 2:00 PM

I'm using zone alarm too. and i choose "yes" - nothing bad happend since then.

Bien
February 24, 2004 6:12 PM

One of the svchost.exe's on my computer is making my computer's CPU run at 100%. It slows things down on my computer, even though I have good parts. Do you know what's going on?

Paul
February 24, 2004 6:51 PM

When I type tasklist /svchost I get the following message.

"tasklist not a known internal or external command, operable program or batch file"

I am running XP home on a Compaq presario notebook. The reason I would dearly like to run the program is that my PC is running at 100% busy even though there are no programs active and I am not connected to the net - or anything else.

Leo
February 24, 2004 8:22 PM

Recommend you follow the instructions here: http://ask-leo.com/archives/000059.html and the several good ideas in the comments that follow.

Leo

Leo
February 24, 2004 8:25 PM

Tasklist.exe is in \windows\system32 if present. You should be able to find it on your Windows XP CD as well.

Leo

Jay
February 25, 2004 3:16 AM

Everytime i connect to the internet... after 10 mins or 15... and "SVCHOST.exe - Application ERROR" appears... and when i click... OK my connection will stop responding... and if CANCEL it will debug... but still stop responding... what was it?!?! thanks!

Leo
February 25, 2004 8:21 AM

That's classic behaviour for one of the viruses that manifests as a SVCHOST error. Check out this article: http://ask-leo.com/archives/000059.html

Good luck!

Leo

David
February 26, 2004 9:34 AM

I have had many of the same errors that you all are talking about but that is just how it all started for me. I got so bad that I could not open any web pages.

what you all should try is got to the site that makes nortons anti-virus and look up

wn32.blaster
wn32.walchia.worm
wn32.walchia.a.worm
wn32.walchia.b.worm
wn32.walchia.c.worm
worm.lovsan.a

That is what I have found no my computer, and only one of them Nortons corp pro found.

Now I have a question. I am really new to all this computer tek stuff and so when nortons or avg could not fix the walchia worm I paniced and tryed to delete every thing to do with the svchost that I could. I deleted the svchost.dll but the svchost.exe would not delete for it was in use to I tryed everything to delete it. One thing that I wish that I do not do was I opened up the properties and at the time there was six (6) tabs and i changed every setting in there that could be changed.

Now I got rid of all the worms but my computer is not working right at all, i think that is has to do with what I did to the svchost.exe. I tried to reformat my computer using my windows XP but it told me that my files were corrupeted and it can not be done.

Please any info about how I can reformate my computer would help.

thank you for your time
david

David
February 26, 2004 9:37 AM

Jay trust me you had the blaster worm.....and it is a naste one too

You need to find a program called "FixBlaster" then you need to make sure that you have all the criticial windows updates and that will fix that problem.

Leo
February 26, 2004 9:45 PM

svchost.exe is actually an important and required system component. If attempting to resolve a virus issue has damaged it, that can easily explain all sorts of remaining bad behaviour, even after the virus has been eradicated. My recommendation is to run the system file checker (sfc). I mention it and how to run it in this article: http://ask-leo.com/archives/000053.html - it should repair any damaged files.

Good luck!

Leo

khalid
February 28, 2004 1:48 PM

Okay Leo, I need help, I am running winodws XP SP1 and print Spooler service disappered from Services list. There are no printers listed in printers folder. I cannot add printer. When trying to run the wizard I get Error: 'Operation could not be completed.'
I have deleted the print driver and cleaned the registery.
The only thing I can think of was I was trying to print .prn file from dos prompt and something remove spooler service.

Leo
February 28, 2004 4:47 PM

Yikes! I'd run the system file checker to see if that doesn't restore the spooler. I just posted an article on SFC: http://ask-leo.com/archives/000074.html

Good luck!

Leo

khalid
February 28, 2004 6:21 PM

Thank you,
I have done that; SFC replaced a DLL and I should have written down which one but did not. My spooler is still not back! any other suggestions

Mike
February 28, 2004 7:02 PM

I have a virus that attached itself to my svchhost.exe and svchoste.exe files, since they are running, I try to end process and then move the file to the virus valt (in AVG) - BUT when I end the process I am forced to reboot the machine.

anyone provide any assistance?

Im using WIN XP Home SP1 - thanks

Leo
February 28, 2004 7:07 PM

svchost is a required system file - the system can't run without it. You'll need to use one of the removal tools. I recommend symantec: http://ask-leo.com/d-symantecavc - it's also worth reading this article: http://ask-leo.com/archives/000059.html .

Good luck!

Leo

theresa darius
March 9, 2004 10:39 AM

i cant seem to get rid of my popups, i have used ad-ware 6.0 and spybot but these pop-ups keep coming back...sometimes 60 at a time...i think it is a virus that may have attached itself to my svchost.exe file, i want to remove them, how do i go about this....
help please Leo

Leo
March 9, 2004 1:06 PM

Well, you didn't say whether or not you've run an anti-virus check, so certainly do that. Also check out this article: http://ask-leo.com/archives/000059.html for more steps to take on the svchost problem (read the posted comments as well, many people contributed valuable info). You also didn't say what kind of popups. If you're running XP or Win2k you should disable the Windows Messenger Service (not the IM client, but the service.) I talk about that one in this article: http://ask-leo.com/archives/000017.html

Good luck!

Leo

Franz J. Polster
March 9, 2004 11:37 PM

I learnt about the existence of svchost.exe just
yesterday, when my Norman firewall, under Windows
XP professional, asked whether task
c:\windows\system32\svchost.exe should be allowed
outgoing communication with protocol UDP
to remote address 207.46.130.100.
What is the purpose of svchost.exe accessing
the internet? What if I deny access (which I did,
without observing any negative consequences)?
Who/What is behind 207.46.130.100 (Microsoft, I
guess!?!)?

Thanks for your reponse in advance

franz

Leo
March 10, 2004 9:30 AM

I'll assume you meant "Norton" firewall :-).

So, to find out what 207.46.130.100 is, I went to a command prompt, and typed the following:

ping -a 207.46.130.100

And it tells me that that IP address is "time.microsoft.com" ... so you are correct, it was Microsoft. That instance of svchost is supporting the time service, and has asked time.microsoft.com for the current time. You can change the server it uses, or turn off the auto time update completely, in the same place you set your PC's clock in Windows.

Leo

Ovi & Adi
March 13, 2004 9:44 AM

My computer is running really slow. A lot of CPU usage is taken by svchost. What can I do? Where can I look for the problem?
10X

idan
March 15, 2004 1:31 PM

Hello Leo !
I have a question for you:
I hav norton NIS+NAV installed on win xp pro, and it can't run anymore, when I restart windows it I can see the icon of nav and nis(with x) and after a few seconds they disapear and I can't run any norton application besides live update, which dosen't work as well. I even tried to install windows on another partition and re-install NIS before even conecting to the internet, and the same happens again... I did update all the leasts updates from microsoft update. I think its a virus, but I can't find it with the pre-installed nis that on the nis-setup-cd or with trend micro online antivirus or fixblast.exe...
is the rpcs service of svchost run is normal ?
if I tried to close it I get the 60secs countdown as in the blaster worm... should this service run by normal use? or is it some kind of virus?

thanks!

Leo
March 15, 2004 5:06 PM

rpcss is a normal service. Unfortunately it's also the service that had a vulnerability that virus writers exploited. You can read more about it, and try downloading the patch for that vulnerability from here: http://ask-leo.com/d-rpcvuln

Some variations of the viruses actually prevent virus scanners from updating, so it sounds like that's what you have. Try the patch above and see if that doesn't let you make progress.

Good luck!

Leo

chris
March 16, 2004 3:31 PM

i have a big problem. i have a 1.6 gig processor, and im constantly overloaded. the problem comes when C:windows/system32/svchost.exe gets pinged by a number of different ip adresses, and i get a pop up (ping) from different ip adresses that try to get my to pay 19.99 to www.windows-patch.info. i need a solution bad. can anybody help?

Leo
March 16, 2004 3:52 PM

Step one: turn off the windows messaging *service*. There's a paragraph with the quick steps on how to do that about 2/3rds down this article: http://ask-leo.com/archives/000017.html - then, get youself a good spyware scanning program (recommendations here: http://pugetsoundsoftware.com/recommend.html ).

Good luck!

Leo

Zeak Harbors
March 17, 2004 11:31 AM

I had one of the Walchia worms and it said my svchost.exe was infected. Norton tried to get rid of it but it was unable to get into the file. To fix this i restarted in safe mode and ended the process trees of all the svchosts running on my computer after that i looked up where there were located and deleted them. While this was happening my computer was shutting down because of the msblast. When i restarted no a lot works including microsoft explorer. I'm not sure how to restore the correct svchost. I hope you can help.

Leo
March 17, 2004 11:40 AM

svchost.exe is a required system file. Removing it is most definitely the *wrong* thing to do to try to resolve this problem, and is pretty much guaranteed to hose your system.

Assuming you're running XP, my recommendation: try system file checker first. http://ask-leo.com/archives/000074.html

If that gets your system somewhat runable, then follow get all the patches from Windows Update.

And definitely read the comments here ... there have been several good suggestions on how to proceed depending on your system, your connectivity, and what state of disarray you are in.

Good luck,

Leo

Tim Coley
March 20, 2004 1:22 AM

Norton recently told me that my svchost file was infected with "Download.Trojan". It could not be repaired, so I quarantined it, but what should I do now? If I can't repair it, then should I delete it?

Leo
March 20, 2004 11:36 AM

Or you can do nothing, if Norton no longer complains. It's typically OK to delete *the quarantined file* (NOT the *real* file). If you're not sure about the difference, then leaving it as quarantined should also be fine. Since SVCHOST is a required system file, deleting the wrong one could be a problem.

Leo

Korsaria
March 21, 2004 11:07 PM

I hava a big problem with svchost.exe. 2500 MHz, 512MB, 128M ATI Radeon 9600 Running Windows XP,
it work perfect about 5 min and then CPU usage become 100%. What can I do?

Richard
March 22, 2004 6:16 AM

Hi Leo
I've just encountered a similar problem to Korsaria. I have a Dell 2.4 Ghz + 512 Mb +80G HD running XP. I have Norton anti virus and also Norton Firewll but they have not been updated for a ouple of months.
this morning I found that every application was being interrupted and it would sit there and do nothing for about a minute before it stumbled on and then stopped again. I used task manager and found that the CPU was running at almost 100% with SYSTEM PROCESS. The only other thing that was running at this time was SVCHOST.EXE but this was not taking up much CPU time and was intermittant. Something is causing SYSTEM PROCESS to commandeer the CPU. Do You have any thoughts.
Many thanks
Richard

Leo
March 22, 2004 3:42 PM

My initial reaction is that you are both infected with a virus. Updating virus signatures frequently is a *must* in today's environment - I update nightly. Update those virus scanners and get the latest round of updates from Microsoft for your system.

Leo

Alex
March 23, 2004 2:06 PM

How do I capture the output from tasklist /svc before it disappears?

svchost.exe is constantly taking between 80 & 99% of processor & is bugging me.

If I can capture the output this will tell me which version of SVCHOST.EXE is running what programs, but how do I change them?

Leo
March 23, 2004 2:15 PM

try:
tasklist /svc | more
or
tasklist /svc >filename.txt

If your processor is pegged in svchost, you likely are infected with a virus, and need to run a virus scan or removal tool.

Leo

Alex
March 23, 2004 3:15 PM

Thanks Leo, going throught the pain of trying to ensure I have all the windows updates & just looked at the symantec security site for the worm removal tool. Printed it off, too tired to plough through that tonight.

Thanks for your advice, truly appreciated.

sakol nisarut
March 24, 2004 6:50 PM

when i use my notebook with battery. This running program "svchost.exe" are alway run and take a lot of power from my notebook!!
What and how should I do in this case?
Thank You for your comment.
Sakol Nisarut
sakol@sec.or.th

Sketch
March 25, 2004 1:49 AM

I have a Dell 2.0Ghz running on XP.
After I read the posted here,I tried TASKLIST /SVC on CMD window; but I've got only an error message saying:

'tasklist' is not recognized as an internal or external command, operable program or batch file.

Why is TASKLIST /SVC not working on my XP?
I'll appreciate your help.

Leo
March 25, 2004 9:33 AM

Tasklist is only in XP Pro, I'm guessing you have XP Home edition. You can copy it over from an XP Pro system, if you have access to one. You might also be able to find a copy on-line if you search.

Leo

Sketch
March 25, 2004 3:43 PM

Thank you, Leo. Yes, mine is XP Home.
While searching for TASKLIST.EXE, I found great free tools from the following site:

http://www.sysinternals.com/ntw2k/utilities.shtml

Free tools of this sites such as Process Explorer, TCPView, FileMon, RegMon seem very good.
Would you check them out and give me opinion?
I'll appreciate again.

Leo
March 25, 2004 3:45 PM

I *highly* recommend sysinternals. In fact, you'll find them mentioned in several of my articles, and on my recommendations page. The tools you list are part of my "take everywhere with me" arsenal :-).

Leo

diz_jays
March 27, 2004 2:56 AM

my sygate peronal pro firewall tipes that it is a critical problem and blocks incomming messages to svchost.exe. firewall desdcribes it in that way: 03/26/2004 20:56:08 Intrusion Detection System Critical Incoming TCP 192.168.11.52 192.168.11.191 svchost.exe 4 03/26/2004 20:56:08 03/26/2004 20:56:08
is it wrong if firewall blocks these connectings?

Leo
March 27, 2004 10:19 AM

No, it looks like the firewall is doing its job. Further, based on the IP addresses, it looks like one of the other computers on your network may be infected with a virus.

Leo

andrei
March 29, 2004 10:39 AM

I think I`ve closed one of svchost and from that I have some errors that appear on my screen... at numeber of error 10053 and 10054... how can I put the svchost again... I`ve installed the windows again and no effect. If I`ve written wrong, please scuse me, I am from ROMANIA and I have 11 years old. Can I fix the problem????

sham
March 30, 2004 8:02 AM

my computer is infected by virus w32.WlechiaB.Wrom .
when ever i run antivirus say virus found in c:\windows\system32\drivers\svchost.exe.

how to over come this.
i searched on net i founf some thing saying run given exe it will delete the file infected, is it ok?

waiting for u'r reply.

THANKS IN ADVANCE.

Leo
March 30, 2004 9:16 AM

No way to know, since you didn't say where you found it. There are such tools ... I would start at Symantec's anti-virus site and download one from there. http://ask-leo.com/d-symantecavc

Best of luck,

Leo

Lereno
March 31, 2004 8:01 PM

I'm having problems with IEXPLORE.EXE and EXPLORER.EXE...
I think both are corrupted, because when i'm opening certain folders with images or photos or even larger number of files it goes like this:
- "EXPLORER.EXE (or sometimes IEXPLORE.EXE) generated errors and will going to close"

how can i solve this problem?
I think just reinstalling Windows is not enough, so i appreciated if you could give me an answer.

Big Thankx

Lereno from Portugal

p.s - i've got Windows XP Professional(sorry about my English!!!)

Leo
March 31, 2004 8:10 PM

First, I'd try the system file checker:
http://ask-leo.com/archives/000074.html - then I'd make sure you had an up to date virus scan.

Leo

SAMIR
April 1, 2004 1:43 AM

THE SOLUTION SI PATCH "KB823980". I HAWE DO THAT BEFORE 7 DAYS AND NOW I DO NOT HAVE ANY PROBLEM WITH MY COMPUTER. THANK YOU "LEO".
SAMIR, BOSNIA & HERZEGOVINA

steve
April 2, 2004 3:48 AM

Hello

itried to conecct to mIRC and it says i have a trojan ??? ive ran spy-bot , ada-awre and norton2004 i also have a personal firewall enabled , how do i find the trojan thats lurking on my system please ?? i run winXPpro thanx for your assistance

steve

Leo
April 2, 2004 4:45 PM

Good question. Does mIRC give you any information as to *what* trojan it thinks you have? You might also try an additional virus scanner (there are several free ones on the net that make for a good second tier scanner).

Leo

adrian3k
April 3, 2004 4:12 AM

Hi. I have a question...
I have four SVCHOST.EXE running after restarting computer ... but after 1hour (or more) one of them is using my CPU in 99% ... when i disable it i can't COPY/PASTE/MOVE FOLDERS, etc.
Can you please help me ? And if you reply plz send me an email so i can see what is the problem :P btw. maybe there is a way to look why this process use 99% of my CPU ?

Leo
April 3, 2004 9:21 AM

That's most certainly a virus. Check out the article and subsequent comments here: http://ask-leo.com/archives/000059.html

Good luck!

Leo

adrian3k
April 3, 2004 2:55 PM

thx Leo ... i solve my problem myself :)
This was the attack on the RPC to run commands :) I think it was Gaobot attack from LAN network :)
antivirus + patches for xp + little time ... and i solve the problem :)
btw. nice site - keep up the good work :)

Kyle
April 3, 2004 3:19 PM

Hey Leo, I got a question for yah...(obviously). I run windows xp, and for some reason or another, after I reboot my compt, my task bar gets locked up and I am no longer able to use it. I can still minimize programs and alt+tab back into them. I just cannot see them on my taskbar...mainly because it will later dissaper after running a few progams...IE games and such. I ran norton...nothing found...ran spy bot, search and destroy...found a few things, didnt fix my problem. I got the latest xp updates and such. But when i opend up my task manager, and ended svchost, my taskbar came back up and was working fine. svchost does not mainly take up alot of my cpu, but it does have it's spikes at moments where it will shoot up. Any idea what might be going on?

Leo
April 3, 2004 7:22 PM

Is the task bar still visible when the problem happens? I'm wondering if it's jsut auto-hidden? Right click on an unused area on the task bar, hit properties (you may need to unlock the taskbar), and check the auto-hide and on-top settings.

Leo

MyXPUser
April 5, 2004 1:13 AM

Hi There...

I has a problem with my PC's,
I'm using WinXP Pro, and i had this Generic Host Process For Win32 Services. Where each time the dialog box pop up, i try to close it and there is a dialog box tell that the PCs need to shut down. After a few times faced this problem i try to find a solution in internet and found out it is a MSblast. i been search a file named MSBlast.exe but did not found it. finally i found out that the generic host.... actually point to the svchost.exe.
can anyone help me to settle my problem???plzzz???

Thanks.

Tracy
April 5, 2004 8:18 AM

Question. I had the common problem of recieving about a dozen popups every 5 minutes. I installed the STOPzilla pop-up Blocker and the pop ups stopped. However, I now have a problem that is just as bad as the pop up ads. Whenever I'm online I can hear the audible sound that alerts me that a pop-up has been blocked. But about twice per hour this results in a major slow or complete freeze of my system. What could be the cause?

Gustavo
April 5, 2004 9:35 AM

Hi. I have a question...
I have four SVCHOST.EXE running after restarting computer ... but after 1hour (or more) one of them is using my CPU in 100% ... when i disable it i can't COPY/PASTE/MOVE FOLDERS, etc.
Can you please help me ? And if you reply plz send me an email so i can see what is the problem :P btw. maybe there is a way to look why this process use 100% of my CPU ?

Leo
April 5, 2004 9:48 AM

http://ask-leo.com/archives/000059.html
and
http://ask-leo.com/d-blkrpc

should both be helpful.

Good luck.

Leo

Leo
April 5, 2004 10:41 AM

Tracy: sounds like the windows messenger *service* is still running and being attacked. This article: http://ask-leo.com/archives/000017.html has instructions for turning that service OFF, which you should do. Or visit Gibson Research (http://ask-leo.com/d-grc ) and grab "Shoot the Messenger" which does the same thing ... disables the service.

Good luck!

Leo

Lakshmish
April 9, 2004 12:07 AM

I have SVCHOST and SVCHOST running in my system whenever i boot the system. And windows task manager shows 100% of my CPU is being used by these 2 process. when i disable / set the priority to below normal,the system doesn't allow the operations like COPY/PASTE/MOVE FOLDERS, etc.
Can you please help me ? And if you reply plz send me an email so i can see what is the problem :P btw. maybe there is a way to look why this process use 100% of my CPU ?

Leo
April 9, 2004 9:23 AM

SVCHost is a required system component, so you can't adjust it's priority, or kill it. You either have or are being attacked by a virus. Check out the various comments in http://ask-leo.com/archives/000059.html - in short: update and patch Windows, update and run virus checking, and make sure you've got some kind of firewall in place.

Leo

marty
April 10, 2004 6:29 PM

windows xp pro,, i have a free DL of ad ware for finding spyware,,, i find about 7 per 24 hrs, always comet cursor and tracking something,, both are called data miners,, they arein my registy key and files,, ad ware get rid of them but they always come back,, how can i stop them from coming back

Leo
April 10, 2004 6:47 PM

Well, step one is simply to take care in what sites you visit and software you download ... typically these downloads are given to you transparently be less-than-reputable vendors.

Second, tighten up your browser's security settings. This will prevent many.

Finally, Spy Bot does have have a monitoring function that will watch for, and block at your option, many of the bigger offenders. AdAware may also have something like this in their pay version. There's also a tool called StartupMonitor which can keep reins on what gets added to your startup (http://ask-leo.com/d-startupmonitor ).

Leo

Allmen Quester
April 12, 2004 10:10 AM

Running in a command window (WinXP home) the "NET START" command works; however, when I type "tasklist /svc" I get the folllowing error message"
['tasklist' is not recognized as
operable program or batch file.]
What am I doing wrong?
Thanks,
Allmen Quester

Leo
April 12, 2004 4:13 PM

Nothing. You probably have XP Home, which apparently doesn't have the tasklist command. I'll be writing up an article shortly on how to use Sysinternals Process Explorer (http://ask-leo.com/d-31017a ) to get the same information. In a nutshell, run procexp, doubleclick on a svchost instance, and then select the "services" tab, and it'll show what services that instance of svchost is hosting.

Leo

John K
April 15, 2004 1:45 PM

Over the last few months, with increasing frequency, I receive the following message on my screen. It's in Norton Internet Security, but it's not the usual Alert Tracker screen I get when Norton detects an attempt to hack in. It's more like the screen I get when a new programme - like RealPlayer for example - tries to connect to the internet for the first time.

The message says:
A remote system is attempting to access Generic Host Processes for Win32 on your computer.
Application: C:\WINDOWS\system32\svchost.exe
Protocol: TCP (Inbound)

It also tells me the IP addrss of the computer from which the attempt is being made - I think it's diferent each time.

I have always asumed it's someone trying to hack in or plant a trojan or whatever it is these people do, and refused the connection, but, before I set a rule to always forbid such connections, I just wondered if it is a legitimate programme or something which I ought to be allowing for the good running of the computer.

Leo
April 15, 2004 1:51 PM

I'd set that always forbid rule. A remote computer should not be attempting to initate a conversation that way ... they're probably attempting to exploit a vulnerability in Windows (that's since been patched as well).

If you're curious, you can enter the IP address into a "reverse DNS" tool, such as http://ask-leo.com/d-reversedns and see a) if there is a host name for that address, and b) if the host name is something you recognize.

Leo

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.