Ask Leo!

Where is it alright for svchost.exe to be?

Home » Windows

I was told that the file svchost.exe should only exist in the windows\system32 directory. I was also told that if I find it in another directory, it is part of a virus. I have WinXP and found the svchost.exe file in the windows\system32 directory. However, I also found it in the windows\ServicePackFile\i386 directory and in the windows\$NtServicePackUnistall$ directory. Is this a problem? Should I delete the svchost.exe files in the non system32 directories?

Indeed, you were told correctly ... kind of.

I just took a look at my machine, and found all those copies and one more. Fortunately they are not the result of a virus, and you and I are quite safe.

Let's look a little more closely as to why.

One of the ways that viruses try to hide is to give themselves the same name as important or critical system files, like svchost.exe, but then place themselves in a different location on your machine. That way you might be afraid to delete them, for fear of deleting the wrong one, or you might not even notice that it's running because of its familiar name.

As you and I have seen, the file svchost.exe can, in fact, live in several places and be ok. Let's enumerate what those locations are, and why they're ok.

"One of the ways that viruses try to hide is to give themselves the same name as important or critical system files..."

For purposes of this discussion, I'm going to assume that Windows is installed into C:\Windows.

C:\Windows\System32 - the first and most obvious, this is the running copy of Windows itself. This is where you were told correctly - this is the only copy of svchost.exe that should actually be running. How do you find out? You'll need to grab a copy of Process Explorer from SysInternals.com. In current versions of that tool, simply hovering the mouse over any of the "svchost.exe" listed there will display the full path. If your Windows is installed in c:\windows, then svchost.exe should be "c:\windows\system32\svchost.exe".

C:\Windows\ServicePackFiles\i386 - this directory contains the most recent service pack installed on your machine. svchost.exe was one of the files updated, so it's located here. This is just a copy of the files - I believe the files here are used when new software is installed or when you run the system file checker. This Microsoft Knowledgebase article points out that it's possible to burn these files to a CD and remove them from your system.

C:\Windows\$NtServicePackUninstall$ - if present, this directory contains the previous copies of files that were saved when the service pack was installed. Thus it contains the old version of svchost.exe. You can delete this folder, but only if you are absolutely certain you'll never uninstall the service pack. (I'd probably burn it to CD first, just in case.)

C:\I386 - if present, this directory contains a copy of your Windows Installation CD, and hence would also have a copy of svchost.exe. I've discussed this extensively in other articles, most recently: So just what *is* the I386 directory anyway?.

Those four locations are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.

So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.

If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.

Related:

More articles about: Windows

Article Useful? Link to it from your own website; just copy/paste this HTML:

Article 9488 | Posted December 2, 2005

Recent Comments

I have read your article on the svchost.exe and checked my system. I found it in the System32 folder, the ServicePackFiles folder and then also in this folder: C\Windows\Prefetch, is this a virus??

Thank you

Posted by: Mel at October 16, 2007 02:19 PM

I am having a problem i have not seen on the internet at all. scvhost.exe has rooted itself in windows/win32/oobe/scvhost.exe...not only has not one article on the internet show it in that directory but it makes the computer absolutley go beserk. the only way to keep my computer responding is to keep task manager open. if I close it 100's of svchost open and cause a reboot. i cant seem to find a way to stop it.

Posted by: steve at November 1, 2007 03:39 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As the article indicates, that's highly suspicious of a virus, and you need to
run an *up to date* anti-virus scan with a good scanner.

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHLKngCMEe9B/8oqERAvalAJ0f3Ul6p9PaN3jOKgC1Dvbe+UDogQCeIcCc
Mct8FOdYq47SJpJp+RcCx/k=
=HHTz
-----END PGP SIGNATURE-----

Posted by: Leo A. Notenboom at November 3, 2007 10:03 AM

"Windows cannot find 'E:\windows\svchost.exe'. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.

i tried everythin...as you have said(maybe not)
i even tried updating my windows xp and hotfix and those kinda stuff...but the problem reappears everytime i started my windows....i need help terribly...."

The same thing has happened to me. How do I fix this?

Posted by: skiddlepins at November 26, 2007 02:59 AM

What if it's located C:\Documents and Settings\BACK UP MY DOCs\SvcHost.exe is this normal?

Posted by: Chike at December 7, 2007 07:51 AM

Thanks Leo, I was having a problem with svchost.exe taking up all of my CPU.
Turned out after using the Process Explorer you recommended that it was the HP printer and software I installed a while ago. A network polling service was hogging all of the CPU through svchost.exe. I turned off the automatic service and fixed the problem.

Andrea

Posted by: Andrea Mahoney at January 25, 2008 11:09 AM

i was threatened w/ this "svchost" cause i saw it in a USB i plugged in the computer. i deleted the thing at my C drive but it keeps on recoming so i stopped all processes having svchost.exe and deleted all svchost files found in my pc. After I read this, im troubled. It looks like I really need the svchost.exe in the folder system32... What shall I do? Thanks for the help.

Posted by: wilson bucaoto at March 14, 2008 07:21 AM

Hi Leo,

I have BitDefender which tells me I have that my
C:\WINDOWS\system32\=>:svchost.exe is infected with a Trojan.Generic.138368. Bit defender can't seem to get rid of it, same goes for Norton 360. I thought it was ok to have the svchost.exe. in this location...Any ideas?

Carol

Posted by: Carol at April 28, 2008 06:08 AM

Hello Leo, I have the same Problem with Bitdefender and Trojan.Generic.138368 - like Carol !!
LoloXP

Posted by: LoloXP at May 6, 2008 06:44 AM

I found a SVCHOST.EXE-2d5fbd18.pf located in C:\windows\Prefetch. Should I delete it? I regularly run an up tp date Symantec anti virus scan as well "spyware terminator" and it hasn't noted this as a virus. Thanks

Posted by: Steve C. at June 16, 2008 11:09 AM

Post a comment on "Where is it alright for svchost.exe to be?":






(Email Address will not be published.)

Remember Me?

By popular demand...
my tip jar
Cuppa Joe
Buy Leo a Latte!


New!

RSS feed Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Please wait. Your comment is being processed ...


Ask Your Question:


ask-leo.com
Web

Archives

By Category
By Date

Advertisers

Advertise on Ask Leo!

««   »»

Question? - Ask Leo!
Who is Leo?
Link to Leo!

Terms, Conditions & Privacy