Svchost.exe is frequently spoofed by viruses attempting to hide. The official copy should be in your Windows\system32 folder, but there may be others.

I was told that the file svchost.exe should only exist in the windows\system32 directory. I was also told that if I find it in another directory, it is part of a virus. I have WinXP and found the svchost.exe file in the windows\system32 directory. However, I also found it in the windows\ServicePackFile\i386 directory and in the windows\$NtServicePackUnistall$ directory. Is this a problem? Should I delete the svchost.exe files in the non system32 directories?

Indeed, you were told correctly ... kind of.

I just took a look at my machine, and found all those copies and one more. Fortunately they are not the result of a virus, and you and I are quite safe.

Let's look a little more closely at why.

One of the ways that viruses try to hide is to give themselves the same name as important or critical system files, like svchost.exe, but then place themselves in a different location on your machine. That way you might be afraid to delete them, for fear of deleting the wrong one, or you might not even notice that it's running because of its familiar name.

As you and I have seen, the file svchost.exe can, in fact, live in several places and be ok. Let's enumerate what those locations are, and why they're ok.

For purposes of this discussion, I'm going to assume that Windows is installed into C:\Windows.

C:\Windows\System32 - the first and most obvious, this is the running copy of Windows itself. This is where you were told correctly - this is the only copy of svchost.exe that should actually be running. How do you find out? You'll need to grab a copy of Process Explorer. In current versions of that tool, simply hovering the mouse over any of the "svchost.exe" entries listed there will display the full path. If your Windows is installed in c:\windows, then svchost.exe should be "c:\windows\system32\svchost.exe".

C:\Windows\ServicePackFiles\i386 - this directory contains the most recent service pack installed on your machine. svchost.exe was one of the files updated, so it's located here. This is just a copy of the files - I believe the files here are used when new software is installed or when you run the system file checker. This Microsoft Knowledgebase article points out that it's possible to burn these files to a CD and remove them from your system.

C:\Windows\$NtServicePackUninstall$ - if present, this directory contains the previous copies of files that were saved when the service pack was installed. Thus it contains the old version of svchost.exe. You can delete this folder, but only if you are absolutely certain you'll never uninstall the service pack. (I'd probably burn it to CD first, just in case.)

C:\I386 - if present, this directory contains a copy of your Windows Installation CD, and hence would also have a copy of svchost.exe. I've discussed this extensively in other articles, most recently: So just what *is* the I386 directory anyway?.

Those four locations are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.
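
The rule above (several copies may sit on disk, but only the System32 one should be running) can be checked in one pass. The following PowerShell is an added example, not part of the original article; it assumes PowerShell 3.0 or later for Get-CimInstance, and the function name Get-SvchostVerdict and the sample paths are illustrative.

```powershell
# Added example, not from the original article.
# Classifies a path to a file named svchost.exe using the article's list:
# one location that may run, three backup locations that may only exist on disk.
# Note: 64-bit Windows also ships a copy in %SystemRoot%\SysWOW64; this example
# follows the article's list and would report that copy for review.

function Get-SvchostVerdict {
    param(
        [string]$Path,                          # full image path; may be empty
        [bool]$Running,                         # $true for a live process
        [string]$SystemRoot = $env:SystemRoot   # e.g. C:\Windows
    )
    if ([string]::IsNullOrEmpty($Path)) {
        # Win32_Process returns no path for processes the caller cannot open.
        return 'UNKNOWN: path not readable, rerun from an elevated prompt'
    }
    $drive     = [System.IO.Path]::GetPathRoot($SystemRoot)   # e.g. C:\
    $mayRun    = [System.IO.Path]::Combine($SystemRoot, 'System32\svchost.exe')
    # Single quotes keep the $ characters in the folder name literal.
    $diskOnly  = @(
        [System.IO.Path]::Combine($SystemRoot, 'ServicePackFiles\i386\svchost.exe'),
        [System.IO.Path]::Combine($SystemRoot, '$NtServicePackUninstall$\svchost.exe'),
        [System.IO.Path]::Combine($drive, 'I386\svchost.exe')
    )
    # Windows paths are case-insensitive, so compare that way.
    if ($Path -ieq $mayRun) {
        # Covers the image path only; it says nothing about the service
        # DLLs this svchost.exe instance has loaded.
        return 'OK: System32 copy'
    }
    if ($diskOnly -icontains $Path) {
        if ($Running) { return 'SUSPICIOUS: backup copy should never be running' }
        return 'OK: backup copy on disk'
    }
    if ($Running) { return 'SUSPICIOUS: running from an unexpected location' }
    return 'REVIEW: unexpected copy on disk, scan it'
}

# Live check: every running process named svchost.exe with its image path.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Select-Object ProcessId, ExecutablePath, @{
        Name       = 'Verdict'
        Expression = { Get-SvchostVerdict -Path $_.ExecutablePath -Running $true }
    } |
    Format-Table -AutoSize

# Constructed sample records (not real findings) that exercise each branch.
$samples = @(
    @{ Path = 'C:\Windows\System32\svchost.exe';              Running = $true  },
    @{ Path = 'c:\windows\system32\SVCHOST.EXE';              Running = $true  },
    @{ Path = 'C:\Windows\ServicePackFiles\i386\svchost.exe'; Running = $false },
    @{ Path = 'C:\I386\svchost.exe';                          Running = $true  },
    @{ Path = 'C:\Windows\svchost.exe';                       Running = $true  },
    @{ Path = 'C:\Temp\svchost.exe';                          Running = $false },
    @{ Path = '';                                             Running = $true  }
)
foreach ($s in $samples) {
    $verdict = Get-SvchostVerdict -Path $s.Path -Running $s.Running -SystemRoot 'C:\Windows'
    '{0,-48} {1}' -f $s.Path, $verdict
}
```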

So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.

If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.

Article C2477 - December 2, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

January 20, 2006 2:57 PM

Hi Leo

I've done what you suggested and it worked perfectly. I haven't got the 100% cpu usage any more. Thanks a lot for your help

Christian G
February 8, 2006 11:11 AM

Great article, unfortunately it didn't help me. All my five SVCHOST.EXE files were in the right directory. But I could just shut down the one process that used 50 % of the CPU. I then got the one minute to shutdown warning. But that was easily avoided by typing shutdown -a in the run window. My computer ran smoother then, but I still experience a bit of lag in certain games like Battlefield 2.

February 27, 2006 8:31 PM

I just did a scan for svchost.exe
I not only found it in /system32 and /servicepack/i386 but also in /prefetch

I'm assuming the one in /prefetch is a virus

February 27, 2006 8:34 PM

Not necessarily. Prefetch is a valid place for it to be, but it's also ok to delete it from there. It'll probably come back. Prefetch is a performance optimization for loading windows.

March 9, 2006 5:10 AM

Hi Leo. I found a copy of svchost in the directory C:/Windows/System32/wins/SVCHOST.EXE
What should I do??
This svchost file in property windows says:
TCP/IP Trivial file transfer daemon...What is this?

April 1, 2006 6:49 AM

Hi Leo, I have Trend Micro installed and I keep getting a message that the virus TROJ_DLOADR.AD has been found in C:/windows/system32/directx/svchost.exe. The PC-cillin software always quarantines the file but I keep getting the message at various times when I try to connect to the internet. The good news is that the anti virus software seems to be working. The bad news is there is something on the computer that keeps installing a bad copy of svchost.exe in the directx directory. Any ideas on how to identify what is installing this bad copy of svchost?

April 23, 2006 4:20 PM

I solved the problem. Windows Xp Pro SP 1.

In my case is Windows Update. I just turn off Automatic Updates. No more svchost 100% CPU. Now the problem is: I have to do manually updates.

May 3, 2006 10:08 AM

I found a svchost.exe in my programs directory (C:/program/svchost/svchost.exe) which couldn't be removed since the system was using it somehow. I also saw that I had blocked it with my firewall. When I released the block for a short period of time it immediately began connecting to a computer in Holland. I then blocked it again and searched for registry keys with that path name. It turns out the keys were about the eMando remote control software. After removing the keys I could delete the file. Shortly before this a buddy of mine had his poker accounts robbed for about $6000 and his hard drive erased, which was probably the result of this very file. Thanks to Leo for helping me identify the trojan.

May 11, 2006 6:33 PM

I had the same problem with the Trojan installing a fake svchost.exe in the directX folder. What I did first was:

Using the free online virus scanner kaspersky which can be downloaded from:

After scanning found the usbadpt32.dll to be a Trojan which was located in the
c:\windows\system32 directory.

This was a pain to delete because Xp would not allow me to delete the DLL.
Steps that I had to take in order to delete this virus was the following:

1). Using the "eXtended Task manager.exe" program which you can try out
for 21 days free. I searched for the module name "usbadpt32.dll".

2). When found I told the program to unload the module.

3). Using the program name "registry crawler" I did a search for:


4). When found I deleted all keys associated with this DLL.

5). I deleted the file name "svchost.exe" which the virus used located
in the directory "c:\windows\system32\directX".

6). Restarted the system.

7). Upon entering windows I deleted the "usbadpt32.dll" from the directory


May 16, 2006 7:50 PM

Process Explorer is great. I've been looking for an application like this for a long time. I have 5 svchost.exe running and they are all from the legit directory. I'm glad to finally confirm this.

June 3, 2006 7:12 AM

Hi Leo. McAfee Security Center detected a copy of svchost.exe in c:\windows\. It said it was infected by a trojan. It presented me with several options including deleting it or quarantining it. I deleted it immediately, thinking svchost.exe is not important. Then I decided to research the file and found this site. The file is not located in the folders you specified but it is located in c:\windows\. So now I'm not so sure if I did the right thing by deleting it. What do you think?


August 15, 2006 9:30 AM

hi leo,

i really need your help here i had been having this problem for 2 days now, as i'm connecting to the internet by using a moden provided by my broadband provider. my problem are:

1. suddenly an error message appear saying generic host process for win32 had encounter a problem and need to be closed. this happen when i'm surfing the net, it cause me to be disconnected from the net and i have to restart my computer for me to be able to connect again.
2. it happened on a time duration of 30min-2 hours time surfing the net.
3. error signature:
event type:BXE p1:svchost.exe

what i did try:
1. used system restore( didn't work )
2. scan my computer for viruses( using avast/symantec/spybot and even use fixblast )

i need a solution on solving this problem.

p/s i'm using window XP
thanx for the help

September 6, 2006 7:27 AM

Word 97 and Excel 97 were loading very very slow. I found an additional svchost.exe file in C:\WINNT\SYSTEM32\WINS . After renaming this file everything worked fine. On changing the name back again Word and Excel loaded very very slow again. I scan the file with NAV but no virus was detected. What should I do with this file and do you know what it is and where it came from?

Thanks for your very useful website.


November 19, 2006 7:17 AM

Plain and to the point about "svchost locations"
This file should ONLY BE THE C:\Windows\System32 directory AND in the C:\I386. If you do have more than one in ANY OTHER location, delete it, how can I tell you ask? Well, do a search for "svchost", when the search results are posted, there should only be a copy in the directories stated above. If there are more than one elsewhere look at the DATE of that svchost file, that's a true giveaway, IE. the svchost files in the correct locations will have the date of the Original operating system. If there are later dates of the file in other locations is earlier then delete them.

November 28, 2006 8:26 AM

So you've covered in what locations svchost can be, what about process users? In the Task Manager, some of the svchost.exe instances list SYSTEM as the User Name, or NETWORK SERVICE or LOCAL SERVICE, which I'm sure is fine, but what if it listed the name of a log-in on that computer (or another computer too, I guess, but that would obviously be very bad :P )
This isn't happening right now, so I can't be 100% certain, but I seem to recall seeing such an occurrence in the past. Could this be an easy way to spot a phoney svchost?


April 4, 2007 10:03 PM

why are there 7 svchost.exe's running at the same time but only 1 causes system failure? these 7 things
are 25% of my commit charge. its even worse when gaming! Please help!


Leo Notenboom
April 5, 2007 7:31 PM

You might want to look at this article:


April 14, 2007 11:15 AM

i have 5 SVCHOST.exe on my list, and one of them is pumping my CPU usage every time i am connected to internet, i tried to disable it but it reappeared every 10-15 secs after i disable. i did a search for it. Its on its original place which on win32 file. The user name for that "fake" SVCHOST.exe was SYSTEM.

April 29, 2007 10:49 AM

Please note C:\Windows\svchost.exe is NOT a place where the file should be. I have had a trojan in that path, with two dozen different methods to start automatically when the computer is booted (like Startup item on start menu and lots of places on the registry). It was a backdoor and it was sending information back to the hacker. I managed to remove it within an hour of getting it (and unplugged network cable during the whole removal process so it didn't keep sending anything).

July 10, 2007 6:18 AM

Please, I have the same problem as " Nicolas at April 29, 2007 10:49 AM" but I'm unable to remove it. I really tried everything but I cannot find the source of the infection. Please tell me how to get rid of C:\Windows\svchost.exe (what is definitely not existing, but showing up after every restart)

August 4, 2007 12:51 PM

I have a relatively new computer, with Vista operating system. How is any of your advice about svchost.exe changed for Vista users?

August 11, 2007 8:06 AM

My question is basically the same as Nicholas's, Ken's and Kim's. I require info on how to get rid of the files that shouldn't be there and how to know which files should be running and which shouldn't (svchost.exe). So, can you please, help me.


August 16, 2007 1:23 PM

I used PRT Perlovga Removal Tool which I found at this site:

I'm not sure how reliable this site and its program is. I used it to get rid of the temp1.exe and temp2.exe viruses. Apparently it also does help against svchost.exe virus problem.

I now get this at start up:

Windows cannot find 'E:\windows\svchost.exe'. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.

and after clicking "okay" I get this:

Could not load or run 'E:\WINDOWS\svchost.exe' specified in registry.
Make sure the file exists on your computer or remove the reference to
it in the registry.

Well, svchost is now only in E:\windows\system32

I'm guessing I should go into the registry and get out that HKEY to svchost in E:\windows\


August 16, 2007 1:25 PM

Ow..ehm..HOW do I change things in the registry..? (How do I even GET in the registry..?!)

August 20, 2007 2:26 AM

i have a problem with my pc,after entering my password the pc monitor will show a black screen then after some few sec it will then display svchost property.My question is what is this and how do i solve the problem?

G. Georgie
August 23, 2007 11:06 AM

My PC was acting very slow, I went to the task manager and many svchost.exe, I researched and found out it is a virus or malware, so deleted all svchost.exe from the registry by mistake, and my lap top is xp professional sp2, I can not connect to the internet, because I noticed that there is nothing in the network communication (no LAN or Wireless), also no volume control in the lower right corner, and when I try to open norton, it will not allow me to open it, when I open a word document and try to minimize it to the system tray, it disappears. what should I do to restore it back to its previous state?

August 27, 2007 10:20 PM

Cool guys..

There is a problem that was identified by Microsoft.

The Svchost.exe process may spike the CPU usage to 100 percent during update detection or update installation. Also, the Svchost.exe process causes the computer to stop responding for various lengths of time.

If that fits your issue, you may wish to try this hotfix from Microsoft. MS Help and Support

I had the same problem and noticed that wuauclt was also running - Microsoft's autoupdate.

A little background on svchost


Richard Wagner
August 29, 2007 12:22 PM

The true svchost.exe file in Windows/system32 has version number 5.1.2600.2180 and a length of 14,336 bytes.

The bad file in Windows/inf has a version number of and a length of 15,872 bytes. This file has the same name, svchost.exe but cannot be altered or removed and it propagates its spyware relentlessly.

September 12, 2007 11:53 PM

Windows cannot find 'E:\windows\svchost.exe'. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.

i tried you have said(maybe not)
i even tried updating my windows xp and hotfix and those kinda stuff...but the problem reappears every time i started my windows....i need help terribly....

October 16, 2007 2:19 PM

I have read your article on the svchost.exe and checked my system. I found it in the System32 folder, the ServicePackFiles folder and then also in this folder: C\Windows\Prefetch, is this a virus??

Thank you

November 1, 2007 3:39 AM

I am having a problem i have not seen on the internet at all. scvhost.exe has rooted itself in windows/win32/oobe/scvhost.exe...not only has not one article on the internet show it in that directory but it makes the computer absolutely go berserk. the only way to keep my computer responding is to keep task manager open. if I close it 100's of svchost open and cause a reboot. i cant seem to find a way to stop it.

Leo A. Notenboom
November 3, 2007 10:03 AM

As the article indicates, that's highly suspicious of a virus, and you need to
run an *up to date* anti-virus scan with a good scanner.



November 26, 2007 2:59 AM

"Windows cannot find 'E:\windows\svchost.exe'. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.

i tried you have said(maybe not)
i even tried updating my windows xp and hotfix and those kinda stuff...but the problem reappears every time i started my windows....i need help terribly...."

The same thing has happened to me. How do I fix this?

December 7, 2007 7:51 AM

What if it's located C:\Documents and Settings\BACK UP MY DOCs\SvcHost.exe is this normal?

Andrea Mahoney
January 25, 2008 11:09 AM

Thanks Leo, I was having a problem with svchost.exe taking up all of my CPU.
Turned out after using the Process Explorer you recommended that it was the HP printer and software I installed a while ago. A network polling service was hogging all of the CPU through svchost.exe. I turned off the automatic service and fixed the problem.


wilson bucaoto
March 14, 2008 7:21 AM

i was threatened w/ this "svchost" cause i saw it in a USB i plugged in the computer. i deleted the thing at my C drive but it keeps on recoming so i stopped all processes having svchost.exe and deleted all svchost files found in my pc. After I read this, im troubled. It looks like I really need the svchost.exe in the folder system32... What shall I do? Thanks for the help.

April 28, 2008 6:08 AM

Hi Leo,

I have BitDefender which tells me I have that my
C:\WINDOWS\system32\=>:svchost.exe is infected with a Trojan.Generic.138368. Bit defender can't seem to get rid of it, same goes for Norton 360. I thought it was ok to have the svchost.exe. in this location...Any ideas?


May 6, 2008 6:44 AM

Hello Leo, I have the same Problem with Bitdefender and Trojan.Generic.138368 - like Carol !!

Steve C.
June 16, 2008 11:09 AM

I found a located in C:\windows\Prefetch. Should I delete it? I regularly run an up to date Symantec anti virus scan as well "spyware terminator" and it hasn't noted this as a virus. Thanks

August 6, 2008 11:55 AM

was having the svchost.exe problem not only taking up 100% of my cpu usage but also popping up all kinds of porn in a non-explorer window not detectable as an application. With the process explorer I found a copy of svchost.exe running from a suspicious directory C:\\svchost.exe lol. Renamed the file. Restarted the computer. Problem solved. Now to delete that little bastard...

August 13, 2008 7:07 AM

Had the same problem as Shack...using 100% of CPU, pop-up porn in non-explorer window and wouldn't let me delete C:\\ Renamed file, restarted computer and deleted file and folder successfully. This killed it off!

Leslie Handcock
August 26, 2009 5:57 AM

Hello Leo,
I just read your comments on Svchost.exe after checking my running processes. I had stopped a couple of processes earlier today as they were not familiar and were .exe files.
On looking through my running system files I have
Svchost.exe running on the following instances at once:
-Local Service
-Local Service
-Network service
-Network service
-Network service
-Local service.
That is a total of 12 instances of it running in my processes at once.
I reinstalled my win xp just 2 weeks ago after I found it crashing and my anti virus Trend micro not responding.
Since reinstall my modem was changed last weekend (Friday Evening) and my username and password were changed in the security system of the wireless modem (I keep wireless broadcasting off and use a lead to plug the modem into the PC)
Since I noticed it cannot run a full system scan and last time stayed at 99% complete after 46 hours.
It seems like a lot of Svchost.exe files/processes to be running. Is there any way I can be sure of which ones to end or delete?
With many thanks.

September 14, 2009 4:10 AM

As I can see here, many ppl still have problems with creepy svchost named viruses...
Well, there are really 4 places, where svchost can be stored, that is ok. But as said in the article above, only the one in System32 folder should be running.
So good way to discover svchost.exe viruses is to obtain list of actually running processes called svchost.exe and then read the path (if it is other than System32, it is a virus).
It is quite a creepy process on Windows platform, so I am going to code auto-removal utility for this purpose. I will send the link to the final product later :).

November 23, 2009 1:16 PM

When I open the task manager I see

SVCHOST.EXE Network Service
SVCHOST.EXE System------------> 22,260 KB!!
SVCHOST.EXE Network Service
SVCHOST.EXE Local Service
SVCHOST.EXE Local Service

Do you think my computer is ok?

December 12, 2009 8:12 PM

my svchost.exe is running on 50CPU, and Bitdefender tells me it's infected by trojan virus. Bitdefender deletes it, but it seems to keep coming back. Also I'm having problems with Generic Malware virus, and Rootkit, Bitdefender seems to be powerless. I NEED A WAY TO REMOVE THESE PLEASE HELP

Sounds like you need this article: How do I remove a virus?


Darrel Z
January 8, 2010 1:07 PM

I have svchost.exe.hdmp file located on my C:\Documents and Settings\local\Temp|WERa04e.dir00 folder. based on what I've read, this is probably a virus and should be removed? It has disabled my antivirus software. darrel

"svchost.exe.hdmp" is not the same as "svchost.exe", so you cannot make the same assumptions about where it's alright to be, and you cannot assume that it is a virus. a ".hdmp" file is a file used by Windows Error Reporting, and may be totally valid. I recommend you make sure your anti-malware tools are up to date.

February 8, 2010 4:14 AM

Even if your svchost.exe is located in C:\Windows\System32 it could host and run a virus .dll! Study the Conficker worm which just adds a Registry entry, and svchost loads this worm on the next Windows startup. I suggest the free Svchost Analyzer to verify all the .dll's started from svchost.exe

March 11, 2010 12:59 PM

Hi. I have the svchost.exe only in the places you mentioned above. But, in Task Manager it says there are 9 running. It says some are running by SYSTEM and others running by LOCAL SERVICE, and you only mentioned 4. If there was more svchost.exes in other places, how could I find them? Or do you know if I have a virus?

It is quite common to have more than one copy of SVCHOST running - which is different than the number and location of the SVCHOST.EXE files. More here: What is svchost, and why is there more than one copy running?

Dan Ambroise
September 28, 2010 1:51 PM

i have an svchost.exe in c:\documents and settings\my name\application data\microsoft\
i delete it and it keeps coming back.
i scan it for viruses but nothing shows up.
i started to notice it when it started requesting access to the internet. i block it every time.
this directory also contains a .bat file which can delete all svchost.exe files in this directory.

Joaquin Closet
December 26, 2011 6:54 PM

After reading this article, I typed "svchost.exe" into my Windows XP search mechanism. In addition to the four places mentioned in your article, I also found one in a folder entitled C:\WINDOWS\ERDNT\cache. I don't know if this means anything or not, but both of my virus checking programs (Avast and Malwarebytes) did not identify it as a problem.

Carver Smith
February 11, 2012 1:00 PM

I just reinstall Win7 Home Prem. from a Gateway hidden partition ( 3rd time ). It is not connected to the internet yet as I had other problems. I un-hid everything and I have 2 different size Svchost.exe. one 26.5k in \windows\system32 and one 20k in \windows
Malware bytes earlier complained about the windows one. Had it remove it and computer was funny. Any thoughts? Just downloaded the analyzer and will run that. I'm wondering if the reload from DVDs and then the hidden partition have done the same thing.

Comments on this entry are closed.
