
Svchost.exe is frequently spoofed by viruses attempting to hide. The official copy should be in your Windows\system32 folder, but there may be others.

I was told that the file svchost.exe should only exist in the windows\system32 directory. I was also told that if I find it in another directory, it is part of a virus. I have WinXP and found the svchost.exe file in the windows\system32 directory. However, I also found it in the windows\ServicePackFiles\i386 directory and in the windows\$NtServicePackUninstall$ directory. Is this a problem? Should I delete the svchost.exe files in the non-system32 directories?

Indeed, you were told correctly ... kind of.

I just took a look at my machine, and found all those copies and one more. Fortunately they are not the result of a virus, and you and I are quite safe.

Let's look a little more closely as to why.

One of the ways that viruses try to hide is to give themselves the same name as important or critical system files, like svchost.exe, but then place themselves in a different location on your machine. That way you might be afraid to delete them, for fear of deleting the wrong one, or you might not even notice that it's running because of its familiar name.

As you and I have seen, the file svchost.exe can, in fact, live in several places and be ok. Let's enumerate what those locations are, and why they're ok.


For purposes of this discussion, I'm going to assume that Windows is installed into C:\Windows.

C:\Windows\System32 - the first and most obvious, this is the running copy of Windows itself. This is where you were told correctly - this is the only copy of svchost.exe that should actually be running. How do you find out? You'll need to grab a copy of Process Explorer from SysInternals.com. In current versions of that tool, simply hovering the mouse over any of the "svchost.exe" listed there will display the full path. If your Windows is installed in c:\windows, then svchost.exe should be "c:\windows\system32\svchost.exe".

C:\Windows\ServicePackFiles\i386 - this directory contains the most recent service pack installed on your machine. svchost.exe was one of the files updated, so it's located here. This is just a copy of the files - I believe the files here are used when new software is installed or when you run the system file checker. This Microsoft Knowledgebase article points out that it's possible to burn these files to a CD and remove them from your system.

C:\Windows\$NtServicePackUninstall$ - if present, this directory contains the previous copies of files that were saved when the service pack was installed. Thus it contains the old version of svchost.exe. You can delete this folder, but only if you are absolutely certain you'll never uninstall the service pack. (I'd probably burn it to CD first, just in case.)

C:\I386 - if present, this directory contains a copy of your Windows Installation CD, and hence would also have a copy of svchost.exe. I've discussed this extensively in other articles, most recently: So just what *is* the I386 directory anyway?

Those four locations are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.
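To make the check above concrete, here is an added PowerShell example; it is not part of the original article and is not a Microsoft or Sysinternals tool. It lists every running svchost.exe together with the path it was started from, then every file named svchost.exe on the system drive, and marks anything outside the four locations just listed for review. It assumes Windows PowerShell 5.1 or later, uses $env:SystemRoot in place of the C:\Windows the article assumes, and expects to be run from an elevated prompt so that process paths are readable.

```powershell
# Added example (not from the Ask Leo! article): where does svchost.exe live on
# disk, and which path was each running svchost.exe started from?
# Assumes Windows PowerShell 5.1+ and an elevated prompt.

$systemRoot      = $env:SystemRoot
$expectedRunning = Join-Path $systemRoot 'System32\svchost.exe'

# The four on-disk locations the article lists as legitimate.
$knownLocations = @(
    (Join-Path $systemRoot 'System32\svchost.exe'),
    (Join-Path $systemRoot 'ServicePackFiles\i386\svchost.exe'),
    (Join-Path $systemRoot '$NtServicePackUninstall$\svchost.exe'),
    (Join-Path $env:SystemDrive 'I386\svchost.exe')
)

# 1. Running processes: each svchost.exe should have been started from System32.
Write-Host "== Running svchost.exe processes =="
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath              # null if the process is not readable
    if ($path -and ($path -ieq $expectedRunning)) { $status = 'OK' } else { $status = 'SUSPECT' }
    if ($path) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status } else { $sig = 'unknown' }
    [pscustomobject]@{
        PID       = $_.ProcessId
        Path      = $path
        Signature = $sig
        Status    = $status
    }
} | Format-Table -AutoSize

# 2. Files on disk: list every svchost.exe and flag those outside the known set.
Write-Host "== svchost.exe files on $env:SystemDrive =="
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($knownLocations -icontains $_.FullName) { $flag = 'known location' } else { $flag = 'REVIEW' }
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            Status    = $flag
        }
    } | Format-Table -AutoSize
```

A REVIEW or SUSPECT flag means "look closer", not "malware": on 64-bit Windows 7 and later, C:\Windows\SysWOW64 and the WinSxS component store also legitimately hold copies of svchost.exe, and on older Windows versions a file whose Microsoft signature lives in a catalog rather than in the file itself can report NotSigned. The point of the script is the same as the Process Explorer check in the article: a running svchost.exe whose path is not the System32 one is the thing to investigate.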

So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.

If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.

Article C2477 - December 2, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


52 Comments
Alex
February 8, 2010 4:14 AM

Even if your svchost.exe is located in C:\Windows\System32, it could host and run a virus .dll! Study the Conficker worm, which just adds a Registry entry, and svchost loads this worm on the next Windows startup. I suggest the free Svchost Analyzer http://www.neuber.com/free/svchost-analyzer/ to verify all the .dlls started from svchost.exe
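The point in this comment, that the svchost.exe binary itself can be genuine while the DLL it is told to load is not, can be checked directly from the registry. The following PowerShell script is an added example, not part of the page and not the Svchost Analyzer tool mentioned above: for every service configured to run inside svchost.exe it reads the ServiceDll value, expands environment variables, and flags a DLL that is missing, outside the Windows directory, or not validly signed. It assumes Windows PowerShell 5.1 or later and an elevated prompt so that all services and registry keys are readable.

```powershell
# Added example (not from the Ask Leo! page): which DLL does each svchost-hosted
# service actually load? Assumes Windows PowerShell 5.1+ and an elevated prompt.

$windir = $env:SystemRoot

Get-CimInstance Win32_Service -Filter "PathName LIKE '%svchost.exe%'" | ForEach-Object {
    $svc    = $_
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"

    # ServiceDll normally lives under ...\Parameters; a few services keep it on the service key.
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) {
        $dll = (Get-ItemProperty -Path $svcKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    }

    if ($dll) {
        # The value is REG_EXPAND_SZ (e.g. %SystemRoot%\System32\foo.dll); expand before checking.
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $inWindir = $dll -like "$windir\*"
        if (Test-Path -LiteralPath $dll) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            $sigStatus = 'missing'
        }
        if ($inWindir -and $sigStatus -eq 'Valid') { $flag = 'OK' } else { $flag = 'REVIEW' }
    } else {
        $sigStatus = 'no ServiceDll'
        $flag      = 'REVIEW'
    }

    [pscustomobject]@{
        PID        = $svc.ProcessId      # 0 when the service is not running
        Service    = $svc.Name
        State      = $svc.State
        ServiceDll = $dll
        Signature  = $sigStatus
        Status     = $flag
    }
} | Sort-Object PID, Service | Format-Table -AutoSize
```

Grouping the output by PID shows which services share one svchost.exe instance, which is also why Task Manager lists several of them. As with any signature check on Windows, a system DLL whose signature is in a catalog rather than embedded may show NotSigned on older versions, so a REVIEW row is a prompt to compare the path and publisher against what you expect, not a verdict.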

Conor
March 11, 2010 12:59 PM

Hi. I have the svchost.exe only in the places you mentioned above. But, in Task Manager it says there are 9 running. It says some are running by SYSTEM and others running by LOCAL SERVICE, and you only mentioned 4. If there were more svchost.exes in other places, how could I find them? Or do you know if I have a virus?

It is quite common to have more than one copy of SVCHOST running - which is different than the number and location of the SVCHOST.EXE files. More here: What is svchost, and why is there more than one copy running?
Leo
12-Mar-2010

Dan Ambroise
September 28, 2010 1:51 PM

I have an svchost.exe in c:\documents and settings\my name\application data\microsoft\
I delete it and it keeps coming back.
I scan it for viruses but nothing shows up.
I started to notice it when it started requesting access to the internet. I block it every time.
This directory also contains a .bat file which can delete all svchost.exe files in this directory.

Joaquin Closet
December 26, 2011 6:54 PM

After reading this article, I typed "svchost.exe" into my Windows XP search mechanism. In addition to the four places mentioned in your article, I also found one in a folder entitled C:\WINDOWS\ERDNT\cache. I don't know if this means anything or not, but both of my virus checking programs (Avast and Malwarebytes) did not identify it as a problem.

Carver Smith
February 11, 2012 1:00 PM

I just reinstalled Win7 Home Prem. from a Gateway hidden partition (3rd time). It is not connected to the internet yet as I had other problems. I un-hid everything and I have 2 different size Svchost.exe: one 26.5k in \windows\system32 and one 20k in \windows.
Malwarebytes earlier complained about the windows one. Had it remove it and the computer was funny. Any thoughts? Just downloaded the analyzer and will run that. I'm wondering if the reload from DVDs and then the hidden partition have done the same thing.