Ask Leo! by Leo A. Notenboom

Where is it alright for svchost.exe to be?


Summary: Svchost.exe is frequently spoofed by viruses attempting to hide. The official copy should be in your Windows\system32 folder, but there may be others.

I was told that the file svchost.exe should only exist in the windows\system32 directory. I was also told that if I find it in another directory, it is part of a virus. I have WinXP and found the svchost.exe file in the windows\system32 directory. However, I also found it in the windows\ServicePackFile\i386 directory and in the windows\$NtServicePackUnistall$ directory. Is this a problem? Should I delete the svchost.exe files in the non system32 directories?

Indeed, you were told correctly ... kind of.

I just took a look at my machine, and found all those copies and one more. Fortunately they are not the result of a virus, and you and I are quite safe.

Let's look a little more closely at why.

One of the ways that viruses try to hide is to give themselves the same name as important or critical system files, like svchost.exe, but then place themselves in a different location on your machine. That way you might be afraid to delete them, for fear of deleting the wrong one, or you might not even notice that it's running because of its familiar name.

As you and I have seen, the file svchost.exe can, in fact, live in several places and be ok. Let's enumerate what those locations are, and why they're ok.


For purposes of this discussion, I'm going to assume that Windows is installed into C:\Windows.

C:\Windows\System32 - the first and most obvious, this is the running copy of Windows itself. This is where you were told correctly - this is the only copy of svchost.exe that should actually be running. How do you find out? You'll need to grab a copy of Process Explorer from SysInternals.com. In current versions of that tool, simply hovering the mouse over any of the "svchost.exe" listed there will display the full path. If your Windows is installed in c:\windows, then svchost.exe should be "c:\windows\system32\svchost.exe".

C:\Windows\ServicePackFiles\i386 - this directory contains the most recent service pack installed on your machine. svchost.exe was one of the files updated, so it's located here. This is just a copy of the files - I believe the files here are used when new software is installed or when you run the system file checker. This Microsoft Knowledgebase article points out that it's possible to burn these files to a CD and remove them from your system.

C:\Windows\$NtServicePackUninstall$ - if present, this directory contains the previous copies of files that were saved when the service pack was installed. Thus it contains the old version of svchost.exe. You can delete this folder, but only if you are absolutely certain you'll never uninstall the service pack. (I'd probably burn it to CD first, just in case.)

C:\I386 - if present, this directory contains a copy of your Windows Installation CD, and hence would also have a copy of svchost.exe. I've discussed this extensively in other articles, most recently: So just what *is* the I386 directory anyway?

Those four locations are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.

So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.

If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.
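
The location rule above, as an added Python example (not part of the original article): it classifies each svchost.exe path as the expected running copy, a known backup copy, or one to scan, treating a backup copy that is actually running as suspicious. The names `classify` and `triage`, the labels, and the sample listing are assumptions made for illustration; the listing is constructed, with one path taken from a reader comment on this page.

```python
import ntpath  # Windows path semantics on any OS, so this runs offline

# The article's backup locations, relative to the Windows folder.
BACKUP_DIRS = (r"ServicePackFiles\i386", r"$NtServicePackUninstall$")

def _norm(path):
    # Windows paths are case-insensitive; also collapse ".." and "/".
    return ntpath.normcase(ntpath.normpath(path))

def classify(path, running, windir=r"C:\Windows"):
    """Return 'expected', 'backup-copy', 'suspicious' or 'other-file'."""
    full = _norm(path)
    if ntpath.basename(full) != "svchost.exe":
        return "other-file"
    folder = ntpath.dirname(full)
    if folder == _norm(ntpath.join(windir, "System32")):
        return "expected"
    backups = {_norm(ntpath.join(windir, d)) for d in BACKUP_DIRS}
    backups.add(_norm(ntpath.splitdrive(windir)[0] + r"\I386"))
    # A backup copy is fine on disk, but it should never be the running image.
    if folder in backups and not running:
        return "backup-copy"
    return "suspicious"

def triage(entries, windir=r"C:\Windows"):
    """Return the paths from (path, running) pairs that need a scan."""
    return [p for p, r in entries if classify(p, r, windir) == "suspicious"]

# Constructed sample listing: (path, is_running)
SAMPLE = [
    (r"C:\WINDOWS\system32\svchost.exe", True),
    (r"C:\Windows\ServicePackFiles\i386\svchost.exe", False),
    (r"C:\Windows\$NtServicePackUninstall$\svchost.exe", False),
    (r"C:\I386\SVCHOST.EXE", False),
    (r"C:\Windows\ServicePackFiles\i386\svchost.exe", True),
    (r"C:\Windows\System32\..\Temp\svchost.exe", True),
    (r"C:\google.com\svchost.exe", True),
]

if __name__ == "__main__":
    for path, running in SAMPLE:
        print(f"{classify(path, running):12} running={running!s:5} {path}")
```

Comparing normalized paths rather than raw strings is what keeps `C:\WINDOWS\system32` and `C:\Windows\System32` equivalent and stops a `..` segment from passing as the System32 folder.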


Article C2477 - December 2, 2005


Recent Comments
43 Comments

What if it's located C:\Documents and Settings\BACK UP MY DOCs\SvcHost.exe is this normal?

Posted by: Chike at December 7, 2007 7:51 AM

Thanks Leo, I was having a problem with svchost.exe taking up all of my CPU.
Turned out after using the Process Explorer you recommended that it was the HP printer and software I installed a while ago. A network polling service was hogging all of the CPU through svchost.exe. I turned off the automatic service and fixed the problem.

Andrea

Posted by: Andrea Mahoney at January 25, 2008 11:09 AM

I was threatened w/ this "svchost" cause I saw it in a USB I plugged in the computer. I deleted the thing at my C drive but it keeps on coming back so I stopped all processes having svchost.exe and deleted all svchost files found in my PC. After I read this, I'm troubled. It looks like I really need the svchost.exe in the folder system32... What shall I do? Thanks for the help.

Posted by: wilson bucaoto at March 14, 2008 7:21 AM

Hi Leo,

I have BitDefender, which tells me that my C:\WINDOWS\system32\=>:svchost.exe is infected with a Trojan.Generic.138368. BitDefender can't seem to get rid of it, same goes for Norton 360. I thought it was ok to have the svchost.exe in this location... Any ideas?

Carol

Posted by: Carol at April 28, 2008 6:08 AM

Hello Leo, I have the same Problem with Bitdefender and Trojan.Generic.138368 - like Carol !!
LoloXP

Posted by: LoloXP at May 6, 2008 6:44 AM

I found a SVCHOST.EXE-2d5fbd18.pf located in C:\windows\Prefetch. Should I delete it? I regularly run an up to date Symantec anti virus scan as well as "spyware terminator" and it hasn't noted this as a virus. Thanks

Posted by: Steve C. at June 16, 2008 11:09 AM

was having the svchost.exe problem not only taking up 100% of my cpu usage but also popping up all kinds of porn in a non-explorer window not detectable as an application. With the process explorer I found a copy of svchost.exe running from a suspicious directory C:\google.com\svchost.exe lol. Renamed the file. Restarted the computer. Problem solved. Now to delete that little bastard...

Posted by: Stack at August 6, 2008 11:55 AM

Had the same problem as Stack...using 100% of CPU, pop-up porn in non-explorer window and wouldn't let me delete C:\google.com\svchost.com. Renamed file, restarted computer and deleted file and folder successfully. This killed it off!

Posted by: Steamer at August 13, 2008 7:07 AM

Hello Leo,
I just read your comments on Svchost.exe after checking my running processes. I had stopped a couple of processes earlier today as they were not familiar and were .exe files.
On looking through my running system files I have
Svchost.exe running on the following instances at once:
-System
-System
-Local Service
-Local Service
-Network service
-System
-Network service
-System
-System
-Network service
-System
-System
-Local service.
That is a total of 12 instances of it running in my processes at once.
I reinstalled my win xp just 2 weeks ago after I found it crashing and my anti virus Trend micro not responding.
Since reinstall my modem was changed last weekend (Friday Evening) and my username and password were changed in the security system of the wireless modem (I keep wireless broadcasting off and use a lead to plug the modem into the PC)
Since I noticed it cannot run a full system scan and last time stayed at 99% complete after 46 hours.
It seems like a lot of Svchost.exe files/processes to be running. Is there any way I can be sure of which ones to end or delete?
With many thanks.
Leslie

Posted by: Leslie Handcock at August 26, 2009 5:57 AM

As I can see here, many ppl still have problems with creepy svchost named viruses...
Well, there are really 4 places, where svchost can be stored, that is ok. But as said in the article above, only the one in System32 folder should be running.
So a good way to discover svchost.exe viruses is to obtain a list of actually running processes called svchost.exe and then read the path (if it is other than System32, it is a virus).
It is quite a creepy process on Windows platform, so I am going to code an auto-removal utility for this purpose. I will send the link to the final product later :).

Posted by: Processor-Dev1l at September 14, 2009 4:10 AM
