
Svchost.exe is frequently spoofed by viruses attempting to hide. The official copy should be in your Windows\system32 folder, but there may be others.

I was told that the file svchost.exe should only exist in the windows\system32 directory. I was also told that if I find it in another directory, it is part of a virus. I have WinXP and found the svchost.exe file in the windows\system32 directory. However, I also found it in the windows\ServicePackFiles\i386 directory and in the windows\$NtServicePackUninstall$ directory. Is this a problem? Should I delete the svchost.exe files in the non system32 directories?

Indeed, you were told correctly ... kind of.

I just took a look at my machine, and found all those copies and one more. Fortunately they are not the result of a virus, and you and I are quite safe.

Let's look a little more closely at why.

One of the ways that viruses try to hide is to give themselves the same name as important or critical system files, like svchost.exe, but then place themselves in a different location on your machine. That way you might be afraid to delete them, for fear of deleting the wrong one, or you might not even notice that it's running because of its familiar name.

As you and I have seen, the file svchost.exe can, in fact, live in several places and be ok. Let's enumerate what those locations are, and why they're ok.


For purposes of this discussion, I'm going to assume that Windows is installed into C:\Windows.

C:\Windows\System32 - the first and most obvious: this is the running copy of Windows itself. This is where you were told correctly: this is the only copy of svchost.exe that should actually be running. How do you find out? You'll need to grab a copy of Process Explorer from SysInternals.com. In current versions of that tool, simply hovering the mouse over any of the "svchost.exe" entries listed there will display the full path. If your Windows is installed in c:\windows, then svchost.exe should be "c:\windows\system32\svchost.exe".

C:\Windows\ServicePackFiles\i386 - this directory contains the most recent service pack installed on your machine. svchost.exe was one of the files updated, so it's located here. This is just a copy of the files - I believe the files here are used when new software is installed or when you run the system file checker. This Microsoft Knowledgebase article points out that it's possible to burn these files to a CD and remove them from your system.

C:\Windows\$NtServicePackUninstall$ - if present, this directory contains the previous copies of files that were saved when the service pack was installed. Thus it contains the old version of svchost.exe. You can delete this folder, but only if you are absolutely certain you'll never uninstall the service pack. (I'd probably burn it to CD first, just in case.)

C:\I386 - if present, this directory contains a copy of your Windows Installation CD, and hence would also have a copy of svchost.exe. I've discussed this extensively in other articles, most recently: So just what *is* the I386 directory anyway?

Those four locations are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.
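The same check can be done from a PowerShell prompt instead of by hovering in Process Explorer. This is an added example, not code from the original article: it lists every running svchost.exe with the path it was started from, then finds every svchost.exe file on disk and compares its folder with the four locations above. The function names are hypothetical, PowerShell 3.0 or later is assumed, and the folder list is the article's Windows XP-era list, so on later Windows versions (which keep further copies, for example under WinSxS or SysWOW64) a REVIEW result means look closer, not delete.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell 3.0+ prompt so the image path of every process is readable.

$sysRoot  = $env:SystemRoot                              # e.g. C:\Windows
$expected = Join-Path $sysRoot 'System32\svchost.exe'    # the only copy that should be running

# The four directories the article lists as valid homes for the file.
$knownDirs = @(
    (Join-Path $sysRoot 'System32'),
    (Join-Path $sysRoot 'ServicePackFiles\i386'),
    (Join-Path $sysRoot '$NtServicePackUninstall$'),     # single quotes keep the $ literal
    (Join-Path $env:SystemDrive 'I386')
)

function Get-SvchostProcessAudit {
    # Every running process named svchost.exe, with the path it was launched from.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
        ForEach-Object {
            $verdict = if (-not $_.ExecutablePath) {
                'UNKNOWN (path not readable; run elevated)'
            } elseif ($_.ExecutablePath -ieq $expected) {
                'ok'
            } else {
                'SUSPICIOUS (running from outside System32)'
            }
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Path      = $_.ExecutablePath
                Verdict   = $verdict
            }
        }
}

function Get-SvchostFileAudit {
    # Every file named svchost.exe under $Root, hidden and system folders included.
    param([string]$Root = "$env:SystemDrive\")

    Get-ChildItem -Path $Root -Filter 'svchost.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $verdict = if ($knownDirs -contains $_.DirectoryName) {
                'listed'                                  # one of the article's four locations
            } else {
                'REVIEW'                                  # not on the article's list
            }
            [pscustomobject]@{
                Path        = $_.FullName
                Length      = $_.Length                   # size in bytes
                FileVersion = $_.VersionInfo.FileVersion
                Verdict     = $verdict
            }
        }
}

# Running copies first (the important check), then the copies on disk.
Get-SvchostProcessAudit | Sort-Object Verdict | Format-Table -AutoSize
Get-SvchostFileAudit    | Sort-Object Verdict | Format-Table -AutoSize
```

Size and file version are printed because a copy that differs in both from the System32 copy, and sits outside the listed folders, is the one to hand to the anti-virus scanner first.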

So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.

If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.

Article C2477 - December 2, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


52 Comments
Alex_lx
January 20, 2006 2:57 PM

Hi Leo

I've done what you suggested and it worked perfectly. I haven't got the 100% cpu usage any more. Thanks a lot for your help.

Christian G
February 8, 2006 11:11 AM

Great article, unfortunately it didn't help me. All my five SVCHOST.EXE files were in the right directory. But I could just shut down the one process that used 50 % of the CPU. I then got the one minute to shutdown warning. But that was easily avoided by typing shutdown -a in the run window. My computer ran smoother then, but I still experience a bit of lag in certain games like Battlefield 2.

Evelyn
February 27, 2006 8:31 PM

I just did a scan for svchost.exe
I not only found it in /system32 and /servicepack/i386 but also in /prefetch

I'm assuming the one in /prefetch is a virus

Leo
February 27, 2006 8:34 PM

Not necessarily. Prefetch is a valid place for it to be, but it's also ok to delete it from there. It'll probably come back. Prefetch is a performance optimization for loading windows.

Manuel
March 9, 2006 5:10 AM

Hi Leo. I found a copy of svchost in the directory C:/Windows/System32/wins/SVCHOST.EXE
What i should do??
This svchost file in property windows says:
TCP/IP Trivial file transfer daemon...What is this?

Mike
April 1, 2006 6:49 AM

Hi Leo, I have Trend Micro installed and I keep getting a message that the virus TROJ_DLOADR.AD has been found in C:/windows/system32/directx/svchost.exe. The PC-cillin software always quarantines the file but I keep getting the message at various times when I try to connect to the internet. The good news is that the anti virus software seems to be working. The bad news is there is something on the computer that keeps installing a bad copy of svchost.exe in the directx directory. Any ideas on how to identify what is installing this bad copy of svchost?

Manuel
April 23, 2006 4:20 PM

I solved the problem. Windows Xp Pro SP 1.

In my case is Windows Update. I just turn off Automatic Updates. No more svchost 100% CPU. Now the problem is: I have to do manually updates.

Bjorn
May 3, 2006 10:08 AM

I found a svchost.exe in my programs directory (C:/program/svchost/svchost.exe) which couldn't be removed since the system was using it somehow. I also saw that I had blocked it with my firewall. When I released the block for a short period of time it immediately began connecting to a computer in Holland. I then blocked it again and searched for registry keys with that path name. It turns out the keys were about the eMando remote control software. After removing the keys I could delete the file. Shortly before this a buddy of mine had his poker accounts robbed for about $6000 and his hard drive erased, which was probably the result of this very file. Thanks to Leo for helping me identify the trojan.

Bad
May 11, 2006 6:33 PM

I had the same problem with the Trojan installing a fake “svchost.exe” in the directX folder. What I did first was:

Using the free online virus scanner kaspersky which can be downloaded from:

http://www.kaspersky.com/virusscanner

After scanning found the “usbadpt32.dll” to be a Trojan which was located in the
c:\windows\system32 directory.

This was a pain to delete because Xp would not allow me to delete the DLL.
Steps that I had to take in order to delete this virus was the following:

1). Using the "eXtended Task manager.exe" program which you can try out
for 21 days free. I searched for the module name "usbadpt32.dll".

2). When found I told the program to unload the module.

3). Using the program name "registry crawler" I did a search for:

"usbadpt32.dll"

4). When found I deleted all keys associated with this DLL.

5). I deleted the file name "svchost.exe" which the virus used located
in the directory "c:\windows\system32\directX".

6). Restarted the system.

7). Upon entering windows I deleted the "usbadpt32.dll" from the directory
C:\windows\system32.

DONE!

Dave
May 16, 2006 7:50 PM

Process Explorer is great. I've been looking for an application like this for a long time. I have 5 svchost.exe running and they are all from the legit directory. I'm glad to finally confirm this.

Army
June 3, 2006 7:12 AM

Hi Leo. McAfee Security Center detected a copy of svchost.exe in c:\windows\. It said it was infected by a trojan. It presented me with several options including deleting it or quarantining it. I deleted it immediately, thinking svchost.exe is not important. Then I decided to research the file and found this site. The file is not located in the folders you specified but it is located in c:\windows\. So now I'm not so sure if I did the right thing by deleting it. What do you think?

Thanks!

terrence
August 15, 2006 9:30 AM

hi leo,

i really need your help here i had been having this problem for 2 days now, as i'm connecting to the internet by using a moden provided by my broadband provider. my problem are:

1. suddenly an error message appear saying generic host process for win32 had encounter a problem and need to be closed. this happen when i'm surfing the net, it cause me to be disconnected from the net and i have to restart my computer for me to be able to connect again.
2. it happened on a time duration of 30min-2 hours time surfing the net.
3. error signature:
event type:BXE p1:svchost.exe

what i did try:
1. used system restore( didn't work )
2. scan my computer for viruses( using avast/symantec/spybot and even use fixblast )

i need a solution on solving this problem.

p/s i'm using window XP
thanx for the help

Mike
September 6, 2006 7:27 AM

Word 97 and Excel 97 were loading very very slow. I found an additional svchost.exe file in C:\WINNT\SYSTEM32\WINS . After renaming this file everything worked fine. On changing the name back again Word and Excel loaded very very slow again. I scan the file with NAV but no virus was detected. What should I do with this file and do you know what it is and where it came from?

Thanks for your very useful website.

Mike

Rod
November 19, 2006 7:17 AM

Plain and to the point about "svchost locations"
This file should ONLY BE THE C:\Windows\System32 directory AND in the C:\I386. If you do have more than one in ANY OTHER location, delete it, how can I tell you ask? Well, do a search for "svchost", when the search results are posted, there should only be a copy in the directories stated above. If there are more than one elsewhere look at the DATE of that svchost file, that's a true giveaway, IE. the svchost files in the correct locations will have the date of the Original operating system. If there are later dates of the file in other locations is earlier then delete them.

Tristan
November 28, 2006 8:26 AM

So you've covered in what locations svchost can be, what about process users? In the Task Manager, some of the svchost.exe instances list SYSTEM as the User Name, or NETWORK SERVICE or LOCAL SERVICE, which I'm sure is fine, but what if it listed the name of a log-in on that computer (or another computer too, I guess, but that would obviously be very bad :P )
This isn't happening right now, so I can't be %100 certain, but I seem to recall seeing such an occurrence in the past. Could this be an easy way to spot a phoney svchost?

Thanks

charles
April 4, 2007 10:03 PM

why are there 7 svchost.exe's running at the same time but only 1 causes system failure? these 7 things
are 25% of my commit charge. its even worse when gaming! Please help!

macon

Leo Notenboom
April 5, 2007 7:31 PM

You might want to look at this article:
http://ask-leo.com/what_is_svchost_and_why_is_there_more_than_one_copy_running.html

Leo

Alex
April 14, 2007 11:15 AM

i have 5 SVCHOST.exe on my list, and one of them is pumping my CPU usage every time i am connected to internet, i tried to disable it but it reappeared every 10-15 secs after i disable.i did a search for it. Its on its original place which on win32 file. The user name for that "fake" SVCHOST.exe was SYSTEM.

Nicolas
April 29, 2007 10:49 AM

Please note C:\Windows\svchost.exe is NOT a place where the file should be. I have had a trojan in that path, with two dozen different methods to start automatically when the computer is booted (like Startup item on start menu and lots of places on the registry). It was a backdoor and it was sending information back to the hacker. I managed to remove it within an hour of getting it (and unplugged network cable during the whole removal process so it didn't keep sending anything).

Ken
July 10, 2007 6:18 AM

Please, I have the same problem as " Nicolas at April 29, 2007 10:49 AM" but I'm unable to remove it. I really tried everything but I cannot find the source of the infection. Please tell me how to get rid of C:\Windows\svchost.exe (what is definitely not existing, but showing up after every restart)

Kim
August 4, 2007 12:51 PM

I have a relatively new computer, with Vista operating system. How is any of your advice about svchost.exe changed for Vista users?

Alb
August 11, 2007 8:06 AM

My question is basically the same as Nicholas's, Ken's and Kim's. I require info on how to get rid of the files that shouldn't be there and how to know which files should be running and which shouldn't (svchost.exe). So, can you please, help me.

Thanks.

Pilot
August 16, 2007 1:23 PM

I used PRT Perlovga Removal Tool which I found at this site:

http://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=4

I'm not sure how reliable this site and its program is. I used it to get rid of the temp1.exe and temp2.exe viruses. Apparently it also does help against svchost.exe virus problem.

I now get this at start up:

------------------------
E:\windows\svchost.exe
------------------------
Windows cannot find 'E:\windows\svchost.exe'. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.
------------------------


and after clicking "okay" I get this:


------------------------
Desktop
------------------------
Could not load or run 'E:\WINDOWS\svchost.exe' specified in registry.
Make sure the file exists on your computer or remove the reference to
it in the registry.
------------------------

Well, svchost is now only in E:\windows\system32

I'm guessing I should go into the registry and get out that HKEY to svchost in E:\windows\

right?

Pilot
August 16, 2007 1:25 PM

Ow..ehm..HOW do I change things in the registry..? (How do I even GET in the registry..?!)

blaze
August 20, 2007 2:26 AM

i have a problem with my pc,after entering my password the pc monitor will show a black screen then after some few sec it will then display svchost property.My question is what is this and how do i solve the problem?

G. Georgie
August 23, 2007 11:06 AM

My PC was acting very slow, I went to the task manager and many svchost.exe, I researched and found out it is a virus or malware, so deleted all svchost.exe from the registry by mistake, and my lap top is xp professional sp2, I can not connect to the internet, because I noticed that there is nothing in the network communication (no LAN or Wireless), also no volume control in the lower right corner, and when I try to open norton, it will not allow me to open it, when I open a word document and try to minimize it to the system tray, it disappears. what should I do to restore it back to its previous state?

Sunil
August 27, 2007 10:20 PM

Cool guys..

There is a problem that was identified by Microsoft.


QUOTE
The Svchost.exe process may spike the CPU usage to 100 percent during update detection or update installation. Also, the Svchost.exe process causes the computer to stop responding for various lengths of time.


If that fits your issue, you may wish to try this hotfix from Microsoft. MS Help and Support(http://support.microsoft.com/?scid=kb%3Ben-us%3B932494&x=11&y=10)

I had the same problem and noticed that wuauclt was also running - Microsoft's autoupdate.

A little background on svchost

GL...

Richard Wagner
August 29, 2007 12:22 PM

The true svchost.exe file in Windows/system32 has version number 5.1.2600.2180 and a length of 14,336 bytes.

The bad file in Windows/inf has a version number of 1.0.0.1 and a length of 15,872 bytes. This file has the same name, svchost.exe but cannot be altered or removed and it propagates its spyware relentlessly.

burn
September 12, 2007 11:53 PM

Windows cannot find 'E:\windows\svchost.exe'. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.

i tried everythin...as you have said(maybe not)
i even tried updating my windows xp and hotfix and those kinda stuff...but the problem reappears everytime i started my windows....i need help terribly....

Mel
October 16, 2007 2:19 PM

I have read your article on the svchost.exe and checked my system. I found it in the System32 folder, the ServicePackFiles folder and then also in this folder: C\Windows\Prefetch, is this a virus??

Thank you

steve
November 1, 2007 3:39 AM

I am having a problem i have not seen on the internet at all. scvhost.exe has rooted itself in windows/win32/oobe/scvhost.exe...not only has not one article on the internet show it in that directory but it makes the computer absolutely go berserk. the only way to keep my computer responding is to keep task manager open. if I close it 100's of svchost open and cause a reboot. i cant seem to find a way to stop it.

Leo A. Notenboom
November 3, 2007 10:03 AM

As the article indicates, that's highly suspicious of a virus, and you need to
run an *up to date* anti-virus scan with a good scanner.

Leo



skiddlepins
November 26, 2007 2:59 AM

"Windows cannot find 'E:\windows\svchost.exe'. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.

i tried everythin...as you have said(maybe not)
i even tried updating my windows xp and hotfix and those kinda stuff...but the problem reappears everytime i started my windows....i need help terribly...."

The same thing has happened to me. How do I fix this?

Chike
December 7, 2007 7:51 AM

What if it's located C:\Documents and Settings\BACK UP MY DOCs\SvcHost.exe is this normal?

Andrea Mahoney
January 25, 2008 11:09 AM

Thanks Leo, I was having a problem with svchost.exe taking up all of my CPU.
Turned out after using the Process Explorer you recommended that it was the HP printer and software I installed a while ago. A network polling service was hogging all of the CPU through svchost.exe. I turned off the automatic service and fixed the problem.

Andrea

wilson bucaoto
March 14, 2008 7:21 AM

i was threatened w/ this "svchost" cause i saw it in a USB i plugged in the computer. i deleted the thing at my C drive but it keeps on recoming so i stopped all processes having svchost.exe and deleted all svchost files found in my pc. After I read this, im troubled. It looks like I really need the svchost.exe in the folder system32... What shall I do? Thanks for the help.

Carol
April 28, 2008 6:08 AM

Hi Leo,

I have BitDefender which tells me I have that my
C:\WINDOWS\system32\=>:svchost.exe is infected with a Trojan.Generic.138368. Bit defender can't seem to get rid of it, same goes for Norton 360. I thought it was ok to have the svchost.exe. in this location...Any ideas?

Carol

LoloXP
May 6, 2008 6:44 AM

Hello Leo, I have the same Problem with Bitdefender and Trojan.Generic.138368 - like Carol !!
LoloXP

Steve C.
June 16, 2008 11:09 AM

I found a SVCHOST.EXE-2d5fbd18.pf located in C:\windows\Prefetch. Should I delete it? I regularly run an up to date Symantec anti virus scan as well "spyware terminator" and it hasn't noted this as a virus. Thanks

Stack
August 6, 2008 11:55 AM

was having the svchost.exe problem not only taking up 100% of my cpu usage but also popping up all kinds of porn in a non-explorer window not detectable as an application. With the process explorer I found a copy of svchost.exe running from a suspicious directory C:\google.com\svchost.exe lol. Renamed the file. Restarted the computer. Problem solved. Now to delete that little bastard...

Steamer
August 13, 2008 7:07 AM

Had the same problem as Shack...using 100% of CPU, pop-up porn in non-explorer window and wouldn't let me delete C:\google.com\svchost.com. Renamed file, restarted computer and deleted file and folder successfully. This killed it off!

Leslie Handcock
August 26, 2009 5:57 AM

Hello Leo,
I just read your comments on Svchost.exe after checking my running processes. I had stopped a couple of processes earlier today as they were not familiar and were .exe files.
On looking through my running system files I have
Svchost.exe running on the following instances at once:
-System
-System
-Local Service
-Local Service
-Network service
-System
-Network service
-System
-System
-Network service
-System
-System
-Local service.
That is a total of 12 instances of it running in my processes at once.
I reinstalled my win xp just 2 weeks ago after I found it crashing and my anti virus Trend micro not responding.
Since reinstall my modem was changed last weekend (Friday Evening) and my username and password were changed in the security system of the wireless modem (I keep wireless broadcasting off and use a lead to plug the modem into the PC)
Since I noticed it cannot run a full system scan and last time stayed at 99% complete after 46 hours.
It seems like a lot of Svchost.exe files/processes to be running. Is there any way I can be sure of which ones to end or delete?
With many thanks.
Leslie

Processor-Dev1l
September 14, 2009 4:10 AM

As I can see here, many ppl still have problems with creepy svchost named viruses...
Well, there are really 4 places, where svchost can be stored, that is ok. But as said in the article above, only the one in System32 folder should be running.
So good way to discover svchost.exe viruses is to obtain list of actually running processes called svchost.exe and then read the path (if it is other than System32, it is a virus).
It is quite a creepy process on Windows platform, so I am going to code auto-removal utility for this purpose. I will send the link to the final product later :).

Joseph
November 23, 2009 1:16 PM

When I open the task manager I see

SVCHOST.EXE System
SVCHOST.EXE Network Service
SVCHOST.EXE System------------> 22,260 KB!!
SVCHOST.EXE Network Service
SVCHOST.EXE Local Service
SVCHOST.EXE Local Service
SVCHOST.EXE System

Do you think my computer is ok?

Marko
December 12, 2009 8:12 PM

my svchost.exe is running on 50CPU, and Bitdefender tells me it's infected by trojan virus. Bitdefender deletes it, but it seems to keep coming back. Also I'm having problems with Generic Malware virus, and Rootkit, Bitdefender seems to be powerless. I NEED A WAY TO REMOVE THESE PLEASE HELP

Sounds like you need this article: How do I remove a virus?
Leo
14-Dec-2009

Rs
December 26, 2009 4:20 AM

C:\windows\system32

Darrel Z
January 8, 2010 1:07 PM

I have svchost.exe.hdmp file located on my C:\Documents and Settings\local\Temp|WERa04e.dir00 folder. based on what I've read, this is probably a virus and should be removed? It has disabled my antivirus software. darrel

"svchost.exe.hdmp" is not the same as "svchost.exe", so you cannot make the same assumptions about where it's alright to be, and you cannot assume that it is a virus. a ".hdmp" file is a file used by Windows Error Reporting, and may be totally valid. I recommend you make sure your anti-malware tools are up to date.
Leo
09-Jan-2010

Alex
February 8, 2010 4:14 AM

Even if your svchost.exe is located in C:\Windows\System32 it could host and run a virus .dll! Study the Conficker worm which just adds a Registry entry, and svchost loads this worm on the next Windows startup. I suggest the free Svchost Analyzer http://www.neuber.com/free/svchost-analyzer/ to verify all the .dll's started from svchost.exe
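One way to review what the legitimate svchost.exe is configured to load, as an added example that is not part of the original page or of the comment above: it reads each service's `Parameters\ServiceDll` registry value, which is where svchost-hosted services name their DLL, and flags entries that are missing, outside System32, or not validly signed. Function and variable names are hypothetical; depending on the Windows and PowerShell version, catalog-signed system DLLs can report NotSigned, so REVIEW means inspect, not remove.

```powershell
# Added example (not from the original page or comment). Run elevated.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sys32       = Join-Path $env:SystemRoot 'System32'

function Get-SvchostServiceDll {
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

        # Only services whose ImagePath launches svchost.exe are of interest here.
        if (-not $svc -or "$($svc.ImagePath)" -notmatch 'svchost\.exe') { return }

        # The DLL that svchost loads for this service is named in Parameters\ServiceDll.
        $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

        $exists  = Test-Path -LiteralPath $dll
        $status  = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        $inSys32 = $dll -like "$sys32\*"

        $verdict = if (-not $exists) {
            'MISSING (registry points at a file that is not there)'
        } elseif ($inSys32 -and $status -eq 'Valid') {
            'ok'
        } else {
            'REVIEW'
        }

        [pscustomobject]@{
            Service    = $_.PSChildName
            ImagePath  = $svc.ImagePath
            ServiceDll = $dll
            Signature  = $status
            Verdict    = $verdict
        }
    }
}

# Show anything that is not plainly fine first.
Get-SvchostServiceDll |
    Sort-Object @{ Expression = { $_.Verdict -eq 'ok' } }, Service |
    Format-Table Service, ServiceDll, Signature, Verdict -AutoSize
```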

Conor
March 11, 2010 12:59 PM

Hi. I have the svchost.exe only in the places you mentioned above. But, in Task Manager it says there are 9 running. It says some are running by SYSTEM and others running by LOCAL SERVICE, and you only mentioned 4. If there was more svchost.exes in other places, how could I find them? Or do you know if I have a virus?

It is quite common to have more than one copy of SVCHOST running - which is different than the number and location of the SVCHOST.EXE files. More here: What is svchost, and why is there more than one copy running?
Leo
12-Mar-2010

Dan Ambroise
September 28, 2010 1:51 PM

i have an svchost.exe in c:\documents and settings\my name\application data\microsoft\
i delete it and it keeps coming back.
i scan it for viruses but nothing shows up.
i started to notice it when it started requesting access to the internet. i block it every time.
this directory also contains a .bat file which can delete all svchost.exe files in this directory.

Joaquin Closet
December 26, 2011 6:54 PM

After reading this article, I typed "svchost.exe" into my Windows XP search mechanism. In addition to the four places mentioned in your article, I also found one in a folder entitled C:\WINDOWS\ERDNT\cache. I don't know if this means anything or not, but both of my virus checking programs (Avast and Malwarebytes) did not identify it as a problem.

Carver Smith
February 11, 2012 1:00 PM

I just reinstall Win7 Home Prem. from a Gateway hidden partition ( 3rd time ). It is not connected to the internet yet as I had other problems. I un-hid everything and I have 2 different size Svchost.exe. one 26.5k in \windows\system32 and one 20k in \windows
Malware bytes earlier complained about the windows one. Had it remove it and computer was funny. Any thoughts? Just downloaded the analyzer and will run that. I'm wondering if the reload from DVDs and then the hidden partition have done the same thing.

Comments on this entry are closed.
