Svchost.exe
In the Windows NT family of operating systems, svchost.exe (Service Host, or SvcHost) is a system process which hosts multiple Windows services. Its executable image, %SystemRoot%\System32\Svchost.exe or %SystemRoot%\SysWOW64\Svchost.exe (for 32-bit services running on 64-bit systems), runs in multiple instances, each hosting one or more services. It is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption.

Implementation

Services run in SvcHost are implemented as dynamically-linked libraries (DLLs). Such a service's registry key must have a value named ServiceDll under the Parameters subkey, pointing to the respective service's DLL file. Their ImagePath definition is of the form %SystemRoot%\System32\svchost.exe -k netsvcs: all the services sharing the same SvcHost process specify the same parameter, having a single entry in the SCM's database. The first time that a SvcHost process is launched with a specific parameter, it looks for a value of the same name under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key, which it interprets as a list of service names. Then, it notifies the SCM of all the services that it hosts. The SCM doesn't launch a second SvcHost process for any of those received services: instead, it simply sends a "start" command to the respective SvcHost process containing the name of the service that should be launched within its context, and whose respective DLL SvcHost loads.
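The registry layout described above can be read back as one table, which is useful when baselining a host. This PowerShell sketch is an added example, not part of the original article; it assumes the standard HKLM\SYSTEM\CurrentControlSet\Services location for service keys, which the article does not name.

```powershell
# Added example. Run elevated so every Parameters subkey is readable.
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # assumed location
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groupReg = Get-Item -Path $groupKey

Get-ChildItem -Path $svcRoot | ForEach-Object {
    $key = $_

    # Only services whose ImagePath is "svchost.exe -k <group>" are hosted.
    $imagePath = $key.GetValue('ImagePath')
    if ($imagePath -notmatch 'svchost\.exe"?\s+-k\s+"?([^\s"]+)') { return }
    $group = $Matches[1]

    # The DLL that SvcHost loads when the SCM starts this service.
    $dll = $null
    try {
        $params = $key.OpenSubKey('Parameters')
        if ($params) { $dll = $params.GetValue('ServiceDll') }
    } catch {
        # Subkey not readable with the current token; leave ServiceDll empty.
    }

    # The group's value under the Svchost key is the list of member services.
    $members = @($groupReg.GetValue($group))

    [pscustomobject]@{
        Group       = $group
        Service     = $key.PSChildName
        InGroupList = $members -contains $key.PSChildName
        ServiceDll  = $dll
        DllExists   = [bool]($dll -and (Test-Path -LiteralPath $dll))
    }
} | Sort-Object Group, Service | Format-Table -AutoSize
```

Rows with InGroupList false, an empty ServiceDll, or a DLL path that does not exist are the ones to compare against a known-good baseline.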

Grouping multiple services into a single process conserves computing resources. However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. In Windows NT 5.1 (XP) and later editions, the tasklist command with the /svc switch includes a list of component services in each process. In Windows 6.0 (Vista) and later, a "Services" tab in Windows Task Manager includes a list of services and their groups and Process IDs (PIDs). Microsoft's Sysinternals Process Explorer also provides information about services running under svchost.exe processes.

Security issues

Because svchost.exe is used as a common system process, malware often uses a process name of "svchost.exe" to disguise itself. Determining the image path of a process, and its invoking command line, can help identify software masquerading in this way, and help locate the actual program file which is running under the assumed process name of "svchost.exe" (Windows allows multiple processes to all display the same name). Some malware injects a .dll file into the authentic svchost process, for example the Win32/Conficker worm.
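The image-path and command-line check described above can be scripted for every process named svchost.exe. This PowerShell sketch is an added example, not part of the original article; the Win32_Process and Win32_Service CIM classes and the wording of the findings are choices made for this example.

```powershell
# Added example: triage every process named svchost.exe on the local host.
# Run elevated so ExecutablePath and CommandLine are populated.

# The two legitimate image locations named in the article.
$validImages = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Value names under this key are the groups a real instance is started with.
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups   = (Get-Item -Path $groupKey).GetValueNames()

# Services the SCM reports per process ID (same data as tasklist /svc).
$hosted = Get-CimInstance Win32_Service |
    Group-Object ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $findings = @()

    if (-not $_.ExecutablePath) {
        $findings += 'image path not readable'
    } elseif ($validImages -notcontains $_.ExecutablePath) {
        $findings += 'image outside System32/SysWOW64'
    }

    if ($_.CommandLine -match '\s-k\s+"?([^\s"]+)') {
        if ($groups -notcontains $Matches[1]) {
            $findings += "group '$($Matches[1])' not under Svchost key"
        }
    } else {
        $findings += 'no -k group on command line'
    }

    $services = $hosted["$($_.ProcessId)"]
    if (-not $services) { $findings += 'SCM lists no service in this process' }

    [pscustomobject]@{
        PID       = $_.ProcessId
        ImagePath = $_.ExecutablePath
        Services  = ($services.Name -join ',')
        Findings  = ($findings -join '; ')
    }
} | Sort-Object Findings -Descending | Format-Table -AutoSize -Wrap
```

An empty Findings column only means the name, path and group are consistent; it does not rule out a DLL injected into a genuine instance, which requires inspecting the modules loaded in that process.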

The April 30, 2007 release of Windows Server Update Services 3.0 led to reports of svchost.exe issues, including 100% CPU usage, memory hogging, and excessive laptop fan/power usage.

See also

  • Service Control Manager
  • List of Microsoft Windows components
  • Windows NT Startup Process


The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 