Unlocking the Mysteries of 'Svchost.exe'
Svchost.exe, which you'll find in the WINDOWS\System32 folder, launches at startup and loads any services from dynamic-link libraries (DLLs) that the Registry tells it to run. Svchost.exe can, and usually does, run several instances of itself at any given time, each instance running several associated services.
When you use some common tools, such as Task Manager, you can see Svchost.exe running, but you can't see the specific services it hosts. Svchost.exe also shows up when you use Windows XP Pro's DOS-like Task List utility (Start/Run/cmd, then type TASKLIST at the command prompt). When you use the /SVC switch with Task List (type TASKLIST /SVC at the command prompt), you can see the names of the services hosted within each process.
These common methods show you some, but often not enough, information about Svchost.exe services.
You can use an unlikely utility to get the details you're looking for: Microsoft's own Windows Defender (a free, beta anti-spyware tool) actually has a little-known feature that provides detailed information about each instance of Svchost.exe running, and all the services therein.
In Windows Defender, click Tools, then choose Software Explorer. In the Category drop-down menu, choose "Currently Running Programs" or "Network Connected Programs." In either or both of those categories, you'll probably find items called "Microsoft Generic Host Process for Win32 Services"; these are the Svchost.exe instances. By clicking on one instance in the left pane, you'll see its details in the right.
You can match these individual "Microsoft Generic Host Process for Win32 Services" instances with the Svchost.exe instances in the TASKLIST /SVC list most easily by matching Process IDs. In the command prompt version, the service names are abbreviated; for example, you might see AudioSrv and BITS. In the associated "Services" item in Windows Defender, those are spelled out: Windows Audio and Background Intelligent Transfer Service.
Best of all, each "Host Process" in Defender is classified as "Allowed" or "Not Yet Classified." Any process that's "not allowed" will be blocked or terminated (one hopes) by Windows Defender.
If you don't currently have (or want) Windows Defender, but still want details on Svchost.exe services, you can download the excellent and free Process Explorer from Sysinternals.
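The PID-matching walk-through above, as an added PowerShell example that is not from the article and assumes a modern Windows where Software Explorer no longer exists: it lists every running svchost.exe instance by PID, prints each hosted service's display name beside the short name TASKLIST /SVC shows, reads the ServiceDll value the Registry tells svchost.exe to load, and notes any host process whose image is not the expected System32\svchost.exe.

```powershell
# Added example (not from the original article). Groups running services by the
# svchost.exe process hosting them so the PID can be matched against TASKLIST /SVC.
# Run elevated to see complete PathName and ServiceDll data.

$expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Only services whose host binary is svchost.exe; other service hosts are skipped.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -like '*svchost.exe*' }

foreach ($group in ($services | Group-Object ProcessId | Sort-Object { [int]$_.Name })) {
    $hostPid = [int]$group.Name          # $PID is reserved in PowerShell, so use another name
    $cmdLine = ($group.Group | Select-Object -First 1).PathName

    Write-Host ''
    Write-Host ("svchost.exe PID {0}   command line: {1}" -f $hostPid, $cmdLine)

    # The article places svchost.exe in WINDOWS\System32; flag anything else for a closer look.
    if ($cmdLine.TrimStart('"') -notlike "$expectedHost*") {
        Write-Host '  NOTE: host image is not the System32 svchost.exe; verify this process.'
    }

    foreach ($svc in ($group.Group | Sort-Object Name)) {
        # The DLL svchost.exe loads is normally under the service's Parameters key;
        # a few services keep ServiceDll directly under the service key, so check both.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $dll = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) {
            $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $dll) { $dll = '<no ServiceDll value>' }

        # Expand %SystemRoot%-style references so the path can be inspected on disk.
        $dll = [Environment]::ExpandEnvironmentVariables($dll)

        # Short name (as TASKLIST /SVC shows it), display name (as Defender showed it), DLL.
        Write-Host ("  {0,-26} {1,-44} {2}" -f $svc.Name, $svc.DisplayName, $dll)
    }
}
```

Compare the PIDs in the output with `TASKLIST /SVC` to confirm both tools agree on which services each instance hosts.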
See also: "Identifying Mysterious 'Services'" in a previous issue of the Langa List.
(This tip is a modified excerpt from the LangaList newsletter.)
12 Comments:
You can also use Process Explorer, which lets you see which services were started by which svchost.exe.
Dude you misspelled the 2nd word in your post. It's "shows" not "shoes" as in what you wear on your feet... but "appears" might be a better word than the other two anyway.
The real mystery to me, though, is why Microsoft doesn't just make it simple for the average user to see what's running on their system. It shouldn't take installing other software or jumping through hoops. If a 3rd party is capable of making free software that works as well as Process Explorer, what's Microsoft's excuse for not just programming something similar into Windows in the first place? Oh, and then they had to go and buy Sysinternals, who were the makers of the free software Process Explorer and Autoruns.
Justin, I agree with that Process Explorer info. Not only is Process Explorer good, but there are a bunch more sysinternals.com tools that are great as well.
Vista features a new tab in Task Manager that shows details about running services. At least one reason to go Vista.
Just a warning about Windows Defender Beta 2. My company experienced a problem where 25 users had their machines locking up to the point they could not pull up the Task Manager because 'Svchost.exe' was using all available CPU cycles. Windows Defender was the source of the problem.
hi there,
Sysinternals' Process Explorer is now part of MS's own tools -- I think that the next version of Task Manager will be the Process Explorer.
Let's wait......
BR,
~A
BV's site has been unavailable for some time but it's been archived at various locations including:
http://web.archive.org/web/*/http://www.blackviper.com
http://web.archive.org/web/20050401033600/www.blackviper.com/WIN2K/servicecfg.htm
http://web.archive.org/web/20050401040248/www.blackviper.com/WIN2K/win2k.htm
Make sure to have javascript enabled or you'll have to fiddle (technical term) with the links to make them work.
====
The services page is available here:
http://majorgeeks.com/page.php?id=12
http://www.dead-eye.net/WinXP%20Services.htm
http://home.cfl.rr.com/alexpb/servicecfg.htm
Links to BV's information plus numerous other articles about services and processes can be found at:
http://processlist.cabspace.com/articles.html
Can you tell us how to tell which is abused by a virus?
Very good read, thanks! You explained a lot!
In Windows XP: Start -> Run -> cmd /k tasklist /svc
Be very wary of Black Viper's process lists, as many of his recommendations for what processes to terminate date back to Win XP Service Pack 0, and anyone running Service Pack 2 will undoubtedly be unable to terminate some services he recommends to terminate, and you may be doing yourself more harm than good by terminating some of these. It's hard to tell a good suggestion from a bad one on his site, but one thing I can tell you is that if you disable every one of the services he disables, chances are you're going to have to have his technical abilities to be able to cope with the problems that arise for you. For example, if you turn off the Help and Support service, you can't use Help and Support; sounds obvious, but be ready for things like that. If you turn off the "Server" service because you're "not running a server," you may end up experiencing a lot of issues; things such as file sharing will be affected or unable to run until you restart it. If you disable Terminal Services, you won't be able to switch users anymore, or use the XP welcome screen (assumption, I haven't tested the latter), so be ready for that as well. If you turn off Wireless Zero Configuration, and then buy a wireless router and network card in a year, it may take you a while to figure out why they won't work.
Those are just a few examples. No, you don't necessarily need to be running all that stuff, but the reason they turn it all on by default is so you can do whatever you want to do. If you turn off half the services on a friend's computer, then all of a sudden they can't play their new game or use their new DVD burner, and either they have to learn how to turn those services back on, or you have to turn them back on.
When in doubt, don't touch; it doesn't do all that much in improving performance anyway. Just have over 512 MB RAM and don't worry about it. There are far bigger resource hogs/security holes to worry about, such as Norton Internet Security 200x, one of the biggest performance-destroying programs created by man, or Internet Explorer 6 and ActiveX, one of the biggest security holes in Microsoft history, if not the biggest.