What is Svchost.exe?

infoJust exactly what is this svchost.exe, and why do I have so many of them listed in Task Manager?

At some point in your computing experience, you will encounter Windows Task Manager (Windows Vista, Windows XP and Windows 2000 only).  You can bring up the Task Manager by right-clicking on your Taskbar and then clicking on Task Manager.  Looking at the Applications tab, you will see a short list of the open programs you have running:

Screen capture of Running Processes

Then you notice the Processes Tab where you see a much longer list of names you don't recognize.  You may find it odd that there are several svchost.exe’s appearing there.  (You may have to check the box at the bottom of the Task Manager window, "Show processes from all users" before you will see the list of svchost's.)  It looks like this:

List of running processes

Notice the column directly to the right of Image Name.  It is PID, or Process ID.  This is a process identifying number.  Note, for instance, that one of the process IDs of one of the svchost listings is 1288.  In Windows Vista, you can go to the next tab, Services, and you will see the process ID's next to each service. 

List of running services

Notice all of the different services running as process ID 1288.  You've just identified all of the services running in that service host. 

What is a service? According to Vista's help file, "a service is a computer program or process that runs in the background and provides support to other programs."  

And what is svchost.exe? “Svchost.exe” is the file name for the generic Windows process called Service Host which resides in \Windows\System32\.  Since it acts as a host (think of a host as a container), it can collect multiple services together and run them in a common environment.  This results in a more efficient arrangement since it reduces boot time and system overhead by eliminating the need to run dozens of separate services, each in their own memory spaces.  Different groups of Windows services have different requirements in terms of system access and security, which is why separate instances of svchost.exe are needed. 

Why might I want to identify what is running in a service host?  If you are reading this article, you are probably trying to do some troubleshooting.  Perhaps your machine is running slowly and you are looking at the process list to find what process is using so much of your processor power.  You may notice that a svchost has your CPU (Central Processing Unit - your processor) usage pegged at 100% or nearly so.  You can use the information in this article to track down exactly what service is behaving so badly.

Windows Defender

If you aren't running Vista, there is another way to get the information about what is running in a particular service host.  Windows Defender's Software Explorer will tell you also.  Windows Defender is built into Vista, so those of you who have Vista can do this too.  For those not running Vista, you can download Windows Defender from Microsoft if you are running Windows XP with Service Pack 2.  It is Microsoft's excellent antispyware tool, and it is free for those running Genuine Windows.  You can get it here.

Once installed, you will find Windows Defender in your list of All Programs.  Open it up, go to Tools, then select Software Explorer.  In that Window, under Category, select "Currently Running Programs."  In that listing, you will see multiple instances of service hosts.  In Windows XP, these will be called Microsoft Generic Host Process for Win32 Services.  In Windows Vista, the name is a bit friendlier, "Microsoft Host Process for Windows Services: #" where # is the Process ID number.  Here's what that looks like:

Isn’t svchost.exe a virus too?

There are at least 2 worms and one virus that masquerade as this legitimate Windows file.

  1. W32.Welchia.Worm (see article at Symantec here)

  2. W32.Assarm@mm (see article at Symantec here)

  3. W32/Jeefo (see article at McAfee here)

  4.  

  5. Ensure that your antivirus software is updated, run a virus scan and you should be adequately protected from the above.

    So you can see that having multiple instances of ‘svchost.exe’ in Windows Task Manager is quite normal and one less thing you need to worry about - always a good thing!