Identify Loaded SVCHOST.EXE in Windows Task List
Author: Raymond23 Aug
Many times I’ve been asked what is svchost or svchost.exe that’s loaded in Windows?
Svchost as the name implies stands for “Service Host“. Many of components of the Windows operating system are implemented as what are called “services“, a fancy name for programs that run in the background and aren’t necessarily associated with whomever is logged into the machine. A fair number of those services are implemented in DLLs rather than in stand-alone executables. Since DLL can’t run on its own, svchost is the one that loads the DLL.
Problem with svchost.exe nowadays is the common disguise used by malware to hide its presence from the user. As you can see from the image below, the svchost.exe doesn’t show up much information in Windows Task Manager. You wouldn’t even know if it is loading a legitimate DLL or not…
Here’s how to identify what’s really running as Svchost.exe on Windows XP Professional.
In command prompt, type the command below and hit enter.
The service name is displayed on the right side of the tasklist result.
To do a final match up of the somewhat cryptic service name to something more meaningful, you’ll need to go to the service browser in Windows. An easy way to get there when running XP is to right click on “My Computer“, and select “Manage“. This opens the “Computer Management” application. On the left side you’ll see a variety of locations, but in this case, you’ll need the last one, “Services and Applications“. Expand that (use the +), and click on the first item, “Services“.
Now comes the tricky part. You’ll need to guess to try to match the human readable name of the service with Windows name of the service. For example, one of the named services in the list on my computer was PID 1404, Dnscache. I looked through the lists of names and the most likely service was “DNS Client“. I double clicked on the entry which shows the properties for that service:
The “Service Name” exactly matches what I was looking for: Dnscache. Now I know that PID 1404 is the Dnscache service.
What you want to see there is that the executable that is being run is “svchost.exe”. In this case, PID 1404 is the DNS Client service. If you’re not using Windows XP Professional, you might not have the “tasklist.exe” to display the task list. You can download tasklist.exe from here.
If you find it too troublesome, of course there’s an easier way. Use Process Explorer by Sysinternals. Just move your mouse over on top of the svchost.exe and a balloon message will tell you the service name.
Technorati Tags: scvhost, svchost.exe, process, services, task manager
: Copying this article to your website is strictly NOT allowed. However, if you like this article, you can use the HTML code below to directly link to this article.
Related Articles
Identify Loaded rundll32.exe in Windows Task List How To Identify Fonts Being Used In Images How To Identify Good or Bad StartUp Programs Fix Windows Task Manager With Missing Tabs and Menu Know What Invisible Files is Opened on Your System Learn How To Identify Phishing and Spam Emails How To Find Out The Name Of A Color
Top incoming search terms for this post
tasklist svchost - svchost tasklist - svchost list - svchost - list svchost - cc SvcHost - cc svc host - ccSvc host - identify svchost processes - tasklist svchost exe - what is svchost.exe in windows xp - svchost exe tasklist - identifying svchost.exe - SVCHOST MALWARE - show svchost - svchost exe windows xp - ccSVC.host - svchost.exe - svchost.exe pid - list svchost processes - windows task list - PID 1404 - svchost.exe tasklist - cc.svc.host - task manager processes - pid svchost.exe - identifying PID - svchost show - cc svc host error - svchost.exe list - cc.svchost - identify the web by windows category - cc svchost errors - svchost task list - SVCHOST.EXE malware - 11 svchost.exe in task manager - svchost show running - how to list svchost - techwindows.cc.co - list svchost.exe - identify pid - cc:svc host - windows 2000 professional operating system svchost.exe problem - svchost.exe tasklist - how to remove cc svc host - how to investigate svchost.exe - 11 svchost - identify svchost - windows identify svchost - identify PID xp -
Categories
Recent Comments
- Mohamed: thanx raymond
- kapil: its me ray
- drunk: http://img10.imageshack.us/img10/6992/clipboard01od.png steam username (kingmax_pc) sorry
- drunk: http://img10.imageshack.us/img10/6992/clipboard01od.png - Cheers
- norman: Thanks for this opportunity Ray.
- Raymond: Hi Raymond Thanks again for
- MTLGOD: Hi Raymond, I am Happy
- Ben: Hi Raymond, i was a
- klrk: steam account : klrkdekira i'll post
- Vatsal: me me i need it.....
Ads
Friends
Archives
Translate
 |  |  |  |  |  |  |
 |  |  |  |  |  |  |
 |  |  |  |  |  |  |
 |  |  |  |  |  |  |
 |  |  |  |  |  |  |
 |  |  |  |  |  |  |
Have computer technical problems? Get FREE help from Raymond.CC FORUM
22 Responses for "Identify Loaded SVCHOST.EXE in Windows Task List"
Thanx Raymond!
OMFG I AM SO GREATFUL TO GO HERE!!! I HAVE HAD THIS PROBLEM FOR MONTHS EVERY SINCE I GOT VISTA THANK YOU YAY OMFG YOU ARE GREAT IVE BEEN LOOKING FOR A SOLUTION FOR A LONG TIME THANK YOU!!!!
Thanks Raymond!!!!!!!! I also got this problem since a month ago…I dont know how to diffrentiate the real svchost.exe…This post might help…lol
[...] Problem with svchost.exe nowadays is the common disguise used by malware to hide its presence from the user. As you can see from the image below, the svchost.exe doesn’t show up much information in Windows Task Manager. You wouldn’t even know if it is loading a legitimate DLL or not… Here’s how to identify what’s really running as Svchost.exe on Windows XP Professional. (more…) [...]
Raymond, this article is very informative!
Raymond, you always post good articules.
Thanx raymond, U all shuld try tu dig, they’re six comment and 4 diggs, Raymond has really asssisted us and we should be appreciative.
Please dig after reading this
Very Nice Post .. always wondered about that.
Thanks Nerve, more diggs would be appreciated.
@ChAnGsTaLiCiOuS
under VISTA it is quite easier to identify, just mark the svchost.exe, push the right button and choose “go to service” (rough translation since I use the german version).
Good article. Where’s the printable version?
- anon
or you can simply use process explorer from microsoft. http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx
Brijesh, it’s the same thing. Sysinternals is the original name and it has been bought over by Microsoft.
[...] Read the Full Article: Identify Loaded SVCHOST.EXE in Windows Task List [...]
This has been a really useful article. Thanks for bringing this tip to my attention.
[...] Identify Loaded SVCHOST.EXE in Windows Task List » Raymond.CC Blog (tags: todo commands antivirus malware reference troubleshooting tutorial tech windows svchost) [...]
[...] I’ve written a guide on how to identify svchost.exe in your Windows and here’s another process that might be showing in your Windows Task List but you [...]
Thanks Ray
Hey Raymond i would like to add a tricky part
if your service host which is called SVCHOST.EXE loaded more than 25,000kb it means that it is sending (hosting) out something but if less thats okay .
in easy words if your svchost.exe has high Mem Usage over 25,000kb kill it.
Thanks for sharing this. But, how can we remove the svchost.exe file ?
More interesting would be the process with PID 1232. DNS Client in this case is obvious.
It\\\’s been a while since this article was written, but as of Dec 2008, you can easily discover process ID in task manager. It is a column you can add to the display under the View menu on the process tab.
Malware often lists rubbish or N/A in the tasklist report in dos. So, once you know which svchost.exe items are reporting rubbish, it\\\’s easy to correlate them to the bad boys in task manager.
Leave a reply