Many times I’ve been asked what is svchost or svchost.exe that’s loaded in Windows?
Svchost as the name implies stands for “Service Host“. Many of components of the Windows operating system are implemented as what are called “services“, a fancy name for programs that run in the background and aren’t necessarily associated with whomever is logged into the machine. A fair number of those services are implemented in DLLs rather than in stand-alone executables. Since DLL can’t run on its own, svchost is the one that loads the DLL.
Problem with svchost.exe nowadays is the common disguise used by malware to hide its presence from the user. As you can see from the image below, the svchost.exe doesn’t show up much information in Windows Task Manager. You wouldn’t even know if it is loading a legitimate DLL or not…
Here’s how to identify what’s really running as Svchost.exe on Windows XP Professional.
In command prompt, type the command below and hit enter.
The service name is displayed on the right side of the tasklist result.
To do a final match up of the somewhat cryptic service name to something more meaningful, you’ll need to go to the service browser in Windows. An easy way to get there when running XP is to right click on “My Computer“, and select “Manage“. This opens the “Computer Management” application. On the left side you’ll see a variety of locations, but in this case, you’ll need the last one, “Services and Applications“. Expand that (use the +), and click on the first item, “Services“.
Now comes the tricky part. You’ll need to guess to try to match the human readable name of the service with Windows name of the service. For example, one of the named services in the list on my computer was PID 1404, Dnscache. I looked through the lists of names and the most likely service was “DNS Client“. I double clicked on the entry which shows the properties for that service:
The “Service Name” exactly matches what I was looking for: Dnscache. Now I know that PID 1404 is the Dnscache service.
What you want to see there is that the executable that is being run is “svchost.exe”. In this case, PID 1404 is the DNS Client service. If you’re not using Windows XP Professional, you might not have the “tasklist.exe” to display the task list. You can download tasklist.exe from here.
If you find it too troublesome, of course there’s an easier way. Use Process Explorer by Sysinternals. Just move your mouse over on top of the svchost.exe and a balloon message will tell you the service name.
Related posts:
Exelence! thanks so much!
It\\\’s been a while since this article was written, but as of Dec 2008, you can easily discover process ID in task manager. It is a column you can add to the display under the View menu on the process tab.
Malware often lists rubbish or N/A in the tasklist report in dos. So, once you know which svchost.exe items are reporting rubbish, it\\\’s easy to correlate them to the bad boys in task manager.
More interesting would be the process with PID 1232. DNS Client in this case is obvious.
Thanks for sharing this. But, how can we remove the svchost.exe file ?
Hey Raymond i would like to add a tricky part
if your service host which is called SVCHOST.EXE loaded more than 25,000kb it means that it is sending (hosting) out something but if less thats okay .
in easy words if your svchost.exe has high Mem Usage over 25,000kb kill it.
Thanks Ray
[...] I’ve written a guide on how to identify svchost.exe in your Windows and here’s another process that might be showing in your Windows Task List but you [...]
[...] Identify Loaded SVCHOST.EXE in Windows Task List » Raymond.CC Blog (tags: todo commands antivirus malware reference troubleshooting tutorial tech windows svchost) [...]
This has been a really useful article. Thanks for bringing this tip to my attention.
[...] Read the Full Article: Identify Loaded SVCHOST.EXE in Windows Task List [...]
Brijesh, it’s the same thing. Sysinternals is the original name and it has been bought over by Microsoft.
or you can simply use process explorer from microsoft. microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx
Good article. Where’s the printable version?
- anon
@ChAnGsTaLiCiOuS
under VISTA it is quite easier to identify, just mark the svchost.exe, push the right button and choose “go to service” (rough translation since I use the german version).
Thanks Nerve, more diggs would be appreciated.
Very Nice Post .. always wondered about that.
Thanx raymond, U all shuld try tu dig, they’re six comment and 4 diggs, Raymond has really asssisted us and we should be appreciative.
Please dig after reading this
Raymond, you always post good articules.
Raymond, this article is very informative!
[...] Problem with svchost.exe nowadays is the common disguise used by malware to hide its presence from the user. As you can see from the image below, the svchost.exe doesn’t show up much information in Windows Task Manager. You wouldn’t even know if it is loading a legitimate DLL or not… Here’s how to identify what’s really running as Svchost.exe on Windows XP Professional. (more…) [...]
Thanks Raymond!!!!!!!! I also got this problem since a month ago…I dont know how to diffrentiate the real svchost.exe…This post might help…lol
OMFG I AM SO GREATFUL TO GO HERE!!! I HAVE HAD THIS PROBLEM FOR MONTHS EVERY SINCE I GOT VISTA THANK YOU YAY OMFG YOU ARE GREAT IVE BEEN LOOKING FOR A SOLUTION FOR A LONG TIME THANK YOU!!!!
Thanx Raymond!