Identify Loaded SVCHOST.EXE in Windows Task List

Posted by Raymond on Aug 23, 2007, in category: Computer

I’ve been asked many times what the svchost or svchost.exe that’s loaded in Windows is.

Svchost, as the name implies, stands for “Service Host”. Many components of the Windows operating system are implemented as what are called “services”, a fancy name for programs that run in the background and aren’t necessarily associated with whoever is logged into the machine. A fair number of those services are implemented in DLLs rather than in stand-alone executables. Since a DLL can’t run on its own, svchost is the process that loads it.

The problem nowadays is that svchost.exe is a common disguise used by malware to hide its presence from the user. As you can see from the image below, Windows Task Manager doesn’t show much information about svchost.exe. You wouldn’t even know whether it is loading a legitimate DLL or not…

[Image: What is svchost.exe]

Here’s how to identify what’s really running as Svchost.exe on Windows XP Professional.


In command prompt, type the command below and hit enter.


The service name is displayed on the right side of the tasklist result.

[Image: remove svchost.exe]

To do a final match-up of the somewhat cryptic service name to something more meaningful, you’ll need to go to the service browser in Windows. An easy way to get there when running XP is to right-click on “My Computer” and select “Manage”. This opens the “Computer Management” application. On the left side you’ll see a variety of locations, but in this case you’ll need the last one, “Services and Applications”. Expand that (use the +), and click on the first item, “Services”.

[Image: How to delete svchost]

Now comes the tricky part. You’ll need to guess in order to match the human-readable name of the service with the Windows name of the service. For example, one of the named services in the list on my computer was PID 1404, Dnscache. I looked through the list of names and the most likely service was “DNS Client”. I double-clicked on the entry, which shows the properties for that service:

[Image: investigate svchost.exe]

The “Service Name” exactly matches what I was looking for: Dnscache. Now I know that PID 1404 is the Dnscache service.

What you want to see there is that the executable that is being run is “svchost.exe”. In this case, PID 1404 is the DNS Client service. If you’re not using Windows XP Professional, you might not have the “tasklist.exe” to display the task list. You can download tasklist.exe from here.

If you find that too troublesome, there is of course an easier way. Use Process Explorer by Sysinternals. Just hover your mouse over the svchost.exe entry and a balloon message will tell you the service name.

[Image: Process Explorer discover svchost service name]

[ Download Process Explorer ]
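
The PID-to-service match-up described above can also be produced in one pass instead of by hand in the Services console. The following is an added example, not part of the original post; it assumes PowerShell 3.0 or later (for `Get-CimInstance`) and an elevated prompt so that executable paths are readable.

```powershell
# Added example (not from the original post): list every svchost.exe
# process with the services it hosts and the path it was started from.
# Run from an elevated prompt; otherwise ExecutablePath can be empty.

# Locations where the genuine svchost.exe lives (SysWOW64 holds the
# 32-bit copy on 64-bit Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process that hosts them.
$byPid = @{}
foreach ($svc in Get-CimInstance Win32_Service -Filter "State = 'Running'") {
    $key = [int]$svc.ProcessId
    if (-not $byPid.ContainsKey($key)) { $byPid[$key] = @() }
    $byPid[$key] += '{0} ({1})' -f $svc.Name, $svc.DisplayName
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $hosted = $byPid[[int]$_.ProcessId]
        $notes  = @()
        if (-not $_.ExecutablePath) {
            $notes += 'path unreadable (not elevated?)'
        } elseif ($expected -notcontains $_.ExecutablePath) {
            # A process named svchost.exe running from any other folder
            $notes += 'unexpected path'
        }
        if (-not $hosted) { $notes += 'no hosted service' }

        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath
            Services  = $hosted -join ', '
            Review    = $notes -join '; '
        }
    } |
    Sort-Object ProcessId |
    Format-Table -AutoSize -Wrap
```

Each row pairs a PID with the service name and display name (for example, Dnscache and DNS Client), and any text in the Review column marks an entry worth a closer look in Process Explorer.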


    • wan_tp

      Thanx Raymond!

    • ChAnGsTaLiCiOuS

      OMFG I AM SO GRATEFUL TO GO HERE!!! I HAVE HAD THIS PROBLEM FOR MONTHS EVER SINCE I GOT VISTA THANK YOU YAY OMFG YOU ARE GREAT IVE BEEN LOOKING FOR A SOLUTION FOR A LONG TIME THANK YOU!!!!

    • http://zzz mohazamin

      Thanks Raymond!!!!!!!! I also got this problem since a month ago…I don’t know how to differentiate the real svchost.exe…This post might help…lol

    • Mike M

      Raymond, this article is very informative!

    • Nestor®

      Raymond, you always post good articles.

    • Nerve

      Thanx Raymond, u all should try to dig, there are six comments and 4 diggs, Raymond has really assisted us and we should be appreciative.
      Please dig after reading this

    • http://www.darndem.com Kmuzu

      Very Nice Post .. always wondered about that.

    • http://www.raymond.cc/ Raymond

      Thanks Nerve, more diggs would be appreciated.

    • Alien_77

      @ChAnGsTaLiCiOuS

      under VISTA it is quite easier to identify, just mark the svchost.exe, push the right button and choose “go to service” (rough translation since I use the german version).

    • anon

      Good article. Where’s the printable version?

      - anon

    • Brijesh

      or you can simply use process explorer from microsoft. http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx

    • http://www.raymond.cc/ Raymond

      Brijesh, it’s the same thing. Sysinternals is the original name and it has been bought over by Microsoft.

    • Max

      This has been a really useful article. Thanks for bringing this tip to my attention.

    • j.Smith

      Thanks Ray

    • http://ineasywords Sam Ahmed

      Hey Raymond, I would like to add a tricky part.

      If your service host, which is called SVCHOST.EXE, loaded more than 25,000kb it means that it is sending (hosting) out something, but if less that’s okay.

      In easy words, if your svchost.exe has high Mem Usage over 25,000kb kill it.

    • http://www.google.com Simon

      Thanks for sharing this. But, how can we remove the svchost.exe file ?

    • Arek

      More interesting would be the process with PID 1232. DNS Client in this case is obvious.

    • Robert

      It’s been a while since this article was written, but as of Dec 2008, you can easily discover process ID in task manager. It is a column you can add to the display under the View menu on the process tab.
      Malware often lists rubbish or N/A in the tasklist report in dos. So, once you know which svchost.exe items are reporting rubbish, it’s easy to correlate them to the bad boys in task manager.

    Copyright © 2005-2012 - Raymond.CC Blog