svchost.exe: the service host in Windows operating system tests

If your Windows system is running properly, you probably have no reason to use the Task Manager or monitor in­di­vid­ual processes and services. PC users rarely have to track running services or back­ground ap­pli­ca­tions, just like car owners rarely need to look under the hoods of their cars. However, it’s a good idea to learn the basics of system mon­i­tor­ing and fa­mil­iar­ize yourself with the most important system programs, es­pe­cial­ly if you rely on your computer for work. After all, problems often appear at the most in­op­por­tune moments. You should monitor running processes if you ex­pe­ri­ence one of the following problems:

• In­ex­plic­a­bly high usage of system resources, such as an extremely high CPU load
• Programs crashing or windows freezing
• You suspect viruses on your machine
• You can’t open programs that have been installed correctly

The svchost.exe process im­me­di­ate­ly stands out when you check your running ap­pli­ca­tions. You’ll usually see multiple instances of it running, and sometimes even several dozen instances. The name of the program is an ab­bre­vi­a­tion of service host. That means it’s a software program that can be used by other programs or services. As a result, the source program behind the process you're mon­i­tor­ing is not im­me­di­ate­ly rec­og­niz­able.

In principle, several services can also be combined in one process. However, for powerful computers, Windows usually runs a separate process for each service. This makes it easier to dis­tin­guish between the in­di­vid­ual processes. This is an advantage when a process “crashes,” meaning it enters an undefined state. In such cases, the failed task can then be closed without affecting other programs.

You may be wondering why ad­di­tion­al software is necessary to start services in the first place. The reason has to do with gains in ef­fi­cien­cy and specific concepts such as Dynamic Link Libraries (DLLs). DLLs use svchost.exe to run a service. Generally speaking, these libraries consist of code that can be used by different software ap­pli­ca­tions and dy­nam­i­cal­ly in­te­grat­ed (linked) if necessary. First, this saves disk space because not every software program has to include the functions in the library. Second, it promotes mod­u­lar­i­ty. DLLs can be cus­tomized and updated re­gard­less of the software being used.

Thanks to their unique prop­er­ties, dynamic libraries support ordinary programs that require extensive code to run in­de­pen­dent­ly. They also solve the problem that certain program resources (such as embedded functions) typically cannot be directly con­trolled by other programs. The system primarily uses DLLs to provide functions that are required by multiple programs.

If you determine that an svchost.exe process is re­spon­si­ble for problems in your system, there are several ways to inspect it.

One effective tool is the Windows Task Manager, which you typically access using the keyboard shortcut Ctrl + Shift + Esc. Al­ter­na­tive­ly, you can type “Task Manager” in the search box and launch the app from the search results.

The Task Manager has several tabs. The Processes view opens by default. It displays the per­cent­age of system resources being used for each running process, including CPU usage, memory uti­liza­tion, network uti­liza­tion and disk uti­liza­tion. You can change how the list is sorted by clicking a column's header. The processes are named after the as­so­ci­at­ed programs. In Windows 10, svchost.exe processes start with “Service Host,” followed by the de­scrip­tion of the service currently running. In earlier versions of Windows, the name svchost.exe appeared directly in the list of processes.

All services can be viewed with the Services system app. To open this app, simply go to the “Run” dialog box from the Start menu (Windows icon) and enter the following:

You can select Prop­er­ties from the context menu of each service listed. This window displays the path to the linked ex­e­cutable file. The name of the service and a brief de­scrip­tion are also displayed. That way you can determine the function of the service. On the De­pen­den­cies tab, you can view other services that are dependent on the service.

If you don’t mind using the command line tool, the taskliste.exe program is a good al­ter­na­tive. The program comes pre-installed on Windows 10 and is very easy to use. In previous versions, a similar software program was called “tlist.exe.” Start by opening Command Prompt (cmd.exe). To see a list of all instances of svchost.exe with the as­so­ci­at­ed process ID and the services running inside each instance, type the following command into the Windows command line:

Microsoft offers third-party freeware such as the Process Explorer developed by well-known author and Windows insider Mark Russi­novich. The program is similar in ap­pear­ance to the Task Manager, but has a much more extensive range of features. For example, you can easily see which processes have invoked other processes. In addition, you can right-click to open a context menu for more detail. For example, you can view not only the program as­so­ci­at­ed with a process, but also the registry entry. Yet another option is to submit software directly to the Virus­To­tal platform for in­spec­tion.

The svchost.exe process often appears sus­pi­cious when you’re in­spect­ing a malware-infected system. One reason for this is that the un­der­ly­ing service is not always im­me­di­ate­ly rec­og­niz­able. In addition, you can't rule out the pos­si­bil­i­ty that malware is ex­ploit­ing the function of the process and attaching itself to it. Cy­ber­crim­i­nals have often taken advantage of the fact that the process is so common.

It’s not easy to determine which processes are le­git­i­mate. Start by checking whether the process is spelled correctly. For example, malware often uses similar-looking spellings like scvhost.exe or svhost.exe. You can also use the method described above to view the path to the ex­e­cutable file. The file must always be located in the “\Windows\System32\” directory, otherwise it’s not a le­git­i­mate system process.

The linked services offer further clues. If these services are known Windows system functions, it’s very unlikely that malware is the cause of your problems. The “Details” tab in the Task Manager provides further in­for­ma­tion. In the prop­er­ties, you can view the digital signature (cer­tifi­cate) of the orig­i­na­tor for svchost.exe, the issuer should always be Microsoft.

If a program with a graphical user interface stops re­spond­ing, it may be helpful to manually terminate the as­so­ci­at­ed process. It’s also possible that you ac­ci­den­tal­ly launched several instances of a program by double-clicking the program icon several times. Here too, you can end the processes so that you can return to using the program as usual. You can close processes like svchost.exe in the Task Manager. To do this, go to Processes view and simply right-click the process and choose “End task.”

If a svchost.exe instance is still causing problems even after a restart, you have the option of manually disabling the process in the Services app. But before doing this, you should determine the function of the service you want to disable, if possible. Otherwise, there’s a risk that the system may not function properly when you restart your computer.

As you can see, svchost.exe is a com­plete­ly normal yet very unique process. It runs in multiple instances for good reason. It doesn’t mean that your system isn’t working properly or infected with malware. You can now view the purpose of each in­di­vid­ual process rel­a­tive­ly easily in the Windows Task Manager. And if necessary, you can manually terminate svchost.exe just like any other process.