The svchost.exe process often appears suspicious when you’re inspecting a malware-infected system. One reason for this is that the underlying service is not always immediately recognizable. In addition, you can't rule out the possibility that malware is exploiting the function of the process and attaching itself to it. Cybercriminals have often taken advantage of the fact that the process is so common.
It’s not easy to determine which processes are legitimate. Start by checking whether the process name is spelled correctly. For example, malware often uses similar-looking spellings like scvhost.exe or svhost.exe. You can also use the method described above to view the path to the executable file. The file must always be located in the “\Windows\System32\” directory; otherwise, it’s not a legitimate system process.
The linked services offer further clues. If these services are known Windows system functions, it’s very unlikely that malware is the cause of your problems. The “Details” tab in the Task Manager provides further information. In the properties, you can view the digital signature (certificate) of the originator for svchost.exe; the issuer should always be Microsoft.
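The checks described above (name spelling, executable path, hosted services, digital signature) can be run in one pass with PowerShell. This is an added example, not part of the original article; the lookalike pattern and the signer match string are assumptions.

```powershell
# Added example: read-only triage of processes named like svchost.exe.
$expected  = Join-Path $env:SystemRoot 'System32\svchost.exe'
# Assumed lookalike pattern; covers svchost, scvhost, svhost and close variants.
$lookalike = '^s[vc]{1,2}h?osts?\.exe$'

# Index running services by the PID of the process that hosts them.
$byPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $lookalike } |
    ForEach-Object {
        $p        = $_
        $key      = [string]$p.ProcessId
        $path     = $p.ExecutablePath          # empty if the shell is not elevated
        $hosted   = @($byPid[$key] | Where-Object { $_ } | ForEach-Object { $_.Name })
        $findings = @()
        $signer   = $null

        if ($p.Name -ne 'svchost.exe') { $findings += 'misspelled name' }

        if (-not $path) {
            $findings += 'path unreadable (run elevated)'
        } else {
            if ($path -ne $expected) { $findings += 'not in System32' }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid') {
                $findings += "signature: $($sig.Status)"
            } elseif ($signer -notmatch 'O=Microsoft Corporation') {
                # Assumed match string for Microsoft's signing certificates.
                $findings += 'signer is not Microsoft'
            }
        }
        if ($hosted.Count -eq 0) { $findings += 'no hosted services' }

        [pscustomobject]@{
            PID      = $p.ProcessId
            Name     = $p.Name
            Path     = $path
            Services = $hosted -join ', '
            Signer   = $signer
            Findings = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    } | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the executable path of every process is readable; any row whose Findings column is not "none" deserves a closer look.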