SVCHOST.exe and the mystery behind it.

Often, when I boot my Windows XP-SP2 operating system, the first thing I notice is huge CPU utilization by a process called SVCHOST.exe. The process in fact sucks up almost my entire CPU percentage. Therefore, to gain an insight into what exactly goes on, I thought of digging up information about SVCHOST.exe. This post is all that I have learnt about this process till now.


Leo Notenboom says “On Windows XP, 2000, and 2003, SVCHOST is not a virus. On those systems SVCHOST is a required system component. If you happen to successfully delete it, your system will not run. You’ll be much worse off than before.”


The svchost.exe file is located in the folder C:\Windows\System32.

During Windows startup, Svchost.exe, which is located in the folder mentioned above, checks the services portion of the registry in order to construct a list of the services that it needs to load after startup. It's perfectly normal to have multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

SVCHOST stands for Service Host. By typing “tasklist /svc” at the command prompt (type it without the quotes), you can see all the copies of svchost and the services each one is running.

The most important things to remember about SVCHOST are that it is not a virus (it is SCVHOST, with the letters swapped, that can be treated as a virus, not SVCHOST) and that this program is important for the stable and secure running of your computer and should not be terminated.

To learn more about SVCHOST, please refer to the Microsoft website.

Cheers,

Vaibhav
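A triage check built on the points above, as an added example that is not part of the original post: it parses `tasklist /v /fo csv` output and flags near-miss image names such as SCVHOST, plus any svchost.exe that is not running under a built-in service account. The sample rows, host name and user name are constructed, and the list of expected accounts is an assumption; newer Windows versions also run per-user services in svchost.exe under the logged-on user, so a hit is a lead to investigate, not a verdict.

```python
import csv
import io

# Assumption: accounts a genuine svchost.exe is expected to run under.
SERVICE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                    r"NT AUTHORITY\NETWORK SERVICE"}

# Constructed sample of `tasklist /v /fo csv` output (host and user are made up).
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","884","Console","0","4,512 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","1020","Console","0","3,980 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","2316","Console","0","9,104 K","Running","DESKTOP\user1","0:02:41","N/A"
"scvhost.exe","2980","Console","0","7,220 K","Running","DESKTOP\user1","0:00:12","N/A"
"explorer.exe","1496","Console","0","18,300 K","Running","DESKTOP\user1","0:00:09","N/A"
'''

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (scvhost/svchost) as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def triage(tasklist_csv):
    """Return (pid, image, reason) for every row that deserves a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"].lower()
        user = row["User Name"]
        if image == "svchost.exe":
            # "N/A" means the owner was not visible (prompt not elevated): unknown.
            if user != "N/A" and user.upper() not in SERVICE_ACCOUNTS:
                findings.append((int(row["PID"]), image, "runs as " + user))
        elif osa_distance(image, "svchost.exe") <= 1:
            # One edit only: a looser threshold would hit unrelated short names.
            findings.append((int(row["PID"]), image, "lookalike name"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A clean result only covers image names and accounts; it says nothing about the DLLs or threads loaded inside a genuine svchost.exe.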


10 Responses

  1. I used to be surprised why my computer is so slow and what is this SVCHOST. After reading I got the answer … good info, carry on writing such useful stuff.

  2. I actually terminated the most demanding svchost process last time and the result is that my computer lost sound after that, or in other words, the system seems to be muted after that.

    It reverts back after a reboot though.

  3. Hi

    I am not sure you can conclude just by seeing the process name that the system is not infected. In fact a good trojan/virus author might use any of the anti-detection mechanisms or internal data structures, or API hooking functions to protect the trojan from detection,
    and a good trojan can inject itself into the basic processes of Windows like winlogon or SVChost etc. and execute threads for downloading or sending your private information.

    A first step would be to monitor the winshark packets, both inbound and outbound, and check whether there is any unknown activity going on. If you have a 2 way firewall to stop the activity

    The next step would be to download the sysinternals tools like process explorer, monitor and see what all the DLLs and threads are hooked in the svchost processes, and launch Depends (sysinternals) tool and check for more info …
    These are only the basic steps … you have to dig more if you want to investigate more 😉

    anyways I hope your machine is not infected 😉

    Regards
    mitmwatcher

  4. Thanks for this informative article. I also always used to kill that process coz of the common misconception that it's a virus 🙂

    Prateek
    Muziboo.com

  5. svchost is a threat when it runs under the name of administrator/user, it should run under system, network service, or local service. Anyhow that threat has a solution. Read my post Getting Rid of svchost virus

  6. Hi ……….

    I can't access orkut in my system. When I type orkut.com in the address bar, a box with a laugh opens….
    ” Foool orkut is Banned in this system, Can u gus who done this … Then I used to go to Task Manager, select the Svchost.exe running in user and press End Process. Is there any other alternative for this….

  7. […] SVCHOST.exe and the mystery behind it. […]

  8. I finally found the answer! Thanks!

  9. […] Also read: SVCHOST.exe and the mystery behind it. […]

  10. Very helpful article, thanks for posting. I thought it was a virus before reading this!
