How to determine what services are running under a SVCHOST.EXE process
By Lawrence Abrams
Table of Contents
Watch the Windows Vista and Windows 7 SVCHOST companion video here!
Introduction
A very common question we see here at Bleeping Computer involves people concerned that there are too many SVCHOST.EXE processes running on their computer. The confusion typically stems from a lack of knowledge about SVCHOST.EXE, its purpose, and Windows services in general. This tutorial will clear up this confusion and provide information as to what these processes are and how to find out more information about them. Before we continue learning about SVCHOST, lets get a small primer on Windows services.
Services are Windows programs that start when Windows loads and that continue to run in the background without interaction from the user. For those familiar with Unix/Linux operating systems, Windows services are similar to *nix daemons. For the most part Windows services are executable (.EXE) files, but some services are DLL files as well. As Windows has no direct way of executing a DLL file it needs a program that can act as a launcher for these types of programs. In this situation, the launcher for DLL services is SVCHOST.EXE, otherwise known as the Generic Host Process for Win32 Services. Each time you see a SVCHOST process, it is actually a process that is managing one or more distinct Windows DLL services.
Outlined below are three methods, depending on your Windows version, to see what services a SVCHOST.EXE process is controlling on your computer as well as some advanced technical knowledge about svchost for those who are interested.
Determining the services running under a SVCHOST.EXE process using Process Explorer
Process Explorer, from Sysinternals, is a process management program that allows you to see the running processes on your computer and a great deal of information about each process. One of the nice features of Process Explorer is that it also gives you the ability to see what services a particular SVCHOST.EXE process is controlling.
First you need to download Process Explorer from the following site:
Process Explorer
Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer as shown in the figure below. Remember that the processes you see in this image will not be the same as what is running on your computer.
Process Explorer Screen
Scroll through the list of processes until you see the SVCHOST.EXE
process(es). To find out which services are running within a particular
SVCHOST.EXE process we need to examine the properties for the process.
To do this double-click SVCHOST.EXE entry in Process Explorer and you
will see the properties screen for the process like in the image below.
SVCHOST.EXE Properties
Finally, to view the services running in this process, click on the Services tab. You will now see a screen similar to the one below.
Services Tab
This window displays the services that are being managed by this
particular SVCHOST.EXE process. As you can see the SVCHOST.EXE that we
are currently looking at in this tutorial is managing the DCOM Server
Process Launcher and Terminal Services.
Using this method you can determine what services a SVCHOST.EXE process is controlling on your computer.
Determining the services running under a SVCHOST.EXE process using Task List
For those who like to tinker around in a Windows command prompt/console window, and have Windows XP Pro or Windows 2003, there is a Windows program called tasklist.exe that can be used to list the running processes, and services, on your computer. To use task list to see the services that a particular SVCHOST.EXE process is loading, just follow these steps:
1. Click on the Start button and then click on the Run menu command.
2. In the Open: field type cmd and press enter.
3. You will now be presented with a console window. At the command prompt type tasklist /svc /fi "imagename eq svchost.exe" and press the enter key. You will see a list of the processes on your computer as well as the services that a SVCHOST.EXE process is managing. This can be seen in the image below.
TaskList /svc output
When you are done examining the output, you can type exit and press the enter key to close the console window.
Determining the services running under a SVCHOST.EXE process in Windows Vista and Windows 7
Windows Vista and Windows 7 have enhanced their Windows Task Manager and one of its features allows us to easily see what services are being controlled by a particular SVCHOST.EXE process. To start, simply start the task manager by right clicking on the task bar and then selecting Task Manager. When Task Manager opens click on the Processes tab. You will now be presented with a list of processes that your user account has started as shown in the image below.
.
Windows 7's Current User Processes
We, though, need to see all of the processes running on the computer. To do this click on the button labeled Show All Processes. When you do this, Windows may prompt you to allow authorization to see all the processes as shown below.
Show all Processes Confirmation
Press the Continue button and the Task Manager will
reload, but this time showing all the processes running in the operating
system. Scroll down through the list of processes until you see the
SVCHOST processes as shown in the image below.
All Windows 7 Processes
Right-click on a SVCHOST process and select the Go to Service(s)
menu option. You will now see a list of services on your computer with
the services that are running under this particular SVCHOST process
highlighted. Now you can easily determine what services a particular
SVCHOST process is running in Windows Vista or Windows 7.
Determining the services running under a SVCHOST.EXE process in Windows 8
The Windows 8 Task Manager makes it much easier to find what services are running under a particular SVCHOST.exe instance. To access the Task Manager, type Task Manager from the Windows 8 Start Screen and then click on the Task Manager option when it appears in the search results. This will open the basic Task Manager as shown in the screenshot below.
To see the list of processes, click on the More details option.
Scroll down until you see the Windows Processes category and look for the Service Host entries as shown in the image below.
Next to each Service Host row process will be a little arrow. Click on this arrow to expand that particular Service Host entry to see what services are running under it.
Under the expanded Service Host, you will now see the list of services that is running under it. This allows you to easily determine what services a particular SVCHOST process is managing in Windows 8.
Advanced Information about SVCHOST.EXE
Now that we know that a single SVCHOST.EXE process can load and manage multiple services, what determines what services are grouped together under a SVCHOST instance? These groups are determined by the settings in the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
Under this key are a set of values that group various services together under one name. Each group is a REG_MULTI_SZ Registry value that contains a list of service names that belong to that group. Below you will see standard groups found in XP Pro.
Each of the service names in these groups corresponds to a service entry under the Windows Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Under each of these service entries there is a Parameters subkey that contains a ServiceDLL value which corresponds to the DLL that is used to run the service.
When Windows loads it begins to start services that are set to enabled and have an automatic startup. Some services are started using the SVCHOST.exe command. When Windows attempts to start one of these types of services and there is currently not a svchost instance running for that services group, it will create a new SVCHOST instance and then load the DLL associated with the service. If on the other hand, there is already a SVCHOST process running for that group it will just load the new service using that existing process. A service that uses SVCHOST to initialize itself, provides the name of the group as a parameter to svchost.exe command. An example would be:
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
In the above command line, the svchost process will look up the ServiceDLL associated with the service name from the DcomLaunch group and load it.
This can be confusing, so let's use an example. There is a Windows service called Distributed Link Tracking Client which has a service name TrkWks. If we examine the table above, we can see that the TrkWks service is part of the netsvcs group. If we look at the Registry key for this service we see that it's ServiceDLL is %SystemRoot%\system32\trkwks.dll. Therefore, using this information and what we learned above, we know that the executable command for the TrkWks service must be:
C:\WINDOWS\system32\svchost.exe -k netsvcs
When the TrkWks service is started Windows will check to see if there is a SVCHOST process for the netsvcs group already created. If not it will create an instance of one to handle services in the netsvcs group. The SVCHOST process for netsvcs will then start the service by executing the %SystemRoot%\system32\trkwks.dll. Once the DLL has been loaded by SVCHOST the service will then be in a started state.
Conclusion
Now that you understand what SVCHOST.EXE is and how it manages certain Windows services, seeing multiple instances in your process list should no longer be a mystery or a concern. It is not uncommon to see numerous SVCHOST entries, sometimes upwards to 8 or 9 entries, running on your computer. If you are concerned with what is running under these processes, simply use the steps described above to examine their services. If you are unsure what a particular service does and need help, feel free to ask any question you may have in of our Windows forums.
- Introduction
- Determining the services running under a SVCHOST.EXE process using Process Explorer
- Determining the services running under a SVCHOST.EXE process using TaskList
- Determining the services running under a SVCHOST.EXE process in Windows Vista and Windows 7
- Determining the services running under a SVCHOST.EXE process in Windows 8
- Advanced Information about SVCHOST.EXE
- Conclusion
Watch the Windows Vista and Windows 7 SVCHOST companion video here!
Introduction
A very common question we see here at Bleeping Computer involves people concerned that there are too many SVCHOST.EXE processes running on their computer. The confusion typically stems from a lack of knowledge about SVCHOST.EXE, its purpose, and Windows services in general. This tutorial will clear up this confusion and provide information as to what these processes are and how to find out more information about them. Before we continue learning about SVCHOST, lets get a small primer on Windows services.
Services are Windows programs that start when Windows loads and that continue to run in the background without interaction from the user. For those familiar with Unix/Linux operating systems, Windows services are similar to *nix daemons. For the most part Windows services are executable (.EXE) files, but some services are DLL files as well. As Windows has no direct way of executing a DLL file it needs a program that can act as a launcher for these types of programs. In this situation, the launcher for DLL services is SVCHOST.EXE, otherwise known as the Generic Host Process for Win32 Services. Each time you see a SVCHOST process, it is actually a process that is managing one or more distinct Windows DLL services.
Outlined below are three methods, depending on your Windows version, to see what services a SVCHOST.EXE process is controlling on your computer as well as some advanced technical knowledge about svchost for those who are interested.
Determining the services running under a SVCHOST.EXE process using Process Explorer
Process Explorer, from Sysinternals, is a process management program that allows you to see the running processes on your computer and a great deal of information about each process. One of the nice features of Process Explorer is that it also gives you the ability to see what services a particular SVCHOST.EXE process is controlling.
First you need to download Process Explorer from the following site:
Process Explorer
Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer as shown in the figure below. Remember that the processes you see in this image will not be the same as what is running on your computer.
Process Explorer Screen
SVCHOST.EXE Properties
Services Tab
Using this method you can determine what services a SVCHOST.EXE process is controlling on your computer.
Determining the services running under a SVCHOST.EXE process using Task List
For those who like to tinker around in a Windows command prompt/console window, and have Windows XP Pro or Windows 2003, there is a Windows program called tasklist.exe that can be used to list the running processes, and services, on your computer. To use task list to see the services that a particular SVCHOST.EXE process is loading, just follow these steps:
1. Click on the Start button and then click on the Run menu command.
2. In the Open: field type cmd and press enter.
3. You will now be presented with a console window. At the command prompt type tasklist /svc /fi "imagename eq svchost.exe" and press the enter key. You will see a list of the processes on your computer as well as the services that a SVCHOST.EXE process is managing. This can be seen in the image below.
TaskList /svc output
Determining the services running under a SVCHOST.EXE process in Windows Vista and Windows 7
Windows Vista and Windows 7 have enhanced their Windows Task Manager and one of its features allows us to easily see what services are being controlled by a particular SVCHOST.EXE process. To start, simply start the task manager by right clicking on the task bar and then selecting Task Manager. When Task Manager opens click on the Processes tab. You will now be presented with a list of processes that your user account has started as shown in the image below.
.Windows 7's Current User Processes
Show all Processes Confirmation
All Windows 7 Processes
Determining the services running under a SVCHOST.EXE process in Windows 8
The Windows 8 Task Manager makes it much easier to find what services are running under a particular SVCHOST.exe instance. To access the Task Manager, type Task Manager from the Windows 8 Start Screen and then click on the Task Manager option when it appears in the search results. This will open the basic Task Manager as shown in the screenshot below.
To see the list of processes, click on the More details option.
Scroll down until you see the Windows Processes category and look for the Service Host entries as shown in the image below.
Next to each Service Host row process will be a little arrow. Click on this arrow to expand that particular Service Host entry to see what services are running under it.
Under the expanded Service Host, you will now see the list of services that is running under it. This allows you to easily determine what services a particular SVCHOST process is managing in Windows 8.
Advanced Information about SVCHOST.EXE
Now that we know that a single SVCHOST.EXE process can load and manage multiple services, what determines what services are grouped together under a SVCHOST instance? These groups are determined by the settings in the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
Under this key are a set of values that group various services together under one name. Each group is a REG_MULTI_SZ Registry value that contains a list of service names that belong to that group. Below you will see standard groups found in XP Pro.
|
Group Name
|
Services in the group
|
| LocalService | Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV |
| NetworkService | DnsCache |
| netsvcs |
6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS, ShellHWDetection, helpsvc, xmlprov, wscsvc, WmdmPmSN |
| rpcss | RpcSs |
| imgsvc | StiSvc |
| termsvcs | TermService |
| HTTPFilter | HTTPFilter |
| DcomLaunch | DcomLaunch, TermService |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Under each of these service entries there is a Parameters subkey that contains a ServiceDLL value which corresponds to the DLL that is used to run the service.
When Windows loads it begins to start services that are set to enabled and have an automatic startup. Some services are started using the SVCHOST.exe command. When Windows attempts to start one of these types of services and there is currently not a svchost instance running for that services group, it will create a new SVCHOST instance and then load the DLL associated with the service. If on the other hand, there is already a SVCHOST process running for that group it will just load the new service using that existing process. A service that uses SVCHOST to initialize itself, provides the name of the group as a parameter to svchost.exe command. An example would be:
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
In the above command line, the svchost process will look up the ServiceDLL associated with the service name from the DcomLaunch group and load it.
This can be confusing, so let's use an example. There is a Windows service called Distributed Link Tracking Client which has a service name TrkWks. If we examine the table above, we can see that the TrkWks service is part of the netsvcs group. If we look at the Registry key for this service we see that it's ServiceDLL is %SystemRoot%\system32\trkwks.dll. Therefore, using this information and what we learned above, we know that the executable command for the TrkWks service must be:
C:\WINDOWS\system32\svchost.exe -k netsvcs
When the TrkWks service is started Windows will check to see if there is a SVCHOST process for the netsvcs group already created. If not it will create an instance of one to handle services in the netsvcs group. The SVCHOST process for netsvcs will then start the service by executing the %SystemRoot%\system32\trkwks.dll. Once the DLL has been loaded by SVCHOST the service will then be in a started state.
Conclusion
Now that you understand what SVCHOST.EXE is and how it manages certain Windows services, seeing multiple instances in your process list should no longer be a mystery or a concern. It is not uncommon to see numerous SVCHOST entries, sometimes upwards to 8 or 9 entries, running on your computer. If you are concerned with what is running under these processes, simply use the steps described above to examine their services. If you are unsure what a particular service does and need help, feel free to ask any question you may have in of our Windows forums.
LibreOffice
Firefox
No comments:
Post a Comment