How to determine what services are running under a SVCHOST.EXE process
A very common question we see here at Bleeping Computer involves people concerned that there are too many SVCHOST.EXE processes running on their computer. The confusion typically stems from a lack of knowledge about SVCHOST.EXE, its purpose, and Windows services in general. This tutorial will clear up this confusion and provide information as to what these processes are and how to find out more information about them. Before we continue learning about SVCHOST, lets get a small primer on Windows services.
Services are Windows programs that start when Windows loads and that continue to run in the background without interaction from the user. For those familiar with Unix/Linux operating systems, Windows servers are similar to *nix daemons. For the most part Windows services are executable (.EXE) files, but some services are DLL files as well. As Windows has no direct way of executing a DLL file it needs a program that can act as a launcher for these types of programs. In this situation, the launcher for DLL services is SVCHOST.EXE, otherwise known as the Generic Host Process for Win32 Services. Each time you see a SVCHOST process, it is actually a process that is managing one or more distinct Windows DLL services.
Outlined below are three methods, depending on your Windows version, to see what services a SVCHOST.EXE process is controlling on your computer as well as some advanced technical knowledge about svchost for those who are interested.
Process Explorer, from Sysinternals, is a process management program that allows you to see the running processes on your computer and a great deal of information about each process. One of the nice features of Process Explorer is that it also gives you the ability to see what services a particular SVCHOST.EXE process is controlling.
First you need to download Process Explorer from the following site:
Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer as shown in the figure below. Remember that the processes you see in this image will not be the same as what is running on your computer.
Process Explorer Screen
Scroll through the list of processes until you see the SVCHOST.EXE process(es). To find out which services are running within a particular SVCHOST.EXE process we need to examine the properties for the process. To do this double-click SVCHOST.EXE entry in Process Explorer and you will see the properties screen for the process like in the image below.
Finally, to view the services running in this process, click on the Services tab. You will now see a screen similar to the one below.
This window displays the services that are being managed by this particular SVCHOST.EXE process. As you can see the SVCHOST.EXE that we are currently looking at in this tutorial is managing the DCOM Server Process Launcher and Terminal Services.
Using this method you can determine what services a SVCHOST.EXE process is controlling on your computer.
For those who like to tinker around in a Windows command prompt/console window, and have Windows XP Pro or Windows 2003, there is a Windows program called tasklist.exe that can be used to list the running processes, and services, on your computer. To use task list to see the services that a particular SVCHOST.EXE process is loading, just follow these steps:
1. Click on the Start button and then click on the Run menu command.
2. In the Open: field type cmd and press enter.
3. You will now be presented with a console window. At the command prompt type tasklist /svc /fi “imagename eq svchost.exe” and press the enter key. You will see a list of the processes on your computer as well as the services that a SVCHOST.EXE process is managing. This can be seen in the image below.
TaskList /svc output
When you are done examining the output, you can type exit and press the enter key to close the console window.
Windows vista has enhanced their Windows Task Manager and one of its features allows us to easily see what services are being controlled by a particular SVCHOST.EXE process. To start, simply start the task manager by right clicking on the task bar and then selecting Task Manager. When Task Manager opens click on the Processes tab. You will now be presented with a list of processes that your Vista user account has started as shown in the image below.
Vista’s Current User Processes
We, though, need to see all of the processes running on the computer. To do this click on the button labeled Show All Processes. When you do this Windows Vista will prompt you to allow authorization to see all the processes as shown below.
Show all Vista Processes Confirmation
Press the Continue button and the Vista task manager will reload, but this time showing all the processes running in the operating system. Scroll down through the list of processes until you see the SVCHOST processes as shown in the image below.
All Vista Processes
Right-click on a SVCHOST process and select the Go to Service(s) menu option. You will now see a list of services on your computer with the services that are running under this particular SVCHOST process highlighted. Now you can easily determine what services a particular SVCHOST process is running in Windows Vista.
Now that we know that a single SVCHOST.EXE process can load and manage multiple services, what determines what services are grouped together under a SVCHOST instance? These groups are determined by the settings in the following Windows Registry key:
Under this key are a set of values that group various services together under one name. Each group is a REG_MULTI_SZ Registry value that contains a list of service names that belong to that group. Below you will see standard groups found in XP Pro.
Services in the group
|LocalService||Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV|
|netsvcs||6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP,
ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias,
Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman,
Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess,
Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks,
W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv,
BITS, ShellHWDetection, helpsvc, xmlprov, wscsvc, WmdmPmSN
Each of the service names in these groups corresponds to a service entry under the Windows Registry key:
Under each of these service entries there is a Parameters subkey that contains a ServiceDLL value which corresponds to the DLL that is used to run the service.
When Windows loads it begins to start services that are set to enabled and have an automatic startup. Some services are started using the SVCHOST.exe command. When Windows attempts to start one of these types of services and there is currently not a svchost instance running for that services group, it will create a new SVCHOST instance and then load the DLL associated with the service. If on the other hand, there is already a SVCHOST process running for that group it will just load the new service using that existing process. A service that uses SVCHOST to initialize itself, provides the name of the group as a parameter to svchost.exe command. An example would be:
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
In the above command line, the svchost process will look up the ServiceDLL associated with the service name from the DcomLaunch group and load it.
This can be confusing, so let’s use an example. There is a Windows service called Distributed Link Tracking Client which has a service name TrkWks. If we examine the table above, we can see that the TrkWks service is part of the netsvcs group. If we look at the Registry key for this service we see that it’s ServiceDLL is %SystemRoot%\system32\trkwks.dll. Therefore, using this information and what we learned above, we know that the executable command for the TrkWks service must be:
C:\WINDOWS\system32\svchost.exe -k netsvcs
When the TrkWks service is started Windows will check to see if there is a SVCHOST process for the netsvcs group already created. If not it will create an instance of one to handle services in the netsvcs group. The SVCHOST process for netsvcs will then start the service by executing the %SystemRoot%\system32\trkwks.dll. Once the DLL has been loaded by SVCHOST the service will then be in a started state.
Now that you understand what SVCHOST.EXE is and how it manages certain Windows services, seeing multiple instances in your process list should no longer be a mystery or a concern. It is not uncommon to see numerous SVCHOST entries, sometimes upwards to 8 or 9 entries, running on your computer. If you are concerned with what is running under these processes, simply use the steps described above to examine their services.