What is svchost, and why is there more than one copy running?
Fire up Task Manager in Windows XP, hit the processes tab, and you'll see among other processes something called "svchost.exe". Again and again. In fact I have 5 copies running on my machine as I type this.
Svchost, as the name implies, stands for "Service Host". Many components of the Windows operating system are implemented as what are called "services" - a fancy name for programs that run in the background and aren't necessarily associated with whoever is logged into the machine. You can quickly see which services are running by typing "NET START" in a command window or by looking in Control Panel, Administrative Tools, then Services.
A fair number of those services are implemented in DLLs rather than in stand-alone executables. But a DLL is only a library of functions that can be called by running programs - it can't be run on its own. Enter svchost. It's a standalone program whose job is to execute services that are implemented in DLLs.
You can see which copy of svchost is running what service by typing "tasklist /svc" in a Windows XP command window. On my machine one copy of svchost is responsible for 30 separate services, another is hosting 4, and the remaining 3 have one apiece. Why this odd distribution? The only vague clue comes from Microsoft's documentation which says "this allows for better control and debugging." OK. Whatever.
Speaking of Microsoft, they have knowledge base articles on the subject. Svchost in Windows 2000 is described here, and in Windows XP here. Both descriptions include the specific registry keys that control what services are run and how they are grouped in different instances of svchost.
Svchost and Svchost.exe - Crashes, CPU maximization, viruses, exploits and more.
Many people are witnessing a svchost.exe crash and it's actually quite amazing. Unfortunately there's no single point of reference for svchost related problems. Rather than answering one single question I'll try to cover a theme that can best be summed up as:
What's The Deal with SVCHOST?
Symptoms
Do any of these symptoms sound familiar?
- Your system becomes sluggish and you find that something called svchost or dllhost is taking nearly 100% of your CPU.
- Your system reports that svchost has performed an illegal operation and will be terminated. After that various things fail to work properly, if at all.
- After you log in, your system automatically reboots in one minute.
If so, then it's almost certain that you either have a virus or your system is currently vulnerable to a particular type of exploit known as the "RPC buffer overflow". We'll look at addressing both.
But just what is svchost?
Let me tell you what it is not: On Windows XP, 2000, and 2003, svchost is not a virus. On those systems svchost is a required system component. If you happen to successfully delete it, your system will not run. You'll be much worse off than before. (Win95, 98 and Me users, see Note 1.)
Do not delete svchost.exe. Don't even think about it. [Important: do not confuse svchost, which we are discussing here, with scvhost, which has two letters transposed. They are not the same thing. The presence of scvhost may indicate a virus.]
Svchost, which is short for "service host", is a core part of the operating system that provides support to many of the required services that are Windows. You can see all the copies of svchost and what services they are running by typing "tasklist /svc" in a command window.