How To Identify What Programs Started svchost.exe in Windows
I've been on a mission to decrease windows startup time and increase performance of my new Vista Computer. I have cut down on the number of services that need to be started and have been making some pretty good progress. I often check task manager to see how many process are running, and constantly see several svchost.exe processes.
How can I find out what is starting this process?
I can understand your confusion with svchost.exe. It seems like it's a "mystery" process that continues to multiply the longer Windows is running. But there is good reason why this process exists.
Some Components of Windows, that are implemented as Services, are known as Programs (executable) and run the background. These Programs are known as stand alone programs.
Another type of program exist, known as DLL's, which are a library of functions, that can not be implemented as a Service and run in the background on it's own. Because of this, a program named svchost.exe exist to run programs, implemented as DLL's, as a service.
Still confused? Let's take a visual look and see what programs (DLL's) are running that have been started by svchost.exe.
Open a command prompt and enter:
tasklist /svc /FI "IMAGENAME eq svchost.exe"
The above command will list all the svchost.exe processes and display the programs (DLL's) that have been started by svchost.exe.
Below is the output from my Computer (I have formatted so it can be viewed easily):
C:\Users\wtn>tasklist /svc /FI "IMAGENAME eq svchost.ex"e
Image Name PID Services
=========== ==== ========
svchost.exe 768 DcomLaunch, PlugPlay
svchost.exe 828 RcSs
svchost.exe 856 WinDefend
svchost.exe 1012 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe 1036 AudioEndpointBuilder, Netman, PcaSvc,
SysMain, TrkWks, UxSms, WdiSystemHost,
Wlansvc, WPDBusEnum, wudfsvc
svchost.exe 1048 AeLookupSvc, BITS, EapHost, gpsvc,
LanmanServer, MMCSS, ProfSvc, RasMan,
Schedule, seclogon, SENS, ShellHWDetection,
Themes, Winmgmt, wuauserv
svchost.exe 1224 EventSystem, fdPHost, FDResPub,
LanmanWorkstation, netprofm, nsi, SSDPSRV,
upnphost, W32Time, wcncsvc, WebClient
svchost.exe 1404 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv
svchost.exe 1608 BFE, DPS
svchost.exe 2000 stisvc
svchost.exe 340 WerSvc
Notice, I have ten instances of svchost.exe running with some of them responsible for starting multiple programs. You can clearly see what the programs are, such as Dnscache, Schedule, and. Windefend.
It's unknown as to exactly how and why svchost.exe runs in this fashion, but it may be for performance and troubleshooting (debugging) reasons.
Since the outout also displays the PID (Process Identification), you can then look at task Manager and see how much CPU and Memory each svchost process is consuming.
If you are not a fan of the command prompt, you can use the tool Process Explorer for identifing processes started by svchost.exe.
With Process Explorer, just mouse over the process and it will display all the services running inside svchost,exe. To get more information such as, CPU, memory, etc, right click on the process and select Properties.
To get more information such as, CPU, memory, etc, right click on the process and select Properties.
As you can see svchost.exe is one process you do not want to kill or prevent from starting.
Filed under Windows Tips, Windows Vista Tips by 
Leave a Comment
Comments on How To Identify What Programs Started svchost.exe in Windows
Thanks for the info mate, I have a quite a few svchost.exe instances running, but now I know it's alright.
I think you have failed your mission, you have Vista LOL, sorry, thats low
hello,
Please i have been having the svchost/exe error on my system and it is giving me so much cause for worry, please can u send me the the detail infomation on how i can solve the problem. Thank you as i anticipation your reply. Bye.
I ran this also I use windows XP SP2, and says not recognized. I copy and pasted and am savvy as well.
Thanks! Ran it here as quoted and worked well.
Something is calling SVChost which in turn tries to access the internet. This could be a trojan or something else undesirable, so I want to know what program is calling the SVChost. May be earthlink, who only does my Email these days, but they do weird things to verify if you are "On". Real Player trys to run a constant message board, that I hope I got shut off.
I tried the command line approach above, and it runs. In a flash. Then closes. No time to read what it says. Why doesn't that pane persist?
Is there a better, or alternative way to figure out who is constantly trying to access the internet on my computer? It is asking for server privilege, which I have nearly eliminated by the ZoneAlarm "ask" option, so not much happens, other than it is driving me nuts answering the "ask" panel. I would just flat blacklist, except that there are many valuable uses.
@Gus from California
Make sure you open a command prompt first, then run the command. If you use Start \ Run it will do exactly what you described (runs, then closes quickly).
thank you for the command line commands.
Is it possible for a malware program to use svchost.exe?
@greg
Absolutely. With virus and malware programs they usually try to hide themselves by naming themselves after processes or critical system files. Additionaly they are placed in different locations on your computer. Because they do this, you will be less likely to delete it.
One wayto find them is to use a tool such as Process Explorer. Check out the article How To Identify Unknown Processes In Windows for more information.
i have process explorer. and i know i have a yucky trojan/malware problem i have been trying to get rid of unsuccessfully so far. and i have concluded through various malwarebytes anti malware scans and sd fixes etc etc that the file or shellpaths of the 2 rundll32 processes listed are in fact this trojan. ive always been unsure about the svchost.exe processes… but when i looked at the 'properties' of the process, i noticed it named the "parent" of this rundll32 (run a dll as an app) process, which was svchost.exe and in parentheses (916)
and there is a svchost process (916) in my list. i want to kill the process but i want to make sure its not an important process that also handles things my computer cannot function without, despite its infection.
can you tell me if its ok or not to just kill that svc host process its parented by?
im super tired, i hope all that made sense
also, what happens when you "suspend" a process>?
THANKS!!
I'm running WinXP SP2 Home. When I enter "tasklist….." in a command window, it says " 'tasklist' is not recognized as an internal or external command, operable program or batch file."
@Justin O
I did a little digging and found that tasklist is not included with Windows XP Home editions.
Instead, use Process Explorer (mentioned in the article). Or if you have access to a computer running Windows XP Professional, you can copy tasklist.exe to your computer (just copy it to \Windows\System32 folder).
If you are comfortable working with the Registry, you can get a good understanding of the description & functions of Svchost.exe at http://support.microsoft.com/kb/314056
Sometimes the red light is on constantly on my PC.
Sometimes when I leave the comp' the red light is on constanly.
If I move the mouse or press a key the red light slows and then flashes slowly.
Recently I managed to open task manager and could see that svchost.exe and wuauclt were busy in processes.
The OS is supposed to be W XP Home, sometimes it is W XP Professional, it depends what I happen to look at regarding info' it has on it.
I was able to put the tasklist etc into command prompt and it gave a list of the svchost.exe.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\home>tasklist /svc /FI "IMAGENAME eq svchost.exe"
Image Name PID Services
========================= ====== =============================================
svchost.exe 700 DcomLaunch, TermService
svchost.exe 780 RpcSs
svchost.exe 848 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
EventSystem, FastUserSwitchingCompatibility,
helpsvc, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt, wscsvc,
wuauserv, WZCSVC
svchost.exe 1116 Dnscache
svchost.exe 1268 LmHosts, SSDPSRV
svchost.exe 1844 WebClient
svchost.exe 2328 stisvc
I was able to select-copy-paste the result as you see it above from the command prompt.
Qs: Why are the numbers different?
Does anyone recognise any malware in amongst the list?
Hello! abgcefa interesting abgcefa site!
I have had it with MS and the malware they call an OS. Switching to Ubuntu and getting Windblows off of my perfectly good Sony Vaio.
Die a horrible death Balmer and Gates.
@Watching The Net:
I have Windows XP Professional SP3 and yet I get the same error as Justin O when I try to use the tasklist command in command prompt. Will look at Process Explorer.
Several times I've killed a sprialing svchost.exe process which was eating up memory which has usually resulted in my sound device subseqently not being recognised by my pc until I reboot. I notice wmprise.exe regularly runs. Have AVG and FIREFOX which I'm aware seem to have conflicts.