What Is the Service Host Process (svchost.exe) and Why Are So Many Running?
By Walter Glenn on April 5th, 2017
If you’ve ever browsed through Task Manager, you may have wondered why there are so many Service Host processes running. You can’t kill them, and you sure didn’t start them. So, what are they?
The Service Host process serves as a shell for loading services from DLL files. Services are organized into related groups and each group is run inside a different instance of the Service Host Process. That way, a problem in one instance doesn’t affect other instances. This process is a vital part of Windows that you cannot prevent from running.
This article is part of our ongoing series explaining various processes found in Task Manager, like dwm.exe, ctfmon.exe, mDNSResponder.exe, conhost.exe, rundll32.exe, Adobe_Updater.exe, and many others. Don’t know what those services are? Better start reading!
So What Is the Service Host Process?
Here’s the answer, according to Microsoft:
Svchost.exe is a generic host process name for services that run from dynamic-link libraries.
But that doesn’t really help us much. Some time ago, Microsoft started changing much of the Windows functionality from relying on internal Windows services (which ran from EXE files) to using DLL files instead. From a programming perspective, this makes code more reusable and arguably easier to keep up to date. The problem is that you can’t launch a DLL file directly from Windows the same way you can an executable file. Instead, a shell that is loaded from an executable file is used to host these DLL services. And so the Service Host process (svchost.exe) was born.
Why Are There So Many Service Host Processes Running?
If you’ve ever taken a look at the Services section in Control Panel, you’ve probably noticed that Windows requires a lot of services. If every single service ran under one Service Host process, a failure in one service could potentially bring down all of Windows. Instead, they are separated out.
Services are organized into logical groups that are all somewhat related, and then a single Service Host instance is created to host each group. For example, one Service Host process runs the three services related to the firewall. Another Service Host process might run all the services related to the user interface, and so on. In the image below, for example, you can see that one Service Host process runs several related network services, while another runs services related to remote procedure calls.
Is There Anything For Me To Do With All This Information?
Honestly, not a lot. In the days of Windows XP (and previous versions), when PCs had much more limited resources and operating systems weren’t quite as fine-tuned, stopping Windows from running unnecessary services was often recommended. These days, we don’t recommend disabling services anymore. Modern PCs tend to be loaded with memory and high-powered processors. Add that to the fact that the way Windows services are handled in modern versions (and what services run) has been streamlined, and eliminating services you think you don’t need really doesn’t have much of an impact any more.
That said, if you notice that a particular instance of Service Host—or a related service—is causing trouble, like continual excessive CPU or RAM usage, you could check into the specific services that are involved. That might at least give you an idea of where to start troubleshooting. There are a few ways to go about seeing exactly what services are being hosted by a particular instance of Service Host. You can check up on things within Task Manager or using a great third-party app named Process Explorer.
Check Related Services in Task Manager
If you’re using Windows 8 or 10, processes are shown on the “Processes” tab of Task Manager by their full names. If a process serves as a host for multiple services, you can see those services by simply expanding the process. This makes it very easy to identify which services belong to each instance of the Service Host process.
You can right-click any individual service to stop the service, view it in the “Services” Control Panel app, or even search online for information about the service.
If you’re using Windows 7, things are a bit different. The Windows 7 Task Manager did not group processes the same way, nor did it show regular process names—it only showed all the instances of “svchost.exe” running. You had to explore a bit to determine the services related to any particular instance of “svchost.exe.”
On the “Processes” tab of Task Manager in Windows 7, right-click on a particular “svchost.exe” process, and then choose the “Go to Service” option.
This will flip you over to the “Services” tab, where the services running under that “svchost.exe” process are all selected.
You can then see the full name of each service in the “Description” column, so you can choose to disable the service if you don’t want it running or troubleshoot why it’s giving you problems.
Check Related Services Using Process Explorer
Microsoft also provides an excellent advanced tool for working with processes as part of its Sysinternals lineup. Just download Process Explorer and run it—it’s a portable app, so no need to install it. Process Explorer provides all kinds of advanced features—and we highly recommend reading our guide to understanding Process Explorer to learn more.
For our purposes here, though, Process Explorer groups related services under each instance of “svchost.exe.” They’re listed by their file names, but their full names are also shown in the “Description” column. You can also hover your mouse pointer over any of the “svchost.exe” processes to see a popup with all the services related to that process—even those that aren’t currently running.
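The same process-to-service mapping can be pulled from the command line. This PowerShell snippet is an added example, not part of the original article. It uses the built-in Win32_Service and Win32_Process CIM classes, and it assumes the service group appears after `-k` on the svchost.exe command line.

```powershell
# Added example: list the services hosted by each running svchost.exe instance.
# Uses only built-in cmdlets; run from an elevated prompt for complete results.

# Win32_Service.ProcessId is the PID of the process hosting the service
# (0 when the service is not running).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 }

# Win32_Process exposes the command line; for svchost.exe the service group
# follows "-k" (for example "-k netsvcs").
$svcHosts = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'"

$report = foreach ($p in $svcHosts) {
    # Services whose hosting PID matches this svchost.exe instance
    $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId }

    # The command line can be empty when the caller lacks rights to read it.
    $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(unknown)' }

    [pscustomobject]@{
        PID          = $p.ProcessId
        Group        = $group
        MemoryMB     = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Services     = ($hosted.Name | Sort-Object) -join ', '
        DisplayNames = ($hosted.DisplayName | Sort-Object) -join '; '
    }
}

# Heaviest instances first, so a misbehaving service group stands out.
$report | Sort-Object MemoryMB -Descending |
    Format-Table PID, Group, MemoryMB, Services -AutoSize -Wrap
```

Use `$report | Format-List` to see the full display names alongside the short service names.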
Could this Process Be a Virus?
The process itself is an official Windows component. While it’s possible that a virus has replaced the real Service Host with an executable of its own, it’s very unlikely. If you’d like to be sure, you can check out the underlying file location of the process. In Task Manager, right-click any Service Host process and choose the “Open File Location” option.
If the file is stored in your Windows\System32 folder, then you can be fairly certain you are not dealing with a virus.
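To run that location check across every instance at once, the following PowerShell snippet is an added example, not part of the original article. It goes a step beyond the folder check by also reading each file's Authenticode signature and parent process. The SysWOW64 path and the expectation that the parent is services.exe are assumptions about a standard Windows installation.

```powershell
# Added example: verify image path, signature and parent of every svchost.exe.
# Run elevated; without admin rights ExecutablePath can be empty for system processes.
$sys32   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$wow64   = Join-Path $env:SystemRoot 'SysWOW64\svchost.exe'   # 32-bit copy on 64-bit Windows
$allProc = Get-CimInstance -ClassName Win32_Process

$findings = foreach ($p in $allProc | Where-Object Name -eq 'svchost.exe') {
    $path   = $p.ExecutablePath
    $parent = $allProc | Where-Object ProcessId -eq $p.ParentProcessId |
              Select-Object -First 1

    # The check from the article: the image must live in the Windows system folder.
    $pathOk = $path -and ($path -ieq $sys32 -or $path -ieq $wow64)

    # svchost.exe is catalog-signed. Older PowerShell versions may report
    # catalog-signed files as NotSigned, so treat that result as
    # "needs a closer look", not as proof of tampering.
    $sig   = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $sigOk = $sig -and $sig.Status -eq 'Valid' -and
             $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'

    [pscustomobject]@{
        PID               = $p.ProcessId
        Path              = if ($path) { $path } else { '(not readable)' }
        PathOk            = [bool]$pathOk
        Signature         = if ($sig) { $sig.Status } else { 'n/a' }
        SignedByMicrosoft = [bool]$sigOk
        # Informational: service hosts are normally started by services.exe.
        Parent            = if ($parent) { $parent.Name } else { '(exited)' }
    }
}

$findings | Format-Table -AutoSize

# Instances that fail the path or signature check deserve a closer look.
$findings | Where-Object { -not $_.PathOk -or -not $_.SignedByMicrosoft }
```

An empty result from the last line means every running instance was loaded from the expected folder and carries a valid Microsoft signature.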
That said, if you still want a little more peace of mind, you can always scan for viruses using your preferred virus scanner. Better safe than sorry!