You may have noticed an incipient problem on your PC these days: it’s inundated with millions of mysterious svchost.exe processes!
What are these enigmatic processes doing on your computer? You don’t remember installing any program called svchost.exe so is this some kind of virus? Maybe spyware?
In addition, why are there so many of them? You can probably live with one or two esoteric processes with the same name but when dozens swarm your task manager it can feel disconcerting.
What’s worse, all efforts to kill the svchost.exe process are abortive. Those intractable processes chronically refuse to die and usually re-spawn themselves like zombies from a bad horror flick. Even if you somehow tricked one into dying, they ineluctably return.
Man that sounds evil: “tricked it to die” haha but who cares, we’re talking about processes here so it’s all good
Here’s what’s going on
The lowdown on svchost.exe
svchost is an abbreviation for Service Host and is a critical Windows component. Although some malware has been known to masquerade as the svchost process, it’s actually very easy to discern whether the process is authentic or not.
If the svchost.exe file is located in any folder other than C:\Windows\System32 then it’s malware. Here’s how to check:
In Windows 8 and 8.1, open the Task Manager, click over to the Details tab then click the Name column to sort by process name.
Scroll down to all your redundant svchost.exe processes and right-click each one and choose Open File Location.
If you find one living outside the haven of C:\Windows\System32 then you should immediately scan your computer for viruses to remove it.
Legitimate svchost.exe processes always live inside C:\Windows\System32 and they’re the good guys. They’re not only innocuous but also integral to the smooth operations of your computer.
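The Task Manager check above, scripted in PowerShell as an added example (not code from the original article). It applies the article's System32 rule to every running svchost.exe and, going one step beyond the article, also flags any instance whose parent is not services.exe, the Service Control Manager that normally starts service hosts; the column names and verdict strings are made up for this example.

```powershell
# Added example: apply the article's System32 rule to every running svchost.exe.
# Run from an elevated PowerShell prompt, otherwise some paths come back empty.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
$all      = Get-CimInstance Win32_Process

# PID -> image name, so each svchost.exe can be shown with its parent's name.
$nameByPid = @{}
foreach ($p in $all) { $nameByPid[[int]$p.ProcessId] = $p.Name }

$report = foreach ($p in ($all | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent = $nameByPid[[int]$p.ParentProcessId]
    if (-not $parent) { $parent = '<exited>' }

    $issues = @()
    if (-not $p.ExecutablePath) {
        # Windows hides the image path of some service hosts from non-admins.
        $issues += 'path not readable (not elevated?)'
    }
    elseif ($p.ExecutablePath -ne $expected) {
        # -ne ignores case, so C:\WINDOWS\system32\... still matches.
        $issues += 'outside System32'
    }
    if ($parent -ne 'services.exe') {
        # Extra check, not from the article: service hosts are started by services.exe.
        $issues += "started by $parent"
    }

    $verdict = 'OK'
    if ($issues) { $verdict = 'REVIEW: ' + ($issues -join '; ') }

    [pscustomobject]@{
        PID     = $p.ProcessId
        Path    = $p.ExecutablePath
        Parent  = $parent
        Verdict = $verdict
    }
}

# Anything needing a second look sorts to the top.
$report | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

A REVIEW row is a prompt to look closer (and to run the virus scan the article recommends), not proof of infection by itself.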
The svchost process hosts or better said, contains, bunches of Windows services that perform specific tasks. svchost.exe is just a process that groups related Windows services.
Microsoft’s rationale is that if every Windows service ran under a single svchost.exe instance, then one frozen service could potentially debilitate the entire computer. Thus, Microsoft prudently decided to adopt a modular approach and corral related services into related sections.
So for example, all the services related to the Windows Firewall run under one instance of svchost.exe and all services pertinent to cryptographic functions exist under a completely disparate instance of svchost.exe.
Falling in love with svchost.exe
It’s spring and love is in the air but I’m a geek not a matchmaker like Patti Stanger; therefore, I can’t augment your love life but I sure as heck can make you love your Windows processes.
Wait wait wait, I know what you’re thinking: I can see the dubiety on your face already.
The wrinkled brow and the incredulous look of disbelief as this gawky Vonnie guy posits an absurd notion that is only matched in weirdness by his clunky, magniloquent prose.
But I hold my ground – I can make you a believer!
It’s possible to fall in love with this insipid, deathly boring process. You just have to learn a little bit about its personality first.
The first thing we need to do is figure out which services are assigned to which svchost.exe clone. We can also view which svchost.exe process is consuming the most CPU cycles and then can make an informed decision to disable or remove that process.
Let me show you what I mean.
Open the Windows Task Manager by pressing Ctrl + Shift + Esc or right-clicking the Taskbar at the base of the screen and choosing Task Manager.
Click over to the Details tab and scroll down to those maverick svchost.exe processes.
Right click one and choose Go to service(s).
Windows jumps at your click and displays relevant services with alacrity.
Here you can see that first svchost.exe process comprises the following services:
If you look in the Description column you’ll see a friendly name for each service.
But this is the thing: I’ll be the first to admit some of these names aren’t very friendly. For example, there’s nothing affable about System Events Broker.
What the heck is a System Events Broker?
Is there some agent on my computer who sells my system events to other brokers or something? When I hear the word “broker” I think Real Estate but System Events have nothing to do with Real Estate so what gives?
To get more information about the service so you can see if it’s safe to stop, just right click it and choose Search online.
Fun with the Command Line
I love the Windows command line because:
- It makes me feel smart when I use it right
- And well… it makes me feel smart when I use it right
That’s right, using the command line will make you feel smart and heck, who doesn’t want that?
I’m going to show you how to deftly use the command line to view all the services assigned to a particular svchost.exe instance.
I just figured this out today so I’m pretty stoked.
Check it out:
Press the Windows logo button on your keyboard + x + a to open a command prompt with Administrator privileges.
Now enter the following command:
tasklist /SVC /FO TABLE /FI "IMAGENAME eq svchost.exe"
I know it’s a bit verbose and I won’t bore you with the command arguments listed above. Instead, I’ll let you read the help file on a lonely Friday afternoon by pressing
Anyway, this command is pretty sick.
It shows you all the services assigned to each svchost.exe process.
That PID column in the middle stands for Process Identifier and is basically the unique name for each svchost.exe process. So you can slap open the Task Manager, click the Services tab and then sort all services by the PID column.
Admittedly, you don’t have to do this command line trick to manage your svchosts but I think it’s pretty kick ass so I had to include it.
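The same service-to-PID mapping with CPU time added, so the busiest svchost.exe and the services inside it sit on the top row. This is an added PowerShell example, not a command from the original article; the column names are made up here.

```powershell
# Added example: list each svchost.exe instance with its hosted services,
# busiest first. Run elevated, or CPU time reads as 0 for some instances.

# PID -> svchost.exe process object (gives CPU seconds and memory use).
$hostByPid = @{}
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    ForEach-Object { $hostByPid[[int]$_.Id] = $_ }

Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Where-Object { $hostByPid.ContainsKey([int]$_.ProcessId) } |
    Group-Object ProcessId |
    ForEach-Object {
        $id   = [int]$_.Name          # Group-Object exposes the key as a string
        $proc = $hostByPid[$id]
        [pscustomobject]@{
            PID        = $id
            # CPU is total processor time since the process started,
            # not the live percentage Task Manager shows.
            CpuSeconds = [math]::Round([double]$proc.CPU, 1)
            MemoryMB   = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            Services   = ($_.Group.Name | Sort-Object) -join ', '
        }
    } |
    Sort-Object CpuSeconds -Descending |
    Format-Table -AutoSize -Wrap
```

The names in the Services column are the short service names, the same ones net stop and net start accept.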
You can also disable services that svchost.exe shouldn’t launch by running another catchy command.
I’m going to stop the AudioService named Audiosrv with net stop.
net stop Audiosrv
The converse net start does the opposite so you can usually back out of this one if you make a mistake.
Of course, you need to thoroughly research the service before you disable it or you could lock up the computer. Also, if you discover that you’re having to disable a service because it’s constantly pegging your CPU you might want to permanently uninstall it.
Windows Key + x + f will do the trick.
The Bottom Line
- svchost.exe is only a virus if it’s living outside C:\Windows\System32.
- svchost.exe is good and functions like a container for relevant services
- BonChon chicken on 38th and 7th in Manhattan is the bomb and I’m about to grab a bucket right now.