Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

What is svchost.exe? Is it a virus? Can I kill it? - fixedByVonnie

What is svchost.exe? Is it a virus? Can I kill it?

Posted on by vonnie 18 Comments ↓

You may have noticed an incipient problem on your PC these days: it’s inundated with millions of mysterious svchost.exe processes!

What are these enigmatic processes doing on your computer?  You don’t remember installing any program called svchost.exe so is this some kind of virus?  Maybe spyware?

In addition, why are there so many of them?  You can probably live with one or two esoteric processes with the same name but when dozens swarm your task manager it can feel disconcerting.

What’s worse, all efforts to kill the svchost.exe process are abortive. Those intractable processes chronically refuse to die and usually re-spawn themselves like zombies from a bad horror flick.  Even if you you somehow tricked it to die, they ineluctably return.

Man that sounds evil: “tricked it to die” haha but who cares, we’re talking about processes here so it’s all good

Here’s what’s going on

The lowdown on svchost.exe

svchost is an abbreviation for Service Host and is a critical Windows component.  Although some malware have been known to masquerade as the svchost process, it’s actually very easy to discern whether the process is authentic or not.

If the svchost.exe file is located in any folder other than C:\Windows\System32 then it’s malware.  Here’s how to check:

In Windows 8 and 8.1, open the Task Manager, click over to the Details tab then click the Name column to sort by process name.

Scroll down to all your redundant svchost.exe processes and right-click each one and choose Open File Location.

Windows 8.1 Open File Location

If you find one living outside the haven of C:\Windows\System32 then you should immediately scan your computer for viruses to remove it.

Legitimate svchost.exe processes always live inside C:\Windows\System32 and their the good guys.  They’re not only innocuous but also integral to the smooth operations of your computer.

The svchost process hosts or better said, contains, bunches of Windows services that perform specific tasks.  svchost.exe is just a process that groups related Windows services.

Microsoft’s rationale is that if every Windows service ran under a single svchost.exe instance than if one service froze it could potentially debilitate the entire computer.  Thus, Microsoft prudently decided to adopt a modular approach and corral related services into related sections.

So for example, all the services related to the Windows Firewall run under one instance of svchost.exe and all services pertinent to cryptographic functions exist under a completely disparate instance of svchost.exe.

Falling in love with svchost.exe

It’s spring and love is in the air but I’m a geek not a matchmaker like Patti Stanger; therefore, I can’t augment your love life but I sure as heck can make you love your Windows processes.

Wait wait wait, I know what you’re thinking:  I can see the dubiety on your face already.

The grimace.

The wrinkled brow and the incredulous look of disbelief as this gawky Vonnie guy posits an absurd notion that is only matched in weirdness by his clunky, magniloquent prose.

But I hold my ground – I can make you believer!

It’s possible to fall in love with this insipid, deathly boring process. You just have to learn a little bit about its personality first.

The first thing we need to do is figure out which processes are assigned to which svchost.exe clone.  We can also view which svchost.exe process is consuming the most CPU cycles and then can make an informed decision to disable or remove that process.

Let me show you what I mean.

Open the Windows Task Manager by pressing Ctrl + Shift + Esc or right-clicking the Taskbar at the base of the screen and choosing Task Manager.

Click over to the Details tab and scroll down to those maverick svchost.exe processes.

Right click one and choose Go to service(s).

Windows 8.1 Task Manager Go to Service

Windows jumps at your click and displays relevant services with alacrity.

Here you can see that first svchost.exe process comprises the following services:

  • SystemEventsBroker
  • Power
  • PlugPlay
  • LSM
  • DcomLaunch
  • BrokerInfrastrure

If you look in the Description tab you’ll see a friendly name for each process.

Windows 8.1 Task Manager Service Details

But this is the thing: I’ll be the first to admit some of these names aren’t very friendly.  For example, there’s nothing affable about System Events Broker.

What the heck is a System Events Broker?

Is there some agent on my computer who sells my system events to other brokers or something?  When I hear the word “broker” I think Real Estate but System Events have nothing to do with Real Estate so what gives?

To get more information about the service so you can see if it’s safe to stop, just right click it and choose Search online.

Windows 8.1 search service details online

Fun with the Command Line

I love the Windows command line because:

  1. It makes me feel smart when I use it right
  2. And well… it makes me feel smart when I use it right

That’s right, using the command line will make you feel smart and heck, who doesn’t want that?

I’m going to show you how to deftly use the command line to view all the services assigned to a particular svchost.exe instance.

I just figured this out today so I’m pretty stoked.

Check it out:

Press the Windows logo button on your keyboard + x + a to open a command prompt with Administrator privileges.

Now enter the following command:

tasklist /SVC /FO TABLE /FI "IMAGENAME eq svchost.exe

I know it’s a bit verbose and I won’t bore you with the command arguments listed above.  Instead, i’ll let you read the help file on a lonely Friday afternoon by pressing

tasklist /?

Windows 8.1 SVCHOST tasklist from command line

Anyway, this command is pretty sick.

It shows you all the services assigned to each svchost.exe process.

That PID column in the middle stands for Process Identifier and is basically the unique name for each svchost.exe process.  So you can slap open the Task Manager, click the Services tab and then sort all services by the PID column.

Admittedly, you don’t have to do this command line trick to manage your svchosts but I think it’s pretty kick ass so I had to include it.

You can also disable services that svchost.exe shouldn’t launch by running another catchy command.

I’m going to stop the AudioService named Audiosrv with net stop.

net stop Audiosrv

Windows 8.1 Net Stop Service

The converse net start does the opposite so you can usually back out of this one if you make a mistake.

Of course, you need to thoroughly research the service before you disable it or you could lock up the computer.  Also, if you discover that you’re having to disable a service because it’s constantly pegging your CPU you might want to permanently uninstall it.

Windows Key + x + f will do the trick.

The Bottom Line

  • svchost.exe is only a virus if it’s living outside C:\Windows\System32.
  • svchost.exe is good and functions like a container for relevant services
  • BonChon chicken on 38th and 7th in Manhattan is the bomb and I’m about to grab a bucket right now.
About

Connect with Vonnie on Twitter

Posted in Security, Windows, Windows 7, Windows 8, Windows 8.1 Tagged with:

  • Pingback: 2 Essential Windows 8.1 programs for the Summer | fixedByVonnie()

  • Yorim Sora Pasila

    nice info, thanks! at first when i saw so manny damn svchost in my taskmanager, i was like : uh oh wtf happend here, but after reading this, i understand that my uh oh is just a bit too much,

  • Richard

    Hi – That was useful, thanks.

    When I try to pipe the results with the command:
    tasklist /SVC /FO TABLE /FI “IMAGENAME eq svchost.exe > C:pid.txt

    I get an “Invalid query” msg. Any idea why?

    • FlRoin tataru

      Move tasklist /SVC /FO TABLE /FI “IMAGENAME eq svchost.exe
      to
      tasklist /SVC /FO TABLE /FI “IMAGENAME eq svchost.exe”

      It will work then ….

      • Richard

        Doh!

        Thanks, R.

  • Karsten Holm

    Thks for bringing light to my frustrated life, i will imidiately go and get that bucket of chicken

  • daviddavy

    Thanks for the info. I’m running Windows 8.1. I had to right click on Properties in the name column to find the svchost files location.
    I have another screaming problem. After recent Microsoft Updates my computer will not start up normally. I turn on and Start Screen appears, but only on left mouse click will lock screen appear. The password box is locked/dead. I have to click Power Button and select Restart. It takes 3 – 5 minutes for the computer to reboot to Start Screen, then Lock Screen Password Box is functional and I can proceed.
    Task Manager shows a very normal/ideal operations picture. I am only using about 13 – 20 % max of the monster memory at my disposal.

  • Ahwarahmarah Qui-Vive

    I thank you sincerely for this very clear information!! And for your enlighten-ment go losethenamecom for shocking truth about your own freedom-possibilities..

  • Rocky

    Thanks for the information and the humor bonus!

  • Lee Van Doren

    >svchost.exe is only a virus if it’s living outside C:WindowsSystem32.

    NOT True. I have a very nasty svchost.exe virus and it is running under the above directory file. One process will continue to consume memory and drag the system to its knees. Killing it off will regain that memory but a new one will spawn and do the same thing.

    I am still trying to find out how to eliminate it. I have tried various commercial products and the numerous tools recommended on various sites but none get rid of it. I had to do a full re-install in the end.

    • Raven_Soul

      What is your AntiVirus?

    • Aaron Harrison

      i had the same issue however after wiping the OS and reinstalling it the problem still remained….

  • Mireya Bojorquez, Realtor

    Vonnie your advise didn’t work for me.. Do you have another option. Says access denied. this svchost.exe is killing my computer>

    C:UsersMireya Laptop>tasklist/svc/fo table /fI “imagename eq svchost.exe”

    ERROR: Invalid argument/option – ‘/svc/fo’.

    Type “TASKLIST /?” for usage.

    C:UsersMireya Laptop>tasklist

    Image Name PID Session Name Session# Mem Usage

    ========================= ======== ================ =========== ============

    System Idle Process 0 Services 0 24 K

    System 4 Services 0 1,216 K

    smss.exe 288 Services 0 1,140 K

    csrss.exe 424 Services 0 4,724 K

    wininit.exe 512 Services 0 4,492 K

    csrss.exe 548 Console 1 8,852 K

    services.exe 572 Services 0 10,616 K

    lsass.exe 596 Services 0 14,180 K

    lsm.exe 604 Services 0 4,344 K

    svchost.exe 716 Services 0 10,004 K

    svchost.exe 792 Services 0 8,720 K

    winlogon.exe 844 Console 1 7,776 K

    atiesrxx.exe 872 Services 0 4,376 K

    svchost.exe 936 Services 0 22,564 K

    svchost.exe 1004 Services 0 20,228 K

    stacsv64.exe 376 Services 0 8,484 K

    svchost.exe 1100 Services 0 5,724 K

    atieclxx.exe 1252 Console 1 6,520 K

    hpservice.exe 1268 Services 0 4,732 K

    vcsFPService.exe 1300 Services 0 7,624 K

    svchost.exe 1344 Services 0 17,044 K

    spoolsv.exe 1572 Services 0 14,984 K

    DpHostW.exe 1600 Services 0 22,376 K

    svchost.exe 1648 Services 0 14,604 K

    AESTSr64.exe 1796 Services 0 2,832 K

    svchost.exe 1880 Services 0 10,680 K

    svchost.exe 1920 Services 0 13,476 K

    HPClientServices.exe 1952 Services 0 8,000 K

    HPDrvMntSvc.exe 1872 Services 0 3,636 K

    HPWMISVC.exe 1144 Services 0 4,944 K

    LSSrvc.exe 1912 Services 0 4,328 K

    mbamscheduler.exe 2056 Services 0 10,100 K

    mbamservice.exe 2136 Services 0 147,280 K

    N360.exe 2168 Services 0 10,752 K

    PsiService_2.exe 2252 Services 0 3,732 K

    RNowSvc.exe 2300 Services 0 4,644 K

    sftvsa.exe 2560 Services 0 4,864 K

    ss_conn_service.exe 2608 Services 0 4,572 K

    WLIDSVC.EXE 2676 Services 0 15,480 K

    sftlist.exe 2736 Services 0 14,304 K

    WLIDSVCM.EXE 2804 Services 0 3,424 K

    taskhost.exe 3064 Console 1 12,968 K

    DPAgent.exe 3100 Console 1 13,900 K

    explorer.exe 3128 Console 1 125,352 K

    mbam.exe 3216 Console 1 49,804 K

    CVHSVC.EXE 3380 Services 0 14,204 K

    chrome.exe 3640 Console 1 35,508 K

    svchost.exe 3864 Services 0 5,896 K

    UA.exe 3416 Console 1 27,752 K

    N360.exe 3188 Console 1 10,180 K

    BrStMonW.exe 3200 Console 1 13,396 K

    BrCtrlCntr.exe 3000 Console 1 8,008 K

    BrCcUxSys.exe 4372 Console 1 7,988 K

    BrYNSvc.exe 4828 Services 0 9,556 K

    DpAgent.exe 4992 Console 1 3,968 K

    SearchIndexer.exe 4276 Services 0 17,996 K

    GWX.exe 5020 Console 1 588 K

    svchost.exe 5704 Services 0 14,768 K

    wmpnetwk.exe 5612 Services 0 13,768 K

    DropboxUpdate.exe 1108 Services 0 2,824 K

    HPHC_Service.exe 996 Services 0 12,624 K

    HPWA_Service.exe 2788 Services 0 34,484 K

    hpqWmiEx.exe 5184 Services 0 6,272 K

    TrustedInstaller.exe 1248 Services 0 9,316 K

    sttray64.exe 180 Console 1 17,528 K

    SeaPort.EXE 5892 Services 0 8,912 K

    HPWA_Main.exe 3688 Console 1 51,720 K

    hpCaslNotification.exe 5460 Console 1 12,164 K

    taskmgr.exe 2500 Console 1 15,744 K

    svchost.exe 1492 Services 0 36,432 K

    WmiPrvSE.exe 1656 Services 0 9,644 K

    svchost.exe 2456 Services 0 160,068 K

    chrome.exe 1156 Console 1 253,564 K

    chrome.exe 5080 Console 1 257,424 K

    chrome.exe 5948 Console 1 64,256 K

    chrome.exe 3176 Console 1 58,620 K

    dwm.exe 2480 Console 1 33,208 K

    WUDFHost.exe 1612 Services 0 6,108 K

    chrome.exe 3040 Console 1 19,600 K

    chrome.exe 4532 Console 1 361,832 K

    chrome.exe 5416 Console 1 69,360 K

    HelpPane.exe 6200 Console 1 42,824 K

    chrome.exe 6528 Console 1 82,500 K

    audiodg.exe 6280 Services 0 16,532 K

    chrome.exe 3492 Console 1 132,512 K

    cmd.exe 2696 Console 1 2,968 K

    conhost.exe 7124 Console 1 6,384 K

    tasklist.exe 3820 Console 1 5,684 K

    C:UsersMireya Laptop>svchost.exe

    C:UsersMireya Laptop>tasklist/svc/fo table/fi “IMAGENAME eq svchost.exe”

    ERROR: Invalid argument/option – ‘/svc/fo’.

    Type “TASKLIST /?” for usage.

    C:UsersMireya Laptop>net stop Audiosrv

    System error 5 has occurred.

    Access is denied.

    C:UsersMireya Laptop>tasklist /SVC /FO TABLE /FI “IMAGENAME eq svchost.exe

    Image Name PID Services

    ========================= ======== ============================================

    svchost.exe 716 DcomLaunch, PlugPlay, Power

    svchost.exe 792 RpcEptMapper, RpcSs

    svchost.exe 936 AudioSrv, Dhcp, eventlog,

    HomeGroupProvider, lmhosts, wscsvc

    svchost.exe 1004 EventSystem, fdPHost, FontCache, netprofm,

    nsi, WdiServiceHost, WinHttpAutoProxySvc

    svchost.exe 1100 gpsvc

    svchost.exe 1344 CryptSvc, Dnscache, LanmanWorkstation,

    NlaSvc

    svchost.exe 1648 BFE, DPS, MpsSvc

    svchost.exe 1880 DiagTrack

    svchost.exe 1920 FDResPub, SSDPSRV, upnphost

    svchost.exe 3864 PolicyAgent

    svchost.exe 5704 p2pimsvc, p2psvc, PNRPsvc

    svchost.exe 1492 AeLookupSvc, Appinfo, BITS, Browser,

    EapHost, IKEEXT, iphlpsvc, LanmanServer,

    ProfSvc, Schedule, SENS, Themes, Winmgmt,

    wuauserv

    svchost.exe 2456 AudioEndpointBuilder, hidserv, Netman,

    PcaSvc, SysMain, TrkWks, UxSms, Wlansvc,

    WPDBusEnum, wudfsvc

    C:UsersMireya Laptop>net stop Audiosrv

    System error 5 has occurred.

    Access is denied.

    • Gary_Baldi

      Minor point, it’s ‘advice’, not advise which describes the process of giving advice

      • Sean

        Considering your being a condescending cock sucker here, I thought I would point out that you missed his lack of a “?” at the end of “Do you have another option.” If your going to be a dick, at least be a smart dick. Prick!

  • Cyborg Basumatary

    I really fall in love with “svchost.exe”. From now this is my friend…
    1000 million Thank you for you info. It’s helps a lot.
    and
    1000 million Thank you make it funny. That’s the way how I exactly learn things…

  • Jezebel

    Ugh, well right now it’s completely disabled my computer, so it is a sly prick trojan. There are also about a dozen versions of it in different locations on my computer. It made my computer unable to start up for 4 days, I randomly turned it on and left it and it started up again after resolving to reinstall windows but hadn’t yet done it. then it stripped both internet programs of Favourites and caused multiple system crashes. It’s near impossible to remove entirely. I’ve used Rkill to stop it’s processes, and two separate antivirus softwares to remove it. Malwarebytes, which is a decent program didn’t detect any problems, but Roguekiller was all over it. Deleted the temporary malware it distributed but it’s still stuck in there and I can’t delete the core virus files. It is totally FUCKING my computer. It will keep releasing it’s attacks on my system until it becomes unusable, so I will have to run every antirootkit/trojan software I can to keep it at bay. But my computer will never be the same again. About 5 or so years ago this virus killed my last computer so I know this for a fact. And now it’s in this one too.

  • Barry

    To see the file location ASAP: Open task manager go to the Details tab. Right click on the “columns bar” click on “select columns” find and select “Image Path Name”

  • Scott SSS Shortland

    *They’re the good guys :]
    cheers for the info