What is svchost and why are multiple instances of it running?

Question

There's six instances running on my desktop, and probably ten on a server I manage. What is this, and is it vital to system function?

LOL. I have 91 of them running in my laptop! – Sen Jacob Nov 07 '19 at 06:49 — Sen Jacob, Nov 07 '19 at 06:49

score 20 · Answer 1 · edited Feb 20 '19 at 12:55

Many executing components of Windows are implemented as services (see all services on your machine opening Control Panel > Administrative Tools > Services). These are specialized programs running in the background. They are not started by the logged-in user, but my the operating system itself.

Most services aren't stand-alone executables (EXE files), but are implemented in libraries (DLLs), which can be used by running processes. As the name suggests, Svchost or "Service Host" is Windows' standard executable for running these DLLs. You can find svchost.exe file in the %systemroot%\system32 directory.

If you want to know which instance of svchost is executing which service, type

 tasklist /svc /fi "IMAGENAME eq svchost.exe"

on a command line console (cmd).

On the machine, where I made the screenshot, one of the instances of svchost is running 21 different services, for example. This grouping of services allows for better control and easier debugging, according to Microsoft's documentation.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

A tip (if you run Windows Vista, Windows 7 or Windows Server 2008): you can open the Task Manager and right-click on a particular svchost.exe process, and then choose the "Go to Service" option. This will show the Services tab, where all services running under the selected svchost.exe process will be marked.

There is a very interesting document in Microsoft's Download Center:

Microsoft Windows Server 2003 System Services Reference

This document contains summaries all of the services available for the Windows Server 2003 family of operating systems. The services are listed in alphabetical order by display name. Following a description of each service, a table lists key information about the service.

Every Windows service is listed with all its details. You learn, for example, that the executable file name of the Terminal Services service is

 svchost.exe -k termsvcs

+1 thanks for the info....you and your 8000 point rep...seriously though, that is a great resource to have. I consider myself well-versed in Win CLI, but wasnt aware of this one. Thanks! — cop1152, Jun 15 '09 at 14:01

score 16 · Accepted Answer · answered May 22 '09 at 18:58

16

svchost, hosts services in Windows See KB. If you use Process Explorer you can see which services are being ran inside a particular process.

answered May 22 '09 at 18:58

Rob Haupt

794
6
10

1

So is this more or less equivalent to inetd under linux? A general purpose server framework, so that developers can write services without worrying about the server portion of the code? – Jason Tan May 30 '09 at 16:02
Same sort of idea Jason, but obviously with further range than inetd which generally only props up webbish type tasks doesn't it? A nice analogy though, certainly close enough for cash... – Rob Moir Jun 15 '09 at 11:30

score 7 · Answer 3 · answered May 22 '09 at 19:38

Svchost is short for "Service Host". It keeps most of the Services on your machine running. There will be a few Services that host themselves in their own .exe file, but most of Windows' Services need to be hosted inside a svchost.exe process. The Services on your machine handle important stuff like networking, RpC server, audio, event log etc.

Type "services.msc" in Start->Run to view the Services you have running on your machine. If you deem anyone unneccecary you can stop the service.

Type "tasklist /SVC" to see which services are hosted by the different svchost.exe files.

score 1 · Answer 4 · answered Jun 04 '09 at 09:34

Here is a PowerShell one-liner that outputs all services hosted in svchost.exe processes:

PS>get-process svchost | % {get-wmiobject win32_service -filter "processid=$($_.id)"} | format-table processid,name,displayname,state,status -auto

processid name          displayname                               state   status
--------- ----          -----------                               -----   ------
      316 HTTPFilter    HTTP SSL                                  Running OK
     1328 DcomLaunch    DCOM Server Process Launcher              Running OK
     1328 TermService   Terminal Services                         Running OK
     1392 RpcSs         Remote Procedure Call (RPC)               Running OK
     1528 AudioSrv      Windows Audio                             Running OK
     1528 BITS          Background Intelligent Transfer Service   Running OK
     1528 Browser       Computer Browser                          Running OK

Shorter version of an one-liner looks like this:

gps svchost | % {gwmi win32_service -f "processid=$($_.id)"} | ft proc*,name,disp*,stat* -auto

score 0 · Answer 5 · answered Jul 10 '09 at 13:24

0

This article might help: http://www.gfi.com/blog/exploring-svchostexe-part-1/

answered Jul 10 '09 at 13:24

What is svchost and why are multiple instances of it running?

5 Answers5