44

Task Manager shows the overall memory usage of svchost.exe. Is there a way to view the memory usage of individual services?

Note this is similar to Finegrained performance reporting on svchost.exe

Community
  • 1
Aidan Ryan
  • 1,253
  • 2
  • 13
  • 16

7 Answers7

52

There is an easy way to get the information you are asking for (but it does require a slight change to your system):

Split each service to run in its own SVCHOST.EXE process and the service consuming the CPU cycles will be easily visible in Task Manager or Process Explorer (the space after "=" is required):

SC Config Servicename Type= own

Do this in a command line window or put it into a BAT script. Administrative privileges are required and a restart of the computer is required before it takes effect.

The original state can be restored by:

SC Config Servicename Type= share

Example: to make Windows Management Instrumentation run in a separate SVCHOST.EXE:

SC Config winmgmt Type= own

This technique has no ill effects, except perhaps increasing memory consumption slightly. And apart from observing CPU usage for each service it also makes it easy to observe page faults delta, disk I/O read rate and disk I/O write rate for each service. For Process Explorer, menu View/Select Columns: tab Process Memory/Page Fault Delta, tab Process Performance/IO Delta Write Bytes, tab Process Performance/IO Delta Read Bytes, respectively.

On most systems there is only one SVCHOST.EXE process that has a lot of services. I have used this sequence (it can be pasted directly into a command line window):

rem  1. "Automatic Updates"
SC Config wuauserv Type= own

rem  2. "COM+ Event System"
SC Config EventSystem Type= own

rem  3. "Computer Browser"
SC Config Browser Type= own

rem  4. "Cryptographic Services"
SC Config CryptSvc Type= own

rem  5. "Distributed Link Tracking"
SC Config TrkWks Type= own

rem  6. "Help and Support"
SC Config helpsvc Type= own

rem  7. "Logical Disk Manager"
SC Config dmserver Type= own

rem  8. "Network Connections"
SC Config Netman Type= own

rem  9. "Network Location Awareness"
SC Config NLA Type= own

rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own

rem 11. "Secondary Logon"
SC Config seclogon Type= own

rem 12. "Server"
SC Config lanmanserver Type= own

rem 13. "Shell Hardware Detection"
SC Config ShellHWDetection Type= own

rem 14. "System Event Notification"
SC Config SENS Type= own

rem 15. "System Restore Service"
SC Config srservice Type= own

rem 16. "Task Scheduler"
SC Config Schedule Type= own

rem 17. "Telephony"
SC Config TapiSrv Type= own

rem 18. "Terminal Services"
SC Config TermService Type= own

rem 19. "Themes"
SC Config Themes Type= own

rem 20. "Windows Audio"
SC Config AudioSrv Type= own

rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
SC Config SharedAccess Type= own

rem 22. "Windows Management Instrumentation"
SC Config winmgmt Type= own

rem 23. "Wireless Configuration"
SC Config WZCSVC Type= own

rem 24. "Workstation"
SC Config lanmanworkstation Type= own

rem End.
Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24
  • 14
    For the PowerShell users out there: Get-Service | ForEach-Object {C:\Windows\System32\SC.EXE config $_.Name type= own} – Tamara Wijsman Apr 28 '10 at 13:30
  • 1
    Actually, I typically notice 3 or 4 instances of `svchost.exe` on Windows XP systems. On this one I see 6. – SamB Nov 29 '10 at 17:44
  • 4
    @TomWij: Be _extremely_ careful when using this snippet--if you are using EFS (Encrypting File System) and set it to `type= own` it may not work correctly and you'll be left without access to any files that are encrypted with it (which can be catastrophic if the OS files are encrypted!) – Beau Sep 13 '11 at 17:45
  • 1
    @Beau: Do you know why explicitly? – Tamara Wijsman Sep 13 '11 at 18:25
  • @TomWij: I do not, unfortunately--I only know that when EFS is set to `type= own` on Windows 7 systems here at work that the service flaps hundreds of times per second. – Beau Sep 13 '11 at 18:52
  • 3
    @Peter Mortensen: I've created [Service Disclosure tool](http://sourceforge.net/projects/svcdisclsr/). It 1. Stores services which share svchost.exe process. 2. Configures services to run in separate process. 3. Returns all stored at step #1 services back to one process. Your comments and suggestions are welcome. Thanks for idea. – Dmytro Ovdiienko Feb 24 '12 at 17:28
  • Of course this requires rebooting, or at least restarting the services in question, so it doesn’t help diagnose the *current* issue since it may not show up again for a while (or at all, especially if part of the reason is due to it being shared). – Synetech Jul 13 '13 at 05:29
  • For me, this script didn't work with the Schedule and gpsvc services. – Rosberg Linhares Mar 22 '18 at 02:08
21

You could use the built-in tasklist command and filter by service name (/fi switch), for example:

 tasklist /fi "services eq TermService"

Output:

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                   2940 Console                    0      7.096 K

If you don't know a name, you can list them by running this statement:

 tasklist /svc /fi "imagename eq svchost.exe"

It lists all services hosted by svchost.exe, for example:

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    632 DcomLaunch
svchost.exe                    684 RpcSs
svchost.exe                    748 Dhcp, Dnscache
svchost.exe                    788 LmHosts, W32Time
svchost.exe                    804 AeLookupSvc, AudioSrv, Browser, CryptSvc,
                                   dmserver, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Messenger,
                                   Netman, Nla, RasMan, Schedule, seclogon,
                                   SENS, ShellHWDetection, TrkWks, winmgmt,
                                   wuauserv, WZCSVC
svchost.exe                   1140 ERSvc
svchost.exe                   1712 RemoteRegistry
svchost.exe                    196 W3SVC
svchost.exe                   2940 TermService
svchost.exe                   2420 TapiSrv

Services aren't necessarily hosted by svchost.exe. So, if you can't find a service filtering by the executing file name, just run tasklist /svc. It will show all services.

splattne
  • 28,348
  • 19
  • 97
  • 147
10

Process explorer will indeed show you individual memory usage within svchost Ensure you have the latest version from here https://docs.microsoft.com/sysinternals/downloads/process-explorer

Make sure to run the Process Explorer as administrator, click on the svchost you want to inspect, click the View DLLs button (or CTRL+D). Right click the headers in the DLLs window, Select Columns..., then check WS Total Bytes, and hit OK.

Now you can view and sort on the memory usage of individual services (implemented by dlls) within the svchost.

RockPaperLz- Mask it or Casket
  • 119
  • 7
Chris T.
  • 101
  • 1
  • 2
7

While Process Monitor is a general purpose utility (that will do everything but wash dishes for you), for this particular question you want to use VMMap (another SysInternals utility)

https://docs.microsoft.com/sysinternals/downloads/vmmap

VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load back in. It also includes command-line options that enable scripting scenarios.

RockPaperLz- Mask it or Casket
  • 119
  • 7
Sean Earp
  • 7,207
  • 3
  • 34
  • 38
  • 5
    Cool! Now is there a way to trace usage of a block of heap memory to the individual service that owns it? – Aidan Ryan Jun 08 '09 at 18:20
3

This is getting into stackoverflow territory, but if you can get hold of per-thread memory stats you may be able to roughly correlate that to the individual service dlls by matching them up to the dlls listed in the thread stack. Way too much for my tiny sysadmin brain, though.

user2278
  • 873
  • 5
  • 9
2

I extend Peter Mortensen's answer here. Before modifying the type of services, please check the existing type by command like:

sc query wuauserv

Which will output the followings:

    TYPE               : 20  WIN32_SHARE_PROCESS
    STATE              : 1  STOPPED
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0

Any type other than "10 WIN32_OWN_PROCESS", "20 WIN32_SHARE_PROCESS" should not be modified.

Pierre.Vriens
  • 1,159
  • 34
  • 15
  • 19
sken130
  • 21
  • 2
1

Separating the services is the correct answer, but the sc config command didn't work for me (2008 R2).

You can do it via the registry though, which means setting the "Type" parameter to 0x00000010 (dec. 16):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\<ServiceName>\Type

Be careful though which service you choose to modify, there are special types besides "own" and "share" that shouldn't be changed, like:

  • kernel
  • filesys
  • rec
  • adapt

After that, just restart the service and you should see in ProcessExplorer that it now has its own svchost.exe process.

Michael Böckling
  • 301
  • 3
  • 15