Did svchost.exe behaviour change in Windows 10 Creators Update (Build 1703)?

3

2

Today I upgraded to the Creators Update by running setup from the ISO mounted locally. When I got back to my computer I opened Task Manager and saw my memory usage was a lot higher than it was previously (it's now almost 6GB memory usage at idle after logging in instead of 2-3GB with the previous Windows build) - the processes tab revealed that there were upwards of 60 different instances of svchost.exe running. This 6GB figure is just for process memory - not including memory used for caching or "standby".

I ran tasklist /svc to get a listing of which services were in which processes and it lists almost every svchost.exe instance as only having one running service contained within (with the exception of a handful of instances that are running a few system services).

Here's my output:

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       440 N/A
csrss.exe                      612 N/A
wininit.exe                    700 N/A
csrss.exe                      708 N/A
services.exe                   776 N/A
lsass.exe                      784 KeyIso, Netlogon, SamSs, VaultSvc
svchost.exe                    888 PlugPlay
svchost.exe                    908 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
fontdrvhost.exe                936 N/A
svchost.exe                   1000 RpcEptMapper, RpcSs
svchost.exe                    104 LSM
winlogon.exe                   544 N/A
fontdrvhost.exe                420 N/A
svchost.exe                   1072 DeviceInstall
dwm.exe                       1136 N/A
svchost.exe                   1164 BFE, CoreMessagingRegistrar, MpsSvc
svchost.exe                   1424 lmhosts
svchost.exe                   1432 W32Time
svchost.exe                   1440 nsi
svchost.exe                   1448 wudfsvc
svchost.exe                   1528 hidserv
svchost.exe                   1628 Dhcp
svchost.exe                   1716 Dnscache
svchost.exe                   1748 EventLog
WUDFHost.exe                  1792 N/A
svchost.exe                   1908 TimeBrokerSvc
svchost.exe                   1952 NlaSvc
NVDisplay.Container.exe       1968 NVDisplay.ContainerLocalSystem
svchost.exe                   1324 Themes
svchost.exe                   1596 ProfSvc
svchost.exe                   1944 EventSystem
svchost.exe                   1052 netprofm
svchost.exe                   2116 StateRepository
svchost.exe                   2256 SENS
svchost.exe                   2296 AudioEndpointBuilder
svchost.exe                   2304 FontCache
(etc)...

I know you can configure individual services to run in their own instance of svc with the sc config <serviceName> type= own command, but to my knowledge I've never run this command.

I took a quick look at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and it looks like the Type key values for most of these services is missing the flag bit at 0x10 which controls if a service runs in its own svchost.exe instance or not. I wonder what could have effected this change.

Has anyone else observed this behaviour before or after installing Windows 10 Creators Update? If it is a default configuration change, will it have any implications on system performance or stability?

I suspect it will increase system stability because if a service crashes it won't bring down other services - but this comes at a massive cost of RAM - but I've never experienced a service crashing on me - or at least ever noticed it (instead the worst problem I've had is with wuauserv consuming 100% CPU for hours on end - and that's not a problem process isolation will solve).

(I just noticed: they finally added an address bar to the Registry Editor!)

Dai

Posted 2017-05-25T04:26:11.263

Reputation: 1 451

Answers

6

Yes, this is a change in the Creators Update if you use a PC with more than 3.5GB of RAM. Here all services run in their own svchost.exe to better see which service causes issue or prevent crash of other services if a service crashes a svchost.exe.

If your PC has 3.5+ GB of memory, you may notice an increased number of processes in Task Manager. While this change may look concerning at first glance, many will be excited to find out the motivation behind this change. As the number of preinstalled services grew, they began to get grouped into processes known as service hosts (svchost.exe’s) with Windows 2000. Note that the recommended RAM for PC’s for this release was 256 MB, while the minimum RAM was 64MB. Because of the dramatic increase in available memory over the years, the memory-saving advantage of service hosts has diminished. Accordingly, ungrouping services on memory-rich (3.5+ GB of RAM) PCs running Windows now offers us the opportunity to do the following:

  • Increase reliability: When one service in a service host fails, all services in the service host fail. In other words, the service host
    process is terminated resulting in termination of all running
    services within that process.

  • Increase transparency: Task Manager will now give you a better view into what is going on behind the scenes. You can now see how much CPU, Memory, Disk & Network individual services are consuming.

    enter image description here

  • Increase security: Process isolation and individual permission sets for services will increase security.

So, don't worry, this is a good change in v1703 and everything is fine.

But there is a way to revert it. This was discovered by an user of a website that deals with Windows tweaking.

So, run regedit.exe, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control and create a 32Bit DWORD SvcHostSplitThresholdInKB and set it to a large number (larger compared to your install RAM).

magicandre1981

Posted 2017-05-25T04:26:11.263

Reputation: 86 560

1I disagree that it's "a good change" because I've never knowingly encountered an svchost.exe crash, and I'm concerned that running every service in their own process will needlessly waste memory (despite shared-process memory for common things like shared libraries) and may even harm performance when you consider all the extra memory that needs to be initialized and serialized (when hibernating or simply when paged t disk). I plan to reconfigure my computer to go back to using shared-processes for services and perform benchmarks to see. – Dai – 2017-05-26T03:04:04.597

2so lets remove seat belt and airbag from car again, because you never had a car crash. What a crappy logic. I had svchost.exe crashes that killed several other services and it is a good change, no matter if you like it or not. I answered the question correctly, there is nothing more to say about it. What you see is by design, so I'm out of this topic. – magicandre1981 – 2017-05-26T15:18:40.360

2I've accepted your answer and I'm happy with it - I just personally disagree with Microsoft's position when it comes to my own personal computer (I wouldn't change this setting on a PC I don't own and use for my own personal use). I understand the airbag analogy but my desktop is not a safety-critical system and I'm prepared to accept that risk :) – Dai – 2017-05-26T17:06:05.353

@Dai - It's largely been this way for services on Linux for years. Of course, those services tend to both be a lot leaner in general, and the functionality any given service encompasses is larger, so there aren't quite as many of them. I would be very nervous about the idea of a whole bunch of unrelated things running in the same address space. A security nightmare. – Omnifarious – 2017-08-22T18:55:13.317

Asked: 2017-05-25T04:26:11.263

Viewed: 2 553 times

Active: 2017-09-12T06:25:51.707