"svchost.exe" Process on Windows 7

Q

What is the "svchost.exe" process on Windows 7? Is the "svchost.exe" process a virus? Can I terminate the "svchost.exe" process? Why are there multiple "svchost.exe" processes?

✍: FYIcenter.com

A

The "svchost.exe" process represents the "Host Process for Windows Services" program. "svchost.exe" is used to launch and host multiple Windows services. Each "svchost.exe" process hosts a group of related services.

The "svchost.exe" process normally runs under the parent process "services", as shown in the process tree below:

Boot
   wininit
      services
         svchost

On the Processes tab of "Task Manager", multiple "svchost.exe" processes may be listed as:

Image Name   PID User Name        Memory Services

svchost.exe  712 SYSTEM           2,500K DcomLaunch, PlugPlay, Power                 
svchost.exe  832 NETWORK SERVICE  4,348K RpcEptMapper, RpcSs                         
svchost.exe 1004 LOCAL SERVICE    7,240K Audiosrv, Dhcp, eventlog, 
                                             lmhosts, wscsvc   
svchost.exe 1040 SYSTEM          68,216K AudioEndpointBuilder, CscService, 
                                             Netman, PcaSvc, SysMain, 
                                             TrkWks, UmRdpService, UxSms, 
                                             Wlansvc, wudfsvc
svchost.exe 1064 LOCAL SERVICE    4,748K EventSystem, FontCache, netprofm, 
                                             nsi, W32Time, WdiServiceHost                     
svchost.exe 1088 SYSTEM          42,460K Appinfo, BITS, CertPropSvc, 
                                             EapHost, iphlpsvc, LanmanServer, 
                                             ProfSvc, Schedule, SENS, 
                                             SessionEnv, ShellHWDetection, 
                                             Themes, Winmgmt, wuauserv                           
svchost.exe 1200 SYSTEM           1,116K gpsvc                                       
svchost.exe 1620 SYSTEM             928K DiagTrack                                   
svchost.exe 1748 LOCAL SERVICE    9,376K BFE, DPS, MpsSvc                            
svchost.exe 1828 NETWORK SERVICE  5,724K CryptSvc, LanmanWorkstation,
                                             NlaSvc, TermService                                 
svchost.exe 1928 SYSTEM             684K AppHostSvc                                  
svchost.exe 3492 LOCAL SERVICE    2,084K SSDPSRV, upnphost                           
svchost.exe 3668 NETWORK SERVICE  1,424K PolicyAgent                                 
svchost.exe 4936 LOCAL SERVICE    1,356K StiSvc                                      
..

Additional information about "svchost.exe" process:

Command line:
   C:\windows\system32\svchost.exe -k DcomLaunch

Program file information:
   Name: svchost.exe
   Location: C:\windows\system32\svchost.exe
   Description: Host Process for Windows Services
   Version: 6.1.7600.16385 (win7_rtm.090713-1255)
   Size: 27136 bytes
   Last modified: 7/13/2009 9:39:46 PM
   Company Name: Microsoft Corporation

Some data files used:
C:\Windows\System32
C:\Windows\System32\en-US\svchost.exe.mui
C:\Windows\System32\en-US\umpnpmgr.dll.mui
C:\Windows\System32\en-US\setupapi.dll.mui
C:\Windows\System32
C:\Windows\System32\en-US\svchost.exe.mui
C:\Windows\System32\en-US\wshtcpip.dll.mui
C:\Windows\System32\en-US\wship6.dll.mui
C:\Windows\System32\en-US\oleres.dll.mui
C:\Windows\System32

Some registry keys used:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
HKLM\SYSTEM\ControlSet001\Control\SESSION MANAGER
HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\245d8541-3943-4422-b025-13a784f679b7
HKU\.DEFAULT\Control Panel\International
HKLM\SYSTEM\ControlSet001\services
HKLM\SYSTEM\ControlSet001\Enum
HKLM\SYSTEM\ControlSet001\Enum
HKLM\SYSTEM\ControlSet001\services
HKLM\SYSTEM\ControlSet001\Control\CLASS

Some DLL libraries used:
C:\windows\SYSTEM32\ntdll.dll
C:\windows\system32\kernel32.dll
C:\windows\system32\KERNELBASE.dll
C:\windows\system32\msvcrt.dll
C:\windows\SYSTEM32\sechost.dll
C:\windows\system32\RPCRT4.dll
c:\windows\system32\bthserv.dll
c:\windows\system32\SHFOLDER.dll
C:\windows\system32\SHELL32.dll
C:\windows\system32\SHLWAPI.dll

"svchost.exe" processes could be infected by a virus. If you see a "svchost.exe" process acting strangely, you can stop all services hosted by this "svchost.exe" process using Task Manager. Or you can terminate this "svchost.exe" process directly. This will prevent the virus from causing additional damage.

Then you should use an anti-virus tool to scan the system and remove the virus.

In general, "svchost.exe" processes can be terminated. This may cause some Internet connection and other system feature issues, but the Windows 7 system will continue to run.
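
A read-only audit of the properties described above (image location, parent process, "-k" command line and hosted services), as an added PowerShell example that is not part of the original page. The finding strings and the "hosts no services" check are this example's own assumptions.

```powershell
# Added example (not from the original page). Uses Get-WmiObject so it also
# runs on the PowerShell 2.0 that ships with Windows 7. Run elevated;
# otherwise ExecutablePath and CommandLine can be empty for service processes.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index every process by PID so each svchost.exe parent can be resolved.
$all = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($proc in $all) {
    if ($proc.Name -ne 'svchost.exe') { continue }
    $findings = @()

    # 1. Image location: the page gives C:\windows\system32\svchost.exe.
    if (-not $proc.ExecutablePath) {
        $findings += 'image path not readable (run elevated)'
    } elseif ($proc.ExecutablePath -ne $expectedPath) {
        $findings += 'image path is not System32'
    }

    # 2. Parent: the page's process tree puts svchost under "services".
    #    A missing parent (exited, or PID since reused) is reported as well.
    $parent = $byPid[[int]$proc.ParentProcessId]
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $findings += 'parent is not services.exe'
    }

    # 3. Command line: the page shows "svchost.exe -k <group>".
    $group = $null
    if ($proc.CommandLine -match '\s-k\s+(\S+)') {
        $group = $Matches[1]
    } elseif ($proc.CommandLine) {
        $findings += 'no -k <group> argument'
    }

    # 4. Hosted services, i.e. the "Services" column in Task Manager.
    $svc = @(Get-WmiObject -Class Win32_Service -Filter "ProcessId=$($proc.ProcessId)" |
             ForEach-Object { $_.Name })
    if ($svc.Count -eq 0) { $findings += 'hosts no services' }

    New-Object PSObject -Property @{
        PID = $proc.ProcessId; Parent = $parent.Name; Group = $group
        Services = ($svc -join ', '); Findings = ($findings -join '; ')
    }
}

$report | Sort-Object PID |
    Format-Table PID, Parent, Group, Services, Findings -AutoSize -Wrap
```

An empty Findings column means the process matches what this page documents; a non-empty one is a prompt for closer review, not proof of infection.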


2016-07-27