Fixing svchost.exe

Services are programs that Windows loads at start up that continue to run in the background without interaction from the user. Since Windows has no way to directly execute programming code stored in dynamic link library (DLL) files, svchost.exe is a process used as a system launcher by the windows operating system to handle code being used from DLL files to provide windows services and is important for the stable and secure operation of your computer and should not be terminated or deleted.

However, while svchost.exe is a legitimate operating system process, it could also be a Trojan. Which one it is depends on where it is located on your computer. Trojan writers frequently use valid file names to get their Trojans to run without problems on your computer. Telling whether you have a legitimate file or a Trojan can be difficult since the symptoms are similar for Trojans and poorly maintained machines such as slow speed at startup and on the internet, excessive popups, and a lot of errors such as the system crashing or freezing.

Usually the most serious problem occurs when automatic updates are enabled. Although Microsoft has a patch for the svchost.exe problem for windows XP, most of the time it does not work. An instance of svchost.exe can actually use up all of your available CPU processing ability.

Fix Svchost.exe Problem on Windows XP

Open the task manager by select CTL-ALT-DEL then click on the Image Name column header. This will sort the processes by name. As you can see below, my machine has six instances of svchost.exe running. Their combined CPU percentage is zero. That tells me that all of the instances are legitimate processes running on my machine. If I had a problem the CPU usage would be greater than 60% for all of the instances.

If you have a problem, you need to find out what processes are using the various svchost.exe files you see in the task manager. You can do this by downloading Process Explorer from sysinternals.com and installing it on your computer.

To find out which services are running within a particular SVCHOST.EXE process open process explorer and double-click the SVCHOST.EXE entry to open its properties screen. To view the services running in this process, click on the Services tab. A window similar to the one below will open.

In this case, terminal services are a legitimate windows service. If  you find a bogus instance, perform the repair below:

  • Download Windows Update v3 Update Agent30-x86.exe  (http://go.microsoft.com/fwlink/?LinkID=91237 ) from the Microsoft website and save it to your computer.
  • Next download fix_svchost.bat from http://technibble.com/doweloads/windows-tools/fix_svchost.bat (right click and choose save as..) and save it to your computer
  • Download WindowsXP-KB927891.exe  from http://technibble.com/doweloads/windows-tools/WindowsVP-KB927891.exe  (right click and choose save as) and save it to your computer.
  • Reboot the computer and log in to Windows XP in safe mode by pressing the F8 key while still in the black background screen just before the Windows XP logo appears. Then when you get the boot menu highlight Safe Mode and hit enter.
  • Log on as administrator
  • Select Start -> Run then click on the Browse button. Locate fix_svchost.bat then click on Open.
  • The black command window will open and a list of the commands being processed will scroll on the screen. The screen will automatically close once the process is finished.
  • Next select Start -> Run then click on the Browse button. Locate the WindowsUpdateAgent30-x86.exe file you saved before select Open, then OK. Follow the directions to install.
  • When Windows Update Agent finishes installing, select Start -> Run then click on the Browse button. Locate the WindowsXP-KB927891.exe file you saved before, select Open, then OK. Follow the directions to install.
  • Finally, reboot your computer

Fix Svchost.exe Problem on Windows Vista

Windows vista has an enhanced Windows Task Manager. One of the new features shows what services are being controlled by a particular svchost.exe process. Start the task manager by  pressing CTL-ALT-DEL .When the Task Manager opens click on the Processes tab.

Next click on Show processes from all users.  Windows Vista will prompt you to allow authorization to see all the processes as shown below. Then Click Continue.

When the new list appears, you can right-click on a SVCHOST process and select the Go to Service(s) menu option. A list of the services running under this particular SVCHOST process will be highlighted. Now you can easily determine what services a particular SVCHOST process is running in Windows Vista.

At the moment the only way to completely delete a Trojan version of svchosts.exe is to find the bogus file, delete it and then remove any entries related to it from the registry. Doing that is beyond the scope of this article. However, I’m sure a patch similar to the one for XP will be available in the near future.

[home] [category index page] [contact me]

 
Copyright © Donna Warren 2005-2013. All Rights Reserved.