Services are programs that Windows loads at startup and that continue
to run in the background without interaction from the user. Windows
has no way to directly execute programming code stored in dynamic
link library (DLL) files, so the operating system uses the svchost.exe
process as a launcher for the DLL code that provides Windows services.
It is important for the stable and secure operation of your computer
and should not be terminated or deleted.

However, while svchost.exe is a legitimate operating system process,
a file with that name could also be a Trojan. Which one it is depends
on where it is located on your computer. Trojan writers frequently
use valid file names to get their Trojans to run without problems
on your computer. Telling whether you have a legitimate file
or a Trojan can be difficult because Trojans and poorly maintained
machines produce similar symptoms: slow speed at startup and on the
internet, excessive popups, and a lot of errors such as the system
crashing or freezing.
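
The location check described above, as an added example that is not part of the original article: this PowerShell script lists every running svchost.exe with its image path and the services it hosts, and flags any instance outside the expected system folder. It assumes PowerShell 3.0 or later run from an elevated prompt, and that the genuine file is %SystemRoot%\System32\svchost.exe (or the SysWOW64 copy on 64-bit Windows).

```powershell
# Added example: audit running svchost.exe instances by image path.
# Assumption: the genuine binary lives in %SystemRoot%\System32
# (or %SystemRoot%\SysWOW64 on 64-bit Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Map each process ID to the names of the services running inside it.
$servicesByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $id = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
        $servicesByPid[$id] += $_.Name
    }

# Check every process whose image name is svchost.exe.
$report = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath
        # -contains compares strings case-insensitively, so "system32" matches.
        $status = if (-not $path) {
            'path not readable (run elevated)'
        } elseif ($expected -contains $path) {
            'expected location'
        } else {
            'UNEXPECTED LOCATION'
        }
        [pscustomobject]@{
            PID      = [int]$_.ProcessId
            Path     = $path
            Services = ($servicesByPid[[int]$_.ProcessId] -join ', ')
            Status   = $status
        }
    }

# Entries marked UNEXPECTED LOCATION are the ones to investigate first.
$report | Sort-Object Status, PID | Format-Table -AutoSize -Wrap
```

The Services column shows the same information as the Services tab in Process Explorer, so a single listing covers both the location check and the service check.
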
Usually the most serious problem occurs when automatic updates
are enabled. Although Microsoft has a patch for the svchost.exe
problem for Windows XP, most of the time it does not work. An
instance of svchost.exe can actually use up all of your available
CPU processing ability.

Fix Svchost.exe Problem on Windows XP

Open the Task Manager by pressing CTRL-ALT-DEL, then
click on the Image Name column header. This will
sort the processes by name. As you can see below, my machine
has six instances of svchost.exe running. Their combined CPU
percentage is zero. That tells me that all of the instances are
legitimate processes running on my machine. If I had a problem
the CPU usage would be greater than 60% for all of the instances.
If you have a problem, you need to find out what processes are
using the various svchost.exe files you see in the task manager.
You can do this by downloading Process Explorer from sysinternals.com
and installing it on your computer.
To find out which services are running within a particular SVCHOST.EXE
process, open Process Explorer and double-click the SVCHOST.EXE
entry to open its properties screen. To view the services running
in this process, click on the Services tab.
A window similar to the one below will open.
In this case, Terminal Services is a legitimate Windows service. If you find
a bogus instance, perform the repair below:
- Download the Windows Update Agent v3 installer, WindowsUpdateAgent30-x86.exe
(http://go.microsoft.com/fwlink/?LinkID=91237), from the Microsoft website
and save it to your computer.
- Next, download fix_svchost.bat from http://technibble.com/doweloads/windows-tools/fix_svchost.bat
(right-click and choose Save As) and save it to your computer.
- Download WindowsXP-KB927891.exe from http://technibble.com/doweloads/windows-tools/WindowsVP-KB927891.exe
(right-click and choose Save As) and save it to your computer.
- Reboot the computer and log in to Windows XP in Safe Mode
by pressing the F8 key while the black background screen is
still showing, just before the Windows XP logo appears.
Then when you get the boot menu highlight Safe Mode and
- Log on as administrator
- Select Start -> Run then click on the Browse button.
Locate fix_svchost.bat then click on Open.
- The black command window will open and a list of the commands
being processed will scroll on the screen. The screen will
automatically close once the process is finished.
- Next select Start -> Run then click on the Browse button.
Locate the WindowsUpdateAgent30-x86.exe file you saved before,
select Open, then OK. Follow the
directions to install.
- When Windows Update Agent finishes installing, select Start
-> Run then click on the Browse button.
Locate the WindowsXP-KB927891.exe file you saved before,
select Open, then OK. Follow
the directions to install.
- Finally, reboot your computer.

Fix Svchost.exe Problem on Windows

Windows Vista has an enhanced Windows Task Manager. One of the
new features shows what services are being controlled by a particular
svchost.exe process. Start the Task Manager by
pressing CTRL-ALT-DEL. When the Task
Manager opens, click on the Processes tab.
Next, click on Show processes from all users. Windows
Vista will prompt you for authorization to see all the processes
as shown below. Then click Continue.
When the new list appears, you can right-click on a SVCHOST
process and select the Go to Service(s) menu
option. A list of the services running under this particular
SVCHOST process will be highlighted. Now you can easily determine
what services a particular SVCHOST process is running in Windows
At the moment the only way to completely delete a Trojan version
of svchost.exe is to find the bogus file, delete it, and then
remove any entries related to it from the registry. Doing that
is beyond the scope of this article. However, I’m sure
a patch similar to the one for XP will be available in the near