In the Windows NT family of operating systems, svchost.exe (Service Host, or SvcHost) is a system process which hosts multiple Windows services.[1] Its executable image, %SystemRoot%\System32\Svchost.exe or %SystemRoot%\SysWOW64\Svchost.exe (for 32-bit services running on 64-bit systems) runs in multiple instances, each hosting one or more services. It is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption.
Services run in SvcHost are implemented as dynamically-linked libraries (DLLs). Each such service's registry key must have a value named ServiceDll under the Parameters subkey, pointing to the respective service's DLL file. Their ImagePath definition is of the form %SystemRoot%\System32\svchost.exe -k netsvcs: all the services sharing the same SvcHost process specify the same parameter and have a single entry in the SCM's database. The first time that a SvcHost process is launched with a specific parameter, it looks for a value of the same name under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key, which it interprets as a list of service names. Then, it notifies the SCM of all the services that it hosts. The SCM doesn't launch a second SvcHost process for any of those services: instead, it simply sends a "start" command to the respective SvcHost process, containing the name of the service that should be launched within its context; SvcHost then loads that service's DLL.
Grouping multiple services into a single process conserves computing resources. However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. In Windows NT 5.1 (XP) and later editions, the tasklist command with the /svc switch includes a list of component services in each process. In Windows 6.0 (Vista) and later, a "Services" tab in Windows Task Manager includes a list of services and their groups and Process IDs (PIDs). Microsoft's Sysinternals Process Explorer also provides information about services running under svchost.exe processes.
Because svchost.exe is a common system process, malware often uses the process name "svchost.exe" to disguise itself. Determining the image path of a process and its invoking command line can help identify software masquerading in this way, and help locate the actual program file running under the assumed process name "svchost.exe" (Windows allows multiple processes to display the same name). Some malware injects a DLL file into the authentic svchost process, for example the Win32/Conficker worm.[2]
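The image-path and command-line check described above, combined with the -k group lookup from the registry description, can be sketched as follows. This is an added example, not code from Microsoft or any tool named here; the process records, the function name audit_svchost, the group list and the C:\Windows system root are constructed assumptions.

```python
import ntpath
import re

# Assumption: a default installation where %SystemRoot% is C:\Windows.
SYSTEM_ROOT = r"C:\Windows"
LEGIT_IMAGES = {
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, d, "svchost.exe"))
    for d in ("System32", "SysWOW64")
}
# Constructed stand-in for the value names under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_GROUPS = {"netsvcs", "localservice", "networkservice"}
K_ARG = re.compile(r"\s-k\s+(\S+)", re.IGNORECASE)

def audit_svchost(proc, known_groups=KNOWN_GROUPS):
    """Return findings for one process record; an empty list means consistent."""
    if ntpath.basename(proc["image"]).lower() != "svchost.exe":
        return []  # process does not present itself as svchost.exe
    findings = []
    # normpath collapses "..", normcase makes the comparison case-insensitive.
    image = ntpath.normcase(ntpath.normpath(proc["image"]))
    if image not in LEGIT_IMAGES:
        findings.append("image path outside System32/SysWOW64")
    match = K_ARG.search(proc["cmdline"])
    if match is None:
        findings.append("no -k <group> parameter")
    elif match.group(1).lower() not in known_groups:
        findings.append("unknown service group: " + match.group(1))
    return findings

# Constructed sample records (pid, image path, invoking command line).
SAMPLE_PROCESSES = [
    {"pid": 1012, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 4420, "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"C:\Users\Public\svchost.exe"},
    {"pid": 5116, "image": r"c:\windows\system32\SVCHOST.EXE",
     "cmdline": r"svchost.exe -k updater"},
    {"pid": 5300, "image": r"C:\Windows\System32\..\Temp\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for proc in SAMPLE_PROCESSES:
        print(proc["pid"], audit_svchost(proc) or "consistent")
```

A DLL loaded into the authentic process, the other case mentioned above, passes all three checks.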
The April 30, 2007 release of Windows Server Update Services 3.0 led to reports of svchost.exe issues, including 100% CPU usage, memory hogging, and excessive laptop fan/power usage.[3]