One program in particular crops up more often than any other whenever there’s a Windows software glitch or you look at the list in Task Manager: svchost.exe. Sometimes Task Manager will show dozens of them!
According to Microsoft: “svchost.exe is a generic host process name for services that run from dynamic-link libraries.”
Put another way, the svchost.exe process is a system process found in all versions of Windows since Windows 2000 and NT. Owing to the way Windows is constructed, many of the common services are dynamically loaded at run-time, on request. So-called System services, such as the Windows Firewall and Printer Spooler, are actually packaged as dynamic-link libraries (.dll files) not executable program files (.exe). This makes for more re-use of program code, but you can’t launch a .dll file directly within Windows, it has to be loaded from an executable (.exe).
Hence commons services DLL’s are called and wrapped inside an svchost.exe process. You can even have multiple services running within one svchost.exe process.
A good number of the entries in Widows Control Panel are such services. If each service ran inside a single svchost.exe instance, a failure in one might crash your whole Windows operating system, so they are separated out.
But you don’t want every instance of every service spawning it’s own svchost process, so they are grouped together. For example, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance usually runs all the services related to the user interface. Printing is another svchost.exe which is instantiated when you begin printing.
Windows makes a stack of assumptions about which services to run full-time, every time you start up Windows and which to call on-demand. Sometimes these services keep running until you shut down, sometimes they are opened and closed for the duration you need them, every time a request is made.
What Windows has in the background is a complex system of managing all the services and svchost processes, opening and closing them as appropriate. Mostly.
Some are given over to services you never ever use, supporting common programs, hardware, protocols and devices you don’t have. Common doesn’t mean mandatory. In normal operation you can have a lot of svchost processes running before you even do anything on your computer.
Owing to the fact that lots of Windows code don’t integrate as well as they should, and sometimes Windows DLL’s and third-party DLL’s don’t play nice together, you can also get a lot of svchost processes running at once.
These can be active processes, or they can be ‘zombie’ processes; ones that have individually crashed, timed out, gone to sleep or been superceded by another svchost which takes over their function in your current Windows session.
All of these svchost processes will be using up precious resources; CPU cycles, memory addresses, stacks, heaps, file handles – a bunch of technical stuff you could probably care less about.
You can trim the unneeded service hosts by disabling or stopping the services that you don’t need to run. Also if you get ‘leech’ services, soaking up more CPU time or memory space than they should, you can restart the services running under that instance.
The problem is identifying what services are running inside a particular svchost.exe instance…
Opening Task Manager with “Show processes from all users” option checked doesn’t give you what you need.
Checking From the Command Line (Vista or XP Pro)
I hate to take this route, but in this case you need a command prompt:
This will show you what services are being hosted by a particular svchost.exe instance.
C:\Documents and Settings\allan>tasklist /svc
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 552 N/A
csrss.exe 616 N/A
winlogon.exe 644 N/A
services.exe 688 Eventlog, PlugPlay
lsass.exe 700 PolicyAgent, ProtectedStorage, SamSs
VBoxService.exe 864 VBoxService
svchost.exe 908 DcomLaunch, TermService
svchost.exe 1012 RpcSs
svchost.exe 1108 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
svchost.exe 1220 Dnscache
svchost.exe 1444 LmHosts, RemoteRegistry, SSDPSRV
vsmon.exe 1556 vsmon
spoolsv.exe 2004 Spooler
svchost.exe 252 WebClient
However, the command line output doesn’t tell you what services run under these cryptic names.
Checking in Task Manager in Vista
From the Task Manager, right-click on an svchost.exe process, then choose the “Go to Service” option. This takes you to the Services tab, where the services running under that svchost.exe process will be listed:
This method at least provides the real name under the Description column. You can then choose to stop or even disable the service if you don’t want it running.
Services in Windows Control Panel
To stop a service, go to Control Panel, Administrative Tools, then Services, or type services.msc into the Start Menu search or run box.
This lists all Services and you can double-click or right-click for a context menu, then choose Properties, then click the Stop button to immediately stop it. You can also change the Startup Type to Disabled, meaning it will never run. This can be a good diagnostic test.
Process Explorer in XP and Vista
There is a great utility called Process Explorer from Microsoft’s Sysinternals which shows the services running under each svchost.exe process.
Hover the mouse over an svchost process for a pop-up list open showing all the services running inside it. You can also double-click on an svchost.exe instance and select the Services tab, where you can stop any of the services individually.
In order to stop unwanted or troublesome services running at start-up, you can go to Control Panel, Administrative Tools, then Services, or type services.msc into the Start Menu search or run box.
This lists all Services and you can double-click or right-click for a context menu, then choose Properties. Change the Startup Type to Disabled, and then click the Stop button to immediately stop it. AJS