How to identify what's really running as SVCHOST.EXE

Many services that are identified as critical are started by SVCHOST; this tip is a small way of seeing these associations and the different instances of SVCHOST.


May 04th, 2005 - 06:00 pm ET by R. K.

What is Svchost.exe?

This is the name of a generic host process for services that are executed from DLL files. Still don’t understand? In English, it means this:

Simple Explanation

It’s a Windows process that shows up in the Task Manager alongside other visible processes such as “explorer.exe” or “winlogon.exe”, but with the particularity of being generic: it functions as a host for all the services that start from DLL files. The name says as much: cut svchost in two and you have svc for services and host for host.

Detailed explanation

The svchost.exe file can be found in the %SystemRoot%\System32 folder. Each time Windows starts, the svchost.exe process analyses the “services” section of the registry so that it can build a list of all the services it needs to load. Multiple instances of svchost.exe can run side by side, each one containing a unique service or group of services.

If you are curious, you can consult these groups of services via the registry editor in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost branch.


Each value under this key represents a group of services and will, as a consequence, run as its own instance of svchost.exe. These groups appear as distinct instances when you view the active processes, as you can see from the following screen capture:

Image



As you can see, these instances don’t actually provide you with a lot of information about the services that are running, which can be a little frustrating. Fortunately there is a simpler way of listing the group of services that are executed via the svchost.exe process, which we will look at a little later.

To identify the DLL files that are used by these services, and then the services that are executed from these DLL files, you will need to look at the following tree:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[name of service in question]\Parameters

Image



In the example above, for the “Nla” service, you can see that the DLL named in the ServiceDll value is in fact mswsock.dll.
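The two registry lookups described above can be combined into a single listing. The following PowerShell script is an added example, not part of the original tip: it reads every service group under the Svchost key, looks up each service's ServiceDll under its Parameters key, and adds the PID of the svchost.exe instance currently hosting it. It assumes a local Windows session with read access to HKLM; the variable names are illustrative.

```powershell
# Added example: map svchost groups -> services -> ServiceDll -> hosting PID.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service name -> PID of the process hosting it (0 when the service is stopped).
$hostPid = @{}
Get-CimInstance -ClassName Win32_Service |
    ForEach-Object { $hostPid[$_.Name] = $_.ProcessId }

$groups = Get-Item -Path $svchostKey

$report = foreach ($groupName in $groups.GetValueNames()) {
    # Service groups are stored as multi-string values; skip anything else.
    $kind = $groups.GetValueKind($groupName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) { continue }

    foreach ($service in $groups.GetValue($groupName)) {
        # ServiceDll lives under Services\<name>\Parameters, as described above.
        $paramPath = Join-Path -Path $servicesKey -ChildPath "$service\Parameters"
        $dll = $null
        if (Test-Path -Path $paramPath) {
            $dll = (Get-ItemProperty -Path $paramPath -Name ServiceDll `
                        -ErrorAction SilentlyContinue).ServiceDll
        }

        [pscustomobject]@{
            Group      = $groupName
            Service    = $service
            Pid        = $hostPid[$service]   # empty if the service is not installed
            ServiceDll = $dll                 # empty if no ServiceDll value was found
        }
    }
}

$report | Sort-Object -Property Group, Service | Format-Table -AutoSize
```

Rows with an empty ServiceDll are services named in a group but without a Parameters\ServiceDll value on this machine; rows sharing a Pid are running inside the same svchost.exe instance.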

So this should explain most things that you will need to know about the svchost.exe file. So, that’s enough blah blah, let’s see what’s next…

