Analyzing the svchost.exe processes
I have more than once asked myself why so many svchost.exe processes were running when I opened the Task Manager, which displayed nothing beyond the process name and a few basic figures.
I needed another tool that would help me analyze the svchost.exe processes and determine whether they were really needed, or even malicious.
The first step was to download the excellent Process Explorer from Sysinternals. This program gives detailed information on all processes currently running on the system including services and files that depend on them as well as the path to the file on the operating system.
All processes running on the system are displayed in Process Explorer once the application starts. Press CTRL + L to open a pane at the bottom that shows extensive information about the selected process. Hovering the mouse over a process displays information as well, but not in the depth the bottom pane provides.
Let's take a quick look at what Wikipedia has to say about svchost.exe:
In software, Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs) within modern versions of the Microsoft Windows operating system.
At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging, but it also causes some difficulty for end users wishing to see the memory usage or vendor legitimacy of individual services and processes.
The last sentence sums up the dilemma that we, the users, are in. How can we figure out whether a svchost.exe process is legitimate and needed, a waste of memory and processing power, or even malicious?
I'm going to explain how you can find out with reasonable certainty whether a process is needed or not. Back to Process Explorer.
Hover the mouse over the first svchost process and take a look at what it is saying. It should display the path plus the services that started this svchost process.
The first service on my system was the HTTP SSL service, a service that is not needed at all on my system. I first thought it had something to do with the ability to open https websites, but this is not the case. Completely useless for end users. I opened services.msc, stopped the service and set it to disabled as well.
The svchost process disappeared in Process Explorer. To test that everything was still working I opened an https URL in Firefox, which worked perfectly fine.
The next svchost.exe process was running because of the Windows Image Acquisition service. I do have a camera that uses this service, but I seldom transfer pictures from the camera to my system. I decided to disable and stop this service as well and activate it whenever I want to transfer images. And poof, the second svchost process vanished.
I went through all svchost processes using the same methodology: hover the mouse over the process, type the service in question into a search engine, read up on it and decide whether I really need it. Users who want to be on the safe side stop the service and test whether everything still works as usual. They can alternatively set the service to manual if the first tests are successful and later on to disabled.
A good resource for service information is Black Viper.
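The mapping Process Explorer shows in its tooltip (svchost.exe instance to hosted services) can also be produced from the command line. The following PowerShell script is an added example, not part of the original article or of Process Explorer; it lists every running svchost.exe with its image path and hosted services, and flags instances whose image is not the one under System32 or that host no registered service, which are the cases worth a second look.

```powershell
# Added example: map each svchost.exe process to the services it hosts,
# and flag the cases a defender would want to inspect. Run in an elevated
# PowerShell session on Windows; Get-Process cannot read the image path of
# processes in other sessions without elevation.

# Build a lookup table: process ID (as string) -> services running in it.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# The only legitimate image location for the service host.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostReport {
    Get-Process -Name svchost | ForEach-Object {
        $proc   = $_
        $hosted = $servicesByPid["$($proc.Id)"]
        $path   = $proc.Path

        # Decide what, if anything, looks off about this instance.
        $check = if ($null -eq $path) { 'path unknown (run elevated)' }
                 elseif ($path -ne $expectedPath) { 'UNEXPECTED IMAGE PATH' }
                 elseif (-not $hosted) { 'hosts no registered service' }
                 else { 'ok' }

        [pscustomobject]@{
            PID      = $proc.Id
            Path     = $path
            Services = if ($hosted) { $hosted.Name -join ', ' } else { '-' }
            # Start mode tells you whether disabling is a registry change
            # away; taken from the first hosted service as a hint only.
            Start    = if ($hosted) { ($hosted | Select-Object -First 1).StartMode } else { '-' }
            Check    = $check
        }
    } | Sort-Object PID
}

Get-SvchostReport | Format-Table -AutoSize -Wrap
```

On recent Windows 10/11 builds with more than about 3.5 GB of RAM, most services are split into their own svchost.exe instance, so expect many rows with a single service each rather than the grouped layout the article describes.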
I have a dual core laptop and it was always pegged at 50%. Process Explorer helped me figure out that svchost was running an HP network device service for a network attached printer. That service was the problem. I disabled it and all is well.
Try Process Explorer to find out if it is really not running.
It’s really weird, for some reason my svchost stopped appearing in the Windows Task Manager. Before it disappeared one instance of it alone was taking up about 40,000 KB of my RAM. Now that instance along with all other instances have completely disappeared. It gives me a lot more room in my RAM (about 20% more), and seems to have no adverse effects. But I’m afraid that there is something wrong with the fact that they just disappeared. I have even tried to run the exe manually and when I click it, it does nothing.
Does anybody here know what might have caused this process to simply disappear?
Great minds think alike :P
LOL
This is a good article.
If you want more of this type of thing in gory details, check out:
http://blogs.technet.com/markrussinovich/default.aspx
Raymond no prob, I understood it correctly ;)
Yeah I do, and it was one of it that brought in hell lotta traffic. By the way, I was just joking about the idea thing. Don’t take it to heart ok?
Why Raymond :), do you have an article of that on your website ?
I’ve already got an article on that. Did you get the idea from my site :P
Maybe the next thing you’ll write is about analyzing rundll32.exe
Man, I’ve been having some bad troubles with svchost.exe recently being used by Windows’ WMI for making some kind of repositories (I guess MSFS 2004 uses it in a certain way). The core of the problem is wbemcore.dll which seems to eat up tons of CPU time w/o any visible outcome. When I kill the whole svchost this library is using, it immediately frees my CPU. Though, it sucks pretty badly to have to manually or automatically kill this process every time I run MSFS 2004 :( Haven’t tried to totally disable the WMI function, I guess it’s not the best idea… :/