Analyzing the svchost.exe processes
I more than once asked myself why I had so many svchost.exe processes running when opening the task manager which displayed no additional information besides name and basic information.
I needed another software that would help me analyze the svchost.exe processes and determine if they were really needed or even malicious.
The first step was to download the excellent Process Explorer from Sysinternals. This program gives detailed information on all processes currently running on the system including services and files that depend on them as well as the path to the file on the operating system.
All processes that are running on the system are displayed in Process Explorer after starting the application. Press CTRL + L to display a pane at the bottom that displays extensive information about the selected process. Moving the mouse over the process displays information as well but not in depth like the bottom pane does.
Let's take a quick look at what Wikipedia has to say about svchost.exe:
In software, Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs) within modern versions of the Microsoft Windows operating system.
At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging, but it also causes some difficulty for end users wishing to see the memory usage or vendor legitimacy of individual services and processes.
The last sentence pretty much sums up the dilemma that we, the users, are in. How can we figure out if an svchost.exe process is legitimate and needed, or a waste of memory and processing power, or even malicious?
I'm going to explain how you can find out with good certainty whether a process is needed or not. Back to Process Explorer.
Hover the mouse over the first svchost process and take a look at what it is saying. It should display the path plus the services that started this svchost process.
My first service was the HTTP SSL service that was running on my system, a service that is not needed at all on my system. I first thought it had something to do with the ability to open https websites, but this is not the case. Completely useless for end users. I opened services.msc, stopped the service and set it to disabled as well.
The svchost process disappeared in Process Explorer. To test that everything was still working I opened an https URL in Firefox, which worked perfectly fine.
The next svchost.exe process was running because of the Windows Image Acquisition service. I do have a camera that uses this service, but I seldom transfer pictures from the camera to my system. I decided to disable and stop this service as well and activate it whenever I want to transfer images. And poof, the second svchost process vanished.
I went through all svchost processes using the same methodology: hover the mouse over it, type the service in question into a search engine, read up on it and decide whether I really need it. Users who want to be on the safe side stop the service and test if everything is still working as usual. They can alternatively set the service to manual if the first tests are successful and then later on to disabled.
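The same inventory can be scripted. The following is an added example, not part of the original post: it lists every svchost.exe instance, the services it hosts, its image path and its parent, and flags instances that do not come from System32 or were not started by services.exe (where a genuine svchost.exe always originates). It assumes Windows PowerShell 5.1 or later and an elevated prompt so that executable paths are readable.

```powershell
# Added example (not the article's own code): map svchost.exe instances to the
# services they host and apply two basic legitimacy checks.
# Assumes Windows PowerShell 5.1+; run elevated so ExecutablePath is populated.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Win32_Service records the ProcessId of the host process for each running service.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

$report = foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId }

    # Checks a defender applies before researching the individual services:
    # a genuine svchost.exe lives in System32 and is launched by services.exe.
    # A null Path usually means insufficient privilege, not malice; rerun elevated.
    $pathOk   = ($p.ExecutablePath -ieq $expectedPath)
    $parentOk = ($parent.Name -ieq 'services.exe')

    [pscustomobject]@{
        PID        = $p.ProcessId
        Path       = $p.ExecutablePath
        Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }
        Services   = ($hosted.Name -join ', ')
        Suspicious = -not ($pathOk -and $parentOk)
    }
}

# Suspicious instances first, then research the listed services as described above.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

An empty Services column for a live svchost.exe instance is itself worth a second look, since every legitimate instance exists only to host at least one service.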
A good resource for service information is Black Viper.