Wednesday, November 3, 2010


You're probably reading this post because you are wondering why there are so many processes running with the name svchost.exe. What are they? Microsoft has been strangely nebulous about this service. Usually Windows services have meaningful names, and so do their associated processes. This is not the case for this sort of black box. What's hiding inside? And why does it so often consume so many server resources?

Microsoft has given its users a tool to check computer performance. This tool is Task Manager, which is the only way to check what's going on on a server but which doesn't give enough details about running processes and services. For instance, in Windows 2003, no information is given about the process path or about the command that started it.

So, since Task Manager under Windows 2003 won't give you many details, you can rely on third-party tools (such as Process Explorer, which Microsoft wisely bought and that you can download for free) or open your command prompt and type tasklist /svc. Running this command will give you some more information about the services behind each process:
  • svchost.exe DcomLaunch, TermService
  • svchost.exe RpcSs
  • svchost.exe BITS, Browser, CryptSvc, Dhcp, dmserver, EventSystem, helpsvc, HidServ, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, TrkWks, W32Time, winmgmt, WZCSVC
  • svchost.exe Dnscache
  • svchost.exe LmHosts, RemoteRegistry, SSDPSRV
  • svchost.exe WebClient
Information about these services running under svchost.exe is controlled by the Windows registry, which stores configuration information in the Services registry key (HKLM\SYSTEM\CurrentControlSet\Services). The svchost.exe process itself identifies the services it hosts by checking the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. Each value under this key declares a separate Svchost group and appears as a separate instance of svchost.exe when you are viewing active processes.
Under Windows 2003, services are arranged in the following groups:
  • netsvcs
  • LocalService
  • NetworkService

Under Windows 2008, services are grouped in smaller groups, for better management and control:
  • LocalService
  • LocalServiceAndNoImpersonation
  • LocalServiceNetworkRestricted
  • LocalServiceNoNetwork
  • LocalServicePeerNet
  • LocalSystemNetworkRestricted
  • NetworkService
  • NetworkServiceAndNoImpersonation
  • NetworkServiceNetworkRestricted
Furthermore, Task Manager was greatly improved in Windows 2008: by selecting the appropriate columns you will get a lot of information about the svchost.exe process straight out of the box.

What's more, a "Services" tab in Windows Task Manager presents you with a list of services with their groups and Process IDs (PIDs), for simpler troubleshooting. Using it you will soon discover that behind svchost.exe you usually have:
  • The ALERTER service: svchost.exe -k LocalService
  • The APPLICATION MANAGEMENT service: svchost.exe -k netsvcs
  • The AUTOMATIC UPDATE service (used by WSUS): svchost.exe -k netsvcs
  • The BITS service: svchost.exe -k netsvcs
  • The COM+ Event System: svchost.exe -k netsvcs
  • The DHCP Client service: svchost.exe -k netsvcs
  • The DNS CLIENT service (the cache for DNS records): svchost.exe -k NetworkService
  • The WEBCLIENT service (used to access Sharepoint): svchost.exe -k LocalService
... and some others.
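
The same mapping can be pulled in one pass from PowerShell. The script below is an added example, not part of the original post: it reads the groups declared under the SvcHost registry key, lists every running service hosted by svchost.exe with its PID and -k group, and marks whether the service is actually listed in that group. It assumes Windows PowerShell 2.0 or later in an elevated prompt; the variable and column names are illustrative.

```powershell
# Added example: map running svchost.exe instances to their group and services.
# Assumption: Windows PowerShell 2.0+ (Get-WmiObject is not available in PowerShell 7).

$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

# Each multi-string value under the key declares one group;
# the value data is the list of services allowed in that group.
$key = Get-Item -Path $svcHostKey
$declared = @{}
foreach ($name in $key.GetValueNames()) {
    if ($key.GetValueKind($name) -eq 'MultiString') {
        $declared[$name] = $key.GetValue($name)
    }
}

# PathName is the configured command line of the service (from the Services key),
# for example: C:\WINDOWS\system32\svchost.exe -k netsvcs
$hosted = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' }

$report = foreach ($svc in $hosted) {
    # Extract the group name that follows the -k switch, if any.
    $group = $null
    if ($svc.PathName -match '-k\s+"?([^\s"]+)') { $group = $Matches[1] }

    # Is this service listed in the registry under the group it claims?
    $inRegistry = $false
    if ($group -and $declared.ContainsKey($group)) {
        $inRegistry = $declared[$group] -contains $svc.Name
    }

    New-Object PSObject -Property @{
        PID         = $svc.ProcessId
        Group       = $group
        Service     = $svc.Name
        InRegistry  = $inRegistry
        CommandLine = $svc.PathName
    }
}

$report | Sort-Object PID, Service |
    Format-Table PID, Group, Service, InRegistry, CommandLine -AutoSize
```

Rows that share a PID are services running inside the same svchost.exe instance; a row with InRegistry set to False is a service whose -k group does not list it in the registry and is worth a closer look.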

Under Windows 2008, it is also wise to compare the performance of each process with its network activity. This can be done with the netstat command. Run netstat -b -o and you will get the network activity of each svchost.exe process along with its PID.

netstat -b -o
Active Connections
Proto Local Address Foreign Address State PID
TCP 10.18.x.x:3389 server2003:58863 ESTABLISHED 1436 TermService [svchost.exe]
TCP 10.18.x.x:3389 server2008:3259 ESTABLISHED 1436 TermService [svchost.exe]

If you have a performance problem, once you have determined what's taking so many resources, just find the failing service in the services.msc MMC snap-in and stop it. You should see an immediate performance improvement. Additionally, you can trim down unneeded services by permanently disabling them.

Please let me know if you have found this post useful! You may also find the following books interesting for a better understanding of Windows:


  1. Thanks for this great explanation and for taking the time to detail everything we should know! Great post!!

  2. disabling really helped! thx

  3. svchost tools

  4. Thanks for this explanation. I understand many things now... Some services will die héhéhé !

    Oops, everybody knows I'm French now... :-)


  5. Helpful to start to get at the problem (I have 10 of these files) but how do you also know which of the many underlying services actually need be active all the time?

  6. @David There is a freeware called "Svchost Process Analyzer" to analyze all svchost processes. Just google for it.

