Probably being paranoid but I just got a new laptop and the first thing I noticed was it was using a bit more memory than I'm used to (~10% on startup of 14 gigs). Anyways, I check out the task manager and I see one of the svchost.exe using 100k+. Last time I had a problem with my desktop which had this similar symptom. So my question: is this a problem, me being paranoid, or just something else going on?
Thanks for reading as always.
svhost.exe taking up memory
#2
Posted 03 September 2011 - 06:45 AM
Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (.dll's) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Windows Task Manager in order to optimize the running of the various services.
- svchost.exe SYSTEM
- svchost.exe LOCAL SERVICE
- svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifiers (PIDs) must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. The PID is not static and can change with each logon but generally they stay nearly the same because they are always running services.
Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder. In Windows 7 64-bit the file may be located in the SysWOW64 folder.
Another technique is for the process to alter the registry and add itself as a service or startup program as shown here and here so that it can run automatically each time the computer is booted. If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Always make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.
Task Manager does not provide enough information. These are tools to investigate running processes, services and gather additional information to identify them or resolve problems:
- Process Explorer
- System Explorer
- ProcessHacker - (requires Microsoft .NET Framework 2.0 or above to use)
- Autoruns
- Process Monitor
- AnVir TaskManager Free
- Windows Service Commander
- svchostViewer
These tools will provide information about each process, CPU usage, file description and its path location. Most of them are stand-alone apps in a zip file so no installation is necessary.
-- System Explorer provides a security check of running processes using their online security database when you first launch the program. If you want to process the initial scan, press the "Start Security Check" button. Keep in mind that the check is not a guarantee of what is or is not detected as malware. Further investigation is always recommended. At the Security Check page you can also check the file through the VirusTotal database by pressing the Check MD5 button.
-- Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
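An added example (not part of this thread and not one of the tools listed in the reply above): a PowerShell script that does the triage post #2 describes using only built-in Windows components. It assumes Windows 7 or later with PowerShell 3+ (for Get-CimInstance) and an elevated prompt so that every process's image path is readable; the registry key and the System32/SysWOW64 locations are the ones named in the reply.

```powershell
# Added triage script: for every svchost.exe instance show its PID, memory, image path,
# whether that path is one of the expected Windows system directories, and the services
# it hosts (from Win32_Service.ProcessId). Then list the service groups under the Svchost key.
$sys32  = Join-Path $env:SystemRoot 'System32'
$wow64  = Join-Path $env:SystemRoot 'SysWOW64'
$svcKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Map hosting process -> services (hashtable keyed by PID as a string).
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object ProcessId -AsHashTable -AsString

# Only processes literally named svchost.exe; misspelled lookalikes are checked further down.
$hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

$report = foreach ($p in $hosts) {
    $path = $p.ExecutablePath        # $null for protected processes when not elevated
    $inSystemDir = [bool]$path -and (
        $path.StartsWith("$sys32\", 'OrdinalIgnoreCase') -or
        $path.StartsWith("$wow64\", 'OrdinalIgnoreCase'))
    $key = [string]$p.ProcessId
    $hosted = if ($svcByPid.ContainsKey($key)) {
        (@($svcByPid[$key]) | ForEach-Object Name | Sort-Object) -join ', '
    } else { '(none)' }
    [pscustomobject]@{
        PID          = $p.ProcessId
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        ExpectedDir  = $inSystemDir
        Path         = $path
        Services     = $hosted
    }
}
$report | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize -Wrap

# The hiding trick from the reply: same name, different folder.
$report | Where-Object { -not $_.ExpectedDir } | ForEach-Object {
    Write-Warning "svchost.exe PID $($_.PID) runs from an unexpected path: $($_.Path)"
}

# The other trick from the reply: a near-miss spelling such as scvhost.exe.
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ne 'svchost.exe' -and $_.Name -match '^s[cv]{1,3}host\.exe$' } |
    ForEach-Object { Write-Warning "Lookalike: $($_.Name) PID $($_.ProcessId) at $($_.ExecutablePath)" }

# Service groups registered under the Svchost key (each REG_MULTI_SZ value is one group).
(Get-ItemProperty -Path $svcKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [array] } |
    ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Value -join ', ') }
```

Compare the Services column against the list the poster gathered with the third-party tools; a high-memory instance whose services are all known Windows services and whose path passes the ExpectedDir check is the normal case.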
#3
Posted 03 September 2011 - 05:12 PM
Hello there.
I went through and downloaded/used a couple of those programs to check out the process. It is svchost.exe PID: 964. It includes AudioEndpointBuilder, hidserv, HomeGroupListener, Netman, Pcasvc, SsMain, TrkWks, UxSms, Wlansv, wudfsv. All of them seem to check out fine and be legitimate stuff, but today the memory usage is now at 288k compared to yesterday's 100k.