PID or Process ID number is randomly selected when a process is created by Windows. So the PID would be different each time a program runs on a system. It is not important.
svchost.exe is used by Windows to run Windows services. It is also used by some malware programs. You can tell a Microsoft svchost.exe by seeing that its path is C:\Windows\System32\svchost.exe and that it is being run by the System.
You can download Sysinternals Process Explorer from http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
Run it as administrator. From the menu, select View > Select Columns and choose Command Line. This way you can see CPU usage, command line, full path of svchost.exe, etc. in Process Explorer.
A legitimate svchost.exe would have a User beginning with NT_AUTHORITY, for example, NT_AUTHORITY/SYSTEM etc. Also, it should be located in C:\Windows\System32\svchost.exe (depends on your Windows folder).
You can also verify a program by its digital signature in Process Explorer. Select View > Select Columns and choose Verified Owner. Then from the menu, select Options > Verify Image Signatures. If an image signature cannot be verified, it may indicate an illegitimate, fake or malware process.
Edited by Romeo29, 10 April 2010 - 06:52 AM.
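
The three checks described in the post above (image path, owning account, image signature) can also be scripted. The PowerShell below is an added example, not part of the original post; it assumes an elevated prompt and matches the account domain as Windows reports it, `NT AUTHORITY`.

```powershell
# Added example: audit every running svchost.exe against the post's criteria
# (expected image path, NT AUTHORITY owner, verifiable image signature).
# Run from an elevated PowerShell prompt so paths and owners are readable.

# Expected location, derived from the actual Windows folder on this machine.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

$results = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    # GetOwner can fail for some processes; record that as unknown.
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    $account = if ($owner -and $owner.ReturnValue -eq 0) {
        "$($owner.Domain)\$($owner.User)"
    } else { '<unknown>' }

    # Verify the signature of the image the process was actually started from.
    $path      = $proc.ExecutablePath
    $sigStatus = '<no path>'
    $signer    = ''
    if ($path) {
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Collect every criterion this instance fails.
    $reasons = @()
    if (-not $path)                         { $reasons += 'path unreadable' }
    elseif ($path -ine $expectedPath)       { $reasons += 'unexpected path' }
    if ($account -notlike 'NT AUTHORITY\*') { $reasons += 'unexpected account' }
    if ($sigStatus -ne 'Valid')             { $reasons += 'signature not verified' }

    [pscustomobject]@{
        PID         = $proc.ProcessId
        Account     = $account
        Path        = $path
        Signature   = $sigStatus
        Signer      = $signer
        CommandLine = $proc.CommandLine
        Review      = $reasons -join '; '
    }
}

# Instances that failed a check sort to the top.
$results | Sort-Object Review -Descending | Format-List
```

A non-empty Review value means that instance fails one of the criteria above and deserves a closer look in Process Explorer; it is not by itself proof of malware.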