If using Internet Explorer 8 or Windows 7, the browser will run an extra instance
of iexplorer.exe for a loaded tab as part of the Loosely-Coupled IE
and Automatic Crash Recovery
features by design. ACR stores information about a browsing session on the hard disk so that in the event of a browser crash, hang, or other unexpected shutdown, it you to resume the last browsing session. If using multiple tabs, ARC allows recovery of all opened tabs in case of a browser failure. Essentially that allows Internet Explorer to prevent itself from closing when a web site in one tab crashes. In order to this, Internet Explorer 8 will open a new process for the main window and another process with any opened tab
. As such, it is not unusual to find multiple instances of iexplore.exe running in Task Manager
. More information about ACR and LCIE can be found on the IEBlog
and an explanation of multiple instances of iexplorer.exe is provided by DON, MS MVP IE here
. One drawback of this new feature is that ACR has been reported to utilize high memory resources.
Disabling ACR is not recommended
, but if you want to do so, please refer to:Svchost.exe
is a generic host
process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's
. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time
in Task Manager
in order to optimize the running of the various services.
- svchost.exe SYSTEM
- svchost.exe LOCAL SERVICE
- svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.
Determining whether a file is malware or a legitimate process usually depends on the location
(path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder.
Another techinique is for the process to alter the registry and add itself as a service
or startup program as shown here
so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut
which is a dangerous polymorphic file infector
If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here
. Always make sure the spelling
is correct. If it's scv
host.exe, then your dealing with a Trojan
There are several ways to investigate and see what services a Svchost.exe process is controlling:
Tools to investigate running processes and gather additional information to identify them and resolve problems:-- These tools will provide information about each process, CPU usage, file description and its path location.
-- System Explorer provides a security check of running processing using their online security database when you first launch the program. If you want process the initial scan, press the "Start Security Check" button. Keep in mind, that the check is not a guarantee of what is or is not detected as malware. Further investigation is always recommended. At the Security Check page you can also check the file through the VirusTotal database by pressing the Check MD5 button.
-- Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.