FYI for those reading this topic, especially our novice members.Svchost.exe
is a generic host
process name for a group of services that are run from dynamic-link libraries (.dll's
) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time
in Windows Task Manager
in order to optimize the running of the various services.
- svchost.exe SYSTEM
- svchost.exe LOCAL SERVICE
- svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifier
(PID)'s must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. The PID is not static and can change with each logon but generally they stay nearly the same because they are always running services.
Determining whether a file is malware or a legitimate process usually depends on the location
(path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder. In Windows 7/8 64-bit the file may be located in the SysWOW64 folder
. Malicious svchost.exe files are commonly located in the C:\Users\[UserName]\AppData\Local\Temp folder. The user profile AppData, ProgramData, and temp folders are common hiding places
for malicious files.
Another technique is for the maicious process to alter the registry and add itself as a startup program
so that it can run automatically each time the computer is booted. If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here
. Always make sure the spelling
is correct. If it's scv
host.exe, then your dealing with a Trojan.Investigating Svchost.exe Tutorials:
Effective security tools like Malwarebytes Anti-Malware
will typically find and remove malicious svchost files safely.