Svchost.exe is a generic host process for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. It is a valid system process that belongs to the Windows operating system and handles processes executed from DLLs. It runs from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost, where details of the services running under each instance of svchost.exe can be found. At startup, svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of svchost.exe running at the same time in Windows Task Manager, because the services are split across instances to make running them more efficient:
- svchost.exe SYSTEM
- svchost.exe LOCAL SERVICE
- svchost.exe NETWORK SERVICE
Each svchost.exe session can contain a grouping of services; therefore separate services can run, depending on how and where svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifiers (PIDs) must be checked in real time to determine which services each instance of svchost.exe is controlling at that particular moment. The PID is not static and can change with each logon, but the instances generally stay nearly the same because they are always running the same services.
Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate svchost.exe file is located in the C:\WINDOWS\system32\ folder. On 64-bit Windows 7/8 the file may also be located in the SysWOW64 folder. Malicious svchost.exe files are commonly located in the C:\Users\[UserName]\AppData\Local\Temp folder. The user profile AppData, ProgramData, and temp folders are common hiding places for malicious files.
Another technique is for the malicious process to alter the registry and add itself as a startup program or service so that it can run automatically each time the computer is booted. If svchost.exe is running as a startup item (it shows in msconfig), that is a bad sign, as shown here. Always make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.
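The checks described above (path outside system32/SysWOW64, hiding places such as AppData or Temp, and misspelled lookalikes such as scvhost.exe) can be scripted against a process listing. The following is an added example written for this page, not code from any of the tools it mentions. It runs over a small constructed process list so it works offline; on a real host the same fields (name, path, user, parent) come from Task Manager, Process Explorer or a PowerShell query such as Get-CimInstance Win32_Process. Two assumptions beyond the page: the default system root C:\Windows, and the rule that a genuine svchost.exe is started by services.exe (a Windows fact the page does not state). The account check treats the three accounts listed above as the expected ones.

```python
import ntpath
from difflib import SequenceMatcher

# Folders a genuine svchost.exe runs from (page: system32; SysWOW64 on 64-bit).
# ASSUMPTION: default system root C:\Windows; adjust for a non-default install.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Folder names the page lists as common hiding places for malicious files.
SUSPECT_MARKERS = {"appdata", "programdata", "temp"}

# Accounts the page lists for the real svchost.exe instances.
LEGIT_USERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Windows fact not stated on the page: services.exe launches the real svchost.exe.
EXPECTED_PARENT = "services.exe"


def assess_process(proc):
    """Return a list of findings for one process record; empty means nothing suspicious."""
    findings = []
    name = proc["name"].lower()

    if name != "svchost.exe":
        # Misspelled lookalike (e.g. scvhost.exe): close to the real name but not equal.
        if SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8:
            findings.append(f"lookalike name {proc['name']!r}")
        else:
            return findings  # unrelated process; not an svchost lookalike

    # Normalise case and separators so C:/Windows/System32 and c:\windows\system32 compare equal.
    folder = ntpath.dirname(ntpath.normcase(ntpath.normpath(proc["path"])))
    if folder not in LEGIT_DIRS:
        findings.append(f"runs from {proc['path']!r}, not system32/SysWOW64")

    hits = [part for part in folder.split("\\") if part in SUSPECT_MARKERS]
    if hits:
        findings.append(f"path passes through hiding place(s): {', '.join(hits)}")

    if proc["user"] not in LEGIT_USERS:
        findings.append(f"runs as {proc['user']!r} instead of a service account")

    if proc["parent"].lower() != EXPECTED_PARENT:
        findings.append(f"parent is {proc['parent']!r}, expected {EXPECTED_PARENT}")

    return findings


def scan(processes):
    """Map PID -> findings for every process that raised at least one finding."""
    report = {}
    for proc in processes:
        findings = assess_process(proc)
        if findings:
            report[proc["pid"]] = findings
    return report


# Constructed sample process list (not captured from a real machine).
SAMPLE_PROCESSES = [
    {"pid": 700, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "user": "SYSTEM", "parent": "services.exe"},
    {"pid": 1120, "name": "svchost.exe", "path": r"C:\Windows\SysWOW64\svchost.exe",
     "user": "NETWORK SERVICE", "parent": "services.exe"},
    {"pid": 3412, "name": "svchost.exe", "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "user": "alice", "parent": "explorer.exe"},
    {"pid": 3980, "name": "scvhost.exe", "path": r"C:\Windows\System32\scvhost.exe",
     "user": "SYSTEM", "parent": "services.exe"},
    {"pid": 2200, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe",
     "user": "alice", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, findings in sorted(scan(SAMPLE_PROCESSES).items()):
        print(f"PID {pid}:")
        for finding in findings:
            print(f"  - {finding}")
```

The path check compares the normalised parent folder against an allow-list rather than searching for the substring "system32", so a file under C:\Users\alice\system32\ is still flagged. The name check uses a similarity ratio so that transpositions like scvhost.exe are caught without a hand-written list of misspellings, while unrelated names such as notepad.exe are ignored.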
Investigating Svchost.exe: Tutorials
Windows Task Manager does not provide enough information. These are tools built specifically for investigating svchost.exe:
These are more tools to investigate services, running processes, programs that run at startup, and gather additional information to identify them or resolve problems:
These tools provide information about each process: its CPU usage, file description and location. Most of them are stand-alone portable apps in a zip file, so no installation is necessary. The first five tools are especially useful, and I use them all to compare the information each provides.
Effective security tools like Malwarebytes will typically find and remove malicious svchost files safely.