What is svchost.exe and how do I kill it?


I ain't 'fraid of no Host!

Multitasking operating systems run a bunch of stuff all the time… so much so that it may be difficult to know which processes you actually want running.  The obfuscation of all this stuff benefits virus and spyware authors, as they can run their dirty little programs mostly unnoticed.  Because spyware is so prevalant today, people are starting to look at what’s actually running in their Task Manager.

You may have become suspicious of a program called “svchost.exe”.  There are usually several of them running at the same time, and look like they could be a hijacked program or under the influence of other spyware.  So what is svchost, and what can you do about it?

According to Microsoft: “svchost.exe is a generic host process name for services that run from dynamic-link libraries”.

Several years ago, Microsoft tried to “modularize” many of their programs by moving shared code libraries into DLLs (dynamic link libraries).  This has led to the term “DLL Hell” where there are several different versions of the same DLL, referenced by several different programs.  Visual Basic programs were famous for this, and Microsoft has since moved to their “dot Net” initiative.  Now, instead of having multiple single DLLs, there is a group of libraries contained under the dot Net umbrella… but it’s still possible to have multiple versions of the libraries referenced by different applications, and some programs will only work with a specific version of the dot Net libraries… but I digress…

The important thing to know is that DLLs cannot be called directly (they must be called from an executable), so Windows loads these libraries into a running executable… called SVCHOST.EXE.

There are even more programs actually running than what you can directly see in a task list.  There are several Services that run in the background; some of which you need, most of which you don’t.  Many of these services run in a seperate svchost.exe instance.  The reason for this seperation is so if one crashes, then it doesn’t affect other running services, or crash Windows altogether.  Therefore there are multiple instances of svchost running.

You really can’t determine easily which instance of svchost is hosting which Service (or group of Services), which is why it is even more important to disable services that you absolutely don’t need.  If you are behind a hardware firewall, then you may not need to run a software firewall, for instance.  If you have less than 4GB of RAM, then you probably don’t need the intelligent caching features of SuperFetch (read how to disable it here).

If you actually want to see which Services are running under each instance of svchost, then you can use the command line to do so.  These commands are also handy when you need to put a leash on a rogue program or virus that has disabled the Task Manager (read more here).

To see a list of all running tasks, type this into the command line:

tasklist /SVC

You will see a Services column that shows the Services running under a particular svchost.  You will also the the PID (process ID).

If you’re just browsing through Task Manager, an easier method is to right-click the copy of svchost.exe you’re curious about and select “Go to Service(s)”. You will then be shown the Services tab, with the associates services highlighted.  There is a Description column that tells you exactly what the service is, so you can disable it if you really don’t need it.

To disable a particular service, open up Services from the administrative tools section of Control Panel, or type services.msc into the start menu search or run box.

Find the service in the list that you’d like to disable, and either double-click on it or right-click and choose Properties.

Set the service to Disabled, and then click on the Stop button.  Repeat for any services that you don’t need, and you’ll notice the number of svchost.exe instances drop!

Alan is a web architect, stand-up comedian, and your friendly neighborhood Grammar Nazi. You can stalk him on the Interwebs via Google+, Facebook and follow his ass on Twitter @ocmodshop.