What Is Svchost.exe


Eleanora Parrot

Aug 5, 2024, 1:44:22 AM8/5/24
to atadiflu
Svchost.exe (Service Host, or SvcHost) is a system process that can host one or more Windows services in the Windows NT family of operating systems.[1] Svchost is essential in the implementation of shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family.[2] However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. Problems with various hosted services, particularly with Windows Update,[3][4] get reported by users (and headlined by the press) as involving svchost.

Services running in SvcHost are implemented as dynamically-linked libraries (DLLs). Each service's registry key must have a value named ServiceDll under the Parameters subkey, pointing to the respective service's DLL file. Their ImagePath definition is of the form %SystemRoot%\System32\svchost.exe -k %service group% (e.g. netsvcs). Services sharing the same SvcHost process specify the same parameter, having a single entry in the SCM's database. The first time that a SvcHost process is launched with a specific parameter, it looks for a value of the same name under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key, which it interprets as a list of service names. Then it notifies the SCM of all the services that it hosts. SCM does not launch a second SvcHost process for any of those received services; instead, it simply sends a "start" command to the respective SvcHost process containing the name of the service that should be launched within its context, and whose respective DLL SvcHost loads.
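As an added example (not part of the article), the following PowerShell script walks the registry locations just described: it reads each service's ImagePath, keeps those of the svchost.exe -k <group> form, resolves the Parameters\ServiceDll value, and checks the service name against the group's member list under the Svchost key. The flags it raises (a DLL outside %SystemRoot%\System32, a DLL missing from disk, a service absent from its group list) are review prompts rather than verdicts: third-party products do register svchost-hosted services whose DLL lives under Program Files. The registry paths are the ones named above; the flag names and output layout are this example's own.

```powershell
# Added example, not from the article: inventory svchost-hosted services from the
# registry and flag entries that deserve a second look.
# Run in an elevated PowerShell so every service key's Parameters subkey is readable.

$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$system32  = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()

# Group name -> list of member service names (each value under the Svchost key
# is a REG_MULTI_SZ of service names, as the article describes).
$groupKey = Get-Item -Path $groupRoot
$groups = @{}
foreach ($name in $groupKey.GetValueNames()) {
    $groups[$name] = @($groupKey.GetValue($name))
}

$findings = foreach ($key in Get-ChildItem -Path $svcRoot) {
    $imagePath = $key.GetValue('ImagePath')
    if (-not $imagePath) { continue }

    # Keep only "...\svchost.exe -k <group>"; further arguments (e.g. -p) may follow.
    if ($imagePath -notmatch '(?i)svchost\.exe\s+-k\s+(?<group>\S+)') { continue }
    $group = $Matches['group']

    # The DLL that svchost will load for this service.
    $paramsPath = Join-Path $key.PSPath 'Parameters'
    $serviceDll = $null
    if (Test-Path -Path $paramsPath) {
        $serviceDll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    }
    $expanded = if ($serviceDll) { [Environment]::ExpandEnvironmentVariables($serviceDll) } else { $null }

    $flags = @()
    # A service whose -k group does not list it under the Svchost key.
    if (-not $groups.ContainsKey($group) -or $groups[$group] -notcontains $key.PSChildName) {
        $flags += 'not-in-group-list'
    }
    if (-not $expanded) {
        $flags += 'no-ServiceDll'
    } else {
        if (-not $expanded.ToLowerInvariant().StartsWith($system32)) { $flags += 'dll-outside-System32' }
        if (-not (Test-Path -LiteralPath $expanded)) { $flags += 'dll-missing' }
    }

    [pscustomobject]@{
        Service    = $key.PSChildName
        Group      = $group
        ServiceDll = $expanded
        Flags      = ($flags -join ',')
    }
}

$findings | Sort-Object Group, Service | Format-Table -AutoSize
''
'Entries worth reviewing:'
$findings | Where-Object Flags | Format-Table -AutoSize
```

The dll-outside-System32 flag is the one most worth reading carefully: a ServiceDll that points into a user-writable directory means whoever can write that file controls code that runs under the service's account the next time the group starts.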


Starting with Windows 10 version 1703, Microsoft changed the way services are grouped into host processes. On client computer systems with more than 3.5 GB of memory, services are no longer grouped into shared host processes. Instead, each service is run in its own process. This results in better isolation of services, making the computer system more resilient to service failures and vulnerabilities and easier to debug. However, it adds some memory overhead.[7]


Starting with Windows Vista, the internal identification of services inside shared processes (svchost included) is achieved by so-called service tags. The service tag for each thread is stored in the SubProcessTag of its thread environment block (TEB). The tag is propagated across all threads that a main service thread subsequently starts, except for threads created indirectly by Windows thread-pool APIs.[8]


The set of service tag management routines is currently an undocumented API, although it is used by some Windows utilities like netstat to display the TCP connections associated with each service. Some third party tools like ScTagQuery also make use of this API.[8]


In Windows XP and later editions, the command tasklist /svc shows a list of the services being run by each listed process (i.e. by each running instance of svchost.exe), with each separate instance of the svchost process identified by a unique Process ID number (PID).


In Windows Vista and Windows 7, the "Services" tab in Windows Task Manager includes a list of services, showing their groups and Process IDs (PIDs); right-clicking on an svchost instance in the Task Manager's "Processes" tab and selecting "Go to Service(s)" switches to that list of services and selects the service running under the corresponding svchost instance.


The Sysinternals Process Explorer (available as a free download from Microsoft) provides additional information about services running under svchost.exe processes, when the user hovers the mouse over an svchost instance in Process Explorer.


None of the above methods allows the user to identify which of the multiple services running inside an svchost instance accesses a particular resource, i.e. processor, disk, network or memory; the Windows Resource Monitor only accounts for (most of) those resources at process level. It does however show processor usage at service level, on the "CPU" tab.[9] A service-aware list of TCP connections and UDP ports opened can be obtained using the command netstat -b.[10]


In order to troubleshoot other kinds of problems with a service running inside an svchost instance, the service(s) suspected to be causing the problem must (all) be reconfigured so that each runs inside its own svchost instance. For example, sc config foo type= own will reconfigure the service named "foo" to run in its own svchost instance (the space after type= is required by sc.exe's argument parser). Changing the type back to shared is done with the analogous command sc config foo type= share. The service must be restarted for such a configuration change to take effect. This debugging process is not foolproof however; in some cases, a heisenbug may occur, which causes the problem to go away when the service is running separately.[11]
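As an added example (not part of the article), the isolation procedure above as a PowerShell script: it shows which svchost process currently hosts the named service and what else shares that process (the same pairing that tasklist /svc prints), then applies sc config <name> type= own and restarts the service. The service name Dhcp is a placeholder chosen for illustration; the script must be run from an elevated prompt, since changing a service's configuration requires administrator rights.

```powershell
# Added example, not from the article: find a service's host process, list what
# shares it, and move the service into its own svchost instance.
# $ServiceName is a placeholder; substitute the service you are troubleshooting.
$ServiceName = 'Dhcp'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

"Service : $($svc.Name)"
"State   : $($svc.State)   PID: $($svc.ProcessId)"
"Path    : $($svc.PathName)"
"Type    : $($svc.ServiceType)"   # 'Share Process' for a grouped service, 'Own Process' otherwise

if ($svc.ProcessId -ne 0) {
    # Other services hosted in the same PID, i.e. the rest of the svchost group.
    $coHosted = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Where-Object { $_.Name -ne $svc.Name } |
        Select-Object -ExpandProperty Name
    "Co-hosted in PID $($svc.ProcessId): $($coHosted -join ', ')"
}

if ($svc.ServiceType -eq 'Own Process') {
    'Already runs in its own process; nothing to change.'
    return
}

# Reconfigure: sc.exe wants "type=" and "own" as two separate tokens.
$out = & sc.exe config $ServiceName type= own
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed: $out" }

# The change only takes effect on the next start, so restart now
# (-Force also restarts services that depend on this one).
Restart-Service -Name $ServiceName -Force

$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
"After restart: PID $($after.ProcessId), type '$($after.ServiceType)'"
'To revert once debugging is done: sc.exe config <name> type= share, then restart again.'
```

After the restart the service's PID should differ from the group's PID and no longer appear in any other service's ProcessId, which is the quick check that the isolation actually happened.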


In Windows 10, starting with release 1703, svchost was redesigned by Microsoft to host only one service per process, depending on available system memory.[13] The default setting causes services to be hosted independently if the system has at least 3.5 GB of RAM; the threshold is the SvcHostSplitThresholdInKB value under HKLM\SYSTEM\CurrentControlSet\Control (default 3670016 KB), and an individual service can opt out of splitting by setting SvcHostSplitDisable under its own service key.


Poking around in Eset I decided to take a look at "Firewall Troubleshooting" and found that "SSDP Discovery" C:\Windows\System32\svchost.exe is blocked, as is my MBR900 Router Gateway blocking svchost.exe. See second screenshot.


Just a guess that your router has network file/printer/USB sharing enabled and it's trying to communicate to svchost on your PC to allow it to be used, and because the firewall is blocking it, it can't issue a connection to it.

Probably why it's showing 39 blocking events for the 2 items.

Personally I just allow all processes under svchost to communicate freely to prevent any problems, using (interactive) mode on the firewall to first check what the process is.

Just a guess that your router has network file/printer/USB sharing enabled and it's trying to communicate to svchost on your PC to allow it to be used, and because the firewall is blocking it, it can't issue a connection to it.


You are correct I do have file and printer sharing enabled. I think I've corrected the svchost connection as it is not showing any more in the Troubleshooting Wizard. However the DHCP error is still showing in the event Viewer.


Don't have v9 beta running myself so can't advise as to why DHCP is showing on your event viewer if everything is working OK. As your pc would not have an ip address on your network if it could not make DHCP requests and communicate properly.


I do not use a wireless LAN even though one computer has the capability. The service WLANSVC (WLAN AutoConfig Service) was set to manual and even though I do not have a wireless connection the service would start and then stop. It was between the start and stop that it would generate an event DHCP error in the viewer, in a matter of milliseconds. Completely disabling the service resolved the DHCP error.


@cyberhash, thanks for your comment "your pc would not have an ip address on your network if it could not make DHCP requests and communicate properly"; it really was the key that helped me figure this out. I'm still new to all this LAN stuff, about a month and a half. It's been a learning experience.


Glad you managed to get your problem sorted.

Sometimes learning the hard way is the best as you NEVER forget lol. You now probably know more about networks than 80% of the people online working out your problem.


But I won't say I would never forget, that's why I keep a log and screenshots of all the changes I make. The possibility exists that a year from now I'll be trying to figure out why my wireless LAN won't work.


Sophos is blocking one of my customer's main software, and I have had to completely remove it so they could run their office, leaving them unprotected. How do I go about submitting a sample, because they have multiple locations, and I am receiving the same error daily at each office?


If you locate the time detected in the logs and look for svchost.exe, it should give you the location it was connecting to. That is the site that is triggering the alert. If you feel this is wrong you can submit it via the form on this page:


If it's a known file:

Many C2 detections will highlight an application which is obviously malicious. However there are certain circumstances where a C2 detection may be triggered against seemingly legitimate applications such as 'svchost.exe'. In these cases it is likely that another application has called the legitimate process and further investigation will be required to identify the actual malicious application.


bambi long, you shouldn't be looking to exclude that file. Your customer is most likely infected. A C2 detection is very rarely wrong. The svchost.exe file is not your problem, there is something else hiding on the machine that is connecting to a known command and control site and is using the legit svchost.exe to do it.
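The advice in the two replies above is to look past svchost.exe itself and find what is using it. As an added example (not part of the thread and not Sophos' tooling), the following PowerShell script does the first-pass triage a responder would run on such a machine. A genuine service host is started by services.exe, runs from %SystemRoot%\System32\svchost.exe, carries a -k <group> argument and runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE; instances that break any of those rules are listed first. An instance that passes all of them can still be hosting a malicious service DLL or injected code, so the script also lists the established TCP connections of every instance so the one talking to the reported address can be tied back to a PID and, from there, to the services it hosts. The expected-pattern rules and the report layout are this example's own; run it elevated so command lines and owners of service processes are readable.

```powershell
# Added example, not from the thread: triage running svchost.exe instances.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later
# (Get-NetTCPConnection is not available on older versions).

$expectedPath = (Join-Path $env:SystemRoot 'System32\svchost.exe').ToLowerInvariant()
$allowedUsers = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Established TCP connections grouped by owning PID (hashtable keyed by PID as a string).
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

$report = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $reasons = @()

    # Rule 1: the parent must be services.exe. A missing parent can also mean the
    # real parent already exited and its PID was reused, so treat that as a prompt.
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $reasons += "parent is '$($parent.Name)' (PID $($p.ParentProcessId)), not services.exe"
    }

    # Rule 2: the image must be the one under System32 (a copy elsewhere is a classic lure).
    if ($p.ExecutablePath -and $p.ExecutablePath.ToLowerInvariant() -ne $expectedPath) {
        $reasons += "image path is $($p.ExecutablePath)"
    }

    # Rule 3: a real service host is started with "-k <group>".
    if ($p.CommandLine -and $p.CommandLine -notmatch '(?i)(^|\s)-k\s+\S+') {
        $reasons += 'no -k <group> argument'
    }

    # Rule 4: service accounts only. Per-user services (names ending in _<hex>)
    # legitimately run as the logged-on user, so this is a prompt, not a verdict.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
    if ($allowedUsers -notcontains $user) {
        $reasons += "runs as $user"
    }

    $remote = @()
    $pidKey = [string]$p.ProcessId
    if ($conns -and $conns.ContainsKey($pidKey)) {
        $remote = $conns[$pidKey] | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        User        = $user
        CommandLine = $p.CommandLine
        Suspicious  = ($reasons -join '; ')
        Remote      = ($remote -join ' ')
    }
}

'--- svchost.exe instances that break the expected pattern ---'
$report | Where-Object Suspicious | Format-List
'--- instances with established TCP connections (match the alerted address here) ---'
$report | Where-Object Remote | Select-Object PID, User, Remote, CommandLine | Format-Table -Wrap
```

Once the connecting PID is known, Get-CimInstance Win32_Service -Filter "ProcessId=<pid>" gives the services it hosts, and each of those services' Parameters\ServiceDll value names the DLL that actually made the connection; that DLL, not svchost.exe, is what to submit or remove.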


I just installed the latest software for an OfficeJet 7210 on my freshly installed Windows 7 (32-bit) system. I'm monitoring network usage of svchost.exe (HPZ12) in the resource monitor and observe a burst of 10 Kbps worth of traffic every second. This traffic is strictly between the system and the OfficeJet 7210. Furthermore, shutting down the "HP Network Devices Support" service eliminates this traffic.
