Wilders Security Forums  

  #1  
Old December 3rd, 2004, 03:42 PM
synapse synapse is offline
Regular Poster
 
Join Date: Oct 2004
Posts: 50
Default why so many svchost.exe

http://img57.exs.cx/img57/5138/1a-svchost.jpg

Can anyone tell me why I have so many svchost.exe?
  #2  
Old December 3rd, 2004, 07:23 PM
TopperID TopperID is offline
Very Frequent Poster
 
Join Date: Oct 2004
Location: London
Posts: 1,527
Default Re: why so many svchost.exe

Generic Host Process for Win 32 (svchost.exe) supports a number of different services, for example one instance of svchost.exe hosts Terminal Services and DCOM, while another supports Remote Procedure Call etc. You can find quite a few services bundled up under the svchost banner and I suppose it is more convenient to split them up rather than have them all in just one running process.

Indeed the inter-relationship between some of the services can be mighty inconvenient at times - the rather annoying and unnecessary epmap is always trying to get through your FW port 135 and it would be nice to disable the parent service, but since this is RPC, which is vital to other tasks, you cannot do so. If all services were in one process it would be even worse, so it is a good thing to have them split up.

I realise this is not a very good explanation, but it's certainly the best you're going to get out of me!!!

Maybe someone with a bit of knowledge will come along and enlighten us both!
  #3  
Old December 4th, 2004, 02:02 AM
nadirah nadirah is offline
Massive Poster
 
Join Date: Oct 2003
Posts: 3,647
Default Re: why so many svchost.exe

It's just a service that's part of the operating system's internals.
svchost.exe is important for windows XP to function properly. It should not be terminated in any way.
  #4  
Old December 4th, 2004, 02:55 AM
nameless nameless is offline
Very Frequent Poster
 
Join Date: Feb 2003
Posts: 1,122
Default Re: why so many svchost.exe

One instance of SVCHOST.EXE loads for every DWI received by any member of "Destiny's Child", for every pirated copy of a song of theirs that you download.
__________________
They say the only totally secure PC is one that is turned off. So, I showed my PC a photo of my wife! [ba-dum-bum-tsss]
  #5  
Old December 4th, 2004, 04:27 AM
gerardwil gerardwil is offline
Massive Poster
 
Join Date: Jan 2004
Posts: 4,507
Default Re: why so many svchost.exe

There are also baddies which show up in your startup programs. They shouldn't be there. For info look at this excellent site:

http://www.sysinfo.org/startuplist.php?filter=svchost
__________________
25 forum posting etiquette tips
  #6  
Old December 4th, 2004, 04:54 AM
AJohn AJohn is offline
Frequent Poster
 
Join Date: Sep 2004
Posts: 935
Default Re: why so many svchost.exe

Quote:
Originally Posted by nameless
One instance of SVCHOST.EXE loads for every DWI received by any member of "Destiny's Child", for every pirated copy of a song of theirs that you download.

How do you know he didn't burn those and then break the CDs?
__________________
·¤"Mash For Our Dreams"¤·
  #7  
Old December 4th, 2004, 07:00 AM
Avatar
 
Posts: n/a
Cool Re: why so many svchost.exe

If you'd like to see what's running in those svchost.exe you can get 'Process Explorer' from www.sysinternals.com. Run it, and select properties of any svchost.exe process.
Then select the tab 'Services' and here you go: you can see exactly what's hiding under this service.
  #8  
Old December 4th, 2004, 07:56 AM
Starrob Starrob is offline
Frequent Poster
 
Join Date: Apr 2004
Posts: 493
Default Re: why so many svchost.exe

I think I read somewhere that Microsoft decided to make several svchost.exe for stability reasons. I think the reasoning was that if the svchost crashed it would bring down the whole system in a BSOD if the hosting process contained everything under one umbrella. All you would need is just one minor function in svchost to fail and it would crash the whole system if it was contained all under one umbrella.

I think they decided to make a few separate umbrellas for svchost for stability reasons. With a few different svchosts, if a function under one of the umbrellas failed it would be less likely to crash the whole system. If I am not mistaken this was one of the many reasons WIN 98 crashes more than XP, but I am unsure about this because it has been a while since I read the article.

So, I am not completely sure about this...I just remember reading this as an answer somewhere at some point in time.


Starrob


Quote:
Originally Posted by TopperID
Generic Host Process for Win 32 (svchost.exe) supports a number of different services, for example one instance of svchost.exe hosts Terminal Services and DCOM, while another supports Remote Procedure Call etc. You can find quite a few services bundled up under the svchost banner and I suppose it is more convenient to split them up rather than have them all in just one running process.

Indeed the inter-relationship between some of the services can be mighty inconvenient at times - the rather annoying and unnecessary epmap is always trying to get through your FW port 135 and it would be nice to disable the parent service, but since this is RPC, which is vital to other tasks, you cannot do so. If all services were in one process it would be even worse, so it is a good thing to have them split up.


Last edited by Starrob : December 4th, 2004 at 08:02 AM. Reason: Correction
  #9  
Old December 4th, 2004, 09:10 AM
TopperID TopperID is offline
Very Frequent Poster
 
Join Date: Oct 2004
Location: London
Posts: 1,527
Default Re: why so many svchost.exe

Quote:
There are also baddies which show up in your startup programs.
Task Manager is showing a list of running processes, some of which will be auto-starts and some of which may not be. I'm not sure what baddies are being referred to since I cannot see any obvious candidates!

To know whether Generic Host Process has been hijacked by a bad service you would need to look into each instance of svchost.exe (eg by using Process Explorer, as explained above) and then do some detective work!

Ugh! Edit the above, trillian.exe, is one possible candidate for a start!!!
  #10  
Old December 4th, 2004, 09:25 AM
bigbuck bigbuck is offline
Massive Poster
 
Join Date: Jul 2004
Location: Qld, Aus
Posts: 4,877
Default Re: why so many svchost.exe

Quote:
Svchost (1)


Svchost.exe

(Microsoft)


Service Host – Generic Host Process for Win32 Services. The full path to this file should be shown in The Ultimate Troubleshooter as C:\WinNT\System32\Svchost.exe or C:\Windows\System32\Svchost.exe. Windows 2000/XP/2003 only. SVCHOST is a generic process which acts as a host for processes that run from DLLs rather than EXEs. At startup SVCHOST checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them. There can be many instances of SVCHOST running, as there will be one instance of SVCHOST for every DLL-based service or grouping of services (the grouping of services is determined by the programmers who wrote the services in question). Under Windows XP Professional and Windows 2003 you can find out what DLL-based services SVCHOST is running by typing Tasklist /SVC at a Command/MS‑DOS Prompt (this command is not available in Windows XP Home), while under Windows 2000 you need to use the TLIST –s command from a Command Prompt (MS-DOS Prompt) (depending on how Windows 2000 was installed you may need to download TLIST from the Microsoft website or install it from one of the miscellaneous folders on the Windows 2000 CD).

Recommendation :
An integral part of the operating system, leave alone – multiple instances of SVCHOST is a normal occurrence. If you experience SVCHOST errors, the problem is most likely not with SVCHOST but with the DLLs it is hosting. However, if you experience a lot of SVCHOST errors, and particularly, if the full path to SVCHOST.EXE is not any of the above, then you most likely have a virus (see below).

Svchost (2)


SVCHOST.EXE

()


Many viruses masquerade themselves as SVCHOST to escape detection. Some have names that are similar, such as SCCHOST, others actually drop a program file called SVCHOST in the Windows folder or a Windows sub‑folder.

Recommendation :
The first recommendation is a simple one : always have a good antivirus product which is regularly updated (automatically preferably) and always renew your updates subscription when it expires. To detect if you have a virus that calls itself SVCHOST, first see if its full path shows up in The Ultimate Troubleshooter as either C:\WinNT\System32\Svchost.exe or C:\Windows\System32\Svchost.exe – if it does not, then it is almost certain you have a virus. Secondly, if you have Windows 95/98/ME rather than Win2000/XP/2003, then it is also almost certain you have a virus. Thirdly, go to the Services tab of The Ultimate Troubleshooter and look for the following service – if you find it then you probably have a virus too :

From: www.answersthatwork
  #11  
Old December 4th, 2004, 10:03 AM
TopperID TopperID is offline
Very Frequent Poster
 
Join Date: Oct 2004
Location: London
Posts: 1,527
Default Re: why so many svchost.exe

Thanks Buck, that comprehensively answers the question!

Just to add though, that file paths can be obtained via Process Explorer (and similar tools). It is possible for malware to insinuate its DLL into a genuine instance of svchost.exe, so you cannot rely on file path alone.

As to whether trillian.exe is a baddy, it is just something to look into as it has been associated with nasties (see http://securityresponse.symantec.com...llw.astef.html); but that does not mean this case is certainly bad!!
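
The checks described in posts #10 and #11, as an added example that is not part of the original thread: it parses `tasklist /SVC /FO CSV` output, flags any svchost.exe whose full path is not one of the two quoted above, flags near-miss names such as SCCHOST, and lists the services each instance hosts for manual review. The function names, the sample output and the PID-to-path map are constructed for illustration.

```python
import csv
import io

# Full paths the quoted article gives as legitimate (compared in lower case).
EXPECTED_PATHS = {r"c:\windows\system32\svchost.exe",
                  r"c:\winnt\system32\svchost.exe"}

# Constructed sample of `tasklist /SVC /FO CSV` output, not taken from the thread.
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","960","RpcSs"
"svchost.exe","1412","N/A"
"scchost.exe","2020","N/A"
"trillian.exe","3004","N/A"
'''

# Constructed PID -> full path map, as read off Process Explorer or a similar tool.
SAMPLE_PATHS = {
    884: r"C:\WINDOWS\System32\svchost.exe",
    960: r"C:\WINDOWS\System32\svchost.exe",
    1412: r"C:\WINDOWS\svchost.exe",
    2020: r"C:\WINDOWS\System32\scchost.exe",
    3004: r"C:\Program Files\Trillian\trillian.exe",
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss names such as SCCHOST."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(tasklist_csv, paths):
    """Return (findings, hosted): flagged (pid, reason) pairs, and services per svchost PID."""
    findings, hosted = [], {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name, pid = row["Image Name"].lower(), int(row["PID"])
        if name == "svchost.exe":
            hosted[pid] = [] if row["Services"] == "N/A" else row["Services"].split(",")
            if paths.get(pid, "").lower() not in EXPECTED_PATHS:  # unknown path is flagged too
                findings.append((pid, "svchost.exe path not in expected list"))
        elif edit_distance(name, "svchost.exe") <= 2:
            findings.append((pid, "look-alike name: " + name))
    return findings, hosted

if __name__ == "__main__":
    print(review(SAMPLE_TASKLIST, SAMPLE_PATHS))
```

An empty findings list only covers the name and path checks; as post #11 notes, a DLL loaded into a genuine instance passes both, so the per-PID service list in `hosted` still needs to be read through.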
  #12  
Old December 4th, 2004, 03:36 PM
synapse synapse is offline
Regular Poster
 
Join Date: Oct 2004
Posts: 50
Default Re: why so many svchost.exe

Thanks for your support guys, and naw, that trillian.exe that I have was Trillian that I was running at the time for my instant messenger, and about those nasties, what did you see in my process list exactly?
  #13  
Old December 4th, 2004, 04:42 PM
BlueZannetti BlueZannetti is offline
Administrator
 
Join Date: Oct 2003
Posts: 6,589
Default Re: why so many svchost.exe

Quote:
Originally Posted by synapse
Thanks for your support guys, and naw, that trillian.exe that I have was Trillian that I was running at the time for my instant messenger, and about those nasties, what did you see in my process list exactly?
I don't know about anyone else's opinion - but your process list is clean as far as I can see.

Blue
 
