Discussion in 'other anti-virus software' started by synapse, Dec 3, 2004.
can anyone tell me why i have so many svchost.exe?
Generic Host Process for Win 32 (svchost.exe) supports a number of different services, for example one instance of svchost.exe hosts Terminal Services and DCOM, while another supports Remote Procedure Call etc. You can find quite a few services bundled up under the svchost banner and I suppose it is more convenient to split them up rather than have them all in just one running process.
Indeed the inter-relationship between some of the services can be mighty inconvenient at times - the rather annoying and unnecessary epmap is always trying to get through your FW port 135 and it would be nice to disable the parent service, but since this is RPC, which is vital to other tasks, you cannot do so. If all services were in one process it would be even worse, so it is a good thing to have them split up.
I realise this is not a very good explanation, but it's certainly the best you're going to get out of me!!!
Maybe someone with a bit of knowledge will come along and enlighten us both!
It's just a service that's part of the operating system's internals.
svchost.exe is important for windows XP to function properly. It should not be terminated in any way.
One instance of SVCHOST.EXE loads for every DWI received by any member of "Destiny's Child", for every pirated copy of a song of theirs that you download.
There are also baddies which show up in your startup programs. They shouldn't be there. For info look at this excellent site:
How do you know he didn't burn those and then break the CDs?
If you'd like to see what's running in those svchost.exe you can get 'Process Explorer' from www.sysinternals.com. Run it, and select properties of any svchost.exe process.
Then select the tab 'Services' and here you go: you can see exactly what's hiding under this service.
I think I read somewhere that Microsoft decided to make several svchost.exe for stability reasons. I think the reasoning was that if the svchost crashed it would bring down the whole system in a BSOD if the hosting process contained everything under one umbrella. All you would need is just one minor function in svchost to fail and it would crash the whole system if it was contained all under one umbrella.
I think they decided to make a few separate umbrellas for svchost for stability reasons. With a few different svchosts, if a function under one of the umbrellas failed it would be less likely to crash the whole system. If I am not mistaken this was one of the many reasons WIN 98 crashes more than XP, but I am unsure about this because it has been a while since I read the article.
So, I am not completely sure about this... I just remember reading this as an answer somewhere at some point in time.
Task Manager is showing a list of running processes, some of which will be auto-starts and some of which may not be. I'm not sure what baddies are being referred to since I cannot see any obvious candidates!
To know whether Generic Host Process has been hijacked by a bad service you would need to look into each instance of svchost.exe (eg by using Process Explorer, as explained above) and then do some detective work!
Ugh! Edit the above, trillian.exe, is one possible candidate for a start!!!
Thanks Buck, that comprehensively answers the question!
Just to add though, that file paths can be obtained via Process Explorer (and similar tools). It is possible for malware to insinuate its DLL into a genuine instance of svchost.exe, so you cannot rely on file path alone.
As to whether trillian.exe is a baddy, it is just something to look into as it has been associated with nasties (see http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.astef.html); but that does not mean this case is certainly bad!!
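The Process Explorer check described above (which services sit under each svchost.exe) and the caveat that the image path alone proves nothing can both be scripted. The following is an added example, not code from anyone in this thread; it assumes a current Windows host with PowerShell 5 or later, lists every svchost.exe instance with its `-k` group and hosted services, and flags the things a reviewer would look at: an image path other than %SystemRoot%\System32\svchost.exe, a parent other than services.exe, no `-k` group, no hosted service at all, and a hosted service whose ServiceDll lives outside %SystemRoot%.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# so Win32_Process exposes ExecutablePath and CommandLine for every process.
$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map hosting PID -> the running services inside it (Win32_Service carries ProcessId).
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object ProcessId -AsHashTable -AsString

function Get-ServiceDllPath([string]$ServiceName) {
    # Shared-process services record their DLL under <service>\Parameters\ServiceDll.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $procId = $_.ProcessId
    $hosted = @()
    if ($servicesByPid -and $servicesByPid.ContainsKey("$procId")) { $hosted = @($servicesByPid["$procId"]) }
    $flags = @()

    if ($_.ExecutablePath -and $_.ExecutablePath -ne $expectedImage) { $flags += 'unexpected image path' }
    if ($_.CommandLine -notmatch '-k\s+\S+') { $flags += 'no -k group' }
    if ($hosted.Count -eq 0) { $flags += 'hosts no service' }

    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    if ($parent -and $parent.Name -ne 'services.exe') { $flags += "parent is $($parent.Name)" }

    foreach ($svc in $hosted) {
        $dll = Get-ServiceDllPath $svc.Name
        if ($dll -and $dll -notlike "$env:SystemRoot\*") { $flags += "$($svc.Name) loads $dll" }
    }

    [pscustomobject]@{
        PID      = $procId
        Group    = if ($_.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }
        Path     = $_.ExecutablePath
        Services = ($hosted | ForEach-Object { $_.Name }) -join ', '
        Flags    = $flags -join '; '
    }
} | Sort-Object PID | Format-Table -AutoSize
```

A flag is a prompt to look closer, not a verdict: a freshly started instance can briefly host no service, and a few legitimate services keep their DLL outside System32, so compare the flagged DLL path and signer with what Process Explorer shows before drawing conclusions.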
Thanks for your support guys, and naw, that trillian.exe that I have was Trillian that I was running at the time for my instant messenger, and about those nasties, what did you see in my process list exactly?
I don't know about anyone else's opinion - but your process list is clean as far as I can see.