Svchost.exe



What is it?
Service Host Process - svchost.exe

What does it do?

Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.

1.) Start --> Run --> cmd
2.) Tasklist /svc > C:\ianaginfo.txt

Here's an example of what I got when I issued this command.

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056


Virus Precaution:
The original file from Microsoft is located in the C:\WINDOWS\System32 directory. If you find it anywhere else, you should be suspicious.
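The registry layout quoted above and the location check from this precaution can be combined into one audit. This is an added example, not code from the original page or from Microsoft; it assumes PowerShell 3.0 or later and an elevated prompt, and the variable names and the SysWOW64 allowance are its own.

```powershell
# Added example, not from the original page. Assumes PowerShell 3.0+ and an
# elevated prompt (otherwise some process image paths come back empty).
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = Join-Path $env:SystemRoot 'System32'

# 1. Every REG_MULTI_SZ value under the Svchost key is one service group.
$key = Get-Item -LiteralPath $svchostKey
$services = foreach ($group in $key.GetValueNames()) {
    if ($key.GetValueKind($group) -ne [Microsoft.Win32.RegistryValueKind]::MultiString) { continue }
    foreach ($name in $key.GetValue($group)) {
        # 2. The DLL a hosted service loads is named by Parameters\ServiceDll.
        $params = Join-Path $servicesKey "$name\Parameters"
        $dll = $null
        if (Test-Path -LiteralPath $params) {
            $dll = (Get-ItemProperty -LiteralPath $params -ErrorAction SilentlyContinue).ServiceDll
        }
        [pscustomobject]@{
            Group      = $group
            Service    = $name
            ServiceDll = $dll
            # A DLL outside System32 is worth a look; it is not a verdict.
            Review     = [bool]$dll -and ($dll -notlike "$system32\*")
        }
    }
}

# 3. Running svchost.exe instances and where their image file really is.
#    On 64-bit Windows the 32-bit copy in SysWOW64 is also a Microsoft file.
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }
$processes = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $status = if (-not $_.ExecutablePath) {
            'path unreadable (not elevated?)'
        } elseif ($expected -contains $_.ExecutablePath) {
            'expected location'
        } else {
            'REVIEW: outside the system directory'
        }
        [pscustomobject]@{ ProcessId = $_.ProcessId; Path = $_.ExecutablePath; Status = $status }
    }

$services  | Where-Object Review | Format-Table -AutoSize
$processes | Format-Table -AutoSize
```

Third-party services can legitimately register a ServiceDll outside System32, so treat the first table as a review list and check file signatures before acting on it.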

You'll want to keep an eye on this Google search for any known viruses.




Svchost.exe is a Windows System File and should be in a system directory. If it is then this application is safe.

Startup DB Entries:
[SysInit] Added by the STARTPA-BD TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Common Files
[333] Added by the JD-A TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a "Syswm1i" directory
[alpha] Added by a variant of the DELF.IT TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! The location of this file varies
[Auto Updates] Added by the CHEUKO-A TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
[beta] Added by a variant of the DELF.IT TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! The location of this file varies
[defragsys] Added by the BIFROSE-TH TROJAN! Note - this is not the legitimate svchost.exe process which should not normally figure in Msconfig/Startup!
[DriverCheck] Added by the DELF-KR TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a "DriverLoad" sub-directory of the Root folder (C:\)
[DriverLoad] Added by the DELF-KR TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a "DriverLoad" sub-directory of the Root folder (C:\)
[F-Secure 2005] Added by the BIFROSE-CH TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
[France] Added by the MIMAIL.L WORM! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
[gamma] Added by a variant of the DELF.IT TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! The location of this file varies
[GNP Generic Host Process] Added by the ZAPCHAS-F BACKDOOR! Note - this is not the legitimate svchost.exe process which should not normally figure in Msconfig/Startup!
[hellfire] Added by the LEOX.D TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
[I just want to say I love Milko and I need a drink] Added by the CHIKO WORM! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\Administrator\Local Settings\Application Data
[KAVPersonal] Added by the LINEAGE-V TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
[LocalSystem] EHU adware. Note - this is not the legitimate svchost.exe process which should NOT appear in Msconfig/Startup!
[microsoft] Added by the ASTEF or RESPAN WORMS! Note - this is not the legitimate svchost.exe process which should NOT appear in Msconfig/Startup!
[Microsoft (R) Windows Configuration Backup Service] Added by the RANKY.X TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in either a "config"
[Microsoft Corp] Added by the PUSHBOT.QD WORM! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
[Microsoft Genetic Procress] Added by a variant of the SDBOT WORM!

Service DB Entries:
W32Time Added by the Fuwudoor TROJAN!
TrkWks Added by the Fuwudoor TROJAN!
TrkSvr Added by the Fuwudoor TROJAN!
taskmng (svchost) Added by the W32/Tilebot-AW WORM! Read the link rootkit type stealth involved.
System Event Messaging Seems to be viral
svchost.exe (svchost.exe) Added by the Troj/GrayBird-X TROJAN! Note: This trojan file is found in the Windows or Winnt folder.
svchost.exe (moto) Added by the Troj/Agent-MD TROJAN! Note: This worm/trojan is located in C:%WINDIR%
svchost Added by the SDBOT.CNK WORM! Note: This is not the legitimate Windows process svchost.exe (Which is
SVC Module (SVC Module) Added by the W32/Sdbot-ADG WORM! Note: This is not the legitimate Windows Process. (Which is found i
Server Management Service Added by an unidentified TROJAN! of the Sdbot family. Note: This worm/trojan is located in C:%WINDIR%
Rockwell Application Services (RsvcHost) Related to Rockwell_Automation Inc. FactoryTalk suite
RasAt (Remote Connection) Added by the Troj/Singu-AF TROJAN!
ProtectedStorage Added by the Fuwudoor TROJAN!
Power Manager (PowerManager) Added by an unidentified TROJAN! of the Sdbot family. Note: This worm/trojan is located in C:%WINDIR%
Policy Agent Added by the Fuwudoor TROJAN!

Disclaimer

Every attempt has been made to ensure the information about Svchost.exe is accurate, but a lot of malware applications try to pose as valid applications. If it is something other than what was posted above, please leave some feedback in the forum.

User Comments
Aranjay: It's very good for system administrator. Can I get details about complete Windows services?