How to find out what kind of process svchost.exe is. How to identify a virus masquerading as the svchost system process

Today we will talk about Svchost.exe, what kind of process it is and why it can load the system.

How to access the processes tab

While the computer is working normally, the average user has little interest in which processes are running in the system and what they are needed for.

But the non-standard behavior of Windows XP/Vista/7 - slowdowns, freezing, frequent reboots - forces us to look for reasons.

Where to start your search? Let's try to launch the "Task Manager".

Launch options.

  1. Press the key combination “Ctrl” + “Alt” + “Del”.
  2. Click the “Start” button, select the “Run” command, enter taskmgr.exe and click the “Ok” button.

Now go to the “Processes” tab and study the list.

A large number of svchost.exe processes is immediately alarming. Well, it's time to understand the capabilities of this application.

First acquaintance with svchost.exe

Recently, instead of the usual executable files with the .exe extension, dynamic link libraries with the .dll extension are increasingly being used to compose Windows services.

This method is considered more effective. However, a library file, unlike an executable one, cannot start on its own.

The svchost.exe application “helps” to start a service from a dll file.

For example, here's how the DNS Client service starts:

C:\WINDOWS\system32\svchost.exe -k NetworkService.

A few words about svchost.exe processes

Each instance of the svchost.exe process is initiated by its parent, the services.exe system process.

A single svchost.exe process can run one service or a group of several logically related Windows services.

The launch option “one svchost process -> several Windows services” allows you to save RAM and processor resources.

To view svchost groups and their composition, go to the Windows registry:

  • Click the “Start” button and find the “Run” command;
  • In the command line, enter regedit.exe and click the “Ok” button.
  • in the registry go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost branch;
  • we find the REG_MULTI_SZ parameters with lists of services for each group.

For example, the DcomLaunch group includes the following services:

  1. Power – a service that manages power configuration and sends notifications about installed power configurations;
  2. PlugPlay is a service through which the computer automatically recognizes devices connected to it and configures them to work without user interaction or minimize this participation.
  3. DcomLaunch is a service for launching COM and DCOM servers for stable operation of programs using server data.

It is not recommended to disable any of the above services.

When viewing the svchost process data, be sure to pay attention to the Username column.

It can only contain one of the following values: “Local Service”, “System”, “Network Service”.

Where does the file live?

In Windows XP/Vista/7 operating systems, the location of the svchost.exe file is standard:

  • 32-bit OS – C:\Windows\System32\;
  • 64-bit OS – C:\Windows\SysWOW64\.

Let's remember the exact address of the file. This will be useful to us later.

The svchost.exe process and its connections

The task manager gives us a whole list of running svchost.exe processes, but this information is clearly not enough.

Naturally, we are interested in which services are launched by a specific instance of this process.

So, here are a few ways to find out about svchost's connections.

Tasklist and sc commands.

The tasklist and sc commands can be used in any version of Windows. Therefore, this method can be considered universal.

First of all, launch cmd – the Windows command line interpreter:

  • press the “Start” button;
  • select the “Run” command;
  • enter cmd and press the “Ok” button.

To get a list of services on the interpreter screen, run the tasklist command with the svc key and press the “Enter” key:

  • tasklist /svc "Enter".

To save the query results to the text file svc.txt located on drive C: in the temp folder, we redirect the output of the tasklist command:

  • tasklist /svc > C:\temp\svc.txt “Enter”

Note that the file will be saved in DOS encoding.

Fragment of listing tasklist.exe.

Image Name     PID    Services
svchost.exe    1216   DcomLaunch
svchost.exe    1300   RpcSs
svchost.exe    1384   WudfSvc
svchost.exe    1528   Dnscache
svchost.exe    1584   LmHosts, SSDPSRV

Table columns:

  • “Image name” – the name of the executable file;
  • “PID” – process identifier;
  • “Services” – list of services.

To obtain information about a specific service, set its short name as a parameter of the sc service management command.

An example of obtaining information about the TermService service.

– sc qc TermService “Enter”.
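The two views described above, the registry groups and the tasklist listing, can be cross-checked against each other, because every service hosted by one svchost.exe instance should come from a single registered group. The following Python sketch is an added example, not part of the original article. It assumes the listing was captured with tasklist /svc /fo csv and the registry branch with reg query; the sample text is constructed (only the DcomLaunch members and PIDs 1216 to 1584 follow the article, while PIDs 2044 and 2100 are invented anomalies).

```python
import csv
import io
import re

# Constructed sample of `tasklist /svc /fo csv` output.
TASKLIST_CSV = '''\
"Image Name","PID","Services"
"System Idle Process","0","N/A"
"services.exe","688","N/A"
"svchost.exe","1216","DcomLaunch"
"svchost.exe","1300","RpcSs"
"svchost.exe","1384","WudfSvc"
"svchost.exe","1528","Dnscache"
"svchost.exe","1584","LmHosts,SSDPSRV"
"svchost.exe","2044","UpdHelper"
"svchost.exe","2100","Power,SSDPSRV"
'''

# Constructed sample of `reg query` output for the Svchost branch.
# REG_MULTI_SZ values are printed with \0 between the strings.
REG_QUERY = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    DcomLaunch    REG_MULTI_SZ    Power\0PlugPlay\0DcomLaunch
    rpcss    REG_MULTI_SZ    RpcSs
    WudfServiceGroup    REG_MULTI_SZ    WudfSvc
    NetworkService    REG_MULTI_SZ    dnscache
    LocalService    REG_MULTI_SZ    LmHosts\0SSDPSRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\DcomLaunch
'''


def parse_groups(reg_text):
    """Map group name -> set of lower-cased service names."""
    groups = {}
    for line in reg_text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_MULTI_SZ\s+(.*)$", line)
        if m:
            members = m.group(2).split("\\0")
            groups[m.group(1)] = {s.lower() for s in members if s}
    return groups


def parse_svchost_rows(csv_text):
    """Map PID -> list of services for every svchost.exe row."""
    hosted = {}
    rows = csv.reader(io.StringIO(csv_text))
    next(rows)  # header row; its text is localised, so read by position
    for row in rows:
        if len(row) != 3 or row[0].lower() != "svchost.exe":
            continue
        services = [] if row[2] == "N/A" else [
            s.strip() for s in row[2].split(",") if s.strip()]
        hosted[int(row[1])] = services
    return hosted


def cross_check(hosted, groups):
    """Return {pid: [findings]} for instances that do not fit one group."""
    owner = {svc: grp for grp, members in groups.items() for svc in members}
    findings = {}
    for pid, services in hosted.items():
        issues = []
        if not services:
            issues.append("no services listed")
        # Service names are compared case-insensitively (Dnscache vs dnscache).
        unknown = [s for s in services if s.lower() not in owner]
        if unknown:
            issues.append("not in any Svchost group: " + ", ".join(unknown))
        used = sorted({owner[s.lower()] for s in services if s.lower() in owner})
        if len(used) > 1:
            issues.append("services from several groups: " + ", ".join(used))
        if issues:
            findings[pid] = issues
    return findings


if __name__ == "__main__":
    result = cross_check(parse_svchost_rows(TASKLIST_CSV), parse_groups(REG_QUERY))
    for pid, issues in sorted(result.items()):
        print(pid, "; ".join(issues))
```

A PID reported here is a starting point for sc qc on the listed service name, not a verdict.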

Two ways to get to the list of services.

  1. Click the “Start” button, find the “Run” command, enter services.msc in the command line and click the “Ok” button.
  2. Click the “Start” button, then select Settings -> Control Panel -> Administrative Tools -> Services.

Windows Vista/7 Task Manager.

We get a list of services associated with the svchost process using the Windows Vista/7 task manager:

  • place the cursor on the process name;
  • Call the context menu by right-clicking and select the “Go to services” option;
  • We get a list in which the services associated with our process are highlighted.

In the Windows XP operating system, the “Go to Services” option, unfortunately, is missing. This option cannot be considered universal.

Process Explorer utility.

This program is not included in Windows distributions, but is available for download from the Microsoft website or from the Process Explorer download page.

The launch process is very simple and does not require installation:

  • download the zip archive;
  • run the file procexp.exe.

The utility provides detailed information about the processes running in the system: pid, cpu load, brief description, information about the manufacturer, etc.

When we hovered the mouse over the name of one of the svchost instances, we received the following information:

  • Command Line – line for launching a service or group of services via svchost;
  • Path – path to the svchost.exe file;
  • Services – list of services.

The right-click context menu provides greater control over the process and the services it runs.

AnVir Task Manager utility.

The AnVir Task Manager program not only provides management of running processes, services, drivers and startup, but also performs antivirus functions.

The startup procedure is the same as for Process Explorer:

  • download the free version of AnVir Task Manager in zip archive format;
  • unzip to a folder on disk;
  • run the AnVir.exe file.

To switch the language when you first start the program, use the main menu:

"View->Language->Russian".

Select the “Processes” tab to get detailed information about our svchosts.

In the process line we see information about the manufacturer, the path to the executable file, the CPU load percentage, etc.

But the most interesting data is presented in the “Startup” column. Here you will find a list of services launched by svchost.

Double-click the left mouse button on the process name and get more detailed information about it (a window with tabs at the bottom of the screen).

The system is slow, what should I do?

What symptoms indicate the culprit of svchost and how to fix the problem. Let's figure it out.

The system may slow down for various reasons. But if in the task manager you find the svchost.exe process with a high percentage of CPU load (sometimes even about 100%), it is likely that this is the reason.

Many users believe that in this case svchost is definitely a virus. But that's not true. A process can load the system for other reasons.

Let's look at how to solve the problem with svchost in both cases.

Is Svchost a virus or not?

Many Trojans and other computer viruses disguise themselves as well-known Windows system applications. Svchost is no exception.

According to Kaspersky Lab, the Trojan-Clicker.Win32.Delf.cn, Virus.Win32.Hidrag.d, Net-Worm.Win32.Welchia.a viruses, as well as the Kido virus known to most users, “pretend” to be svchost.

So, let's start checking our process.

First of all, pay attention to the location of the file. If it differs from the standard one, you can safely delete the file.

Check the username that started the process. A list of valid names is given in the “A few words about svchost.exe processes” section.

Carefully re-read the process name. Virus writers often use similar names: svhost, svchosts, etc.

The genuine application is never launched through the “Run” key of the Windows registry.

Therefore, you definitely need to check its presence in startup:

  • click the “Start” button, select the “Run” command, enter msconfig and click the “Ok” button;
  • if the svchost.exe file is found, disable the launch.

To delete a suspicious process in the task manager, call up the context menu by right-clicking and select the “End process tree” command.

After completing all the described steps, you must run an anti-virus program and disinfect your computer.

The svchost system file quite often becomes a target for hacker attacks. Moreover, virus writers disguise their malware under its software “appearance.” One of the most prominent representatives of the “false svchost” viruses is Win32.HLLP.Neshta (Dr.Web classification).

This “impostor” copies itself to a Windows directory, infects files with the “exe” extension and takes away system resources (RAM, Internet traffic). However, he is capable of other nasty things. There are known cases of infection when the virus svchost loads the computer's RAM by 98-100%, disconnects the Internet channel, and disrupts the functioning of the local network.

svchost files - good and evil, or who is who

The whole difficulty of neutralizing viruses of this type is that there is a risk of damaging/deleting a trusted Windows file with the same name. And without it, the OS will not work; you will have to reinstall it. Therefore, before we begin the cleaning procedure, let’s get acquainted with the special signs of a trusted file and a “stranger”.

True Process

Manages system functions that are launched from dynamic libraries (.DLLs): checks and loads them. Listens to network ports and transmits data through them. In fact, it is a Windows utility application. Located in C: → Windows → System32. In OS versions XP/7/8, in 76% of cases it has a size of 20,992 bytes. But there are other options. You can find out more about them on the recognition resource filecheck.ru/process/svchost.exe.html (link - “29 more options”).

Runs under one of the following user names (in the task manager, the “Users” column):

  • SYSTEM;
  • LOCAL SERVICE;
  • NETWORK SERVICE.

Hacker fake

May be located in the following directories:

  • C:\Windows
  • C:\My Documents
  • C:\Program Files
  • C:\Windows\System32\drivers
  • C:\Program Files\Common Files

In addition to alternative directories, hackers use almost identical names, similar to the system process, to disguise the virus.

For example:

  • svch0st (digit “zero” instead of letter “o”);
  • svrhost (instead of “c” the letter “r”);
  • svhost (no "c").

There are countless versions of the “free interpretation” of the name. Therefore, it is necessary to pay special attention when analyzing existing processes.

Attention! The virus may have a different extension (other than exe). For example, “com” (Neshta virus).
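The signs listed in this article (exact name, Latin letters only, extension, location, user name and the services.exe parent) can be applied mechanically to a process list. The following Python sketch is an added example, not part of the original article. The process records are constructed, and the trusted folders and accounts are the ones the article names.

```python
import ntpath
import unicodedata

GENUINE = "svchost.exe"
STEM = "svchost"
# Locations and accounts the article gives for the real file.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_USERS = {"system", "local service", "network service"}


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(image_name):
    """Return a finding for a name that imitates svchost.exe, else None."""
    name = image_name.lower()
    if name == GENUINE:
        return None
    stem, ext = ntpath.splitext(name)
    foreign = [c for c in stem if ord(c) > 127]
    # Same length and every Latin letter in place: the rest are homoglyphs.
    if foreign and len(stem) == len(STEM) and all(
            c == g or ord(c) > 127 for c, g in zip(stem, STEM)):
        names = ", ".join(unicodedata.name(c, "UNKNOWN") for c in foreign)
        return "non-Latin letters in name: " + names
    if stem == STEM:
        return "extension %r instead of '.exe'" % ext
    # Distance 1 covers svch0st, svrhost, svhost and svchosts. A wider net
    # would also catch the legitimate Windows process sihost.exe (distance 2).
    if edit_distance(stem, STEM) <= 1:
        return "look-alike name %r" % image_name
    return None


def triage(processes):
    """Map PID -> list of findings for every process that fails a check."""
    findings = {}
    for p in processes:
        issues = []
        name_issue = check_name(p["name"])
        if name_issue:
            issues.append(name_issue)
        elif p["name"].lower() == GENUINE:
            folder = ntpath.dirname(p["path"]).lower()
            if folder not in TRUSTED_DIRS:
                issues.append("runs from " + folder)
            account = p["user"].rsplit("\\", 1)[-1].lower()  # drop domain prefix
            if account not in TRUSTED_USERS:
                issues.append("runs as " + p["user"])
            if p["parent"].lower() != "services.exe":
                issues.append("parent is " + p["parent"])
        if issues:
            findings[p["pid"]] = issues
    return findings


# Constructed process records: PID, image name, path, user, parent image.
FIELDS = ("pid", "name", "path", "user", "parent")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (900, "sihost.exe", r"C:\Windows\System32\sihost.exe", "alice", "svchost.exe"),
    (1216, "svchost.exe", r"C:\Windows\System32\svchost.exe", "SYSTEM", "services.exe"),
    (1528, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe",
     r"NT AUTHORITY\NETWORK SERVICE", "services.exe"),
    (3120, "svchost.exe", r"C:\Windows\svchost.exe", "alice", "explorer.exe"),
    (3344, "svch0st.exe", r"C:\Program Files\svch0st.exe", "alice", "explorer.exe"),
    (3388, "svhost.exe", r"C:\Windows\svhost.exe", "alice", "explorer.exe"),
    (3400, "svchosts.exe", r"C:\Windows\svchosts.exe", "alice", "explorer.exe"),
    (3412, "svchost.com", r"C:\Windows\svchost.com", "alice", "explorer.exe"),
    # \u0441 is the Cyrillic letter that looks like Latin "c".
    (3456, "sv\u0441host.exe", "C:\\Windows\\sv\u0441host.exe", "alice", "explorer.exe"),
]]

if __name__ == "__main__":
    for pid, issues in sorted(triage(SAMPLE).items()):
        print(pid, "; ".join(issues))
```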

So, knowing the enemy (the virus!) by sight, you can safely begin to destroy it.

Method number 1: cleaning with Comodo Cleaning Essentials utility

Cleaning Essentials is an antivirus scanner. Used as an alternative system cleaning software. It comes with two utilities for detecting and monitoring Windows objects (files and registry keys).

Where to download and how to install?

1. Open comodo.com (the official website of the manufacturer) in your browser.

Advice! It is better to download the utility distribution package on a “healthy” computer (if possible), and then run it from a USB flash drive or CD.

2. On the main page, hover over the “Small & Medium Business” section. In the submenu that opens, select the Comodo Cleaning Essentials program.

3. In the download block, in the drop-down menu, select the bitness of your OS (32 or 64 bit).

Advice! The bit depth can be found through the system menu: open “Start” → enter “System Information” in the line → click on the utility with the same name in the “Programs” list → look at the “Type” line.

4. Click the “Free Download” button. Wait until the download completes.

5. Unpack the downloaded archive: right-click on the file → “Extract all...”.

6. Open the unpacked folder and double-click on the “CCE” file with the left button.

How to configure and clean the OS?

1. Select “Custom scan” mode.

2. Wait a little while the utility updates its signature databases.

3. In the scanning settings window, check the box next to drive C. And also enable checking of all additional elements (“Memory”, “Critical Areas..”, etc.).

4. Click "Scan".

5. Upon completion of the scan, allow the antivirus to remove the detected impostor virus and other dangerous objects.

Note. In addition to Comodo Cleaning Essentials, you can use other similar antivirus utilities to clean your PC. For example, Dr. Web CureIt!.

Helper utilities

The Cleaning Essentials treatment package includes two auxiliary tools designed for real-time system monitoring and manual malware detection. They can be used if the virus cannot be neutralized during the automatic scanning process.

Autorun Analyzer is an application for quick and convenient work with registry keys, files, services. It determines the location of the selected object and, if necessary, can delete or copy it.

To automatically search for svchost.exe files, in the “File” section, select “Find” and specify the file name. Analyze the found processes, guided by the properties described above (see “Hacker fake”). If necessary, remove suspicious objects through the utility's context menu.

KillSwitch monitors running processes, network connections, physical memory and CPU load. To catch a fake svchost using KillSwitch, follow these steps:

  1. On the System tab, open the Processes section.
  2. Analyze all activated svchost processes:
    • right click on the file;
    • select "Properties";
    • look at its current directory. If it is different from C:\Windows\system32\, it is most likely that the object being examined is a virus.

If malware is detected:

  1. Additionally, look at the “Rating” column (safe) and the signature in its field.
  2. If these properties also do not correspond to the characteristics of the trusted system file, activate the context menu again (right-click). And then run the “Suspend” and “Delete” functions in sequence.
  3. Continue checking, the virus may have created and launched copies of itself. It is also imperative to get rid of them!

Method No. 2: using system functions

Checking startup

  1. Click "Start".
  2. Type msconfig in the search bar and press Enter.
  3. In the System Configuration window, go to the Startup tab.
  4. View the commands (the “Command” column) that launch elements when Windows starts, and their location (directories, registry keys in the “Location” column):
    • Disable all directives containing svchost (click the checkbox next to the entry). This is 100% a virus. The system process of the same name is never registered in startup.
    • Open the malware directory (listed in “Location”) and delete it. To neutralize a key in the registry, use the standard regedit editor: “Win + R” → regedit → Enter.

Analysis of active processes

  1. Press "Ctrl + Alt + Del".
  2. Click on the “Processes” tab.
  3. Check the properties of all active svchosts (name, extension, size, location). When analyzing, rely on the data from the filecheck.ru service and the characteristics given in this article.

Right-click on the image name. From the menu, select Properties.

If a virus is detected:

  • in the properties of the object, find out its location (copy or remember);
  • click “End process”;
  • go to the malware directory and remove it using the standard function (right-click → Delete).

If it is difficult to determine: trusted or virus?

Sometimes it is difficult to say for sure whether svchost is real or fake. In such a situation, it is recommended to carry out additional detection using the free online scanner Virustotal. This service uses 50-55 antiviruses to scan an object for viruses.

  1. Open virustotal.com in your browser.
  2. Click Select File.
  3. In Windows Explorer, open the directory of the process you want to check, select it by clicking, and then click “Open”.
  4. To start scanning, click “Check!” The file will be uploaded from the PC to the service and scanning will begin automatically.
  5. Review the test results. If most antivirus programs detect an object as a virus, it must be removed.

The operation of the Windows operating system is a complex process that is only possible with the proper functioning of all software components. MacOS is no less complex, but in it users do not have the ability to monitor system processes. In Windows, you can view all executable files in the Task Manager, and some of them may scare inexperienced users. A prime example of a file that is causing concern is svchost.exe. Quite often in Windows, svchost.exe loads memory or CPU, and there is a feeling that it is a virus. Is this really true? Let's figure it out.

Svchost.exe: what is this process, what functions does it have and why is it needed?

There is a basis for the widespread belief that svchost.exe is a virus, but in reality, most often, this process does not pose any threat. As for the functional responsibilities assigned to this file, it is needed to load dynamic-link libraries (DLLs) for programs and services that cannot work without them. Each program uses its own svchost file, which can be located in different folders of the Windows operating system.

Most often, the svchost.exe file can be found at the following addresses:

  • C:\WINDOWS\system32
  • C:\WINDOWS\Prefetch
  • C:\WINDOWS\winsxs\ amd64_microsoft-window
  • C:\WINDOWS\ServicePackFiles\i386

If the svchost.exe file is located in other folders, this is a reason to sound the alarm, but it is far from an indication that it is a virus. This rule also applies in the opposite direction; if svchost.exe is even located in one of the above folders, it may well turn out to be virus software.

It is very easy to determine in which folder the currently active svchost.exe processes are located. To do this, follow these steps:


In the Windows 8 and Windows 10 operating systems, you can view the list of services that use the svchost.exe process through the Task Manager. This is easy to do - you need to right-click on the suspicious process and select “Go to services”. It is worth noting that the names of many services are unlikely to tell the average computer user anything.

The svchost.exe process may not be a virus, and if it loads the system, then 2 scenarios should be considered here:

  • The computer is infected with a virus that sends spam, mines cryptocurrency for its creators, or transfers other data to attackers;
  • Due to inattention, the user does not notice that the malicious process is only hiding under the guise of the svchost.exe system library, but in fact it is not one.

If your computer is infected with a virus, and because of this the svchost.exe process loads Windows 10 or an earlier version of the operating system, then you should scan your computer with popular antiviruses. Be sure to install a Firewall, which will ensure your computer's network security.

In the second case, you should identify the malicious file that only pretends to be svchost.exe, and then delete it.

How to distinguish svchost.exe virus from a system file

If the svchost.exe process is using up memory or the CPU, you should make sure that the file it references is valid. To do this, carefully check the name of the executing process. Below we present several tricks of attackers who replace the svchost.exe process with another one, but similar in name. The following schemes are most often used to disguise the virus:

Listed above are only the most common options for masking the virus, but there may be others. Make sure that the process is called svchost.exe and that all letters are written in Latin letters.

If you find a process that masquerades as svchost.exe, but is not one, you should delete it. This is quite easy to do if you use the AVZ program.

How to remove svchost.exe using AVZ program

The well-known anti-virus utility AVZ is capable of detecting and removing unwanted programs, including viruses. It is free and has many useful features. The advantage of the AVZ program is that it does not need to be installed on the system drive. AVZ can be launched from a flash drive, external hard drive, or directly from a downloaded archive.

To remove the svchost.exe file using the AVZ utility, you must perform the following steps:


begin SearchRootkit(true, true);

Instead of the words “Path to the virus” highlighted in red, you must specify the location of the svchost virus process. Above, we have already described how to determine where the virus file is located, which is masquerading as svchost.exe. Copy the path to it (or write it manually) and paste it instead of the words highlighted in red. Attention: Quotes cannot be removed from the script - only letters highlighted in red.


After successfully removing the file that pretended to be svchost.exe, we strongly recommend that you scan your computer for viruses. There is a high probability that one of the programs generates new files that automatically run in processes and pretend to be svchost.exe.

Have you ever gone into your operating system's Task Manager and found multiple copies of the same file called svchost.exe running? What is this file and can it harm your computer? Is it possible and necessary to remove it? We will talk about this and many other issues related to this file in this article.

Definition

Svchost.exe is the general name of the main process for services launched from dynamic libraries in the Windows OS line. Each service that accesses the svchost.exe file runs its own copy of this file on the personal computer. Thus, several dozen copies of it can be displayed in the task manager at once. This system was invented in order to save as much free space as possible in the device’s memory.

Is this file safe?

The svchost.exe file itself is an important component of the operating system and does not pose any threat. However, often malicious code picked up on the Internet is disguised as this file. The calculation is made on the fact that a file with such a name will be more difficult for you to detect and you will be afraid to delete it, considering it a system file.

Where is this file located?

It is quite simple to recognize whether a particular running process named svchost is a virus. First of all, you need to know where the real, safe svchost.exe file can be located:

  • C:\WINDOWS\system32
  • C:\WINDOWS\ServicePackFiles\i386
  • C:\WINDOWS\Prefetch
  • C:\WINDOWS\winsxs\ – any folder located in this directory.

If you find the svchost file in any other path, you know that you are dealing with a virus. The only exceptions are antivirus and some other programs, which also create folders of the same name, but do not pose a threat to your computer.

How can I see what services are running using svchost?

Let's consider this issue using Windows 7 as an example.

  1. Press the Ctrl+Alt+Del keys simultaneously and select "Launch task manager".
  2. Go to the processes tab and select "Display processes of all users".
  3. In the list that opens, you can see how many copies of the file are running on your computer at the moment and under which user. You need to know that the svchost.exe system file can only be run as LOCAL SERVICE, SYSTEM, NETWORK SERVICE or System users. If the file is called by the name of the local machine, you are dealing with a virus.
  4. To see which service launched a specific copy of a file, right-click on this copy from the list and select “Go to Services” or select a copy from the list with the left mouse button and open the adjacent “Services” tab.
  5. To find out what a particular service is and what functions it performs on your computer, click on the “Services…” button in the lower right corner of the window that opens.

How to remove a virus masquerading as svchost?

If you suspect that your computer is infected with a virus that disguises itself as a svchost file, the best solution would be to download a program specifically designed to remove this type of file from your computer. An example of such a program would be Security Task Manager or the antivirus utility AVZ. After deleting suspicious files, you will need to reboot your computer and conduct a full system scan for viruses. Only after this can you be completely sure that you have gotten rid of the virus, and this file no longer threatens the security of your computer.