What is the Service Host process (svchost.exe) and why are so many running?

Who I am
Aina Martin
Author and references

What is the Service Host process (svchost.exe) and why are so many running? If you've ever opened the Task Manager, you may have wondered why there are so many Host Service processes running. You can't close them and you certainly didn't start them. So what are they?

Service Host processes act as a shell for loading services from DLL files. The services are organized into related groups and each group runs within a different instance of the Host Service process. In this way, a problem in one instance does not affect other instances. This process is a vital part of Windows that cannot be prevented from running.

1. So what is the Service Host process (svchost.exe)?

Here is the answer, according to Microsoft:

What is the Service Host process (svchost.exe)? Svchost.exe is a generic host process name for services running from dynamic link libraries.

But that doesn't help us much. Some time ago, Microsoft started changing much of Windows functionality from relying on internal Windows services (which were run from EXE files) to using DLL files. From a programming standpoint, this makes the code more reusable and probably easier to update. The problem is that you can't start a DLL file directly from Windows in the same way you can run an executable file. Instead, a shell that is loaded from an executable file is used to host these DLL services. And so the Service Host process (svchost.exe) was born.

2. Why are there so many Service Hosts running?

If you've ever looked at the Services section in the Control Panel, you've probably noticed that Windows requires a lot of services. If every single service runs in a single Service Host process, a failure in one service could potentially shut down the entire Windows system. Instead, they are separate.

The services are organized into logical groups that are all related in some way, so a single instance of the service host is created to host each group. For example, a Service Host process runs the three firewall-related services. Another Service Host process might be running all UI related services, and so on.

In the days of Windows XP (and earlier), when PCs had much more limited resources and operating systems weren't as optimized, it was often recommended to stop running unnecessary services for Windows. Nowadays, we no longer recommend disabling services. Modern PCs tend to be loaded with high-powered memory and processors. Add that to the fact that how Windows services are managed in modern versions (and what services run) has been simplified, and deleting the services you think you don't really need no longer has any impact.

That said, if you notice that a particular instance of Service Host, or a related service, is causing problems, such as continual overuse of CPU or RAM, you can check for the specific services involved. This might at least give you an idea of ​​where to start with troubleshooting. There are a few ways to see exactly which services are hosted by a particular Service Host instance. You can check within Task Manager or by using a great third party app called Process Explorer.

3. Check out related services in Task Manager

If you are using Windows 8 or 10, the processes are displayed in the “Processes” tab of the Task Manager with their full names. If a process is hosting multiple services, you can view those services simply by expanding the process. This makes it easier to identify the services belonging to each instance of the Service Host process.

You can right-click on an individual service to stop the service, view it in the "Services" Control Panel app, or even search online for information about the service.

If you're using Windows 7, things are a little different. The Windows 7 Task Manager did not group processes in the same way, nor did it show regular process names, but only showed all running instances of "svchost.exe". It took a bit of exploration to determine the services related to a particular instance of "svchost.exe".

In the “Processes” tab of the Task Manager in Windows 7, right-click on a particular “svchost.exe” process, then choose the “Go to service” option.

This will take you to the "Services" tab, where all the services running in that "svchost.exe" process are all selected.

You can then see the full name of each service in the "Description" column, so you can choose to disable the service if you don't want to run it or fix why it is giving you problems.

4. Check related services through Process Explorer

Microsoft also provides an excellent advanced tool for working with processes as part of its Sysinternals range. Download Process Explorer and run it - it's a portable app, so you don't need to install it. Process Explorer offers all kinds of advanced features.

For our purposes here, however, Process Explorer groups related services into each instance of “svchost.exe”. They are listed by their file names, but their full names are also shown in the "Description" column. You can also hover the mouse pointer over one of the “svchost.exe” processes to see a popup with all the services related to that process, even those that are not currently running.

Could the Service Host process (svchost.exe) be a virus?

The process itself is an official component of Windows. While it is possible that a virus has replaced the real Service Host with its own executable, it is very unlikely. If you want to be sure, you can check the underlying file location of the process. In Task Manager, right-click on any service host process and choose the “Open file path” option.

If the file is stored in the Windows System32 folder, then you can be pretty sure you are not dealing with a virus.

add a comment of What is the Service Host process (svchost.exe) and why are so many running?
Comment sent successfully! We will review it in the next few hours.