Advertisement

Why so many svchost.exe processes are running in Windows

When you open the the Processes tab of the Task Manager in Windows 7 or the Details tab of Task Manager in Windows 8, you will be surprised to see that a large number of processes are named svchost.exe. Today, we will see why Windows needs so many instances of the SVCHOST process and how to identify which svchost process runs which groups of services.

Advertisеment


The svchost.exe file (service host) is located in the C:\Windows\System32 folder and is used to run various system services. Here is a official description of that file provided by Microsoft:

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.
Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

So, as a result of grouping services, we have a lots of instances of Svchost.exe, each running a group of services per instance!

Let's see how to view which services are running in a specific svchost.exe instance.

Option one: Task Manager
The built-in tool, Windows Task Manager, is able to show additional information about services related to the selected svchost process. Recently we covered how to see services related to a process in Windows 8, so it is a good idea to use this trick to inspect svchost.

  1. Open the Task Manager by pressing the Ctrl + Shift + Esc shortcut on the keyboard or by right clicking an empty area of the Taskbar.
  2. In Windows 7 or Vista, go to the Processes tab. In Windows 8 and above, switch to the Details tab.
  3. Right click the desired process. Suppose a particular instance of svchost.exe process is consuming lots of memory and you want to find out which service is causing that, then, click on that instance of svchost.exe and choose Go to Service(s). The Services tab will be opened automatically, and all services created by the selected instance of the svchost.exe process will be highlighted.
    services by a process

Option two: Command line trick

Open a command prompt window and type the following:

tasklist /svc

It will list all instances of the svchost process with related services.
tasklist svc
This trick is very useful in Windows XP where the Task Manager app does not have the 'Go to Service(s)' feature.

That's it. Now you know why multiple svchost.exe processes are running on your Windows system and won't be confused why so many of them have to run.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!

Advertisеment

Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

11 thoughts on “Why so many svchost.exe processes are running in Windows”

  1. I didn’t know that, now I Win+Run the following command.

    cmd /c “tasklist /svc | grep svchost.exe”&&pause

    After that, knowing which services I want to unload I use “net stop ” with admin privileges.

    Thanks.

  2. Good information! Thanks!

    Another method is to go to the Task Manager / Processes Tab. Click the arrow to the left of each “Service Host:..” entry and the associated services will be shown.

  3. If you run tasklist /fi “IMAGENAME eq svchost.exe” /svc you’ll get only the svchost.exe instances, with the associated service information for each one. Makes for a more compact, more readable listing. Right now, I have 14 instances up and running with all kinds of interesting service associations.
    HTH,
    –Ed–

    1. Thank you very much for the interesting info.
      With the “eq” filter the output is really more useful.

Leave a Reply

Your email address will not be published.

css.php
Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.