When you open the Processes tab of the Task Manager in Windows 7 or the Details tab of Task Manager in Windows 8, you will be surprised to see that a large number of processes are named svchost.exe. Today, we will see why Windows needs so many instances of the SVCHOST process and how to identify which svchost process runs which groups of services.
The svchost.exe file (service host) is located in the C:\Windows\System32 folder and is used to run various system services. Here is an official description of that file provided by Microsoft:
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.
Svchost.exe groups are identified in the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
So, as a result of grouping services, we have a lot of instances of Svchost.exe, each running one group of services.
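The registry layout described above can be walked directly. The following PowerShell script is an added example, not part of the original article or of Microsoft's description: it reads each Svchost group, resolves the ServiceDll of every service in it, and ties running services to their svchost.exe PID. It assumes an elevated PowerShell session and uses the key name as it exists on disk (`Windows NT`, with a space); the variable names are illustrative.

```powershell
# Added example: map Svchost groups -> services -> ServiceDll -> running PID.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected    = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Current state of every service, keyed by service name.
# ProcessId is 0 for a stopped service. PowerShell hashtables ignore case.
$state = @{}
Get-CimInstance Win32_Service | ForEach-Object { $state[$_.Name] = $_ }

# Each REG_MULTI_SZ value under the Svchost key is one group;
# the strings inside it are the service names of that group.
$key = Get-Item -Path $svchostKey
$report = foreach ($group in $key.GetValueNames()) {
    if ($key.GetValueKind($group) -ne 'MultiString') { continue }
    foreach ($name in $key.GetValue($group)) {
        # The DLL that svchost loads for this service lives under <service>\Parameters.
        $params = Join-Path $servicesKey "$name\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll `
                    -ErrorAction SilentlyContinue).ServiceDll
        $svc = $state[$name]   # $null when the service is listed but not installed
        [pscustomobject]@{
            Group      = $group
            Service    = $name
            State      = if ($svc) { $svc.State } else { 'NotInstalled' }
            ProcessId  = if ($svc) { $svc.ProcessId } else { $null }
            ServiceDll = $dll
        }
    }
}

# One line per running svchost instance: PID, group and the services it hosts.
$report | Where-Object ProcessId | Group-Object ProcessId | ForEach-Object {
    [pscustomobject]@{
        ProcessId = $_.Name
        Group     = ($_.Group.Group | Sort-Object -Unique) -join ','
        Services  = ($_.Group.Service | Sort-Object) -join ','
    }
} | Sort-Object { [int]$_.ProcessId } | Format-Table -AutoSize -Wrap

# Where each svchost.exe image is actually loaded from. An empty ExecutablePath
# means the query lacked the privileges to read it, not that the path is wrong.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Select-Object ProcessId, ExecutablePath,
        @{ n = 'InSystem32'; e = { $_.ExecutablePath -eq $expected } }, CommandLine |
    Format-Table -AutoSize -Wrap
```

The `$report` variable keeps the full per-service rows, including the ServiceDll path, so it can be filtered or exported for a closer look at any one group.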
Let's see how to view which services are running in a specific svchost.exe instance.
Option one: Task Manager
The built-in tool, Windows Task Manager, is able to show additional information about services related to the selected svchost process. Recently we covered how to see services related to a process in Windows 8, so it is a good idea to use this trick to inspect svchost.
- Open the Task Manager by pressing the Ctrl + Shift + Esc shortcut on the keyboard or by right clicking an empty area of the Taskbar.
- In Windows 7 or Vista, go to the Processes tab. In Windows 8 and above, switch to the Details tab.
- Right-click the desired process. For example, if a particular instance of svchost.exe is consuming a lot of memory and you want to find out which service is causing that, right-click that instance of svchost.exe and choose Go to Service(s). The Services tab will open automatically, and all services created by the selected instance of the svchost.exe process will be highlighted.
Option two: Command line trick
Open a command prompt window and type the following:
That's it. Now you know why multiple svchost.exe processes are running on your Windows system, and you won't be confused about why so many of them have to run.