What is Svchost.exe

svchost.exe

File description

Svchost.exe with description svchost.exe is a process file from an unknown company belonging to an unknown product.
The file is digitally signed from Microsoft Windows Component Publisher - Microsoft Timestamping Service
We do not recommend removing digitally signed files from Microsoft Windows Component Publisher

Why is svchost.exe running on my computer?
You are probably on this page because you noticed that there are multiple svchost.exe processes running on your computer and you can't remember installing or starting them.

The screenshot below is a typical example of a taskmanager opened on a Windows XP computer (the other running processes are stripped out in this image)
As you can see the process is running under the user name SYSTEM, NETWORK SERVICE or LOCAL SERVICE



Where do all these processes come from?
This is the Microsoft definition: Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
Microsoft decided instead of creating a separate executable file for each service that start in windows they will create different .dll files and let the process svchost.exe host them all.
Basicly this means that svchost starts and it loads all the needed dll files from the services needed.

So now we know that the legit svchost.exe hosts services, but how do we see them?
Open the command prompt and type the command : Tasklist /SVC and press enter (not available in windows XP home edition)
Tasklist will show a list of all running programs (much like taskmanager) but the /svc will also show the loaded services for this task.

In the screenshot below you can see which services are active on a typical Windows XP machine (DcomLaunch, TermService, RpcSs, AudioSrv, CryptSvc, Dhcp, ERSvc, EventSystem, helpsvc, HidServ, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, seclogon, SENS, ShellHWDetection, srservice, TapiSrv, Themes, TrkWks, winmgmt, WZCSVC, Dnscache, LmHosts, SSDPSRV, upnphost, WebClient)
Notice that the service "Alerter" is not running.



An example service from the registry : Alerter service.
Alerter : Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.

As you can see in the imagepath the file loaded is actually %systemroot%\system32\svchost.exe with an additional parameter : "-k LocalService"
The start value of "4" means that this service is disabled (that's why it didn't show up in the services list using tasklist.exe)



Dangers of svchost
Because svchost is running on all windows computers it's an easy target for malware and virus writers to "mimic" their malware as a legitimate version of svchost.exe.
These fake files can be recognised because there are mostly not located in the %SystemRoot%\System32 folder (or they have typo's in them such as svch0st.exe, scvhost.exe,...)

Automatic startup locations

001 Running Processes
002 Autorun registry entries local machine
003 Autorun registry entries Current User
004 All users startup startmenu
005 Current user startup startmenu
007 Roaming Start Menu\Programs\Startup
008 Autorun registry entries Default user
009 Autorun registry entries SYSTEM user
010 Installed services
011 Installed drivers
012 Autorun registry entries S-1-5-XX users
033 Winlogon Userinit
034 Winlogon Shell
035 Active Setup Installed Components
038 Winlogon Taskman
063 BootExecute
065 Image File Execution Options (debugger)
073 %windir%\Tasks
135 Current User Runonce (+ subkeys)
136 Local Machine Runonce (+subkeys)
139 Windows\load
140 Windows\run
166 HKCU Policies\Explorer\Run
167 HKLM Policies\Explorer\Run
191 Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

Digital signatures found for this file

    Certificate 
65 Microsoft Windows Component Publisher - Microsoft Timestamping Service
42 Microsoft Windows Publisher - VeriSign Time Stamping Services Signer
32 Microsoft Windows - Microsoft Time-Stamp Service
17 Microsoft Windows XP Publisher - VeriSign Time Stamping Service
7 Microsoft Windows Publisher - VeriSign Time Stamping Service
6 Microsoft Windows - Microsoft Timestamping Service
5 Microsoft Windows XP Publisher (Europe) - VeriSign Time Stamping Service
4 ABDULKADIR SAHIN - Symantec Time Stamping Services Signer - G4
3 Trend Micro, Inc. - COMODO Time Stamping Signer
3 Microsoft Windows 2000 Publisher - VeriSign Time Stamping Service CA SW1
3 Microsoft Windows - VeriSign Time Stamping Services Signer
3 Microsoft Windows Component Publisher - VeriSign Time Stamping Services Signer
2 Microsoft Windows 2000 Publisher - NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
1 TOLGA KAPLAN - Symantec Time Stamping Services Signer - G4
1 Kings Information & Network Co., Ltd. - Symantec Time Stamping Services Signer - G4

MD5 security rating in our database

1367 files (Not yet rated and not signed)
19 files (Not yet rated and digitally signed)
4 files (Safe and not signed)
211 files (Safe and digitally signed)
Some versions of this filename have not yet been checked for safety.
Warning: Some malware might rename itself to svchost.exe. Always make sure that your file is from a verified publisher.

User ratings for this file

File rating: Average rating of svchost.exe: by 1601 files and users.

Application errors

Fix svchost.exe application error:  Run a FREE registry scan

User comments

Information about this file can be found at:
http://support.microsoft.com/kb/314056
yes SVCHOST.EXE is a safe file of MS Corp. indeed..
but i had once a problem with Nod32, actualy i think that some kind of virus used the svchost.exe to module my settings.
Nod23 wanted just delete the svchost.exe.
of course this dosen't happen anymore after some updates.
possible sdbot.cqm (from kaspersky) in %windir%.
create service Generic Host Process for Win-32 Services
modify winlogon\shell key to autostart
Make sure that all versions of your file are digitally signed and that the only startup location is "010 Installed services" then you should be safe
Only the file under this path is safe - C:\Windows\System32
NOT All Files under the path: 'C:\Windows\System32' are Safe! Malware &/or Viruses can get into & infect files in System32!
svchost.exe is only legit in the system32 folder. If it is found ANYWHERE else it is a trojan.


Please add your comments if you have more information about this file or if you know how to solve svchost.exe application errors.


File safety :

File security rating :

Are you human? How much is 4+14:


Like this page?

Please support this free service by giving us a Google+1


Browse files by letter

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

More system processes

svchost.fix.wizard.1_2.exe svchost.sys svchost32.exe
svchost64.exe svchosta.exe SvchostAnalyzer.exe
svchst.exe svchstb.dll svchоst.exe
svcia32.dll svcinit.exe svcjoging.exe

Lansweeper computer inventory From the creator of Runscanner:

Lansweeper
is an automated IT asset management tool. It can quickly scan your computers and has over 250 default reports available.

There is no need to install any agents on the scanned computers, all hardware and software inventory scanning is done by standard build-in functionality.