Svchost.exe file description |
Svchost.exe with description Generic Host Process for Win32 Services is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
In total there are 23 launchpoints for this file including "Running processes".
There are 15 different variations of the file in our database and the file is
digitally signed from Beijing Rising Information Technology Corporation Limited - VeriSign Time Stamping Services Signer - G2
We do not recommend removing digitally signed files from Beijing Rising Information Technology Corporation Limited
Why is svchost.exe running on my computer?
You are probably on this page because you noticed that there are multiple svchost.exe processes running on your computer and you can't remember installing or starting them.
The screenshot below is a typical example of a taskmanager opened on a Windows XP computer (the other running processes are stripped out in this image)
As you can see the process is running under the user name SYSTEM, NETWORK SERVICE or LOCAL SERVICE
Where do all these processes come from?
This is the Microsoft definition: Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
Microsoft decided instead of creating a separate executable file for each service that start in windows they will create different .dll files and let the process svchost.exe host them all.
Basicly this means that svchost starts and it loads all the needed dll files from the services needed.
So now we know that the legit svchost.exe hosts services, but how do we see them?
Open the command prompt and type the command : Tasklist /SVC and press enter (not available in windows XP home edition)
Tasklist will show a list of all running programs (much like taskmanager) but the /svc will also show the loaded services for this task.
In the screenshot below you can see which services are active on a typical Windows XP machine (DcomLaunch, TermService,
RpcSs,
AudioSrv, CryptSvc, Dhcp, ERSvc, EventSystem, helpsvc, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
seclogon, SENS, ShellHWDetection, srservice,
TapiSrv, Themes, TrkWks, winmgmt, WZCSVC,
Dnscache,
LmHosts, SSDPSRV, upnphost, WebClient)
Notice that the service "Alerter" is not running.
An example service from the registry : Alerter service.
Alerter : Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
As you can see in the imagepath the file loaded is actually %systemroot%\system32\svchost.exe with an additional parameter : "-k LocalService"
The start value of "4" means that this service is disabled (that's why it didn't show up in the services list using tasklist.exe)
Dangers of svchost
Because svchost is running on all windows computers it's an easy target for malware and virus writers to "mimic" their malware as a legitimate version of svchost.exe.
These fake files can be recognised because there are mostly not located in the %SystemRoot%\System32 folder (or they have typo's in them such as svch0st.exe, scvhost.exe,...)
|
Automatic startup locations |
 |
001 Running Processes |
 |
002 Autorun registry entries local machine |
|
003 Autorun registry entries Current User |
 |
004 All users startup startmenu |
|
005 Current user startup startmenu |
|
007 Roaming Start Menu\Programs\Startup |
|
008 Autorun registry entries Default user |
|
009 Autorun registry entries SYSTEM user |
 |
010 Installed services |
 |
011 Installed drivers |
 |
033 Winlogon Userinit |
|
034 Winlogon Shell |
|
035 Active Setup Installed Components |
|
038 Winlogon Taskman |
|
065 Image File Execution Options (debugger) |
|
073 %windir%\Tasks |
|
135 Current User Runonce (+ subkeys) |
|
136 Local Machine Runonce (+subkeys) |
|
139 Windows\load |
|
140 Windows\run |
|
166 HKCU Policies\Explorer\Run |
|
167 HKLM Policies\Explorer\Run |
|
191 Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run |
|
File versions in our database |
| |
Company |
Version |
Size |
 |
n/a |
n/a |
4294967295 |
|
?????????? |
1.0.0.40 |
4294967295 |
|
|
1.00.0750 |
4294967295 |
|
|
1.00.0910 |
4294967295 |
|
|
1.00.1119 |
4294967295 |
|
|
1.00.1275 |
4294967295 |
|
|
1.00.1356 |
4294967295 |
|
n/a |
2.03.0002 |
4294967295 |
|
Microsoft Corporation |
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) |
4294967295 |
|
SFX Cabinet Self-Extractor |
56.0.5.38 |
32507123 |
|
Syncsoft Softwares |
4.00.0002 |
8413184 |
|
Syncsoft Softwares |
4.00.0002 |
7614464 |
|
n/a |
n/a |
7361536 |
|
n/a |
n/a |
6641967 |
|
n/a |
n/a |
4010496 |
|
|
Digital signatures found for this file |
| |
Signer of certificate |
Issuer of certificate |
 |
Beijing Rising Information Technology Corporation Limited |
VeriSign Time Stamping Services Signer - G2 |
|
Microsoft Corporation |
Microsoft Time-Stamp Service |
|
Microsoft Windows |
Microsoft Time-Stamp Service |
|
Microsoft Windows |
Microsoft Timestamping Service |
|
Microsoft Windows |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows 2000 Publisher |
NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc. |
|
Microsoft Windows 2000 Publisher |
VeriSign Time Stamping Service CA SW1 |
|
Microsoft Windows 2000 Publisher (Europe) |
NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc. |
|
Microsoft Windows 2000 Publisher (Europe) |
VeriSign Time Stamping Service CA SW1 |
|
Microsoft Windows Component Publisher |
Microsoft Timestamping Service |
|
Microsoft Windows Component Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows Publisher |
VeriSign Time Stamping Services Signer |
|
Microsoft Windows XP Publisher |
VeriSign Time Stamping Service |
|
Microsoft Windows XP Publisher |
VeriSign Time Stamping Services Signer |
|
|
MD5 security rating in our database |
 |
 |
|
935 |
files (Not yet rated
and
not
signed) |
|
|
3 |
files (Not yet rated
and
digitally
signed) |
 |
|
8 |
files (Safe
and
not
signed) |
|
|
187 |
files (Safe
and
digitally
signed) |
|
|
|
Some versions of this filename have not yet been checked for safety.
|
| Warning: Some malware might rename itself to svchost.exe. Always make sure that your file is from a verified publisher. |
|
Application errors |
|
| User comments for Svchost.exe |
 |
Information about this file can be found at:
http://support.microsoft.com/kb/314056 |
|
yes SVCHOST.EXE is a safe file of MS Corp. indeed..
but i had once a problem with Nod32, actualy i think that some kind of virus used the svchost.exe to module my settings.
Nod23 wanted just delete the svchost.exe.
of course this dosen't happen anymore after some updates. |
|
possible sdbot.cqm (from kaspersky) in %windir%.
create service Generic Host Process for Win-32 Services
modify winlogon\shell key to autostart |
|
Make sure that all versions of your file are digitally signed and that the only startup location is "010 Installed services" then you should be safe |
|
|
Database statistics
Top process list
