How to check the processes and services run by svchost.exe
On Windows, applications are built as exe files and code libraries are built as dll (dynamic-link library) files. The dll files contain reusable code such as database engines, 3D renderers, graphing capabilities, etc.
The application developers need not bother about writing these libraries all over again and can use these libraries by referencing the dll files in the application program.
Exe files can run as a process, but that is not possible for dll files. Windows needs an exe process to load the dll file(s) and then let other processes call a function in the dll code. One more reason for hosting dlls separately is that some of the code has to run as a super user and running that code from the application as a constrained user is not possible.
svchost.exe does the job of loading the dll files into a process that runs as the SYSTEM user.
One or more dll files are grouped by their functions and are loaded into the svchost.exe process. So based on the number of groups these dll files can form, several svchost.exe processes run on your computer.
Task Manager does not show what dll files are being loaded by each svchost.exe. To see them, you can run tasklist /svc /fi "imagename eq svchost.exe" from the command line, or use Process Explorer.
tasklist gives you an idea, but it is not super helpful. Let's look at Process Explorer (a free standalone program from Microsoft).
When you hover over svchost.exe, it shows information similar to what tasklist /svc does, plus the name of the service. If you right-click on the svchost.exe process, open its properties, and check the Services tab, you will see the path to the dll file(s) hosted by the process.
If you find svchost.exe using a lot of CPU/RAM, you may have to drill down to find which service is causing the issue. If you are not able to locate proper information on the dll, it is likely a virus.
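The same drill-down can be scripted. The following PowerShell is an added example, not part of the original post: it lists every running service hosted by svchost.exe with its PID, logon account, dll path and signature status. It assumes the dll path is stored in the ServiceDll registry value of each service (normally under its Parameters key) and that the prompt is elevated.

```powershell
# Added example: map each svchost.exe PID to its services and hosted dlls.
# Run from an elevated PowerShell prompt so every service key is readable.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Where-Object { $_.PathName -match 'svchost\.exe' } |
    ForEach-Object {
        $svc = $_
        $dll = $null
        # Assumption: the hosted dll is recorded in the ServiceDll value,
        # usually under ...\<service>\Parameters, sometimes on the service key.
        foreach ($key in "$svcRoot\$($svc.Name)\Parameters", "$svcRoot\$($svc.Name)") {
            $val = (Get-ItemProperty -Path $key -Name ServiceDll `
                        -ErrorAction SilentlyContinue).ServiceDll
            if ($val) {
                $dll = [Environment]::ExpandEnvironmentVariables($val)
                break
            }
        }
        # Check the Authenticode signature only when the file can be found.
        $sig = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
        }
        [pscustomobject]@{
            ProcessId = $svc.ProcessId
            Service   = $svc.Name
            Account   = $svc.StartName
            Dll       = $dll
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else { '' }
        }
    } |
    Sort-Object ProcessId, Service |
    Format-Table -AutoSize -Wrap
```

Match the ProcessId column against the PID that Task Manager or Process Explorer shows for the busy svchost.exe; a dll that is missing, unsigned, or located outside the Windows directory is the one to examine first.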