What is svchost.exe and why so many instances?

ubuysa

The BSOD Doctor
Open Task Manager and click the Details tab. Click the Name column to sort by name and then scroll down to find a process called 'svchost.exe'. How many svchost.exe processes do you have? I've got 75 running on my Windows 10 system at the moment...

What is svchost.exe? What does svchost.exe do? Why are there so many instances of svchost.exe?

Svchost.exe is a process that is often a complete mystery to many users, and with good reason. In Task Manager right-click on any of your svchost.exe processes and see whether you can see any difference at all between these instances. You can't. They all seem to be running exactly the same program (svchost.exe), although they all have different working set sizes and probably different CPU usage. It's the fact that Windows has no tools to let you interrogate svchost.exe, and the fact that you have dozens of instances, that makes the purpose of svchost.exe such a mystery.


Service Host Process

Svchost.exe is the Service Host Process, and each of those three words has meaning. First it's a process, which means it's a complete unit of work in Windows, with its own virtual address space, its own files, and its own threads. Second its a host process which means that it's running in order to allow something else (that can't run in its own process) to run inside it. Third its a service host process which means that what's running inside it is a Windows service that isn't able to run in its own process.

Services run in order to provide, well...services, specialised features and facilities, to other processes. In Linux/Unix they are called daemons. You can see all the services on your Windows system (and whether they are currently running or not) by entering the 'services.msc' command in the Run box.

You can see from the Services window that there are a great many services, the Status column shows you that not all of them are running. That's quite normal, many services are designed for specific environments and won't run if your system isn't one of these. Some services can be manually stopped (even disabled) but that's beyond the scope of this document. Most of these services are running inside an instance of the svchost.exe process.

In versions of Windows prior to Windows 10 1703 (the Creator's Update) each svchost.exe process hosted several services, from 1703 onward (and providing you have more than 4GB of RAM installed) most svchost.exe processes host only a single service. This is to prevent a problem in one service affecting any others, and it's why in Windows 10 1703 you saw an explosion in the number of svchost.exe processes.


Why Use Svchost.exe?

Executable program code exists in two type of file that can be identified by their suffix; .exe and .dll. An executable file (.exe) is a stand-alone program and can be loaded and run by itself. When you start an executable file Windows creates a process structure to hold it. A familiar example is notepad.exe (it's in C:\Windows\System32), you can double-click notepad.exe and it runs, when you look in Task Manager on the Details tab there is a new process (called notepad.exe) created for it.

A dynamic link library file (.dll) is program code that is not directly executable, this is because it has program calls within the code that reference other dlls that must be loaded as well in order for the dll to run. Creating program code as dlls makes it much more transportable and much faster to write and it means a complete self-contained program need not be created, only the functional code need be included in the dll and external calls can be made to other (existing) dlls to include their code dynamically. Functionality is thus provided by many dlls cooperating in a process. Most services in Windows today are created as dlls.

The problem with a dll is that because it's not a fully executable program Windows cannot create a process for it, and without a process structure it can't run. This is where svchost.exe comes in. You'll note that svchost.exe is an executable, Windows will create a process for it when it's started. Svchost.exe then dynamically loads the dll(s) necessary to support whatever service needs to be run and hosts those dlls within the svchost.exe process. Windows now has a process (which is called svchost.exe because that's the executable that started it) and the dlls that support the required service have a process inside which they can run.


What Services Are Running In Svchost?

Unfortunately Windows doesn't contain any tools that let you find out what service(s) are being hosted inside which instances of svchost.exe. This can be a problem if there is an issue with a service, because all you see is an instance of svchost.exe running away with CPU cycles, running away with RAM, or having some other issue. You don't know what service is being hosted so you don't know where to start looking.

There is an official Microsoft tool called Process Explorer, which is part of the Sysinternals suite of tools, that will show you what services are being hosted by which instances of svchost.exe. However, Process Explorer is an extremely complex and powerful tool and you should be careful if you go on to explore the many other features of Process Explorer.

You can download Process Explorer from Microsft at https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer. It's a stand-alone executable and it doesn't require any installation, you just double-click the .exe file and it runs.

When Process Explorer starts you'll see several columns and lots of colours. Look at the left hand column labelled Process, this is a list of all the processes running on your system. Initially it's in a tree view (processes have a parent-child relationship) but if you click on the Process column header it will sort them in ascending alphabetical order and that's more useful for our purposes. (Note that if you click again the sort order becomes descending, a third click goes back to the tree view).

Scroll down to the svchost.exe processes, if you hover the cursor over each instance of svchost.exe a fly-out box appears showing you what service(s) are hosted inside that instance. If you double-click an instance of svchost.exe a dialog box opens with a large number of tabs. Click the Services tab if it's not already selected, here you can see the name of the service(s) being hosted and the location of the dll(s) that contains the main service program code (most of them are in C:\Windows\System32).

Svchost.exe is thus an essentail Windows component used to host services running as dlls on which the proper operation of your system depends. You have no control over when an svhost.exe instance is started nor what's running in there, all you can do is enable or disable the services themselves via services.msc. Disabling a service will close that instance of svhost.exe if it was only running that one service (as is the likely on Windows 10 1703 and later).


What About Dllhost.exe?

You may see a few instances of dllhost.exe running in Task Manager too. These are also host processes for features that exist only as dlls. One common use is as 'COM Surrogates'. The Component Object Model (COM) is basically an inter-process communication mechanism that allows objects to be used in processes that were not created for them and without needing to know the internal structure of these objects. COM objects also exist only as dlls and thus require a host process to run them, since they're not Windows services svchost.exe is not appropriate, so a similar hosting process called dllhost.exe is used to host them instead.
 
Last edited:
Top