• The host process for Windows services is consuming memory and CPU. What to do if Svchost loads the processor heavily

    I bet that when you saw the task manager of a Windows system (in particular 2000, XP or their contemporaries) for the first time, you wondered where so many instances of the process came from svchost.exe. I have regularly heard this question from people I know over the years. Today I will try to write an answer.

    What is the svchost.exe process?, is perfectly described in the article:

    The Svchost.exe file is located in the %SystemRoot%\System32 folder. During the boot process, Svchost.exe compiles a list of services that need to be started based on registry entries. Multiple instances of the Svchost.exe process can be running at the same time. Each Svchost.exe session can contain multiple services. Thus, depending on how and where the Svchost.exe process is running, several separate services may be running. This grouping of services provides a higher level of control over them and makes debugging easier.

    Svchost.exe groups are defined in the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
    Each value in this section represents a different Svchost group and appears as a separate instance when viewing active processes. Each of these values ​​is of type REG_MULTI_SZ and contains the services running in that Svchost group. Each Svchost group can contain one or more service names, retrieved from the following registry key, where the Parameters subkey contains the ServiceDLL value:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

    Summarizing the above, we can characterize Svchost.exe as a process that runs the services required by the operating system. Services are grouped based on some characteristic; each running group represents a separate process Svchost.exe.

    List of svchost.exe services. Method No. 1

    You can easily find out which services are running by a specific instance of a file svchost. If your current OS is quite modern, i.e. Windows Vista or Windows 7, you can use the Task Manager. Go to the Processes tab and select one of the instances svchost.exe. Right-click on it and select "Go to Services" from the context menu

    Services started by specific Svchost.exe, will be highlighted:

    List of svchost.exe services. Method No. 2

    If you have an operating system other than Windows Vista or Windows 7, for example, Windows XP, the Task Manager in it is not so “advanced” and does not provide the capabilities described in method No. 1. However, using the built-in tools to view services running svchost, it’s still possible. Run on the command line:
    tasklist/svc

    Quite informative.

    List of svchost.exe services. Method No. 3

    The last method is universal for all NT systems. To view services svchost.exe you can use the application. It will show all services related to a specific file instance svchost.exe.

    I take the liberty of recommending that the reader familiarize himself with and use the application regularly SysInternals ProcessExplorer, and the original English version (the screenshot shows a localized unofficial version). A very useful and very powerful program for managing OS processes, providing comprehensive information.

    I hope there is now plenty svchost.exe will not raise any questions for you.

    Users of the seventh modification of Windows very often encounter a problem when a certain Windows 7 Svchost.exe process loads the processor. The solution to fix the problem, as it turns out, lies on the surface. However, in order to accurately determine which method to use to correct the situation, you first need to understand what this process and associated service components are, since disabling some of them can provoke not only incorrect operation of the OS, but also the appearance of more unpleasant symptoms (even a blue screen is not excluded).

    Svchost: what is this process?

    Since problems with increased load by this service are most often observed in Windows 7, and are almost never encountered in systems of later releases, when considering all aspects we will start from the seventh modification.

    What kind of component is it that it consumes such an incredible amount of system resources? This is a specialized tool for launching system and user programs, which, according to developers from Microsoft, should, in theory, reduce the load on the system when programs and their executable components are launched, for example, presented in the form of dynamic libraries loaded at the start of the executable component as additional objects into RAM.

    To put it in simpler and more understandable terms, in Windows 7 the system itself does not need to run each application as a separate process, since for this only one main component is used, due to which all programs start, being, as it were, tied to it. And the Svchost process is a kind of intermediary bridge between the launched program and the main system component responsible for its start. That is, all starting programs and processes through this component are connected to a single launch service.

    Why do I see too many processes of the same name in the Task Manager?

    But the main start service is not displayed in the same “Task Manager”. In it you can see only the Svchost processes of the same name, of which in a normal state of inactivity there can be about four, and in the presence of running programs - even more.

    So, if Svchost is hogging the CPU and memory, Windows 7 is simply processing too many active background (system) and user applications at the moment. But many of them can be quite resource-intensive (take at least AutoCAD or programs for real-time video processing). In such situations, usually in Windows 7 Svchost loads the processor by 50% (maybe a little more). If peak loads are noticed, when the operating system freezes and stops responding to any user actions, you will have to find out the reasons why this is happening.

    Windows 7: Svchost loads the processor at 100%. Why?

    As for the reasons themselves, there can be quite a lot of them, and such situations cannot always be provoked by system failures (although, unfortunately, they cannot be avoided).

    But let's return to the situation when in Windows 7 Svchost.exe loads the processor too much. The most likely reasons for this phenomenon are the following:

    • short-term failures of system processes;
    • viral infection;
    • problems with the system update service;
    • too many or failures of related services and system components;
    • incorrect operation of the tunnel adapter;
    • problems with the SuperFetch component;
    • a large amount of computer garbage.

    The list contains only the main aspects, which will be discussed further. And for situations where in Windows 7 Svchost.exe loads the processor, a solution for each specific case will be proposed precisely based on what was the root cause of such an unpleasant situation. But first things first.

    Windows 7: Svchost (netsvcs) loads the processor: a solution to quickly reduce the load

    Many users quite rightly believe that the simplest way to reduce the load is by ending all Svchost processes in the Task Manager. Yes, indeed, this can be done. But in this case, this is just a temporary measure (and in the presence of viruses, it does not help at all).

    The same applies to a regular reboot of the operating system. After the restart, of course, there will be no increased resource consumption, but the process itself in the form of four (at least) executable files will still be present in the Task Manager. This system component loads along with the system automatically, and it is impossible to disable it using standard methods, say, using the startup menu.

    Checking the system for viruses

    But there are worse situations. Suppose in Windows 7 Svchost loads the processor. What to do if the user sees a dozen and a half lines in the “Task Manager” with a link to the same executable file, and the CPU load reaches its maximum peak values?

    Apparently, this is the first sign of a virus attack, since many threats are disguised as just a system process and are capable of simultaneously launching several copies of themselves. This will require manual user intervention by launching some powerful portable utility to deeply scan your computer for viruses.

    It is best to use a Dr. scanner. Web CureIt!, but the best option would be to boot from removable media with the Kaspersky Rescue Disk utility recorded on it. This program is the undisputed leader, since it starts even before the OS boots and can identify and neutralize threats that are deeply embedded not only in the operating system, but also in RAM.

    You can determine that the selected process is a virus threat using the additional username attribute. There can only be two of them: either NETWORK SERVICE or LOCAL. If the user observes any other description, the conclusion is obvious: this is a virus disguised as the original process. In principle, before using anti-virus utilities, you can use RMB to access the directory where the accompanying process file is located and, if possible, delete it manually.

    Troubleshooting system update problems

    But viruses are not always the reason why Svchost (netsvcs) loads the processor in Windows 7. Very often this is due to failures of the offline update installer (“Update Center”).

    For example, some package was under-downloaded during download. So it turns out that the system service is trying to load it (at the same time the Svchost process corresponding to it is launched), but there is no result. On the other hand, the Update Center itself may, for some reason, not work correctly. It may require a restart.

    In this case, the services section (services.msc) is first called, in which you need to find the corresponding component, enter the editing section, stop the service and set its startup type to disabled. After this, the system needs to be rebooted and the service reactivated with an automatic start type.

    Disable or stop related services

    If none of the suggestions helped, and in Windows 7 Svchost loads the processor, the solution may come down to looking at exactly which processes are associated with the executable file and, if possible, disabling them.

    To do this, the same “Task Manager” is used, in which, through the RMB on each process, you need to look at the corresponding service, go to the main section and temporarily disable all processes, as was shown just above.

    Fixing tunnel adapter problems

    Not often, but sometimes there can be non-standard situations related to the operation of the so-called It is because of its incorrect operation in Windows 7 that Svchost loads the processor. The solution is to adjust its parameters or even turn it off completely.

    To do this, it is best to use the command console, called through the “Run” menu with the cmd command. Next, the lines shown in the image above are written in the console, and after they are executed, the computer system is completely rebooted.

    from garbage

    There is a simpler problem, but just as intrusive. If in Windows 7 Svchost loads the processor, the solution may have something to do with computer junk, for example, due to the lack of free disk space for the normal functioning of the operating system itself (usually it is recommended to keep about 10% of the total volume free in the system partition ).

    To begin with, you can clean the disk with a standard tool by accessing the partition properties through the RMB menu in Explorer. On the other hand, some residual files after uninstalling programs are not deleted in this way. But finding them yourself is quite problematic. Alternatively, you can use special cleaners or optimizers (CCleaner, Advanced SystemCare, Glary Utilities or something similar).

    SuperFetch problems

    Many experts call problems with the SuperFetch service another of the most common situations. To disable it, you can use the methods suggested above by entering the services section, stopping the process and changing the startup type.

    However, most often the problem is not even this, but the overflow of the corresponding Prefetch directory, which is located in the root of the system. It is because of this that Svchost loads the processor in Windows 7. The solution is the simplest: delete the directory yourself, end all Svchost.exe processes in the Task Manager and reboot. After the restart, there is no need to reactivate the disabled service. Most users, in general, do not need it at all, and among other things, it is quite “voracious” in terms of consumption of system resources, which leads to dire consequences on weak computer configurations.

    If in the “Task Manager” you observe the activation of a process with the name of the executable file wuauclt.exe, you need to find the SoftwareDistribution directory (the root directory of the OS) and delete all subfolders and files from it, and then, as usual, restart the computer. You can also rename the original directory itself, giving it a name with the addition “.old” and reboot immediately, even without deleting it.

    Brief summary

    That's all regarding the main reasons for the appearance of increased loads on the central processor and RAM, as well as the main methods for eliminating them. True, in a certain sense, it is very difficult to say immediately what provoked such a phenomenon. This can be done with confidence only in case of a virus infection or in the case when even manual checking of updates or their installation does not work in the Update Center. In all other situations, you will have to perform each action separately. Apart from possible failures or damage to the hardware (in particular, this applies to RAM strips), at least one technique will give a positive effect in any case.

    Just in case, many experts recommend clearing the system event log, which stores LOG files. It can be called through the “Run” console using the eventvwr line, after which use the cleanup items for the application, system, security and installation sections via RMB. After completing all actions, the system must be rebooted.

    If the proposed methods do not work for some reason, identical actions can be performed in Safe Mode by pressing F8 at startup.

    Almost every PC user has encountered the problem of windows periodically freezing. Most users decided to fix the problem by deleting unnecessary processes through the task manager. Having opened the manager and discovered a large number of svchost.exe processes, the user begins to panic.

    As a result, users decide that a large number of processes are due to infection of the system. To avoid losing important files, you should remove the malicious svchost. However, not every computer owner knows how to remove svchost exe on Windows 7.

    The difficulty in removing virus utilities is due to the fact that they are disguised as a system process, the removal of which can lead to disruption of the stability of the PC and the subsequent need to reinstall Windows. Therefore, before deleting a process and its underlying file, you need to compare the characteristics of the two files.

    The standard svchost.exe process is responsible for some system functions. The file is located in the directory of the disk with Windows installed. A process that runs on Windows can only be signed SYSTEM, LOCAL SERVICE, or NETWORK SERVICE.

    In turn, the fake is most often located in the “My Documents”, “Program Files”, “Windows” folders. Virus removal specialists hint at the miscellaneous storage of malicious svchost.exe in the “windows” folder:

    • system;
    • config;
    • inet20000;
    • inetsponsor;
    • system;
    • windows;
    • drivers.

    In addition to the fact that viruses fill the system area, they have a similar name to the standard process. Therefore, if you detect processes with similar names, you should check the service that is responsible for launching them. As a rule, the similarity of virus processes is determined by the following names: svch0st, svchos1, svcchost, svhost, svchosl, svchost32, svchosts, svschost, svcshost, ssvvcchhoosst. The virus has permission (.exe). Sometimes permission (.com) is found.

    Removal using standard methods

    You can remove a virus disguised as svchost.exe in various ways. The easy way is to remove the main malware that runs the virus. To determine this application, you must also view the properties of svchost.exe in the name of which there is a change. The properties will indicate the service that causes the virus to launch, as well as the exact location.

    To remove a virus from Windows, in this case you need to use the “administration” utility. You can select this utility in the “Control Panel”. Having opened “Administration” you need to select the “Services” tab.

    After looking through the list that appears, you need to find the name of the malicious service and disable its launch in the properties. The user must then open the virus's location folder and delete it. You can also delete it in another way: you need to stop the process using the task manager, then .

    Note! Very often, checking the “System Configuration” helps identify a virus. After opening the msconfig.exe file, you need to select the “Startup” tab. If you find the name svchost in the list, you should remove the ability to run simultaneously with the system and delete the application that launches it.

    Third Party Applications

    However, it happens that it is impossible to remove the virus or disable the service. What should the user ultimately do and how to remove svchost exe on Windows 7. The answer to the question is simple: you need to turn to third-party programs.

    Among the programs that actively help Windows fight the malicious svchost.exe are:

    • Cleaning Essentials (you can download the application from the official website https://www.comodo.com/);
    • Dr. WebCureIt;
    • Autorun Analyzer;
    • KillSwitch;

    In other cases, it is not possible to remove the virus due to the fact that it is impossible to determine which is the original file and which is the fake. Then a powerful online scanning system on the virustotal.com portal can come to the user’s aid. On this site you need to press the “Select file” button. Then, using Windows Explorer, select the suspicious file and run the scan. The passed test will indicate that the file should be deleted.

    Have you ever gone into your operating system's Task Manager and found multiple copies of the same file called svchost.exe running? What is this file and can it harm your computer? Is it possible and necessary to remove it? We will talk about this and many other issues related to this file in this article.

    Definition

    Svchost.exe is the general name of the main process for services launched from dynamic libraries in the Windows OS line. Each service that accesses the svchost.exe file runs its own copy of this file on the personal computer. Thus, several dozen copies of it can be displayed in the task manager at once. This system was invented in order to save as much free space as possible in the device’s memory.

    Is this file safe?

    The svchost.exe file itself is an important component of the operating system and does not pose any threat. However, often malicious code picked up on the Internet is disguised as this file. The calculation is made on the fact that a file with such a name will be more difficult for you to detect and you will be afraid to delete it, considering it a system file.

    Where is this file located?

    It is quite simple to recognize whether a particular running process named svchost is a virus. First of all, you need to know where the real, safe svchost.exe file can be located:

    • C:\WINDOWS\system32
    • C:\WINDOWS\ServicePackFiles\i386
    • C:\WINDOWS\Prefetch
    • C: \WINDOWS\winsxs\any folder located in this partition.

    If you find the svchost file in any other path, you know that you are dealing with a virus. The only exceptions are antivirus and some other programs, which also create folders of the same name, but do not pose a threat to your computer.

    How can I see what services are running using svchost?

    Let's consider this issue using Windows 7 as an example.

    1. Press the Ctrl+Alt+Del keys simultaneously and select "Launch task manager".
    2. Go to the processes tab and select "Display processes of all users".
    3. In the list that opens, you can see how many copies of the file are running on your computer at the moment and under which user. You need to know that the svchost.exe system file can only be run as LOCAL SERVICE, SYSTEM, NETWORK SERVICE or System users. If the file is called by the name of the local machine, you are dealing with a virus.
    4. To see which service launched a specific copy of a file, right-click on this copy from the list and select “Go to Services” or select a copy from the list with the left mouse button and open the adjacent “Services” tab.
    5. To find out what a particular service is and what functions it performs on your computer, click on the “Services…” button in the lower right corner of the window that opens.

    How to remove a virus masquerading as svchost?

    If you suspect that your computer is infected with a virus that disguises itself as a svchost file, the best solution would be to download a program specifically designed to remove this type of file from your computer. An example of such a program would be Security Task Manager or the antivirus utility AVZ. After deleting suspicious files, you will need to reboot your computer and run a full system scan for viruses. Only after this can you be completely sure that you have gotten rid of the virus and this file no longer threatens the security of your computer.

    Svchost.exe (host service) is a file and process of Windows operating systems. Its task is to load and execute internal services from dynamic link libraries (files with the .dll extension), ensuring the functionality of almost all components of the operating system. Figuratively speaking, svchost.exe is the liver, kidneys and lungs of Windows, without which its existence is unthinkable. But why do these “vital organs” sometimes create so many problems for us?

    Today we’ll talk about what to do if svchost.exe loads the processor, preventing you from working normally on your computer.

    Reasons why the system is loaded by the svchost process

    Since svchost.exe handles a significant portion of system services, there can be many reasons for heavy CPU load. Here are the most common ones:

    • Viral infection.
    • Too much network congestion, for example, with many open slots in uTorrent.
    • Errors in device drivers (sound, network, etc.), since the latter closely interact with system services.
    • Damage to operating system files (in particular, the service host itself and various dynamic libraries).
    • System service errors.
    • PC hardware malfunction.

    Sometimes this happens as a result of unsuccessful pirated activation of Windows (not all activators are equally useful) and hacking programs.

    How to determine which service is loading the service host

    To view the services running in the loading host process, the built-in or alternative task manager is suitable. In the first, the information we are interested in is contained in the section “ ProcessesWindows" Each host process is listed under the name " Service node».

    The green frame in the screenshot shows the list of services of one svchost process.

    As an alternative to the stock task manager, I prefer the free one from Sysinternals. In it, just hover the cursor over a line - and all the necessary information will be displayed in a pop-up window.

    If there is more than one service running in the loading host process, you will have to brute-force to find the one that is causing the problem:

    • Open the application " Services"(the open button is located at the bottom of the task manager tab of the same name).

    • Disable the first service from the list of loading service host: open its properties through the right-click menu and select from the list " Startup type» « Manually" or " Disabled».

    • Reboot your computer. If the problem persists, start this service again and disable the next one.

    A problematic service has been detected, what next?

    Then act according to the situation. If the failure is caused by a minor component, e.g. Superfetch(quite often creates a problem for Windows 8 and 10 users), just leave it disabled. If the service is related to hardware (audio, network, etc.), try updating or rolling back the device driver. If you have problems with Update CenterWindows(often found on G7s and XP), in 90% of cases disabling the update check helps. However, completely refusing to install system updates is a big security hole in Windows, so it’s better to switch it to manual mode.

    If svchost began to load the processor after installing Windows updates, applications or drivers, or uninstall the source of the failure.

    In some cases, cleaning the folder helps \Windows\Prefetch, where Prefetcher trace files are stored - a system component that speeds up the loading of the system and programs.

    How to unload the network

    Too much network congestion, network driver errors, failures of applications using the Internet, network viruses (worms) become the source of the problem, perhaps, in half of the cases. To check this version, disable the network adapter in Device Manager and restart your PC. If the load on the processor has returned to normal, the cause has been found, all that remains is to find the culprit.

    The following helps reduce processor load on network components:

    • reducing the number of simultaneous downloads and distributions of torrents;
    • prohibiting access to the Internet for programs for which this is not necessary (especially if there are many of them);
    • shutting down network programs when not in use;
    • cleaning temporary folders (temp) – they may contain incompletely downloaded files that downloading applications are trying to download to the end;
    • antivirus scanning for network worms;

    Another “disease” tormented Windows 7 for quite a long time. With it, the CPU load of the svchost process reached 100% and decreased only when the network was turned off. The reason lay in the uncontrolled “reproduction” of virtual tunnel adapters Microsoft 6to4, of which sometimes several hundred were created.

    To check if this is your case, open the device manager, go to the " View" and check the box " Show hidden devices" Next, expand the list of network adapters. All "Microsoft 6to4" clones, if any, are located there.

    To resolve the problem, simply delete the extra copies of virtual adapters. This can be done either manually one at a time or automatically – all at once. For automatic removal you will need a console utility, which is available for download on the MSDN Microsoft website.

    After unpacking devcon to your hard drive, run the command line as administrator and follow the instructions C:\devcon.exe remove *6to4*(instead of C:\, specify your path to devcon.exe). To prevent this from happening again, update your operating system.

    Today, the problem with 6to4 adapters has already been fixed by developers and occurs only in those who do not install Windows updates.

    What if it's a virus? How to distinguish a malicious svchost from a normal one

    The malware can:

    • Create a copy of yourself on your hard drive under the name svchost.exe, which will be located anywhere except in the directory \Windows\System32, since it contains a system file of the same name. That is, to disguise itself as a system process.
    • Inject your dynamic libraries into one of the legitimate host processes.
    • Modify (patch) the svchost.exe system file by placing your own executable code in its body.

    Some users are afraid of what they consider to be too many running host processes. In fact, this indicator does not mean anything bad. The number of svchost processes in a normally operating system is 8-9 or more. Each of them runs one or more services - this can be seen in the task manager. Services are divided into groups depending on the level of access to resources they need, so there are several processes.

    Most normal host processes run on behalf of the system, network service, and local service. Before the release of Windows 8, any host service launched on behalf of the user was automatically recognized as a virus, but now this is only true for Windows 7 and its predecessors. In G8 and 10, one service host working on behalf of the user is the norm.

    The fact that the host process is running or being used by a virus is indicated by at least one of the following signs:

    • The host process file is NOT in the folder \Windows\System32.
    • The process is running an unknown service or has a non-system library (.dll) loaded into it.

    • On Windows XP-7 the host process is running on behalf of the user, and on Windows 8-10 there is more than one host process on behalf of the user.
    • The Parent process of a normal service host is always the Services.exe application. When infected with a virus, anything can happen instead.

    The screenshots show ProcessExplorer, running as administrator. To view the list of .dlls loaded into the service host, select the last one with a mouse click and press Ctrl+D on the keyboard. To find out its parent process, click the " Properties" in the top panel of the program and open the tab " Image».

    What to do if svchost.exe is infected with a virus

    It is important to figure out where exactly the infection is hiding: in the system file svchost.exe itself or in the one that uses it. If a system file is infected, do not delete it under any circumstances, but replace it with a clean one, taking it from a similar copy of Windows (to do this you will have to boot the computer from another medium). Malicious libraries, on the contrary, must be completely removed.

    How to check system files for errors

    Most of the dynamic libraries from which the service host loads services are Windows' own files, a smaller part are components of device drivers. The console utility sfc.exe can help fix system file errors.

    Run the command line as administrator and follow the instructions sfc/scannow. The /scannow option means: “immediately scan and replace all corrupted files from the cached copy.”

    The results will be shown after the test is completed in the same window.

    What to do if nothing helps

    In quite rare cases, 100% CPU load on svchost.exe cannot be eliminated even by reinstalling Windows. The culprits in such situations are faulty drivers or even the devices themselves - network adapters, audio codecs, RAM (the latter's errors sometimes manifest themselves in very bizarre ways) or something else. There have been cases when the problem was solved by the computer.

    If suspicion falls on the hardware, first of all try to completely reinstall all drivers using known stable versions. Check the devices by turning them off one by one - in the BIOS or, if possible, physically. If you find the source of the problem, replace or repair the problem unit.

    Also on the site:

    Read more: