What is svchost and why are multiple instances of it running?

svchost hosts services in Windows. See KB. If you use Process Explorer you can see which services are being run inside a particular process.


Many executing components of Windows are implemented as services (see all services on your machine by opening Control Panel > Administrative Tools > Services). These are specialized programs running in the background. They are not started by the logged-in user, but by the operating system itself.

Most services aren't stand-alone executables (EXE files), but are implemented in libraries (DLLs), which can be used by running processes. As the name suggests, Svchost or "Service Host" is Windows' standard executable for running these DLLs. You can find the svchost.exe file in the %systemroot%\system32 directory.

If you want to know which instance of svchost is executing which service, type

 tasklist /svc /fi "IMAGENAME eq svchost.exe"

on a command line console (cmd).

On the machine where I made the screenshot, one of the instances of svchost is running 21 different services, for example. This grouping of services allows for better control and easier debugging, according to Microsoft's documentation.


Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

A tip (if you run Windows Vista, Windows 7 or Windows Server 2008): you can open the Task Manager and right-click on a particular svchost.exe process, and then choose the "Go to Service" option. This will show the Services tab, where all services running under the selected svchost.exe process will be marked.

There is a very interesting document in Microsoft's Download Center:

Microsoft Windows Server 2003 System Services Reference

This document contains summaries of all the services available for the Windows Server 2003 family of operating systems. The services are listed in alphabetical order by display name. Following a description of each service, a table lists key information about the service.

Every Windows service is listed with all its details. You learn, for example, that the executable file name of the Terminal Services service is

 svchost.exe -k termsvcs
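
The points from the answers above (the `-k` group argument, the Svchost registry key and the %systemroot%\system32 location) can be combined into one PowerShell check. This is an added example, not part of the original answers; it uses the standard Win32_Process and Win32_Service CIM classes and assumes an elevated prompt so that command lines and paths are readable.

```powershell
# Added example: map every running svchost.exe to its -k group and hosted services,
# and compare its image path with the location given in the answer above.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Group name -> service names registered for that group (multi-string values).
$groups = @{}
$key = Get-Item -Path $groupKey
foreach ($name in $key.GetValueNames()) {
    $value = $key.GetValue($name)
    if ($value -is [string[]]) { $groups[$name] = $value }
}

# Running services indexed by the PID of the process that hosts them.
$byPid = Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Group-Object ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $p  = $_
    $id = "$($p.ProcessId)"

    # The group is the token after -k, e.g. "svchost.exe -k termsvcs".
    $group = $null
    if ($p.CommandLine -match '-k\s+(\S+)') { $group = $Matches[1] }

    $svc    = $byPid[$id]
    $hosted = if ($svc) { @($svc.Name) } else { @() }

    # ExecutablePath is empty when the caller lacks rights to query the process.
    $pathOk = if ($p.ExecutablePath) { $p.ExecutablePath -eq $expected } else { 'unknown' }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Group      = $group
        # True only if the -k group exists under the Svchost registry key.
        KnownGroup = [bool]($group -and $groups.ContainsKey($group))
        # False means the image is not %systemroot%\system32\svchost.exe:
        # a prompt to look closer, not a verdict.
        PathOk     = $pathOk
        Services   = $hosted -join ', '
    }
} | Sort-Object PID | Format-Table -AutoSize -Wrap
```

Rows with an empty Group, `KnownGroup` false, `PathOk` false or no hosted services are the ones worth comparing against the `tasklist /svc` output and Process Explorer.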