What does svchost do? How to identify a virus masquerading as the svchost system process. What is svchost and can it be removed?

06.04.2020 Windows and disks

Question from a user

Good afternoon.

I have Windows 7 installed on my computer, and lately it has started to slow down. Empirically, I found that the “svchost.exe” process loads my dual-core processor at 50%-100% (at least that’s what Task Manager shows).

I tried to end this process, but an error appears and the computer reboots. Is it possible to end it at all, and how can I reduce the load it creates? In general, what is it for, and why does it load the system so much?

Thank you in advance.

Dmitry, Arkhangelsk

Good day.

Every popular version of Windows (XP, Vista, 7, 8, 10) has this special process, svchost.exe (note: its full name is Generic Host Process for Win32 Services; newer versions describe it in Task Manager as Host Process for Windows Services).

It serves as the host in which various Windows services run, that is, it is a purely system process that is best left alone if everything is working normally.

If you open Task Manager you will see several lines with svchost.exe, which is not surprising, since Windows always runs many services (Windows Defender, Windows Update, the font cache service, and so on). When this process loads the CPU, it is most often because one of the services it hosts has started to malfunction.

It is also worth noting that many viruses disguise themselves as this system process: when there are many instances, picking out the one that is not genuine is not easy for an untrained user.

So, let's look at what can be done when svchost.exe loads the system...

Solving the problem with svchost.exe

Of course the advice is banal, but a simple reboot of the computer solves many problems (including this one 👌).

Often, after connecting or disconnecting peripherals, or when a service or driver malfunctions, svchost.exe starts to create an excessive load that “disappears” after the PC is rebooted. So try that first!

👉 Is it a virus masquerading as svchost.exe? Let's check!

As noted above, many viruses disguise themselves as this system process, and telling the real svchost.exe from a virus is not always easy! 👀

But we will deal with this now (it is advisable to rule out malware first, and only if the high load turns out to be unrelated to it move on to troubleshooting services).

To begin, open the Windows Task Manager (Ctrl+Shift+Esc, or Ctrl+Alt+Del and then choose Task Manager).

Then open the “Processes” tab, sort by name and look carefully at what is written in the “User Name” column next to each svchost.exe (screenshot below to help 👇).

Task Manager (Windows 7) - View Processes

👉 It should be noted right away that Task Manager does not always show all processes, and from it alone it is not always possible to tell which one is “not real”. A dedicated utility is much more effective for this purpose: AVZ (which I have recommended more than once in my articles...).

Launch the AVZ utility (it does not need to be installed), open the “Service” menu and choose “Process Manager”.

Then sort the processes by name and find all the svchost.exe entries. Note that the utility shows ALL processes (which is why there are so many of them).

👉 Important!

Every genuine svchost.exe is marked in green by AVZ. In addition, the “Description” column will say “Host Process...”, “Manufacturer” will be “Microsoft Corporation...”, and “Full path” will be C:\Windows\System32\svchost.exe (on 64-bit Windows, C:\Windows\SysWOW64\svchost.exe is also a legitimate location).

If you find something suspicious, try ending that process, and then run a full scan of the computer with AVZ for viruses and Trojans.


👉 Which service is loading the service host?

So, the computer has been checked and there are no viruses; let's move on...

Open Task Manager again (Ctrl+Shift+Esc) and find the svchost.exe that is loading the processor. Right-click it and choose “Go to Service(s)” (see screenshot below 👇).

This switches to the Services tab with ALL the services hosted by that svchost process highlighted.

Now stop these services one by one, watching the processor load. As soon as it drops, you have found the service responsible for the load!

👉 Important!

Stopping some services may cause Windows to reboot. So note what you have already tried to stop, so that next time you can try the other services associated with this process.

When the service causing the high load is found, what next?

This is a common and rather difficult question. Many services can cause a high load, and giving universal advice (or listing every possible case) is unrealistic.

If the culprit is a minor service you can easily do without, simply disable it (Superfetch, for example, is a frequent stumbling block).

If you really need the service (for example, it is associated with audio or video hardware, network adapters, etc.), try replacing the driver of that hardware (update it, or conversely install an older version).

👉 Disable Windows Update, Superfetch (and other services)

Very often the culprits of high CPU load from svchost are the “Windows Update” and “Superfetch” services (so with this problem I recommend disabling them, at least temporarily, for testing).

To disable them, open the Services console.

How to open Services (universal method):

  1. press the Win+R key combination;
  2. type services.msc and press Enter.

Double-click the service, set “Startup type” to “Disabled”, and under “Service status” click the “Stop” button.

Done! The service is now disabled and will no longer start.

👉 Important!

Be careful and don't disable everything. In some cases users got so carried away disabling services that they were then unable to get their Windows working again.

👉 Roll the system back a few days or weeks

If the high processor load appeared only recently and there are restore points, you can try running Windows System Restore and rolling back to a working state.

Although many users underestimate this method, it is very effective and solves many problems.

How to run System Restore: press Win+R, type rstrui and press Enter, then choose a restore point dated before the problem appeared.

👉 Clearing the Prefetch folder

There is another method that helps some people with the svchost problem...

1) Find the Prefetch folder (on the system drive, at C:\Windows\Prefetch) and delete its contents.

2) Then find the Tasks folder (at C:\Windows\System32\Tasks), open it and delete all files from it. Be aware that this folder holds the definitions of every scheduled task, including Windows' own (defragmentation, update checks and so on), so all of them will be gone.

3) After this, simply restart the computer.

Note: this method is controversial. Prefetch data only speeds up program loading and is rebuilt automatically, but deleting the scheduled tasks removes functionality. Use at your own risk.

Having penetrated a computer, viruses usually try not to advertise their presence, hiding their processes from the user or disguising them as harmless system processes, and svchost.exe suffers from this more than any other. This is understandable: having discovered a dozen instances of this process in Task Manager, users begin to suspect something is wrong and link svchost.exe to problems that may have nothing to do with it. Some beginners even try to delete it, which of course leads to nothing good.

So what is svchost.exe, and why is it duplicated so often? First, svchost.exe is not a virus, although there are examples of malware disguising itself as this extremely important process, without which Windows cannot operate. We will explain how to expose the viruses hiding behind it a little lower; for now, a few words about the purpose of svchost.exe. This process, also called Generic Host Process for Win32 Services, is the host for Windows services that are implemented as dynamic link libraries (DLLs) rather than as stand-alone executables; a large part of the system's services are built this way.

Because svchost.exe has to serve many services, for stability it is launched in several instances, each hosting a group of related services; the number of instances can reach several dozen. In general, touching svchost.exe is highly inadvisable, but as we said, viruses can masquerade as it. How to recognise them? Let's start with the fact that the real svchost.exe file must be in one of these folders:

  • C:\Windows\System32
  • C:\Windows\SysWOW64 (64-bit Windows only)
  • C:\Windows\WinSxS\*

Note: the asterisk at the end of the third path means there is another folder after the backslash, usually with a long name made up of a version string and a hash. (C:\Windows\Prefetch does not contain the executable itself, only prefetch trace files with names like SVCHOST.EXE-<hash>.pf.) In rare cases a file called svchost.exe may also be found in the folders of some programs, for example Malwarebytes Anti-Malware.

If this file is located in the Windows root directory or in user folders, it is most likely a virus. Malicious files masquerading as the svchost system process can hide in the most unexpected places. To find them, use Task Manager or the Process Explorer utility, which show the path of each process; for searching by file name, MasterSeeker or a similar program will do.

In addition to the location, pay close attention to the file name. Few novice users do, but they should. At first glance you may not notice how svchost.exe and svhost.exe differ (the second is missing the “c”). Latin letters in the name can also be replaced with Cyrillic ones. Such a file is harder to identify, since it may sit in the “correct” folder and only Windows sees the difference in the name; to expose it you have to check the characters of the name against the character table (visually identical Cyrillic and Latin letters have different codes).
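As an added example (not from the original article), here is a small Python triage script that applies the three checks above, location, account and name, to a process listing. The process list is constructed for the example; on a real machine you would fill it from Task Manager, Process Explorer or `tasklist /V`. The lookalike check maps a handful of common confusable characters (Cyrillic letters and digits) back to Latin and then treats any name within one edit of svchost.exe as a spoofing candidate; the directory list assumes Windows is installed in C:\Windows, and the account list is the Windows 7-era rule from the text.

```python
import unicodedata

EXPECTED = "svchost.exe"
# Where the genuine binary lives; assumes Windows is installed in C:\Windows.
LEGIT_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
WINSXS = "c:\\windows\\winsxs\\"      # component store: any subfolder below it is fine
# Accounts the Service Control Manager uses for service hosts (Windows 7 and earlier;
# Windows 10 per-user services are a known exception that would need whitelisting).
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
# Characters most often swapped into the name to fool the eye: Cyrillic lookalikes
# (es, o, dze, ie, ha, te) and digits, mapped back to the Latin letter they imitate.
CONFUSABLES = {"\u0441": "c", "\u043e": "o", "\u0455": "s", "\u0435": "e",
               "\u0445": "x", "\u0442": "t", "0": "o", "1": "l"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize_name(name):
    """Lower-case the name and undo the common confusable substitutions."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


def looks_like_svchost(name):
    """True for svchost.exe itself and for anything within one edit of it once normalised."""
    return levenshtein(normalize_name(name), EXPECTED) <= 1


def triage(name, path, user):
    """Return the findings for one process; an empty list means it passes all three checks."""
    findings = []
    if name.lower() != EXPECTED:
        non_ascii = [ch for ch in name if ord(ch) > 127]
        for ch in non_ascii:   # e.g. Cyrillic 'es' standing in for Latin 'c'
            findings.append("non-Latin character U+%04X (%s) in name"
                            % (ord(ch), unicodedata.name(ch, "UNKNOWN")))
        if not non_ascii:      # plain misspelling such as svhost.exe or svch0st.exe
            findings.append("name %r is a lookalike of %r" % (name, EXPECTED))
    directory = path.lower().rsplit("\\", 1)[0]
    if directory not in LEGIT_DIRS and not directory.startswith(WINSXS):
        findings.append("unexpected directory %r" % directory)
    if user.lower() not in SERVICE_ACCOUNTS:
        findings.append("running as %r instead of a service account" % user)
    return findings


# Constructed process listing (name, full path, user name); not a real capture.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "SYSTEM"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "NETWORK SERVICE"),
    ("svchost.exe", r"C:\Windows\SysWOW64\svchost.exe", "LOCAL SERVICE"),
    ("svhost.exe", r"C:\Windows\svhost.exe", "Dmitry"),
    ("svchost.exe", r"C:\Users\Dmitry\AppData\Roaming\svchost.exe", "Dmitry"),
    ("sv\u0441host.exe", "C:\\Windows\\System32\\sv\u0441host.exe", "Dmitry"),  # Cyrillic 'с'
    ("explorer.exe", r"C:\Windows\explorer.exe", "Dmitry"),
]


def triage_all(processes):
    """Apply the checks to every process whose name is trying to look like svchost.exe."""
    return [(name, path, triage(name, path, user))
            for name, path, user in processes if looks_like_svchost(name)]


if __name__ == "__main__":
    for name, path, findings in triage_all(SAMPLE_PROCESSES):
        print(f"{name:14} {path}")
        for finding in findings:
            print("   !", finding)
        if not findings:
            print("   ok")
```

The script reports the three entries that fail (the misspelled name in the Windows root, the copy in the user's AppData, and the Cyrillic lookalike that sits in System32 but runs as the user) and passes the genuine instances; explorer.exe is never examined because its name is not close to svchost.exe.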

What to do if you find an “incorrect” svchost, or one in the wrong place? First, submit it to VirusTotal: if there is something in it, at least one of the fifty-odd engines will raise a flag, whereas the real svchost file must be spotless (it is digitally signed by Microsoft, which you can see on the Digital Signatures tab of the file's Properties). To remove a counterfeit svchost file, use Dr.Web CureIt!, Dr.Web LiveDisk or the AVZ utility. For AVZ you will also need a script.

Here is the script. Create a *.txt file, paste the following into it and save it.

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('full path to the malicious file','');
DeleteFile('full path to the malicious file');
BC_ImportAll;
ExecuteSysClean;
ExecuteWizard('TSW',2,3,true);
BC_Activate;
RebootWindows(true);
end.

In the brackets after QuarantineFile and DeleteFile, specify the full path to the malicious file. For example: QuarantineFile('C:\Windows\system\syshost.exe','');

Launch AVZ, open the File menu, choose Execute script, paste the edited script (with the paths filled in as described above) into the window that opens and press “Run”. After the computer restarts, check that the malicious file has been deleted, and then run a full scan of the system drive with any anti-virus and anti-spyware tools.

The problem of a freezing computer is probably familiar to everyone. As a rule, it is blamed on viruses, poorly written programs, and simple overheating. From time to time the culprit is svchost.exe. What kind of process is this, and why does this happen? Let's try to figure it out!

Virus or not?

First, many people panic straight away. When they see svchost in Task Manager, they immediately assume an insidious virus has entered the computer. The latest antivirus (or better yet, two) is installed and the computer is scanned several times. If the user was so zealous as to install two or three security products at once, the system will almost certainly become unstable.

We warn you right away: this is not a virus, so do not rush to delete svchost.exe! What is this process, then?

General information about the application

This is the name of a very important component: the host for Windows services that are implemented as dynamic link libraries (DLLs) rather than as stand-alone executables. Many other programs, from Windows Explorer to thousands of third-party applications (including games that use DirectX), depend on those services for networking, audio and so on, so when a hosted service misbehaves the symptoms show up far beyond svchost itself.

It is located at %SystemRoot%\System32. When the Service Control Manager starts an instance with svchost.exe -k <group>, that instance reads the group's service list from the registry and loads the DLL of each service. Several copies of svchost.exe therefore run at the same time (you already know what kind of process this is), each hosting its own group of services. Grouping is done for isolation and easier troubleshooting: a crash or runaway service in one group does not take down the services in the others.

The groups that make up this process are described in the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost;
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<ServiceName>.

Each value under the Svchost key is of type REG_MULTI_SZ, is named after a group and lists the names of the services in that group; each such group corresponds to one running instance of svchost.exe (we have already explained what this is).

The key of each listed service, in turn, has an ImagePath of the form %SystemRoot%\System32\svchost.exe -k <group> and a Parameters subkey whose ServiceDll value points to the DLL that actually implements the service.

This is what the svchost.exe file is.

How to check processes associated with Svchost?

To see all the services currently associated with this process, you need to do a few simple things.

  • Click “Start”, and then find the “Run” command in the menu.
  • Type cmd there and press ENTER.
  • In the command prompt window that opens, type the following and press ENTER again: tasklist /SVC
  • A list of all processes will be displayed. Attention! Be sure to include the /SVC switch, as it shows the services hosted by each process. To get information about one specific process, use: tasklist /FI "PID eq process_id" (including the quotes).
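As an added example (not part of the original article), this Python snippet parses the text that `tasklist /SVC` prints, including the indented continuation lines that a long service list wraps onto, and answers the questions a troubleshooter actually has: which services each svchost.exe instance hosts, which instance hosts a given service, and which svchost.exe entries host nothing at all. The listing is constructed for the example; on a real machine feed in the output of `subprocess.run(["tasklist", "/SVC"], capture_output=True, text=True).stdout`. Treating a svchost.exe that hosts no service as worth a closer look is my own heuristic, not a rule from the article.

```python
import re

# Constructed excerpt in the format printed by `tasklist /SVC` on Windows 7
# (not a real capture). Long service lists wrap onto indented continuation lines.
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   512 N/A
svchost.exe                    620 DcomLaunch, PlugPlay, Power
svchost.exe                    892 BITS, EventSystem, wuauserv,
                                   ProfSvc, Themes
svchost.exe                   1208 Dnscache, NlaSvc
svchost.exe                   2780 N/A
explorer.exe                  3112 N/A
"""

# image name, PID, rest of line (the Services column); the name may contain spaces.
_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\S.*)$")


def _split_services(field):
    """Turn 'BITS, wuauserv,' into ['BITS', 'wuauserv']; 'N/A' becomes nothing."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])}; an empty list means the column read N/A."""
    procs = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue                      # blank, header or separator line
        if line[0].isspace():
            if last_pid is not None:      # continuation of the previous service list
                procs[last_pid][1].extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if not m:
            continue                      # unexpected layout: skip rather than guess
        image, pid, svc_field = m.group(1), int(m.group(2)), m.group(3)
        procs[pid] = (image, _split_services(svc_field))
        last_pid = pid
    return procs


def svchost_instances(procs):
    """Only the processes named svchost.exe, so the service grouping is visible."""
    return {pid: svcs for pid, (image, svcs) in procs.items()
            if image.lower() == "svchost.exe"}


def pids_hosting(procs, service):
    """Which svchost instance(s) host a given service (case-insensitive, like the SCM)."""
    return [pid for pid, svcs in svchost_instances(procs).items()
            if service.lower() in (s.lower() for s in svcs)]


def empty_svchosts(procs):
    """svchost.exe entries hosting no service at all. The SCM only starts svchost.exe
    to host a service group, so such an entry deserves a closer look (my heuristic)."""
    return [pid for pid, svcs in svchost_instances(procs).items() if not svcs]


if __name__ == "__main__":
    procs = parse_tasklist_svc(TASKLIST_SVC)
    for pid, svcs in svchost_instances(procs).items():
        print(f"svchost.exe PID {pid:<5} hosts: {', '.join(svcs) or 'N/A'}")
    print("wuauserv runs inside PID(s):", pids_hosting(procs, "wuauserv"))
    print("svchost instances hosting nothing:", empty_svchosts(procs))
```

Once you know the PID that Task Manager shows as the CPU hog, `svchost_instances(procs)[pid]` is the same list that the “Go to Service(s)” menu item highlights, and `pids_hosting(procs, "wuauserv")` tells you where to look if you suspect Windows Update.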

If you have problems

It sometimes happens that after entering the command, the computer prints something unintelligible like: “'tasklist' is not recognized as an internal or external command”. Don't rush to retype it.

As a rule, this message means Windows could not find the program (a typo, or %SystemRoot%\System32 missing from the PATH variable), not that you lack rights. Insufficient rights show up differently: the command runs but reports “Access denied”, or shows N/A instead of the details of processes belonging to other accounts. This happens even on an administrator account, because of UAC. To get the full picture, launch the command prompt a slightly different way.

Click the “Start” button and type CMD in the “Search” field. A list of matching files opens on the right side of the menu. Right-click the first of them (with that name) and choose “Run as administrator” from the context menu.

So we have given you the basic information. Now let's look at the malicious programs that can masquerade as this harmless system application.

How to separate the wheat from the chaff?

Look carefully at the process name: it should read svchost, with a “c”! Some very common Trojans masquerade as svhost. If you see something like this in your Task Manager, it is indeed time to do a full scan of the system for malware.

Especially “advanced” viruses and Trojans can still disguise themselves skilfully by using exactly the same name as the real process. But even they can be distinguished by paying attention to a few characteristic signs. Let's look at them.

First, a genuine instance of the system process is never (!) launched as a regular user. On Windows XP through 8 it is started only as SYSTEM, LOCAL SERVICE or NETWORK SERVICE (Windows 10 adds a few per-user services, so there a handful of svchost.exe instances running under the logged-on user is normal). More importantly, it is not (!) started by the autostart mechanisms (the Startup folder or the Run registry keys): it is launched by the Service Control Manager. So the list of programs that start together with the system should under no circumstances include svchost.exe. What is the process in that case?

If you see something like this, there is only one explanation: a virus.

Checking startup

Don't know how to do this? It's very simple! Click the “Start” button, then “Run”, and enter msconfig. Open the Startup tab: a list of all applications launched at startup will open, which you need to review carefully.

If there are svchost.exe entries there (even one), you will definitely have to think about removing it from your computer.

What to do if a “spy” is detected?

As we have said, in this case it is best to scan the OS with a powerful antivirus program. But before that, it won't hurt to perform a few simple steps that deprive the virus of any opportunity to do harm. The “svchost.exe virus” has spread widely across the RuNet in recent years; as a rule, malware that specialises in stealing users' personal data operates under the guise of the normal system process.

First, look at the “Command” (file location) column of the startup entry to find the folder where the virus file is located. Untick the entry (or select it and click “Disable”), click “OK”, then go to that directory and delete the file. That's it; now you can scan with the antivirus.

The process is very CPU intensive. Why does this happen, and what should I do?

So we are back to the beginning of our article. Remember that sometimes, because of svchost.exe (which we have already explained in detail), the computer begins to slow down and “hang”? Why does this happen, and how can you overcome it without reinstalling the system?

The simplest way

There is a fairly simple and effective recommendation that helps in many cases. Open Task Manager, find the svchost process, right-click it and choose “Set Priority” > “Low”. Note that this must be done for each process of this name in Task Manager, that the priority resets after a reboot, and that it relieves the symptom rather than fixing the cause.

We remind you once again: if you see the svchost.exe file (you already know what it is), under no circumstances rush to delete it on suspicion that it is a virus!

Windows Update Service

On Windows XP the problem of almost 100% CPU load from svchost is often caused by the update service not working correctly. Several computer resources have described the explanation.

The issue is an inefficient update-checking mechanism. Given the number of patches released for this system over the years, a small inefficiency in the update client turned into a serious problem: the computer is not only slow, but the search for “patches” can go on for days, with the machine freezing intermittently the whole time.

How to disable the problematic service?

To temporarily disable Windows Update, go to “Control Panel” and find “System and Security”. Under “Windows Update”, choose “Turn automatic updating on or off”, select “Never check for updates”, click OK and reboot the machine.

If everything is fine after this, and the processor is no longer pegged most of the time, then the culprit really was the update service. If the problem continues, return Windows Update to its original state and keep looking for the cause.

Internet Explorer

However, don't rush. In many cases the culprit is Internet Explorer. Remember how at the very beginning of the article we discussed the importance of svchost for Explorer? Internet Explorer shares components with Windows Explorer, the file manager of the Windows family of operating systems.

Problems with it very often begin when the IE version is badly outdated. For example, Microsoft has long since stopped recommending Internet Explorer 6 on Windows XP.

In this case the fix is simple. Use the Windows Update service mentioned above: download and install all the latest updates for your version of the operating system, and install a newer version of IE. It is quite possible this will help.

Games

Watch which applications overload the processor right after you try to launch them. Also be wary of “svchost.exe application error” messages, which almost always indicate that some third-party application is to blame for the system's strange behaviour.

Most often, this program is a game downloaded by its happy owner from some dubious site. Those who modified the program's code to remove its copy protection rarely test their creation for full compatibility with particular systems, their DLLs, and so on, so there is nothing surprising here.

The Bat!

In rare cases, owners of old versions of The Bat! mail program, which for one reason or another many people continue to use, encounter this problem. Try uninstalling the application, install the latest version, and then observe the computer's behaviour again.

Drivers

Very often, after moving the system to another disk, after serious file-system errors, or after a virus attack, users are faced with an OS that is completely frozen because of svchost.exe. “How do I remove this malicious process?” novice users think.

We warn you again: deleting this file will lead to dire consequences and a completely inoperable system, so before taking extreme measures read our next piece of advice.

The svchost.exe process, whose errors cost users so many nerves, may misbehave because of incorrectly installed or “crooked” drivers. Very often the cause turns out to be the video or sound card drivers. These drivers are complex and unpredictable, so if possible remove them and then install the latest (or most stable) versions.

Windows Defender

Owners of Windows Vista/7 should pay attention to Windows Defender, which ships with these operating systems. It is meant to keep malware out of the system, but sometimes it behaves no better itself.

Problems arise if the third-party antivirus you installed for some reason does not deactivate Defender. This was especially true of ESET NOD32 products, which were extremely popular among domestic users until recently.

To fix this, click the “Start” button, go to “Control Panel”, and find “Windows Defender”. In its options, untick the setting that runs a scan automatically when the computer is idle and click OK. In some cases this measure helps.

We hope you have found out what the svchost.exe program is. We have described its purpose in detail, as well as ways of fixing problems with it. Typically, the troubleshooting methods given here work; all you need to do is follow the instructions in the article closely.

It also doesn't hurt to update the system on time.

How many “svchost.exe” processes should be running? There is no single answer: the number differs from machine to machine and depends not only on the version of the operating system but also on its build and on what is installed.

Since there is no “correct” number, malware authors have taken advantage of this.

A huge number of viruses, Trojans and other malicious programs have chosen the “svchost.exe” process and, in order to hide in the system, disguise themselves as it.

That is, malicious programs run under the name “svchost.exe” and get lost among the many system processes with the same name. This increases their chances of remaining undetected in the system several times over.

How to identify the malicious process svchost.exe

Naturally, if the user suspects that a “svchost.exe” process is malicious, the first thing they will do is scan the computer for viruses and the like.

But if the antivirus then reports that the system is clean and no malware was found, that may not be the whole truth!

In this case it is worth checking the “svchost.exe” process manually. This is quite simple; all you need is to know a few things about the svchost.exe process.

1) The process always runs from the system folder System32 (or SysWOW64 on 64-bit Windows). If this is not the case, the file named svchost.exe is most likely malicious.

2) The svchost.exe process never runs as the interactive user; remember this (on Windows 10, a few per-user services are a normal exception). It always starts as Local Service, System or Network Service.

As you understand, if a svchost.exe process was launched under the current user's name, or not from the system folder, it is worth taking steps to check the suspicious file.

To make sure the original file is running, launch Task Manager and look at the list of “svchost.exe” processes on the “Details” tab (Windows 8/10; on Windows 7 it is the “Processes” tab).

In this screenshot all the processes are launched by the system itself, which suggests that, most likely, there is no malicious file named “svchost.exe” among them. Now pay attention to the screenshot below...

In this screenshot we see a svchost.exe process running under the user name “SuperUser”. This suggests that the process is most likely malicious.

Right-click it and choose “Open file location” from the context menu: Windows Explorer will open and you will see the full path to the suspicious file. What to do with it next is, I think, clear as day!

Important to know: some viruses simply use the name “svchost.exe” to hide their presence in the system, but they can also use the original svchost.exe file for their own ends (for example by registering their DLL as a service that the genuine host then loads).

In that case a manual check of name, path and user will not give results! It was also said above that an antivirus may find nothing. A logical question arises: what to do?

One option is a free firewall, of which I personally recommend Comodo Firewall. How does it help? Simple: if a virus operating through the svchost.exe process attempts network activity, the user will be notified.

From the screenshot you can see that the svchost file is trying to connect to a server on port 80. That alone does not prove infection: the genuine svchost.exe hosts services that legitimately use HTTP, such as Windows Update (wuauserv) and BITS. What matters is which svchost instance is connecting, which services it hosts, and where it connects to; an instance that hosts no such service, or that talks to an unknown server, is the one to treat as infected.

You can quickly block network access for that svchost instance, which is quite reasonable, since there is otherwise a chance of confidential data, such as passwords saved in the browser, being sent to the attacker.

If such information leaks, you understand how it can end for you!
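As an added example (not from the original article), this Python snippet attributes each connection in `netstat -ano` output to the process and hosted services behind its PID, then flags only outbound svchost.exe traffic that none of the hosted services would be expected to generate. Both the netstat excerpt and the PID-to-services table (what `tasklist /SVC` would show at the same moment) are constructed for the example, using TEST-NET addresses; the set of services considered “expected to use HTTP” is a starting point I chose for the example, not an official list.

```python
# Constructed `netstat -ano` excerpt (not a real capture). Remote addresses are from
# the documentation ranges (TEST-NET-2/3), so they resolve to nothing real.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       620
  TCP    192.168.1.10:49731     198.51.100.20:80       ESTABLISHED     892
  TCP    192.168.1.10:49802     203.0.113.77:80        ESTABLISHED     2780
  TCP    192.168.1.10:49810     203.0.113.9:443        ESTABLISHED     3112
  UDP    0.0.0.0:5355           *:*                                    1208
"""

# PID -> (image name, hosted services), as read off `tasklist /SVC` for the same
# moment. Constructed to match the netstat excerpt above.
PROCS = {
    620:  ("svchost.exe", ["DcomLaunch", "PlugPlay", "Power"]),
    892:  ("svchost.exe", ["BITS", "wuauserv"]),
    1208: ("svchost.exe", ["Dnscache", "NlaSvc"]),
    2780: ("svchost.exe", []),          # listed with N/A under Services
    3112: ("explorer.exe", []),
}

# Services that are expected to talk HTTP/HTTPS to the Internet from inside svchost.
# A starting point chosen for this example, not an exhaustive or official list.
INTERNET_SERVICES = {"wuauserv", "bits", "cryptsvc", "winhttpautoproxysvc"}

# Foreign-address values that mean "no peer": listeners and unbound UDP sockets.
NO_PEER = {"0.0.0.0:0", "*:*", "[::]:0"}


def parse_netstat_ano(text):
    """Return one dict per socket line; UDP lines have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                   # header or blank line
        conns.append({
            "proto": parts[0], "local": parts[1], "remote": parts[2],
            "state": parts[3] if parts[0] == "TCP" else "",
            "pid": int(parts[-1]),
        })
    return conns


def is_outbound(conn):
    """Only sockets with a real peer count; listeners and unbound UDP sockets are skipped."""
    return conn["remote"] not in NO_PEER and conn["state"] != "LISTENING"


def remote_port(conn):
    """Port part of the foreign address; works for IPv6 '[addr]:port' too."""
    return int(conn["remote"].rsplit(":", 1)[1])


def attribute(conns, procs):
    """Join each socket to the image name and hosted services of its owning PID."""
    rows = []
    for c in conns:
        image, services = procs.get(c["pid"], ("<unknown pid>", []))
        rows.append(dict(c, image=image, services=list(services)))
    return rows


def review_svchost_traffic(rows, expected=INTERNET_SERVICES):
    """Outbound svchost.exe connections that no expected Internet-facing service accounts for."""
    flagged = []
    for r in rows:
        if r["image"].lower() != "svchost.exe" or not is_outbound(r):
            continue
        hosted = {s.lower() for s in r["services"]}
        if not hosted & expected:      # nothing in this instance should be talking out
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    rows = attribute(parse_netstat_ano(NETSTAT_ANO), PROCS)
    for r in rows:
        print(f"{r['proto']:3} {r['local']:22} -> {r['remote']:20} pid {r['pid']:<5} "
              f"{r['image']} [{', '.join(r['services']) or 'N/A'}]")
    for r in review_svchost_traffic(rows):
        print(f"SUSPECT: pid {r['pid']} to {r['remote']} (port {remote_port(r)}) "
              f"hosts {r['services'] or 'nothing'}")
```

On the sample data, the port-80 connection from PID 892 is explained by wuauserv and BITS, whereas PID 2780, a svchost.exe hosting no service at all, is the only connection reported; that instance is the one to cut off in the firewall and to examine on disk.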

What to do with an infected svchost.exe file? Since the current antivirus and the manual check gave nothing, open virustotal.com and check the file. Do it right now, by the way!

My result: everything is clean. If some engine, say Avast, had reacted, I would have uninstalled the current antivirus, installed Avast and let it clean svchost.exe. Keep in mind that a single detection out of dozens of engines can be a false positive; the decisive check for the genuine file is its Microsoft digital signature.

Computer users want their machines to run as fast as possible and not slow down. In search of the “brakes”, they turn to Task Manager to find resource-hungry processes and unload them from memory. svchost.exe is often visible in the list: it runs in multiple copies and consumes a lot of RAM.

The natural question is: is it a virus or other malicious software, if it loads the computer like this? And another: is it possible to delete svchost.exe and do without it? Usually the answer to both is no: it is not a virus, and it is almost impossible to do without it. But first things first...

svchost.exe has been a Windows system process since Windows 2000. It is the main host process that lets services implemented as dynamic libraries run. If the svchost.exe file were deleted, those services could not start at all and Windows would not work properly; it is not an optional component. And although it appears to occupy a lot of memory, that memory belongs to the services it hosts, which would need it anyway.

svchost.exe virus

But still, sometimes it is necessary to delete svchost.exe. More precisely, not the file itself, but the viruses and Trojan horses masquerading as it. They are easy to tell apart: although the genuine system process also creates many instances, the malware lives in any directory except the system ones.

It is also useful to know that such a program stands out in Task Manager if you pay attention to it running as the user. In some cases, viruses use the genuine system service to cause damage.

There is no need to raise the alarm because svchost.exe runs in ten copies. There are many DLL-based services in the system, and one process may not be enough for all of them, so several instances run at once, each with its own identifier. But you must still look carefully at where each one comes from.

The real process runs from the folders system32, SysWOW64 and winsxs\ (all inside C:\Windows) and, on Windows XP, also ServicePackFiles\i386. If you notice svchost.exe launched from somewhere else, that is a bad sign (as is a name that differs “just a little” from the original).

In such cases, run a full antivirus scan until you get rid of the malware.