Tuesday, September 15, 2009

Windows 7: find which system services a SVCHOST.EXE process has loaded (CPU at 100% or more than 50%)

In the "Processes" tab of Windows Task Manager, find the SVCHOST.EXE process that is using a lot of resources and note its PID. (If Task Manager does not show a "PID" column, choose "View" - "Select Columns" and tick the "PID" check box.)
Open a command prompt (CMD.EXE) with administrator privileges and run:
TASKLIST /SVC
You will see results similar to the following:
      Image Name    PID   Services
      SVCHOST.EXE   1104  DcomLaunch, TermServices
      SVCHOST.EXE   1188  RpcSs
      ...           ...
Take the PID you noted in Task Manager and find the matching SVCHOST.EXE line in these results. For example, suppose Task Manager shows that the SVCHOST.EXE with PID 1188 is using a lot of system resources, and the TASKLIST /SVC results show that the SVCHOST.EXE with PID 1188 hosts the RpcSs service. Then it is the RpcSs service (the Remote Procedure Call (RPC) service) that is using the resources.
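The PID-to-service lookup described above can be scripted when the output of TASKLIST /SVC has been saved from many machines. The following is an added example, not part of the original post; the sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `tasklist /svc` output (not captured from a real host).
# Long service lists wrap onto indented continuation lines, as for PID 1324.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   520 N/A
svchost.exe                   1104 DcomLaunch, TermService
svchost.exe                   1188 RpcSs
svchost.exe                   1324 AudioSrv, Dhcp, Eventlog, lmhosts,
                                   wscsvc, wuauserv
spoolsv.exe                   1660 Spooler
"""

# image name (may contain spaces), then the PID, then the services column
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def _split_services(field):
    """Split a comma-separated services column; 'N/A' means no services."""
    parts = [s.strip() for s in field.split(",")]
    return [s for s in parts if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Return a list of {'image', 'pid', 'services'} dicts in output order."""
    rows = []
    seen_separator = False
    for line in text.splitlines():
        if not seen_separator:
            # skip the header; data starts after the '=====' ruler line
            seen_separator = line.startswith("===")
            continue
        if not line.strip():
            continue
        if line[0].isspace():
            # wrapped line: more services for the previous process
            if not rows:
                raise ValueError("continuation line before any process row")
            rows[-1]["services"].extend(_split_services(line))
            continue
        match = ROW.match(line.rstrip())
        if match is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({
            "image": match.group("image"),
            "pid": int(match.group("pid")),
            "services": _split_services(match.group("services")),
        })
    if not seen_separator:
        raise ValueError("no '=====' ruler line found; not tasklist table output")
    return rows


def svchost_services(rows):
    """Map PID -> hosted services for every svchost.exe instance."""
    return {r["pid"]: r["services"]
            for r in rows if r["image"].lower() == "svchost.exe"}


def services_for_pid(rows, pid):
    """Return the services hosted by the process with the given PID."""
    for row in rows:
        if row["pid"] == pid:
            return row["services"]
    raise KeyError(pid)


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, services in sorted(svchost_services(parsed).items()):
        print(pid, ", ".join(services))
```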
Method 2: 

Download the system tool Process Explorer from microsoft.com:
http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx
Run Process Explorer, find the SVCHOST.EXE process in the process list that is using the most system resources, right-click it and choose Properties, then switch to the Services tab. There you can see which system services that SVCHOST.EXE process contains.

Win7: svchost.exe takes up 100% of memory

Recently, as soon as my computer connected to the internet, the CPU went up to 100%!

In Task Manager I saw many SVCHOST.EXE processes always occupying a great deal of memory, with the CPU at 100%.

I terminated the process and then checked the relevant web content! Prior to this process has a certain understanding of this to happen to them, and 

First, let us get to know what svchost.exe is. It is a system file in C:\Windows\system32 and an important process at the core of Windows NT that manages the start-up of a variety of services. Svchost.exe is actually a service host: it does not itself provide any service to users, but it is used to run dynamic-link library (DLL) files to start the corresponding services. One Svchost.exe process can start several services at once. Under normal circumstances Windows has several Svchost.exe processes running simultaneously; Windows 2000 has at least two Svchost processes, and Windows XP has more than 4.
Precisely because of these characteristics, many viruses and Trojans use svchost.exe to hide themselves. So when this process takes up too much memory, first consider whether a virus is the cause. Use a tool to locate every svchost.exe; if one is not under C:\Windows\system32, be careful. First delete every copy of the file that is not under this path, then open Registry Editor and remove any svchost value that does not point into \Windows\system32!
If you found none of the above, a failed system update is very likely causing this process to take up too much CPU. To resolve this, go to C:\Windows\SoftwareDistribution and delete all files; this folder holds the files downloaded by Update. If they cannot be removed, right-click My Computer, open Computer Management, go to the Services entry, and change the status of Automatic Updates so that the files can be removed manually, then restart. Then go back in, change it back, and restart again. Problem solved!

windows 7, 15 svchost.exe processes

A few days ago I newly installed Windows 7, and installed Rising and other software.
Every time I open Task Manager, the process list looks very scary: there are sixty or seventy of them, sometimes more than 50,
 and 15 svchost.exe !!!??
Win7 has a great many services; turning off the unimportant or rarely used ones reduces the number of svchost.exe processes.
Download procexp and run it. You will see a lot of processes; point your mouse at any svchost.exe and the corresponding service names appear. Only the svchost.exe processes in the tree under the services.exe process are system services; a svchost.exe that appears under Explorer.EXE must be a Trojan.

 
 

How do I view windows server 2008 or vista of Svchost-instance service

On Windows Server 2008 or Vista, open a command prompt and enter:

Users\Administrator.SAVTSTDC01> tasklist /svc

This shows the services in each Svchost instance on Windows Server 2008 or Vista.

 

VISTA: SVCHOST.exe takes up a lot of memory.

This situation is difficult to judge; after all, everyone's machine is different.
My notebook runs VISTA. With all software and the firewall closed, the CPU usage keeps jumping very noticeably, from about 1 percent to about fifty to sixty per cent, and the process list shows that it is svchost whose CPU usage keeps jumping. On a colleague's VISTA the idle SVCHOST usage is 0, and I have used this version of VISTA before without any problem. It is still the same now that I have reinstalled VISTA, but under XP the CPU is normal, and the anti-virus showed no virus.

svchost.exe occupies 50% CPU: solution.

Symptoms:

A few minutes after the machine starts, svchost.exe takes up 100% of the system's CPU resources.
If you unplug the network cable and reconnect to the Internet, after a while svchost.exe again takes up 99% of the CPU.
Solution:

Assuming you have already used free anti-virus software to rule out a virus and anti-spyware software to rule out malicious software:
Empty the C:\WINDOWS\SoftwareDistribution directory of all files and restart the machine. (C:\WINDOWS\SoftwareDistribution is the temporary file storage directory of the Windows update service.)

If the machine reports that the files are in use (the "Automatic Updates" service is running) and the directory cannot be deleted:

Open Control Panel → Administrative Tools → Services, find "Automatic Updates" and set it to manual start.
After restarting, delete C:\WINDOWS\SoftwareDistribution. Problem solved.
Then open Control Panel → Administrative Tools → Services again, find "Automatic Updates", restore it to automatic start, and restart.
Note: after restarting, it is best to let the system complete one automatic update successfully while network conditions are good.

Analysis:

Let us first talk about what svchost.exe is: simply put, without this RPC service the machine can hardly get on the network. Many applications depend on the RPC interface. If you find the process taking too much CPU and simply disable the RPC service, the result is a disaster: you cannot even restore it, because the service settings interface itself can no longer be used. Recovery requires Registry Editor: locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs, find the Start value on the right, change it to 2 and restart.

The svchost at 100% CPU is not caused by the svchost service itself: the situation above is caused by the Windows Update service failing to download/install updates and retrying repeatedly. Windows Automatic Updates is also a background application that depends on the svchost service, which is why it shows up as a very high load on svchost.exe. The problem usually occurs on machines with unstable network access (especially to overseas sites), such as a parents' machine at home, and tends to appear from time to time a few months after installation. The second week of every month is the peak period, since in recent years MS has regularly issued patches in the second week of each month. The solution above does not guarantee that the problem will not recur, but reinstalling the operating system every few months because of svchost would be a waste of time.

Lesson: the spoolsv.exe and svchost.exe problems both arise when an application hits a failure/exception and retries automatically. The design is meant to save users time, but the high-frequency retries have the opposite effect, one similar to a virus.


How to reduce the number of SVCHOST.EXE processes

You can copy the following code into an empty Notepad, Save As a ".bat" batch file, and then run the batch. It turns off unused system services, and you will find far fewer SVCHOST.EXE processes.
@echo off
REM sc requires "start=" followed by a space before the value
REM Turn off "third-party protocol plug-in support for Internet Connection Sharing and Windows Firewall"
sc config alg start= disabled
REM Turn off "Windows Automatic Updates"
sc config wuauserv start= disabled
REM Turn off "ClipBook Viewer"
sc config clipsrv start= disabled
REM Turn off "Messenger"
sc config Messenger start= disabled
REM Turn off "remote access to this computer through NetMeeting"
sc config mnmsrvc start= disabled
REM Turn off "Print Spooler"
sc config Spooler start= disabled
REM Turn off "remote modification of the registry"
sc config RemoteRegistry start= disabled
REM Turn off "monitoring of system security settings and configuration"
sc config wscsvc start= disabled
REM Turn off "System Restore"
sc config srservice start= disabled
REM Turn off "Scheduled Tasks"
sc config Schedule start= disabled
REM Turn off "TCP/IP NetBIOS Helper"
sc config lmhosts start= disabled
REM Turn off "Telnet Service"
sc config tlntsvr start= disabled
REM Turn off "Firewall Services"
sc config sharedaccess start= disabled
REM Turn off "Computer Browser"
sc config Browser start= disabled
REM Turn off "Alerter"
sc config Alerter start= disabled
REM Turn off "Error Reporting"
sc config ERSvc start= disabled
REM Turn off "indexing of file contents and properties on local and remote computers"
sc config cisvc start= disabled
REM Turn off "management of software-based volume shadow copies taken by the Volume Shadow Copy service"
sc config SwPrv start= disabled
REM Turn off "support for pass-through authentication of account logon events for computers on the network"
sc config NetLogon start= disabled
REM Turn off "security for Remote Procedure Call (RPC) programs that use transports other than named pipes"
sc config NtLmSsp start= disabled
REM Turn off "collection of performance data from local or remote computers on a preconfigured schedule, written to a log or used to trigger an alert"
sc config SysmonLog start= disabled
REM Turn off "retrieval of the serial number of any music player connected to the computer"
sc config WmdmPmSN start= disabled
REM Turn off "management of an uninterruptible power supply (UPS) connected to the computer"
sc config UPS start= disabled

by citycool. (http://computervi.com) 


 

Vista: 12 svchost.exe

Users of Windows 2000/XP/Server 2003 know that those systems have 2 to 4 svchost processes. Under Vista, however, there are up to 12 svchost processes, all with the same file path C:\Windows\System32\svchost.exe.

So which kind of svchost process is a virus? In Vista antivirus partner (by http://www.computervi.com), the "Security" tab shows UN, which stands for unknown safety. If we also observe that the svchost process's command line does not start it as a service group, and the "safe" label of the corresponding DLL module path is UN, we can basically conclude that it is a virus.

article by citycool ,http://www.onlineypp.com


8 svchost.exe running. Multiple instances running

svchost.exe is a system service process.
Because there are many services, there will be many such processes.

Virus processes often pose as: svch0st.exe, schvost.exe, scvhost.exe. With the growing number of Windows system services, Microsoft made many services shared in order to save system resources: they are started by the svchost.exe process. These system services are implemented as dynamic-link libraries (DLLs); they point to the executable svchost, and svchost loads the corresponding dynamic-link library to start the service. Open "Control Panel" → "Administrative Tools" → Services and double-click the "ClipBook" service: its property panel shows the executable path "C:\WINDOWS\system32\clipsrv.exe". Then double-click the "Alerter" service and you will find the executable path "C:\WINDOWS\system32\svchost.exe -k LocalService", while the "Server" service's executable path is "C:\WINDOWS\system32\svchost.exe -k netsvcs". Calling services this way saves a lot of system resources, so the multiple svchost.exe processes that appear in the system are simply system services. On Windows 2000 there are generally two svchost.exe processes: one is the RPCSS (RemoteProcedureCall) service process, and the other is a svchost.exe shared by many services. On Windows XP there are generally more than 4 svchost.exe service processes. If there are more than six svchost.exe processes, be careful: one may be a fake. Detection is very simple: use a process management tool, such as the process manager in Windows Optimization Master, to view the executable path of each svchost.exe; if it is outside the "C:\WINDOWS\system32" directory, it can be judged to be a virus.
 
 

7 svchost.exe running. Svchost.exe in Windows XP

svchost.exe is a system service process.
Because there are many services, there will be many such processes.


But...

if a svchost.exe is written in uppercase letters, then pay attention!

That should be a Trojan!!!

 

Vista svchost.exe, svchost, startup processes

Users of Windows 2000/XP/Server 2003 know that those systems have 2 to 4 svchost processes. Under Vista, however, there are up to 12 svchost processes, all with the same file path C:\Windows\System32\svchost.exe. What is the difference between them? Vista zone tells you today. If we open the Vista Task Manager we can see that the user name differs between svchost processes: some run as SYSTEM while the others run as NETWORK SERVICE.

     With the new "command line" column in Vista Task Manager we can see the command line each process was started with (the cmdline in its PEB) and learn which group it really corresponds to. To make Vista Task Manager show the "command line" column, refer to the Vista zone article on the new features of the Vista Task Manager. The groups are imgsvc, NetworkServiceNetworkRestricted, LocalServiceNoNetwork, NetworkService, LocalService, netsvcs, LocalSystemNetworkRestricted, LocalServiceNetworkRestricted, services, rpcss, WerSvcGroup and DcomLaunch:


     C:\Windows\System32\svchost.exe -k imgsvc
     C:\Windows\System32\svchost.exe -k NetworkServiceNetworkRestricted
     C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
     C:\Windows\System32\svchost.exe -k NetworkService
     C:\Windows\System32\svchost.exe -k LocalService
     C:\Windows\System32\svchost.exe -k netsvcs
     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
     C:\Windows\System32\svchost.exe -k services
     C:\Windows\System32\svchost.exe -k rpcss
     C:\Windows\System32\svchost.exe -k WerSvcGroup
     C:\Windows\System32\svchost.exe -k DcomLaunch

How do we tell whether a svchost process is genuine, and whether the service DLLs loaded into it are abnormal? (The svchost process is used to load Windows NT service groups.) Let us take a normal Vista process and analyze it.

First, we check with a small piece of software we wrote ourselves (http://computervi.com product). In the "process management" list, the selected command line is svchost.exe -k SDRSVC, a service group; that everything in this svchost process is safe can be seen in the "Security" tab of Vista antivirus partner.

So which kind of svchost process is a virus? In Vista antivirus partner, the "Security" tab shows UN, which stands for unknown safety. If we also observe that the svchost process's command line does not start it as a service group, and the "safe" label of the corresponding DLL module path is UN, we can conclude that it is a virus.

System services which call the SVCHOST process

Each service below is listed with svchost.exe as its process.

Application Management: the Application Management component handles installation of msi format files, but in fact disabling the service does no harm.
Automatic Updates: the Windows Automatic Updates service.
Background Intelligent Transfer Service: transfers information between HTTP 1.1 servers; Microsoft states that it supports HTTP for Windows Update.
COM+ Event System: needed by some COM+ software. Check the C:\Program Files\ComPlus Applications directory; if it contains no files, the service can be shut down.
Computer Browser: used to browse computers on the LAN; turning it off does not affect browsing!
Cryptographic Services: used by Windows Update to verify Windows file fingerprints; you can turn it on when updating.
DHCP Client: useless for users who use a static IP and for modem users.
Distributed Link Tracking Client: updates link information on the LAN (for example, computer A has a file and computer B has made a link to it; if the file is moved, the service updates the information). Occupies four megabytes of memory.
DNS Client: the DNS resolver; resolves domain names to IP addresses.
Error Reporting Service: sends Windows error reports to Microsoft.
Fast User Switching Compatibility: the multi-user fast switching service; do you like it?
Help and Support: Windows help. Novices still rely on it for guidance.
Human Interface Device Access: supports "ergonomic" computer accessories, such as keyboards with volume buttons.
Internet Connection Firewall / Internet Connection Sharing: XP's firewall, and the service that lets multiple computers share one dial-up Internet connection.
Logical Disk Manager: the disk management service. The system will notify you when it needs to be started.
Network Location Awareness (NLA): may be required if you use network sharing or ICS/ICF (server side).
Portable Media Serial Number: used by Windows Media Player and Microsoft to protect digital media rights.
Remote Access Auto Connection Manager: a service needed by broadband and network sharing users!
Remote Procedure Call (RPC): a core system service! If the service is disabled on Windows 2000, the system will not start.
Remote Registry Service: lets the registry be read and modified remotely.

Many svchost.exes running, why? (svchost.exe problems)

If you've ever taken a look at the Services section in Control Panel you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.


Svchost.exe is the generic host process name for services that run from dynamic-link libraries. The Svchost.exe file is located in the %systemroot%\system32 folder. At start-up, Svchost.exe checks a location in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost) to build the list of services it needs to load. This results in multiple instances of Svchost.exe running at the same time. Each Svchost.exe session contains a group of services, so which services run separately depends on how and where Svchost.exe is started. This makes it easier to control services and to track down errors.
Svchost.exe groups are identified in the following registry key.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you view active processes. Each value is of type REG_MULTI_SZ and contains the services that run under that Svchost group. Each Svchost group contains one or more service names taken from the following registry key, whose Parameters key contains a ServiceDLL value.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
More information
To see the list of services that are running in Svchost:
Start - Run - type cmd
Then type tlist -s (tlist should be a tool from the Win2k toolkit).
Tlist displays a list of active processes. The -s switch shows the list of active services in each process. If you want more information about a process, type tlist pid.
The Tlist output below shows two instances of Svchost.exe running.
0 System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs: AppMgmt, Browser, Dhcp, dmserver, Dnscache, Eventlog, lanmanserver, LanmanWorkstation, LmHosts, Messenger, PlugPlay, ProtectedStorage, seclogon, TrkWks, W32Time, Wmi
220 lsass.exe Svcs: Netlogon, PolicyAgent, SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem, Netman, NtmsSvc, RasMan, SENS, TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe
In this example, the registry has two groups set up.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
rpcss: Reg_Multi_SZ: RpcSs
smss.exe
csrss.exe
This is the user-mode part of the Win32 subsystem. csrss stands for client/server run-time subsystem; it is an essential subsystem that must always be running. csrss is responsible for controlling windows, creating or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

 

Svchost process viruses and Trojans

Because the svchost process starts a variety of services, viruses and Trojans try every way to exploit it, using its characteristics to confuse the user in order to infect, invade and damage the system (for example the Blaster-variant virus "w32.welchia.worm"). But it is normal for a Windows system to have several svchost processes, so on an infected machine which one is the virus process? Here is one example to illustrate.
Suppose a Windows XP system has been infected by "w32.welchia.worm". The normal svchost file is in the "c:\windows\system32" directory; if you find the file in any other directory, be wary. The "w32.welchia.worm" virus lives in the "c:\windows\system32\wins" directory, so viewing the executable path of each svchost process with a process manager makes it very easy to find out whether the system is infected. The Task Manager built into Windows cannot show the path of a process, so use third-party process management software, such as the process manager in "Windows Optimization Master". With such tools you can easily see the executable path of every svchost process; once you find one running from an unusual location, it should be examined and dealt with immediately.
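The checks this page describes for telling a genuine svchost process from a fake one (look-alike names such as svch0st.exe, an executable path outside system32, and a command line that does not start a service group with -k) can be combined into one triage routine. This is an added example, not code from the original posts; the process records are constructed, the function names are hypothetical, and the edit-distance threshold of 2 is an assumption chosen to cover the three look-alike names the page lists.

```python
import ntpath
import re

GENUINE_NAME = "svchost.exe"

# Service groups this page lists for Vista (lower-cased). On a live host the
# authoritative list is the set of value names under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_GROUPS = {
    "imgsvc", "networkservicenetworkrestricted", "localservicenonetwork",
    "networkservice", "localservice", "netsvcs",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "services", "rpcss", "wersvcgroup", "dcomlaunch",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_process(image_path, command_line,
                  allowed_dirs=(r"C:\Windows\System32",)):
    """Return a list of findings for one process; empty means nothing odd.

    allowed_dirs defaults to the single directory the page names. 64-bit
    Windows also ships a copy under SysWOW64, which a caller can add.
    """
    name = ntpath.basename(image_path).lower()
    if name != GENUINE_NAME:
        # Not svchost.exe itself: flag only near-miss spellings of the name.
        if edit_distance(name, GENUINE_NAME) <= 2:
            return ["lookalike-name"]
        return []
    findings = []
    directory = ntpath.normcase(ntpath.normpath(ntpath.dirname(image_path)))
    allowed = {ntpath.normcase(ntpath.normpath(d)) for d in allowed_dirs}
    if directory not in allowed:
        findings.append("unexpected-path")
    group = re.search(r"(?:^|\s)-k\s+(\S+)", command_line, re.IGNORECASE)
    if group is None:
        findings.append("no-service-group")
    elif group.group(1).lower() not in KNOWN_GROUPS:
        findings.append("unknown-service-group")
    return findings


# Constructed process records: (pid, image path, command line).
SAMPLE_PROCESSES = [
    (812, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    (1188, r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k rpcss"),
    (2040, r"C:\WINDOWS\system32\wins\svchost.exe",
     r"C:\WINDOWS\system32\wins\svchost.exe"),
    (2212, r"C:\Windows\System32\svch0st.exe",
     r"C:\Windows\System32\svch0st.exe"),
    (2300, r"C:\Windows\System32\scvhost.exe",
     r"C:\Windows\System32\scvhost.exe -k netsvcs"),
    (2416, r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k updsvc"),
]


def triage(processes):
    """Map PID -> findings for every process with at least one finding."""
    flagged = {}
    for pid, image_path, command_line in processes:
        findings = check_process(image_path, command_line)
        if findings:
            flagged[pid] = findings
    return flagged


if __name__ == "__main__":
    for pid, findings in sorted(triage(SAMPLE_PROCESSES).items()):
        print(pid, ", ".join(findings))
```

A finding is a reason to look closer at the process, its loaded DLLs and its service registration, not a verdict.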

svchost process/ svchost.exe :Generic Service Host Process for Win32 Services

Process File: svchost or svchost.exe 
Process Name: Generic Service Host Process for Win32 Services 
Process Type: System Process 
Location: C:\windows\system32\svchost.exe (if your svchost.exe process is not in this directory, then you must be careful)
English Description: svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost. 
English Reference: svchost.exe is part of Microsoft's Windows operating system. Microsoft's official explanation is: Svchost.exe is the generic host process name for services that run from dynamic-link libraries (DLLs). This program is very important to the running of your system and must not be terminated.
(Note: svchost.exe could also be the W32.Welchia.Worm virus, which uses the Windows LSASS vulnerability to create a buffer overflow and shut down your computer. For more details refer to: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx. The security level of that process is: recommended for immediate deletion.)
Produced by: Microsoft Corp.
Belongs to: Microsoft Windows Operating System
System Process: Yes 
Daemon: Yes 
Network-related: Yes 
Common Errors: N / A 
Memory Usage: N / A 
Security level (0-5): 0 
Spyware: No 
Adware: No 
Virus: No 
Trojan: No 
Found that: 
In the Windows NT-kernel family of operating systems, different versions of Windows have different numbers of "svchost" processes; you can use Task Manager to see how many there are. In general, Windows 2000 has two svchost processes and Windows XP has four or more (so if you later see several of these processes on a system, do not immediately conclude that it has a virus), while Windows Server 2003 has even more. The svchost processes provide many system services, such as the rpcss service (remoteprocedurecall), the dmserver service (logicaldiskmanager), the dhcp service (dhcpclient) and so on. On a Windows Vista system there are as many as 12 svchost processes, all with the same file path C:\Windows\System32\svchost.exe. They are the imgsvc, NetworkServiceNetworkRestricted, LocalServiceNoNetwork, NetworkService, LocalService, netsvcs, LocalSystemNetworkRestricted, LocalServiceNetworkRestricted, services, rpcss, WerSvcGroup and DcomLaunch service groups. If you want to know exactly which system services each svchost process provides, on Windows 2000 type the "tlist -s" command in a command prompt window; this command is provided by the Windows 2000 Support Tools. On Windows XP use the "tasklist /svc" command. 
svchost can contain multiple services 
In depth: Windows system processes are divided into two kinds, independent processes and shared processes. The "svchost.exe" file exists in the "%systemroot%\system32" directory and is a shared process. As the number of Windows system services grew, Microsoft, to save system resources, made many services shared, started by the svchost.exe process. But the svchost process acts only as a service host and cannot implement any service function itself; that is, it only provides the conditions for other services to be started, and provides no services to users itself. So how are these services implemented? 
These system services are implemented as dynamic link libraries (DLLs). They point their executable at svchost, and svchost calls the corresponding service's dynamic link library to start the service. How does svchost know which dynamic link library a given system service should call? This is done through parameters that the system service sets in the registry. The rpcss (remoteprocedurecall) service is used below as an example. 
The startup parameters show that the service is started by svchost. 
Examples 
Taking Windows XP as an example, click "Start" / "Run", type the "services.msc" command to open the Services dialog box, and then open the "remoteprocedurecall" Properties dialog box. You can see that the rpcss service's executable file path is "c:\windows\system32\svchost -k rpcss". This shows that the rpcss service relies on svchost being called with the "rpcss" parameter, while the content of that parameter is stored in the system registry. 
In the Run dialog box, type "regedit.exe" and press Enter to open the Registry Editor. Locate the [hkey_local_machine\system\currentcontrolset\services\rpcss] key and find the value "Imagepath" of type "reg_expand_sz"; its data is "%systemroot%\system32\svchost -k rpcss" (the service start command seen in the Services window). In addition, the "parameters" subkey has a value named "servicedll" whose data is "%systemroot%\system32\rpcss.dll", where "rpcss.dll" is the dynamic link library file used by the rpcss service. By reading the "rpcss" service's registry information, the svchost process can start the service.
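The same registry lookup can be run for every svchost-hosted service at once instead of one key at a time in regedit. The following PowerShell is an added example, not part of the original post; it reads only the ImagePath and Parameters\ServiceDll values described above, and the variable names are illustrative.

```powershell
# Added example: for each service started through svchost, show the "-k" group
# from ImagePath and the DLL named by the ServiceDll value under Parameters.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$rows = foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
    # ImagePath is REG_EXPAND_SZ; Get-ItemProperty returns it already expanded.
    $imagePath = (Get-ItemProperty -LiteralPath $key.PSPath `
                    -ErrorAction SilentlyContinue).ImagePath

    # Keep only services whose start command is "svchost -k <group>".
    if ($imagePath -match 'svchost(\.exe)?"?\s+-k\s+(\S+)') {
        $group = $Matches[2]

        # The DLL that implements the service is stored in the Parameters subkey.
        $serviceDll = (Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" `
                         -ErrorAction SilentlyContinue).ServiceDll

        [pscustomobject]@{
            Service    = $key.PSChildName
            Group      = $group
            ImagePath  = $imagePath
            ServiceDll = $serviceDll
        }
    }
}

# Services that share a "-k" group are listed together.
$rows | Sort-Object Group, Service |
    Format-Table Service, Group, ServiceDll, ImagePath -AutoSize -Wrap
```

The rpcss row should show the group "rpcss" and a ServiceDll ending in rpcss.dll, matching what the regedit walk-through finds by hand.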