What is svchost.exe & How to Check it is Safe or Not?
If you’re like me, you enjoy opening up Task Manager to review what applications are running and inspect other essential details about your system. Here, you have likely noticed several instances of svchost.exe running. Like me, you may wonder what its function is or if it’s a virus, malware, or an application gone wrong.
The great news is, svchost.exe isn’t a virus or artificial intelligence taking over your PC. The bad news is, it’s mysterious and good at hiding precisely what it’s done — by design. That said, with a bit of digging, we can learn quite a bit about what exactly svchost.exe is doing on your computer.
First, let’s open up Windows Task Manager using the CTRL + ALT+ DEL menu or pressing the shortcut CTRL + SHIFT + ESC. Either way, once your Task Manager is started, you will see multiple processes of svchost.exe running.
What is svchost.exe?
The Microsoft Support website describes it as “a generic host process name for services that run from dynamic-link libraries.” Right. So that’s pretty straightforward; anyone could understand that, let’s translate.
A “dynamic-link library,” also known as a .dll file, is just a big block of programming code. Developers can do many neat tricks with these files to make things run faster and take up less space. The problem is that a .dll file can’t run standalone. It would be best to have an .exe or “executable” file to load the .dll and its code.
Now that we grasp a DLL file, it should be simpler to understand why svchost is called a “generic host.” All it does is load DLL files so they can run and execute system applications. So it’s nothing to worry about. Well, there is the possibility that you could download a virus that could make your innocent svchost load up some DLLs from the dark side. Keeping your computer updated with all of the Microsoft Security Updates and running an anti-virus app should minimize the chance of this.
OK, great, so it’s just a host for even more processes! Now I’m even more interested and desire to know what exactly is being run by svchost.exe. How do I check this? There are two easy ways to keep tabs on svchost.exe. The first is the command line.
How to know out what processes are running on your PC using the command line
Click the Start Menu and then click Run. In the Run window that displays Type in cmd and press OK.
In the Command-Line, enter tasklist /SVC, and then press ENTER. Now you’ll be capable to view all of the listed dynamic libraries that svchost.exe is running.
How to find which processes are running under svchost.exe using Process Explorer
The command line issue is that it just brings up even more weird-looking processes that appear as mysterious as svchost itself. So here is where we require to download an application from Microsoft called Process Explorer.
Process Explorer is a great application written by Microsoft to help you understand the nuts and bolts of Microsoft Windows. Once you have it running, you can highlight individual processes and see what each function is doing. The software has been around since Windows XP and remains to be supported and updated for Windows 10.
Start the Process Explorer and take a look at the svchost.exe on my machine. Once opened, hover over a process like svchost.exe for details about it. If you want even more information, right, click svchost.exe and Click Properties, then select the Services tab.
Everything is looking good; now we know what svchost.exe is and how to decipher all of its running services. After playing around with this, you’ll see that some of the svchost processes aren’t running as several services as others. And wait, why are there several svchost.exe processes running concurrently?
All svchost.exe processes run services based on logical service groups; for instance, one may be running network services while another might be handling device drivers. Having these services run on different hosts is a neat feature because this way if one falls, it won’t take down your entire system all at once.
Why does svchost.exe access the network?
While reviewing svchost.exe with the GlassWire network security monitor on our devices based in TX USA, Austin we found that svchost.exe connects to dm3p.wns.notify.windows.com.akadns.net, a server that appears to be controlled by Microsoft. svchost.exe is also connected to many different local hosts on our network.
We found that svchost.exe uses a medium amount of network activity in our testing. However, svchost.exe can use any amount of network activity because any shared process can run behind it. It also looks that svchost.exe could theoretically join any host or server since any process can run behind it. Therefore, its doubtful svchost.exe’s network activity will be restricted to connections to Microsoft servers.
Check Related Services Using Process Explorer
Microsoft also provides an excellent advanced tool for working with processes as part of its Sysinternalslineup. Simply download Process Explorer and run it—it’s a portable application, so no need to install it. Process Explorer gives all types of advanced features—and we extremely recommend reading our guide to understanding Process Explorer to learn more.
For our purposes here, though, Process Explorer groups related services under each instance of “svchost.exe.” Their file names list them, but their full names are also shown in the “Description” column. You can also hover your mouse pointer over any of the “svchost.exe” processes to see a popup with all the services related to that process—even those that aren’t currently running.
Could this Process Be a Virus?
The process itself is an official Windows component. While a virus may have replaced the natural Service Host with an executable of its own, it isn’t definite. If you’d like to be certain, you can verify the process’s underlying file location. In Task Manager, right-click any Service Host process and choose the “Open File Location” option.
If the file is stored in your Windows\System32 folder, you can be pretty sure you are not dealing with a virus.