Fire up
Process Explorer or Task Manager in Windows to view the running processes
and you’ll see something called “svchost.exe”.
In fact, you’ll see it listed several times.
As I write this, there are no less than 11 copies of svchost.exe running in
my Windows 7 64-bit system.
To understand why this is expected, we need to understand a little bit about
why svchost exists and what it does.
Service Host
Svchost, as the name implies, stands for Service Host.
Many components of the Windows operating system are actually implemented as
what are called “services” – a fancy name for programs that run in the
background and aren’t necessarily associated with whomever is logged into the
machine.
You can quickly see which services are running by typing NET
START in a command window, or by right-clicking on your
Computer icon, clicking on Manage, clicking
on the small triangle next to Services and Applications to
expand it, and then clicking on Services.
On my machine, “Net Start” shows me 76 running services. The
Services interface shown above displays all installed services and an
indication of whether they are running or not.
There are many things that are common to all services: how they start, how
they interact with the system, and how they manage the administrivia of running a system
service. Rather than writing a complete service from scratch, many
are implemented as a type of program run by another program.
That “host” program is our friend svchost.exe.
Hosting services
Svchost.exe is designed to be the host for one or more actual services. It’s
the program that gets run, and when it gets run, it’s instructed which service
to run. The actual service is typically implemented in a DLL that svchost.exe
accesses.
As it turns out, a single copy of svchost.exe can actually “host” several
different services at once.
Hover your mouse pointer over one of the svchost.exe instances in Process
Explorer and a tool tip will show you exactly which running services are being
hosted by that particular copy of svchost:
In this example, the pop-up shows that this single instance of svchost.exe is
actually hosting 18 separate services. Other instances typically host fewer,
often only one. Which copy of svchost.exe hosts what service is a function of
how the services relate to each other and when they are required by the rest
of the system.
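The same mapping can be pulled out of a saved `tasklist /svc /fo csv` listing. The sketch below is an added example, not part of the original article; the sample listing is constructed, and the three-column layout (image name, PID, comma-separated services) is the assumed input format.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not taken from a real machine).
# Assumed layout: a header row, then image name, PID, comma-separated service names.
SAMPLE_TASKLIST_CSV = """\
"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","632","DcomLaunch,PlugPlay,Power"
"svchost.exe","712","RpcEptMapper,RpcSs"
"explorer.exe","2040","N/A"
"SVCHOST.EXE","980","Dhcp,EventLog,lmhosts"
"spoolsv.exe","1312","Spooler"
"""


def services_by_svchost(csv_text):
    """Return {pid: [service, ...]} for every svchost.exe row in the listing."""
    rows = csv.reader(io.StringIO(csv_text))
    next(rows, None)  # skip the header row; columns are read by position, not by title
    hosted = {}
    for row in rows:
        if len(row) < 3 or row[0].strip().lower() != "svchost.exe":
            continue
        services = row[2].strip()
        # English-language tasklist prints N/A when a process hosts no services.
        if services in ("", "N/A"):
            names = []
        else:
            names = [s.strip() for s in services.split(",")]
        hosted[int(row[1])] = names
    return hosted


def host_of(csv_text, service_name):
    """Return the PID of the svchost.exe instance hosting service_name, or None."""
    wanted = service_name.lower()
    for pid, names in services_by_svchost(csv_text).items():
        if wanted in (n.lower() for n in names):
            return pid
    return None


if __name__ == "__main__":
    for pid, names in sorted(services_by_svchost(SAMPLE_TASKLIST_CSV).items()):
        print(f"svchost.exe PID {pid}: {len(names)} service(s): {', '.join(names)}")
```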
Svchost and malware
Because it’s expected that there will be multiple copies of svchost.exe
running and its workings are quite mysterious to the average computer user,
malware authors have long leveraged the confusion around it to hide or at least
obfuscate their doings.
- In the past, the svchost.exe file itself was a popular target for direct
  compromise – malware would actually alter the program with their malicious
  code. Windows File Protection in later versions of Windows rendered this
  approach mostly ineffective.
- Malware authors often try to install their malware as a service hosted by
  svchost.exe. Installing a service requires administrative access and is
  effectively blocked in most cases by limited user accounts in Windows XP and
  UAC in Windows Vista, 7 and later.
- Malware is sometimes actually delivered in a file called svchost.exe, but
  placed in a non-standard location. When running, the malware looks like “just
  another svchost” unless examined more closely. (The correct location is in
  Windows\System32.)
- Similar sounding names and typos have also been fairly common. “svhost.exe”
  and “svchosl.exe” might pass for “svchost.exe,” unless you were looking
  carefully and noted the typos.
As I said, the confusion around svchost has become a tool that malware
authors have used to worm their malicious code onto machines in the
first place and/or try to hide its presence once installed.
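The last two tricks in the list above (a real name in the wrong folder, and a near-miss name) can be checked mechanically against a list of process image paths. This is an added example, not code from the original article; the process list is constructed, and the `C:\Windows` system root and the edit-distance threshold of 2 are assumptions.

```python
import ntpath

GENUINE_NAME = "svchost.exe"
# Per the article, the genuine file lives in Windows\System32. The drive letter
# and Windows directory are assumptions; adjust to the machine's %SystemRoot%.
GENUINE_DIR = r"c:\windows\system32"


def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def classify(image_path, max_distance=2):
    """Classify one process image path.

    Returns "ok", "wrong-location", "location-unknown", "lookalike-name",
    or None when the name has nothing to do with svchost.exe.
    """
    # ntpath handles Windows paths on any OS; normcase lowercases and
    # turns forward slashes into backslashes.
    path = ntpath.normcase(ntpath.normpath(image_path))
    directory, name = ntpath.split(path)
    if name == GENUINE_NAME:
        if not directory:
            return "location-unknown"   # bare name only, nothing to compare
        return "ok" if directory == GENUINE_DIR else "wrong-location"
    if edit_distance(name, GENUINE_NAME) <= max_distance:
        return "lookalike-name"
    return None


def scan(processes):
    """Return (pid, path, verdict) for every entry that deserves a closer look."""
    findings = []
    for pid, path in processes:
        verdict = classify(path)
        if verdict not in (None, "ok"):
            findings.append((pid, path, verdict))
    return findings


# Constructed process list (PID, image path); not captured from a real system.
SAMPLE_PROCESSES = [
    (632, r"C:\Windows\System32\svchost.exe"),
    (712, r"C:\WINDOWS\system32\svchost.exe"),
    (1312, r"C:\Windows\System32\spoolsv.exe"),
    (2210, r"C:\Windows\System32\drivers\svchost.exe"),
    (2544, r"C:\Users\Public\svchost.exe"),
    (3020, r"C:\Windows\System32\svhost.exe"),
    (3188, r"C:\Windows\svchosl.exe"),
    (4000, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, path, verdict in scan(SAMPLE_PROCESSES):
        print(f"PID {pid:5d}  {verdict:16s} {path}")
```

A hit is a prompt to look closer (file signature, parent process, hosted services), not proof of infection.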
Svchost.exe is not malware
I’ve seen a number of panicked questions that immediately jump to the
conclusion that svchost.exe is, itself, malware.
That’s simply not true.
Svchost.exe is a required system component and Windows will simply not run
without it. If it becomes infected, it’s possible that attempts to
clean it up by deleting or quarantining it may result in a system
that doesn’t work.
As we’ve seen above, malware often tries to look like svchost, or
it tries to run using svchost, but that doesn’t mean that svchost.exe
itself is malware.
(This is an update to an article originally published
October 20, 2003.)
QUESTION 1:
WHEN I START MY COMPUTER, THE COMPUTER SAYS :ERROR STARTING, MISSING .DLL FILE. HOW DO I RESTORE THE FILE?
QUESTION 2:
WHEN I SHUT DOWN MY COMPUTER, THE COMPUTER SAYS :NEED TO CLOSE SVCHOSTC PROGRAM. I WASN’T AWARE THAT I WAS RUNNING THE SVCHOSTC PROGRAM. HOW DO I CLOSE THE PROGRAM?
PLEASE HELP!
Question 1: it depends entirely on the operating system version, the filename that should have been specified in the error message, and potentially the applications installed on your machine.
Question 2: svchostC is most likely a virus, I believe. Make sure you’re running a virus scanner, and that the signatures are up to date.
If you need more specific or detailed help, please submit your question here: http://ask-leo.com/askleo.html
Thanks!
Leo
I have a machine like a server, in this pc I`ve installed dll’s, this dlls are functions that make transactions in sql over Access. All work fine, but in any moment appears “error en svchost.exe” this error in the server machine. in the side of the client appear an error “error en internet”.
What I can do? what is this error? how can I avoid this?
Please write me to my e-mail. joseguero@yahoo.com
thanks a lot for the attention to this trouble.
atte. Jose Luis sanchez from Toluca, Mexico.
Right now whenever I connect the internet, I will get the error message: svchost.exe error. Windows will terminate this program. After that I cannot get linked on any website, and my office2000 program will have trouble to run, like cannot run the “copy”, “cut” and “paste” function, and cannot link to any other file. What is wrong? what shall I do to avoid this? Please help me. Thanks!
I’ll point you all at http://ask-leo.com/askleo.html for those of you that need a quick and specific answer. Since this is so common, I’ll try to come up with a general answer if I have the time to do the research.
In the mean time, I also encourage you to read http://ask-leo.com/archives/000056.html . Regardless of who you take this question to, there are some common bits of information that will help.
Leo
When I connect the internet, I will get the error message: svchost.exe error. Windows will terminate this program. After that I cannot get linked on any website, and my office2000 program will have trouble to run, like cannot run the “copy”, “cut” and “paste” function, and cannot link to any other file. What is wrong? what shall I do to avoid this? Please help me. Thanks!
Everyone who’s having SVCHOST errors, please read this article: http://ask-leo.com/archives/000059.html
i can’t copy and paste since i had the msblast and lovsan viruses.
email me please on how to fix the problem, thanks
eddstanley@hotmail.com
when i connect to the net after surfing for few minutes i get the svchost.exe error. its a msgbox, asking OK to terminate the program or Cancel to Debug. I am unable to find a solution. I have Win.2000. When u click on Cancel it opens a Visual studio window. I have already formatted the comp and even loaded the latest Internet Explorer version. The problem still persists.
Please read this article: http://ask-leo.com/archives/000059.html
Leo
On the task manager, I always see svchost.exe. I know that there are several of them, but there’s one (listed as LOCAL SERVICE) that steadily takes up CPU usage. When it reaches 50-80%, my programs start to slow down. What causes this and how can I correct it?
2700 MHz, 768MB, 128M nVidia GeForce4 Ti4200-8x (0x0281)
Running Windows XP
I’d use tasklist /svc, as documented in this article, to try and determine which svchost is causing your trouble, and what services it is attempting to provide. That may provide a clue. Naturally I’d also make sure you’re up to date on service packs, windows update, virus checks and so on.
Leo
Leo, thank you for your online forum. My laptop, Toshiba Satellite 1415-S173, cable modem, MS WiFi, Symantec AV and full Security suite has recently required longer and longer to boot. I have tried to find the bottleneck to no avail. Numerous tweak scripts, exhaustive startup manager trials. 1.5 to 2 minutes to get the logon screen and another 2+ to load the desktop. I just found in MS Sys Info, Sys Summary, Software Environment, Startup Programs…..each file is listed twice with NT AUTHORITY\SYSTEM one user and .DEFAULT the other user. This is true for every file listed. Any thoughts? Otherwise, the system performs quite nicely. thanks in advance
Having everything listed twice certainly seems suspicious. I’d have you start with this article:
http://ask-leo.com/archives/000032.html it’s about system slowdowns in general, but many of the same techniques apply. It also points to another article on controlling what happens at startup with instructions on how to use msconfig. I’m curious as to whether msconfig shows everything twice as well. You didn’t mention running any spyware scanning software – that’s also a frequent cause for startup issues. Again, the article I just referenced discusses that also.
Best of luck!
Leo
Through Zone Alarm I learn that svchost.exe want to act as a server. Literally:
Do you want to allow Generic Host Process for Win32 services to act as a server?
Tech Inf.: source IP: 0.0.0.0:Port 5000
Application: svchost.exe
Version: 5.1.2600.0 (xpclient 010817-1148)
[“More info” in ZoneAlarm does not really give one more understanding or “yes/no” advice.]
I guess I am not the only one who gets this Question. Pls mail… tks
Curious Kees
I’m using zone alarm too. and i choose “yes” – nothing bad happened since then.
One of the svchost.exe’s on my computer is making my computer’s CPU run at 100%. It slows things down on my computer, even though I have good parts. Do you know what’s going on?
When I type tasklist /svchost I get the following message.
“tasklist not a known internal or external command, operable program or batch file”
I am running XP home on a Compaq presario notebook. The reason I would dearly like to run the program is that my PC is running at 100% busy even though there are no programs active and I am not connected to the net – or anything else.
Recommend you follow the instructions here: http://ask-leo.com/archives/000059.html and the several good ideas in the comments that follow.
Leo
Tasklist.exe is in \windows\system32 if present. You should be able to find it on your Windows XP CD as well.
Leo
Everytime i connect to the internet… after 10 mins or 15… and “SVCHOST.exe – Application ERROR” appears… and when i click… OK my connection will stop responding… and if CANCEL it will debug… but still stop responding… what was it?!?! thanks!
That’s classic behaviour for one of the viruses that manifests as a SVCHOST error. Check out this article: http://ask-leo.com/archives/000059.html
Good luck!
Leo
I have had many of the same errors that you all are talking about but that is just how it all started for me. I got so bad that I could not open any web pages.
what you all should try is go to the site that makes nortons anti-virus and look up
wn32.blaster
wn32.walchia.worm
wn32.walchia.a.worm
wn32.walchia.b.worm
wn32.walchia.c.worm
worm.lovsan.a
That is what I have found on my computer, and only one of them Nortons corp pro found.
Now I have a question. I am really new to all this computer tek stuff and so when nortons or avg could not fix the walchia worm I panicked and tried to delete every thing to do with the svchost that I could. I deleted the svchost.dll but the svchost.exe would not delete for it was in use so I tried everything to delete it. One thing that I wish that I do not do was I opened up the properties and at the time there was six (6) tabs and i changed every setting in there that could be changed.
Now I got rid of all the worms but my computer is not working right at all, i think that it has to do with what I did to the svchost.exe. I tried to reformat my computer using my windows XP but it told me that my files were corrupted and it can not be done.
Please any info about how I can reformat my computer would help.
thank you for your time
david
Jay trust me you had the blaster worm…..and it is a nasty one too
You need to find a program called “FixBlaster” then you need to make sure that you have all the critical windows updates and that will fix that problem.
svchost.exe is actually an important and required system component. If attempting to resolve a virus issue has damaged it, that can easily explain all sorts of remaining bad behaviour, even after the virus has been eradicated. My recommendation is to run the system file checker (sfc). I mention it and how to run it in this article: http://ask-leo.com/archives/000053.html – it should repair any damaged files.
Good luck!
Leo
Okay Leo, I need help, I am running Windows XP SP1 and print Spooler service disappeared from Services list. There are no printers listed in printers folder. I cannot add printer. When trying to run the wizard I get Error: ‘Operation could not be completed.’
I have deleted the print driver and cleaned the registry.
The only thing I can think of was I was trying to print .prn file from dos prompt and something remove spooler service.
Yikes! I’d run the system file checker to see if that doesn’t restore the spooler. I just posted an article on SFC: http://ask-leo.com/archives/000074.html
Good luck!
Leo
Thank you,
I have done that; SFC replaced a DLL and I should have written down which one but did not. My spooler is still not back! any other suggestions
I have a virus that attached itself to my svchhost.exe and svchoste.exe files, since they are running, I try to end process and then move the file to the virus valt (in AVG) – BUT when I end the process I am forced to reboot the machine.
anyone provide any assistance?
Im using WIN XP Home SP1 – thanks
svchost is a required system file – the system can’t run without it. You’ll need to use one of the removal tools. I recommend symantec: http://ask-leo.com/d-symantecavc – it’s also worth reading this article: http://ask-leo.com/archives/000059.html .
Good luck!
Leo
i cant seem to get rid of my popups, i have used ad-ware 6.0 and spybot but these pop-ups keep coming back…sometimes 60 at a time…i think it is a virus that may have attached itself to my svchost.exe file, i want to remove them, how do i go about this….
help please Leo
Well, you didn’t say whether or not you’ve run an anti-virus check, so certainly do that. Also check out this article: http://ask-leo.com/archives/000059.html for more steps to take on the svchost problem (read the posted comments as well, many people contributed valuable info). You also didn’t say what kind of popups. If you’re running XP or Win2k you should disable the Windows Messenger Service (not the IM client, but the service.) I talk about that one in this article: http://ask-leo.com/archives/000017.html
Good luck!
Leo
I learnt about the existence of svchost.exe just
yesterday, when my Norman firewall, under Windows
XP professional, asked whether task
c:\windows\system32\svchost.exe should be allowed
outgoing communication with protocol UDP
to remote address 207.46.130.100.
What is the purpose of svchost.exe accessing
the internet? What if I deny access (which I did,
without observing any negative consequences)?
Who/What is behind 207.46.130.100 (Microsoft, I
guess!?!)?
Thanks for your response in advance
franz
I’ll assume you meant “Norton” firewall :-).
So, to find out what 207.46.130.100 is, I went to a command prompt, and typed the following:
ping -a 207.46.130.100
And it tells me that that IP address is “time.microsoft.com” … so you are correct, it was Microsoft. That instance of svchost is supporting the time service, and has asked time.microsoft.com for the current time. You can change the server it uses, or turn off the auto time update completely, in the same place you set your PC’s clock in Windows.
Leo
My computer is running really slow. A lot of CPU usage is taken by svchost. What can I do? Where can I look for the problem?
10X
Hello Leo !
I have a question for you:
I have norton NIS+NAV installed on win xp pro, and it can’t run anymore, when I restart windows it I can see the icon of nav and nis(with x) and after a few seconds they disappear and I can’t run any norton application besides live update, which doesn’t work as well. I even tried to install windows on another partition and re-install NIS before even connecting to the internet, and the same happens again… I did update all the latest updates from microsoft update. I think it’s a virus, but I can’t find it with the pre-installed nis that on the nis-setup-cd or with trend micro online antivirus or fixblast.exe…
is the rpcs service of svchost run is normal ?
if I tried to close it I get the 60secs countdown as in the blaster worm… should this service run by normal use? or is it some kind of virus?
thanks!
rpcss is a normal service. Unfortunately it’s also the service that had a vulnerability that virus writers exploited. You can read more about it, and try downloading the patch for that vulnerability from here: http://ask-leo.com/d-rpcvuln
Some variations of the viruses actually prevent virus scanners from updating, so it sounds like that’s what you have. Try the patch above and see if that doesn’t let you make progress.
Good luck!
Leo
i have a big problem. i have a 1.6 gig processor, and im constantly overloaded. the problem comes when C:windows/system32/svchost.exe gets pinged by a number of different ip addresses, and i get a pop up (ping) from different ip addresses that try to get me to pay 19.99 to http://www.windows-patch.info. i need a solution bad. can anybody help?
Step one: turn off the windows messaging *service*. There’s a paragraph with the quick steps on how to do that about 2/3rds down this article: http://ask-leo.com/archives/000017.html – then, get yourself a good spyware scanning program (recommendations here: http://pugetsoundsoftware.com/recommend.html ).
Good luck!
Leo
I had one of the Walchia worms and it said my svchost.exe was infected. Norton tried to get rid of it but it was unable to get into the file. To fix this i restarted in safe mode and ended the process trees of all the svchosts running on my computer after that i looked up where there were located and deleted them. While this was happening my computer was shutting down because of the msblast. When i restarted not a lot works including microsoft explorer. I’m not sure how to restore the correct svchost. I hope you can help.
svchost.exe is a required system file. Removing it is most definitely the *wrong* thing to do to try to resolve this problem, and is pretty much guaranteed to hose your system.
Assuming you’re running XP, my recommendation: try system file checker first. http://ask-leo.com/archives/000074.html
If that gets your system somewhat runnable, then get all the patches from Windows Update.
And definitely read the comments here … there have been several good suggestions on how to proceed depending on your system, your connectivity, and what state of disarray you are in.
Good luck,
Leo
Norton recently told me that my svchost file was infected with “Download.Trojan”. It could not be repaired, so I quarantined it, but what should I do now? If I can’t repair it, then should I delete it?
Or you can do nothing, if Norton no longer complains. It’s typically OK to delete *the quarantined file* (NOT the *real* file). If you’re not sure about the difference, then leaving it as quarantined should also be fine. Since SVCHOST is a required system file, deleting the wrong one could be a problem.
Leo
I have a big problem with svchost.exe. 2500 MHz, 512MB, 128M ATI Radeon 9600 Running Windows XP,
it work perfect about 5 min and then CPU usage become 100%. What can I do?
Hi Leo
I’ve just encountered a similar problem to Korsaria. I have a Dell 2.4 Ghz + 512 Mb +80G HD running XP. I have Norton anti virus and also Norton Firewall but they have not been updated for a couple of months.
This morning I found that every application was being interrupted and it would sit there and do nothing for about a minute before it stumbled on and then stopped again. I used task manager and found that the CPU was running at almost 100% with SYSTEM PROCESS. The only other thing that was running at this time was SVCHOST.EXE but this was not taking up much CPU time and was intermittent. Something is causing SYSTEM PROCESS to commandeer the CPU. Do You have any thoughts.
Many thanks
Richard
My initial reaction is that you are both infected with a virus. Updating virus signatures frequently is a *must* in today’s environment – I update nightly. Update those virus scanners and get the latest round of updates from Microsoft for your system.
Leo
How do I capture the output from tasklist /svc before it disappears?
svchost.exe is constantly taking between 80 & 99% of processor & is bugging me.
If I can capture the output this will tell me which version of SVCHOST.EXE is running what programs, but how do I change them?
try:
tasklist /svc | more
or
tasklist /svc >filename.txt
If your processor is pegged in svchost, you likely are infected with a virus, and need to run a virus scan or removal tool.
Leo
Thanks Leo, going through the pain of trying to ensure I have all the windows updates & just looked at the symantec security site for the worm removal tool. Printed it off, too tired to plough through that tonight.
Thanks for your advice, truly appreciated.
when i use my notebook with battery. This running program “svchost.exe” are always run and take a lot of power from my notebook!!
What and how should I do in this case?
Thank You for your comment.
Sakol Nisarut
sakol@sec.or.th
I have a Dell 2.0Ghz running on XP.
After I read the posted here,I tried TASKLIST /SVC on CMD window; but I’ve got only an error message saying:
‘tasklist’ is not recognized as an internal or external command, operable program or batch file.
Why is TASKLIST /SVC not working on my XP?
I’ll appreciate your help.
Tasklist is only in XP Pro, I’m guessing you have XP Home edition. You can copy it over from an XP Pro system, if you have access to one. You might also be able to find a copy on-line if you search.
Leo
Thank you, Leo. Yes, mine is XP Home.
While searching for TASKLIST.EXE, I found great free tools from the following site:
http://www.sysinternals.com/ntw2k/utilities.shtml
Free tools of this sites such as Process Explorer, TCPView, FileMon, RegMon seem very good.
Would you check them out and give me opinion?
I’ll appreciate again.
I *highly* recommend sysinternals. In fact, you’ll find them mentioned in several of my articles, and on my recommendations page. The tools you list are part of my “take everywhere with me” arsenal :-).
Leo
my sygate personal pro firewall types that it is a critical problem and blocks incoming messages to svchost.exe. firewall describes it in that way: 03/26/2004 20:56:08 Intrusion Detection System Critical Incoming TCP 192.168.11.52 192.168.11.191 svchost.exe 4 03/26/2004 20:56:08 03/26/2004 20:56:08
is it wrong if firewall blocks these connections?
No, it looks like the firewall is doing its job. Further, based on the IP addresses, it looks like one of the other computers on your network may be infected with a virus.
Leo
I think I`ve closed one of svchost and from that I have some errors that appear on my screen… at number of error 10053 and 10054… how can I put the svchost again… I`ve installed the windows again and no effect. If I`ve written wrong, please excuse me, I am from ROMANIA and I have 11 years old. Can I fix the problem????
my computer is infected by virus w32.WlechiaB.Wrom .
when ever i run antivirus say virus found in c:\windows\system32\drivers\svchost.exe.
how to overcome this.
i searched on net i found something saying run given exe it will delete the file infected, is it ok?
waiting for u’r reply.
THANKS IN ADVANCE.
No way to know, since you didn’t say where you found it. There are such tools … I would start at Symantec’s anti-virus site and download one from there. http://ask-leo.com/d-symantecavc
Best of luck,
Leo
I’m having problems with IEXPLORE.EXE and EXPLORER.EXE…
I think both are corrupted, because when i’m opening certain folders with images or photos or even larger number of files it goes like this:
– “EXPLORER.EXE (or sometimes IEXPLORE.EXE) generated errors and will going to close”
how can i solve this problem?
I think just reinstalling Windows is not enough, so i appreciated if you could give me an answer.
Big Thankx
Lereno from Portugal
p.s – i’ve got Windows XP Professional(sorry about my English!!!)
First, I’d try the system file checker:
http://ask-leo.com/archives/000074.html – then I’d make sure you had an up to date virus scan.
Leo
THE SOLUTION IS PATCH “KB823980”. I HAVE DO THAT BEFORE 7 DAYS AND NOW I DO NOT HAVE ANY PROBLEM WITH MY COMPUTER. THANK YOU “LEO”.
SAMIR, BOSNIA & HERZEGOVINA
Hello
I tried to connect to mIRC and it says i have a trojan ??? ive ran spy-bot , ad-aware and norton2004 i also have a personal firewall enabled , how do i find the trojan thats lurking on my system please ?? i run winXPpro thanx for your assistance
steve
Good question. Does mIRC give you any information as to *what* trojan it thinks you have? You might also try an additional virus scanner (there are several free ones on the net that make for a good second tier scanner).
Leo
Hi. I have a question…
I have four SVCHOST.EXE running after restarting computer … but after 1hour (or more) one of them is using my CPU in 99% … when i disable it i can’t COPY/PASTE/MOVE FOLDERS, etc.
Can you please help me ? And if you reply plz send me an email so i can see what is the problem :P btw. maybe there is a way to look why this process use 99% of my CPU ?
That’s most certainly a virus. Check out the article and subsequent comments here: http://ask-leo.com/archives/000059.html
Good luck!
Leo
thx Leo … i solve my problem myself :)
This was the attack on the RPC to run commands :) I think it was Gaobot attack from LAN network :)
antivirus + patches for xp + little time … and i solve the problem :)
btw. nice site – keep up the good work :)
Hey Leo, I got a question for yah…(obviously). I run windows xp, and for some reason or another, after I reboot my compt, my task bar gets locked up and I am no longer able to use it. I can still minimize programs and alt+tab back into them. I just cannot see them on my taskbar…mainly because it will later disappear after running a few programs…IE games and such. I ran norton…nothing found…ran spy bot, search and destroy…found a few things, didn’t fix my problem. I got the latest xp updates and such. But when i opened up my task manager, and ended svchost, my taskbar came back up and was working fine. svchost does not mainly take up a lot of my cpu, but it does have its spikes at moments where it will shoot up. Any idea what might be going on?
Is the task bar still visible when the problem happens? I’m wondering if it’s just auto-hidden? Right click on an unused area on the task bar, hit properties (you may need to unlock the taskbar), and check the auto-hide and on-top settings.
Leo
Hi There…
I has a problem with my PC’s,
I’m using WinXP Pro, and i had this Generic Host Process For Win32 Services. Where each time the dialog box pop up, i try to close it and there is a dialog box tell that the PCs need to shut down. After a few times faced this problem i try to find a solution in internet and found out it is a MSblast. i been search a file named MSBlast.exe but did not found it. finally i found out that the generic host…. actually point to the svchost.exe.
can anyone help me to settle my problem???plzzz???
Thanks.
Question. I had the common problem of recieving about a dozen popups every 5 minutes. I installed the STOPzilla pop-up Blocker and the pop ups stopped. However, I now have a problem that is just as bad as the pop up ads. Whenever I’m online I can hear the audible sound that alerts me that a pop-up has been blocked. But about twice per hour this results in a major slow or complete freeze of my system. What could be the cause?
Hi. I have a question…
I have four SVCHOST.EXE running after restarting computer … but after 1hour (or more) one of them is using my CPU in 100% … when i disable it i can’t COPY/PASTE/MOVE FOLDERS, etc.
Can you please help me ? And if you reply plz send me an email so i can see what is the problem :P btw. maybe there is a way to look why this process use 100% of my CPU ?
http://ask-leo.com/archives/000059.html
and
http://ask-leo.com/d-blkrpc
should both be helpful.
Good luck.
Leo
Tracy: sounds like the windows messenger *service* is still running and being attacked. This article: http://ask-leo.com/archives/000017.html has instructions for turning that service OFF, which you should do. Or visit Gibson Research (http://ask-leo.com/d-grc ) and grab “Shoot the Messenger” which does the same thing … disables the service.
Good luck!
Leo
I have SVCHOST and SVCHOST running in my system whenever i boot the system. And windows task manager shows 100% of my CPU is being used by these 2 process. when i disable / set the priority to below normal,the system doesn’t allow the operations like COPY/PASTE/MOVE FOLDERS, etc.
Can you please help me ? And if you reply plz send me an email so i can see what is the problem :P btw. maybe there is a way to look why this process use 100% of my CPU ?
SVCHost is a required system component, so you can’t adjust its priority, or kill it. You either have or are being attacked by a virus. Check out the various comments in http://ask-leo.com/archives/000059.html – in short: update and patch Windows, update and run virus checking, and make sure you’ve got some kind of firewall in place.
Leo
windows xp pro,, i have a free DL of ad ware for finding spyware,,, i find about 7 per 24 hrs, always comet cursor and tracking something,, both are called data miners,, they are in my registry key and files,, ad ware get rid of them but they always come back,, how can i stop them from coming back
Well, step one is simply to take care in what sites you visit and software you download … typically these downloads are given to you transparently by less-than-reputable vendors.
Second, tighten up your browser’s security settings. This will prevent many.
Finally, Spy Bot does have a monitoring function that will watch for, and block at your option, many of the bigger offenders. AdAware may also have something like this in their pay version. There’s also a tool called StartupMonitor which can keep reins on what gets added to your startup (http://ask-leo.com/d-startupmonitor ).
Leo
Running in a command window (WinXP home) the “NET START” command works; however, when I type “tasklist /svc” I get the following error message:
[‘tasklist’ is not recognized as
operable program or batch file.]
What am I doing wrong?
Thanks,
Allmen Quester
Nothing. You probably have XP Home, which apparently doesn’t have the tasklist command. I’ll be writing up an article shortly on how to use Sysinternals Process Explorer (http://ask-leo.com/d-31017a ) to get the same information. In a nutshell, run procexp, doubleclick on a svchost instance, and then select the “services” tab, and it’ll show what services that instance of svchost is hosting.
Leo
Over the last few months, with increasing frequency, I receive the following message on my screen. It’s in Norton Internet Security, but it’s not the usual Alert Tracker screen I get when Norton detects an attempt to hack in. It’s more like the screen I get when a new programme – like RealPlayer for example – tries to connect to the internet for the first time.
The message says:
A remote system is attempting to access Generic Host Processes for Win32 on your computer.
Application: C:\WINDOWS\system32\svchost.exe
Protocol: TCP (Inbound)
It also tells me the IP address of the computer from which the attempt is being made – I think it’s different each time.
I have always assumed it’s someone trying to hack in or plant a trojan or whatever it is these people do, and refused the connection, but, before I set a rule to always forbid such connections, I just wondered if it is a legitimate programme or something which I ought to be allowing for the good running of the computer.
I’d set that always forbid rule. A remote computer should not be attempting to initiate a conversation that way … they’re probably attempting to exploit a vulnerability in Windows (that’s since been patched as well).
If you’re curious, you can enter the IP address into a “reverse DNS” tool, such as http://ask-leo.com/d-reversedns and see a) if there is a host name for that address, and b) if the host name is something you recognize.
Leo