Svchost and Svchost.exe – Crashes, CPU maximization, viruses, exploits and more.
I’ve discussed Svchost, aka Svchost.exe, in previous articles on Ask Leo!. Many people are witnessing a svchost.exe crash and it’s actually quite amazing. Unfortunately, there’s no single point of reference for svchost related problems. Rather than answering one single question, I’ll try to cover a theme that can best be summed up as:
What’s The Deal with SVCHOST?
Do any of these symptoms sound familiar?
- Your system becomes sluggish and you find that something called svchost or
dllhost is taking nearly 100% of your CPU.
- Your system reports that svchost has performed an illegal operation and
will be terminated. After that, various things fail to work properly, if at
- After you log in, your system automatically reboots in one minute.
But just what is svchost?
Let me tell you what it is not: On Windows XP, 2000, and
2003, svchost is not a virus. On those systems, svchost is a
required system component. If you happen to successfully delete it,
your system will not run. You’ll be much worse off
than before. (Win95, 98, and Me users, see Note 1.)
Do not delete svchost.exe. Don’t even think about it.
[Important: do not confuse svchost, which we are discussing
here, with scvhost, which has two letters transposed. They are
not the same thing. The presence of scvhost may indicate a
Svchost, which is short for “service host”, is a core part of the operating
system that provides support to many of the required services that are
Windows. You can see all the copies of svchost and what services they are
running by typing “tasklist /svc” in a command window. If you don’t have
tasklist, or just prefer not to use the command shell, you can use SysInternals Process Explorer instead. (Check out my previous
article “What is Tasklist.exe, and why don’t I have it?” for details.) On my machine, one copy of svchost is responsible
for 30 separate services, another is hosting 4, and the remaining 3 host one
What about this “RPC” thing that has vulnerabilities?
Same story. RPC, for Remote Procedure Call, is a core operating system
service. Windows won’t run without it. If you happen to successfully
disable it, you’re in deep trouble.
Do not disable the RPC service. Don’t even think about it. (If you already
did, see Note 2.)
So what do you do?
First, we have to understand that there are two possible problems:
- You could be infected with a virus.
- You could be under “attack” from an outside source attempting to exploit
the RPC vulnerability.
It’ll do you no good to get things all cleaned up only to get hit again the
moment you connect to the internet, so we’ll deal with the second point
Block the Vulnerability
The very first thing we have to do is plug the vulnerability. This will
prevent some forms of re-infection, as well as some forms of attack, both of
which can cause the problems we’ve been talking about.
If you’re running Windows XP, you can turn on the Internet Connection
Firewall. In Control Panel, select Network Connections, select
the connection that corresponds to your internet connection, right click on
that and select Properties, select the
Advanced tab, and make sure that Protect my computer
and network by limiting or preventing access to this computer from the
Internet is checked.
If you have some other kind of firewall, ensure that those same ports are
Update Your System
Install all of the latest service packs and patches. For Windows 2000, that
means getting the latest service pack, as well as
any additional patches. For Windows XP, that also means getting the latest service pack and any additional
patches. (Note: If you’ve installed Windows XP Service Pack 1,
Microsoft now recommends installing Service Pack 1a
that corrects a couple of problems.) The whole process can be simplified to
this: visit Windows Update, let it analyze your
system, and then download and install all the updates suggested.
The single, most important update relating to our svchost / RPC problem is
this one: A Buffer Overrun in RPCSS Could Allow an
Attacker to Run Malicious Programs. Make certain that the patches listed
there have been installed.
You’re not done.
Scan for Viruses
To put it more completely, update your virus signatures to
the latest possible and then scan for viruses. In fact, experience is showing that not all virus scanners are catching all viruses, so it would be in your best interest to use a second virus scanner as well.
You may not have a virus. But you may have contracted one as a result of the
There are several viruses that may result from this vulnerability.
Some cannot be removed by the virus scanners’ traditional mechanisms. If that
happens to you then you’ll need to download a special tool to remove that
particular virus. Take the name of the virus identified by your scanner, visit
the Symantec Anti-Virus Center, and search on that
virus. Chances are, if there’s a tool to remove the virus, they have it.
Scan for Spyware
There is anecdotal evidence that Spyware can also be associated with svchost
related problems. Even if that’s not accurate, it’s a good idea to scan regularly anyway. Grab a copy of a tool such as Spybot Search and Destroy, or Ad-Aware.
Note 1: Windows 95, 98, and Me users: Most of this article
does not apply to you at all. You shouldn’t be seeing the symptoms described
here. If you do, or if you find svchost.exe on your machine, then you likely have a
virus and should scan and clean immediately.
Note 2: If you’ve already disabled the RPC service, then Black
Viper has a possible way to restore it. He also has
instructions for stopping the 60 second shutdown as well.
Note 3: If you have a firewall such as ZoneAlarm, it may
ask if it’s ok for svchost to access the internet. It’s probably ok to allow
it. There is at least one legitimate service that svchost supports
that does need to access the internet: the time service. It connects to time
servers on the internet to ensure your clock is correct.
Finally, check back here for updates. SVCHOST has been the source of a lot
of frustration for people, and I’ll try to update this article as new information becomes available.
- 09-May-2004: Added note on scvhost misspelling, and the
related link to the LSASS article.
- 12-May-2004: Added notes relating to Windows Service Pack
- 03-Dec-2005: Added a new article: Where is it
alright for svchost.exe to be?.
- 10-May-2007: Added a new article: “How do I fix this high CPU usage svchost virus or whatever it is?”