Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What is svchost, and why is there more than one copy running?

Fire up
Process Explorer
or Task Manager in Windows to view the running processes
and you’ll see something called “svchost.exe”.

In fact, you’ll see it listed several times.

As I write this, there are no less than 11 copies of svchost.exe running in
my Windows 7 64-bit system.

To understand why this is expected, we need to understand a little bit about
why svchost exists and what it does.

Become a Patron of Ask Leo! and go ad-free!

Multiple svchost.exe's running on my machine, viewed in Process Explorer

Service Host

Svchost, as the name implies, stands for Service Host.

Many components of the Windows operating system are actually implemented as
what are called “services” – a fancy name for programs that run in the
background and aren’t necessarily associated with whomever is logged into the
machine.

You can quickly see which services are running by typing NET
START
in a command window, or by right-clicking on your
Computer icon, clicking on Manage, clicking
on the small triangle next to Services and Applications to
expand it, and then clicking on Services.

Services installed in Windows 7

On my machine, “Net Start” shows me 76 running services on my machine. The
Services interface shown above displays all installed services and an
indication of whether they are running or not.

There are many things that are common to all services: how they start, how
they interact with the system, and how they manage the administrivia of running a system
service. Rather than writing a complete service from scratch, many
are implemented as a type of program run by another program.

That “host” program is our friend svchost.exe.

Hosting services

Svchost.exe is designed to be the host for one or more actual services. It’s
the program that gets run, and when it gets run, it’s instructed which service
to run. The actual service is typically implemented in a DLL that svhost.exe
accesses.

As it turns out, a single copy of svchost.exe can actually “host” several
different services at once.

Hover your mouse pointer over one of the svchost.exe instances in Process
Explorer and a tool tip will show you exactly which running services are being
hosted by that particular copy of svchost:

Services running in one specific instance of svchost.exe

In this example, the pop-up shows that this single instance of svchost.exe is
actually hosting 18 separate services. Other instances typically host fewer,
often only one. Which copy of svchost.exe hosts what service is a function of
how the services relate to each other and when they are required by the rest
of the system.

Svchost and malware

Because it’s expected that there will be multiple copies of svchost.exe
running and its workings are quite mysterious to the average computer user,
malware authors have long leveraged the confusion around it to hide or at least
obfuscate their doings.

  • In the past, the svchost.exe file itself was a popular target for direct
    compromise – malware would actually alter the program with their malicious
    code. Windows File Protection in later versions of Windows rendered this
    approach mostly ineffective.

  • Malware authors often try to install their malware as a service hosted by
    svchost.exe. Installing a service requires administrative access and is
    effectively blocked in most cases by limited user accounts in Windows XP and
    UAC in Windows Vista, 7 and later.

  • Malware is sometimes actually delivered in a file called svchost.exe, but
    placed in a non-standard location. When running, the malware looks like “just
    another svchost” unless examined more closely. (The correct location is in
    Windows\System32.)

  • Similar sounding names and typos have also been fairly common. “svhost.exe”
    and “svchosl.exe” might pass for “svchost.exe,” unless you were looking
    carefully and noted the typos.

As I said, the confusion around svchost has become a tool that malware
authors have used to to either worm their malicious code onto machines in the
first place and/or try to hide its presence once installed.

Svchost.exe is not malware

I’ve seen a number of panicked questions that immediately jump to the
conclusion that svchost.exe is, itself, malware.

That’s simply not true.

Svchost.exe is a required system component and Windows will simply not run
without it. If it becomes infected, it’s possible that attempts to
clean it up by deleting or quarantining it may result in a system
that doesn’t work.

As we’ve seen above, malware often tries to look like svchost, or
it tries to run using svchost, but that doesn’t mean that svchost.exe
itself is malware.

(This is an update to an article originally published
October 20, 2003.)

References

A description of
Svchost.exe in Windows XP Professional Edition
– Microsoft Support.

What is
svchost.exe?
– Microsoft. Written for Windows Vista, but applies to all
recent versions.

Do this:

Subscribe to Confident Computing! More confidence & less frustration -- solutions, answers, & tips -- in your inbox every week.

I'll see you there!

82 comments on “What is svchost, and why is there more than one copy running?”

  1. QUESTION 1:
    WHEN I START MY COMPUTER, THE COMPUTER SAYS :ERROR STARTING, MISSING .DLL FILE. HOW DO I RESTORE THE FILE?
    QUESTION 2:
    WHEN I SHUT DOWN MY COMPUTER, THE COMPUTER SAYS :NEED TO CLOSE SVCHOSTC PROGRAM. I WASN’T AWARE THAT I WAS RUNNING THE SVCHOSTC PROGRAM. HOW DO I CLOSE THE PROGRAM>

    PLEASE HELP!

    Reply
  2. Question 1: it depends entirely on the operating system version, the filename that should have been specified in the error message, and potentially the applications installed on your machine.

    Question 2: svchostC is most likely a virus, I believe. Make sure you’re runing a virus scanner, and that the signatures are up to date.

    If you need more specific or detailed help, please submit your question here: http://ask-leo.com/askleo.html

    Thanks!

    Leo

    Reply
  3. I have a machine like a server, in this pc I`ve intalled dll’s, this dlls are functions that make transactions in sql over acces. All work fine, but in any moment appears “error en svchost.exe” this error in the server machine. in the side of the client appear an error “error en internet”.
    What I can do? what is this error? how can I avoid this?
    Please write me to mi e-mail. joseguero@yahoo.com
    thank alot for the attention to this trouble.
    atte. Jose Luis sanchez from Toluca, Mexico.

    Reply
  4. Right now when ever I connect the internet, I will get the error message: svchost.exe error. Windows will terminate this program. After that I cannot get linked on any website, and my office2000 program will have trouble to run, like cannot run the “copy”, “cut” and “paste” fuction, and cannot link to anyother file. What is wrong? what shall I do to avoid this? Please help me. Thanks!

    Reply
  5. When I connect the internet, I will get the error message: svchost.exe error. Windows will terminate this program. After that I cannot get linked on any website, and my office2000 program will have trouble to run, like cannot run the “copy”, “cut” and “paste” fuction, and cannot link to anyother file. What is wrong? what shall I do to avoid this? Please help me. Thanks!

    Reply
  6. when i connect to the net after surfing for few minutes i get the svchost.exe error. its a msgbox, asking OK to terminate the program or Cancel to Debug. I am unable to find a solution. I have Win.2000. When u click on Cancel it opens a Visual studio window. I have already formatted the comp and even loaded the latest Internet Explorer version. The problem still persists.

    Reply
  7. On the task manager, I always see svchost.exe. I know that there are several of them, but there’s one (listed as LOCAL SERVICE) that steadily takes up CPU usage. When it reaches 50-80%, my programs start to slow down. What causes this and how can I correct it?

    2700 MHz, 768MB, 128M nVidia GeForce4 Ti4200-8x (0x0281)
    Running Windows XP

    Reply
  8. I’d use tasklist /svc, as documented in this article, to try and determine which svchost is causing your trouble, and what services it is attempting to provide. That may provide a clue. Naturally I’d also make sure you’re up to date on service packs, windows update, virus checks and so on.

    Leo

    Reply
  9. Leo, thank you for your online forum. My laptop, Toshiba Satellite 1415-S173, cable modem, MS WiFi, Symantec AV and full Security suite has recently required longer and longer to boot. I have tried to find the bottleneck to no avail. Numerous tweak scripts, exhaustive startup manager trials. 1.5 to 2 minutes to get the logon screen and another 2+ to load the desktop. I just found in MS Sys Info, Sys Summary, Software Environment, Startup Programs…..each file is listed twice with NT AUTHORITY\SYSTEM one user and .DEFAULT the other user. This is true for every file listed. Any thoughts? Otherwise, the system performs quite nicely. thanks in advance

    Reply
  10. Having everything listed twice certainly seems suspicious. I’d have you start with this article:
    http://ask-leo.com/archives/000032.html it’s about system slowdowns in general, but many of the same techniques apply. It also points to another article on controlling what happens at startup with instructions on how to use msconfig. I’m curious as to whether msconfig shows everything twice as well. You didn’t mention running any spyware scanning software – that’s also a frequent cause for startup issues. Again, the article I just referenced discusses that also.

    Best of luck!

    Leo

    Reply
  11. Through Zone Alarm I learn that svchost.exe want to act as a server. Literally:
    Do you want to allow Generic Host Process for Win32 services to act as a server?
    Tech Inf.: source IP: 0.0.0.0:Port 5000
    Application: svchost.exe
    Version: 5.1.2600.0 (xpclient 010817-1148)

    [“More info” in ZoneAlarm does not really give one more understanding or “yes/no” advice.]

    I guess I am not the only one who gets this Question. Pls mail… tks
    Curious Kees

    Reply
  12. One of the svchost.exe’s on my computer is making my computer’s CPU run at 100%. It slows things down on my computer, even though I have good parts. Do you know what’s going on?

    Reply
  13. When I type tasklist /svchost I get the following message.

    “tasklist not a known internal or external command, operable program or batch file”

    I am running XP home on a Compaq presario notebook. The reason I would dearly like to run the program is that my PC is running at 100% busy even though there are no programs active and I am not connected to the net – or anything else.

    Reply
  14. Everytime i connect to the internet… after 10 mins or 15… and “SVCHOST.exe – Application ERROR” appears… and when i click… OK my connection will stop responding… and if CANCEL it will debug… but still stop responding… what was it?!?! thanks!

    Reply
  15. I have had many of the same errors that you all are talking about but that is just how it all started for me. I got so bad that I could not open any web pages.

    what you all should try is got to the site that makes nortons anti-virus and look up

    wn32.blaster
    wn32.walchia.worm
    wn32.walchia.a.worm
    wn32.walchia.b.worm
    wn32.walchia.c.worm
    worm.lovsan.a

    That is what I have found no my computer, and only one of them Nortons corp pro found.

    Now I have a question. I am really new to all this computer tek stuff and so when nortons or avg could not fix the walchia worm I paniced and tryed to delete every thing to do with the svchost that I could. I deleted the svchost.dll but the svchost.exe would not delete for it was in use to I tryed everything to delete it. One thing that I wish that I do not do was I opened up the properties and at the time there was six (6) tabs and i changed every setting in there that could be changed.

    Now I got rid of all the worms but my computer is not working right at all, i think that is has to do with what I did to the svchost.exe. I tried to reformat my computer using my windows XP but it told me that my files were corrupeted and it can not be done.

    Please any info about how I can reformate my computer would help.

    thank you for your time
    david

    Reply
  16. Jay trust me you had the blaster worm…..and it is a naste one too

    You need to find a program called “FixBlaster” then you need to make sure that you have all the criticial windows updates and that will fix that problem.

    Reply
  17. svchost.exe is actually an important and required system component. If attempting to resolve a virus issue has damaged it, that can easily explain all sorts of remaining bad behaviour, even after the virus has been eradicated. My recommendation is to run the system file checker (sfc). I mention it and how to run it in this article: http://ask-leo.com/archives/000053.html – it should repair any damaged files.

    Good luck!

    Leo

    Reply
  18. Okay Leo, I need help, I am running winodws XP SP1 and print Spooler service disappered from Services list. There are no printers listed in printers folder. I cannot add printer. When trying to run the wizard I get Error: ‘Operation could not be completed.’
    I have deleted the print driver and cleaned the registery.
    The only thing I can think of was I was trying to print .prn file from dos prompt and something remove spooler service.

    Reply
  19. I have a virus that attached itself to my svchhost.exe and svchoste.exe files, since they are running, I try to end process and then move the file to the virus valt (in AVG) – BUT when I end the process I am forced to reboot the machine.

    anyone provide any assistance?

    Im using WIN XP Home SP1 – thanks

    Reply
  20. i cant seem to get rid of my popups, i have used ad-ware 6.0 and spybot but these pop-ups keep coming back…sometimes 60 at a time…i think it is a virus that may have attached itself to my svchost.exe file, i want to remove them, how do i go about this….
    help please Leo

    Reply
  21. Well, you didn’t say whether or not you’ve run an anti-virus check, so certainly do that. Also check out this article: http://ask-leo.com/archives/000059.html for more steps to take on the svchost problem (read the posted comments as well, many people contributed valuable info). You also didn’t say what kind of popups. If you’re running XP or Win2k you should disable the Windows Messenger Service (not the IM client, but the service.) I talk about that one in this article: http://ask-leo.com/archives/000017.html

    Good luck!

    Leo

    Reply
  22. I learnt about the existence of svchost.exe just
    yesterday, when my Norman firewall, under Windows
    XP professional, asked whether task
    c:\windows\system32\svchost.exe should be allowed
    outgoing communication with protocol UDP
    to remote address 207.46.130.100.
    What is the purpose of svchost.exe accessing
    the internet? What if I deny access (which I did,
    without observing any negative consequences)?
    Who/What is behind 207.46.130.100 (Microsoft, I
    guess!?!)?

    Thanks for your reponse in advance

    franz

    Reply
  23. I’ll assume you meant “Norton” firewall :-).

    So, to find out what 207.46.130.100 is, I went to a command prompt, and typed the following:

    ping -a 207.46.130.100

    And it tells me that that IP address is “time.microsoft.com” … so you are correct, it was Microsoft. That instance of svchost is supporting the time service, and has asked time.microsoft.com for the current time. You can change the server it uses, or turn off the auto time update completely, in the same place you set your PC’s clock in Windows.

    Leo

    Reply
  24. My computer is running really slow. A lot of CPU usage is taken by svchost. What can I do? Where can I look for the problem?
    10X

    Reply
  25. Hello Leo !
    I have a question for you:
    I hav norton NIS+NAV installed on win xp pro, and it can’t run anymore, when I restart windows it I can see the icon of nav and nis(with x) and after a few seconds they disapear and I can’t run any norton application besides live update, which dosen’t work as well. I even tried to install windows on another partition and re-install NIS before even conecting to the internet, and the same happens again… I did update all the leasts updates from microsoft update. I think its a virus, but I can’t find it with the pre-installed nis that on the nis-setup-cd or with trend micro online antivirus or fixblast.exe…
    is the rpcs service of svchost run is normal ?
    if I tried to close it I get the 60secs countdown as in the blaster worm… should this service run by normal use? or is it some kind of virus?

    thanks!

    Reply
  26. rpcss is a normal service. Unfortunately it’s also the service that had a vulnerability that virus writers exploited. You can read more about it, and try downloading the patch for that vulnerability from here: http://ask-leo.com/d-rpcvuln

    Some variations of the viruses actually prevent virus scanners from updating, so it sounds like that’s what you have. Try the patch above and see if that doesn’t let you make progress.

    Good luck!

    Leo

    Reply
  27. i have a big problem. i have a 1.6 gig processor, and im constantly overloaded. the problem comes when C:windows/system32/svchost.exe gets pinged by a number of different ip adresses, and i get a pop up (ping) from different ip adresses that try to get my to pay 19.99 to http://www.windows-patch.info. i need a solution bad. can anybody help?

    Reply
  28. I had one of the Walchia worms and it said my svchost.exe was infected. Norton tried to get rid of it but it was unable to get into the file. To fix this i restarted in safe mode and ended the process trees of all the svchosts running on my computer after that i looked up where there were located and deleted them. While this was happening my computer was shutting down because of the msblast. When i restarted no a lot works including microsoft explorer. I’m not sure how to restore the correct svchost. I hope you can help.

    Reply
  29. svchost.exe is a required system file. Removing it is most definitely the *wrong* thing to do to try to resolve this problem, and is pretty much guaranteed to hose your system.

    Assuming you’re running XP, my recommendation: try system file checker first. http://ask-leo.com/archives/000074.html

    If that gets your system somewhat runable, then follow get all the patches from Windows Update.

    And definitely read the comments here … there have been several good suggestions on how to proceed depending on your system, your connectivity, and what state of disarray you are in.

    Good luck,

    Leo

    Reply
  30. Norton recently told me that my svchost file was infected with “Download.Trojan”. It could not be repaired, so I quarantined it, but what should I do now? If I can’t repair it, then should I delete it?

    Reply
  31. Or you can do nothing, if Norton no longer complains. It’s typically OK to delete *the quarantined file* (NOT the *real* file). If you’re not sure about the difference, then leaving it as quarantined should also be fine. Since SVCHOST is a required system file, deleting the wrong one could be a problem.

    Leo

    Reply
  32. I hava a big problem with svchost.exe. 2500 MHz, 512MB, 128M ATI Radeon 9600 Running Windows XP,
    it work perfect about 5 min and then CPU usage become 100%. What can I do?

    Reply
  33. Hi Leo
    I’ve just encountered a similar problem to Korsaria. I have a Dell 2.4 Ghz + 512 Mb +80G HD running XP. I have Norton anti virus and also Norton Firewll but they have not been updated for a ouple of months.
    this morning I found that every application was being interrupted and it would sit there and do nothing for about a minute before it stumbled on and then stopped again. I used task manager and found that the CPU was running at almost 100% with SYSTEM PROCESS. The only other thing that was running at this time was SVCHOST.EXE but this was not taking up much CPU time and was intermittant. Something is causing SYSTEM PROCESS to commandeer the CPU. Do You have any thoughts.
    Many thanks
    Richard

    Reply
  34. My initial reaction is that you are both infected with a virus. Updating virus signatures frequently is a *must* in today’s environment – I update nightly. Update those virus scanners and get the latest round of updates from Microsoft for your system.

    Leo

    Reply
  35. How do I capture the output from tasklist /svc before it disappears?

    svchost.exe is constantly taking between 80 & 99% of processor & is bugging me.

    If I can capture the output this will tell me which version of SVCHOST.EXE is running what programs, but how do I change them?

    Reply
  36. try:
    tasklist /svc | more
    or
    tasklist /svc >filename.txt

    If your processor is pegged in svchost, you likely are infected with a virus, and need to run a virus scan or removal tool.

    Leo

    Reply
  37. Thanks Leo, going throught the pain of trying to ensure I have all the windows updates & just looked at the symantec security site for the worm removal tool. Printed it off, too tired to plough through that tonight.

    Thanks for your advice, truly appreciated.

    Reply
  38. when i use my notebook with battery. This running program “svchost.exe” are alway run and take a lot of power from my notebook!!
    What and how should I do in this case?
    Thank You for your comment.
    Sakol Nisarut
    sakol@sec.or.th

    Reply
  39. I have a Dell 2.0Ghz running on XP.
    After I read the posted here,I tried TASKLIST /SVC on CMD window; but I’ve got only an error message saying:

    ‘tasklist’ is not recognized as an internal or external command, operable program or batch file.

    Why is TASKLIST /SVC not working on my XP?
    I’ll appreciate your help.

    Reply
  40. Tasklist is only in XP Pro, I’m guessing you have XP Home edition. You can copy it over from an XP Pro system, if you have access to one. You might also be able to find a copy on-line if you search.

    Leo

    Reply
  41. I *highly* recommend sysinternals. In fact, you’ll find them mentioned in several of my articles, and on my recommendations page. The tools you list are part of my “take everywhere with me” arsenal :-).

    Leo

    Reply
  42. my sygate peronal pro firewall tipes that it is a critical problem and blocks incomming messages to svchost.exe. firewall desdcribes it in that way: 03/26/2004 20:56:08 Intrusion Detection System Critical Incoming TCP 192.168.11.52 192.168.11.191 svchost.exe 4 03/26/2004 20:56:08 03/26/2004 20:56:08
    is it wrong if firewall blocks these connectings?

    Reply
  43. No, it looks like the firewall is doing its job. Further, based on the IP addresses, it looks like one of the other computers on your network may be infected with a virus.

    Leo

    Reply
  44. I think I`ve closed one of svchost and from that I have some errors that appear on my screen… at numeber of error 10053 and 10054… how can I put the svchost again… I`ve installed the windows again and no effect. If I`ve written wrong, please scuse me, I am from ROMANIA and I have 11 years old. Can I fix the problem????

    Reply
  45. my computer is infected by virus w32.WlechiaB.Wrom .
    when ever i run antivirus say virus found in c:\windows\system32\drivers\svchost.exe.

    how to over come this.
    i searched on net i founf some thing saying run given exe it will delete the file infected, is it ok?

    waiting for u’r reply.

    THANKS IN ADVANCE.

    Reply
  46. I’m having problems with IEXPLORE.EXE and EXPLORER.EXE…
    I think both are corrupted, because when i’m opening certain folders with images or photos or even larger number of files it goes like this:
    – “EXPLORER.EXE (or sometimes IEXPLORE.EXE) generated errors and will going to close”

    how can i solve this problem?
    I think just reinstalling Windows is not enough, so i appreciated if you could give me an answer.

    Big Thankx

    Lereno from Portugal

    p.s – i’ve got Windows XP Professional(sorry about my English!!!)

    Reply
  47. THE SOLUTION SI PATCH “KB823980”. I HAWE DO THAT BEFORE 7 DAYS AND NOW I DO NOT HAVE ANY PROBLEM WITH MY COMPUTER. THANK YOU “LEO”.
    SAMIR, BOSNIA & HERZEGOVINA

    Reply
  48. Hello

    itried to conecct to mIRC and it says i have a trojan ??? ive ran spy-bot , ada-awre and norton2004 i also have a personal firewall enabled , how do i find the trojan thats lurking on my system please ?? i run winXPpro thanx for your assistance

    steve

    Reply
  49. Good question. Does mIRC give you any information as to *what* trojan it thinks you have? You might also try an additional virus scanner (there are several free ones on the net that make for a good second tier scanner).

    Leo

    Reply
  50. Hi. I have a question…
    I have four SVCHOST.EXE running after restarting computer … but after 1hour (or more) one of them is using my CPU in 99% … when i disable it i can’t COPY/PASTE/MOVE FOLDERS, etc.
    Can you please help me ? And if you reply plz send me an email so i can see what is the problem 😛 btw. maybe there is a way to look why this process use 99% of my CPU ?

    Reply
  51. thx Leo … i solve my problem myself 🙂
    This was the attack on the RPC to run commands 🙂 I think it was Gaobot attack from LAN network 🙂
    antivirus + patches for xp + little time … and i solve the problem 🙂
    btw. nice site – keep up the good work 🙂

    Reply
  52. Hey Leo, I got a question for yah…(obviously). I run windows xp, and for some reason or another, after I reboot my compt, my task bar gets locked up and I am no longer able to use it. I can still minimize programs and alt+tab back into them. I just cannot see them on my taskbar…mainly because it will later dissaper after running a few progams…IE games and such. I ran norton…nothing found…ran spy bot, search and destroy…found a few things, didnt fix my problem. I got the latest xp updates and such. But when i opend up my task manager, and ended svchost, my taskbar came back up and was working fine. svchost does not mainly take up alot of my cpu, but it does have it’s spikes at moments where it will shoot up. Any idea what might be going on?

    Reply
  53. Is the task bar still visible when the problem happens? I’m wondering if it’s jsut auto-hidden? Right click on an unused area on the task bar, hit properties (you may need to unlock the taskbar), and check the auto-hide and on-top settings.

    Leo

    Reply
  54. Hi There…

    I has a problem with my PC’s,
    I’m using WinXP Pro, and i had this Generic Host Process For Win32 Services. Where each time the dialog box pop up, i try to close it and there is a dialog box tell that the PCs need to shut down. After a few times faced this problem i try to find a solution in internet and found out it is a MSblast. i been search a file named MSBlast.exe but did not found it. finally i found out that the generic host…. actually point to the svchost.exe.
    can anyone help me to settle my problem???plzzz???

    Thanks.

    Reply
  55. Question. I had the common problem of recieving about a dozen popups every 5 minutes. I installed the STOPzilla pop-up Blocker and the pop ups stopped. However, I now have a problem that is just as bad as the pop up ads. Whenever I’m online I can hear the audible sound that alerts me that a pop-up has been blocked. But about twice per hour this results in a major slow or complete freeze of my system. What could be the cause?

    Reply
  56. Hi. I have a question…
    I have four SVCHOST.EXE running after restarting computer … but after 1hour (or more) one of them is using my CPU in 100% … when i disable it i can’t COPY/PASTE/MOVE FOLDERS, etc.
    Can you please help me ? And if you reply plz send me an email so i can see what is the problem 😛 btw. maybe there is a way to look why this process use 100% of my CPU ?

    Reply
  57. I have SVCHOST and SVCHOST running in my system whenever i boot the system. And windows task manager shows 100% of my CPU is being used by these 2 process. when i disable / set the priority to below normal,the system doesn’t allow the operations like COPY/PASTE/MOVE FOLDERS, etc.
    Can you please help me ? And if you reply plz send me an email so i can see what is the problem 😛 btw. maybe there is a way to look why this process use 100% of my CPU ?

    Reply
  58. SVCHost is a required system component, so you can’t adjust it’s priority, or kill it. You either have or are being attacked by a virus. Check out the various comments in http://ask-leo.com/archives/000059.html – in short: update and patch Windows, update and run virus checking, and make sure you’ve got some kind of firewall in place.

    Leo

    Reply
  59. windows xp pro,, i have a free DL of ad ware for finding spyware,,, i find about 7 per 24 hrs, always comet cursor and tracking something,, both are called data miners,, they arein my registy key and files,, ad ware get rid of them but they always come back,, how can i stop them from coming back

    Reply
  60. Well, step one is simply to take care in what sites you visit and software you download … typically these downloads are given to you transparently be less-than-reputable vendors.

    Second, tighten up your browser’s security settings. This will prevent many.

    Finally, Spy Bot does have have a monitoring function that will watch for, and block at your option, many of the bigger offenders. AdAware may also have something like this in their pay version. There’s also a tool called StartupMonitor which can keep reins on what gets added to your startup (http://ask-leo.com/d-startupmonitor ).

    Leo

    Reply
  61. Running in a command window (WinXP home) the “NET START” command works; however, when I type “tasklist /svc” I get the folllowing error message”
    [‘tasklist’ is not recognized as
    operable program or batch file.]
    What am I doing wrong?
    Thanks,
    Allmen Quester

    Reply
  62. Nothing. You probably have XP Home, which apparently doesn’t have the tasklist command. I’ll be writing up an article shortly on how to use Sysinternals Process Explorer (http://ask-leo.com/d-31017a ) to get the same information. In a nutshell, run procexp, doubleclick on a svchost instance, and then select the “services” tab, and it’ll show what services that instance of svchost is hosting.

    Leo

    Reply
  63. Over the last few months, with increasing frequency, I receive the following message on my screen. It’s in Norton Internet Security, but it’s not the usual Alert Tracker screen I get when Norton detects an attempt to hack in. It’s more like the screen I get when a new programme – like RealPlayer for example – tries to connect to the internet for the first time.

    The message says:
    A remote system is attempting to access Generic Host Processes for Win32 on your computer.
    Application: C:\WINDOWS\system32\svchost.exe
    Protocol: TCP (Inbound)

    It also tells me the IP addrss of the computer from which the attempt is being made – I think it’s diferent each time.

    I have always asumed it’s someone trying to hack in or plant a trojan or whatever it is these people do, and refused the connection, but, before I set a rule to always forbid such connections, I just wondered if it is a legitimate programme or something which I ought to be allowing for the good running of the computer.

    Reply
  64. I’d set that always forbid rule. A remote computer should not be attempting to initate a conversation that way … they’re probably attempting to exploit a vulnerability in Windows (that’s since been patched as well).

    If you’re curious, you can enter the IP address into a “reverse DNS” tool, such as http://ask-leo.com/d-reversedns and see a) if there is a host name for that address, and b) if the host name is something you recognize.

    Leo

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.