Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Where is it alright for svchost.exe to be?

Question: I was told that the file svchost.exe should only exist in the windows\system32 directory. I was also told that if I find it in another directory, it is part of a virus. I have WinXP and found the svchost.exe file in the windows\system32 directory. However, I also found it in the windows\ServicePackFile\i386 directory and in the windows\$NtServicePackUnistall$ directory. Is this a problem? Should I delete the svchost.exe files in the non system32 directories?

Indeed, you were told correctly ... kind of.

I just took a look at my machine, and found all those copies and one more. Fortunately they are not the result of a virus, and you and I are quite safe.

Let's look a little more closely as to why.

Become a Patron of Ask Leo! and go ad-free!

One of the ways that viruses try to hide is to give themselves the same name as important or critical system files, like svchost.exe, but then place themselves in a different location on your machine. That way you might be afraid to delete them, for fear of deleting the wrong one, or you might not even notice that it's running because of its familiar name.

As you and I have seen, the file svchost.exe can, in fact, live in several places and be ok. Let's enumerate what those locations are, and why they're ok.

"One of the ways that viruses try to hide is to give themselves the same name as important or critical system files..."

For purposes of this discussion, I'm going to assume that Windows is installed into C:\Windows.

C:\Windows\System32 - the first and most obvious, this is the running copy of Windows itself. This is where you were told correctly - this is the only copy of svchost.exe that should actually be running. How do you find out? You'll need to grab a copy of Process Explorer from SysInternals.com. In current versions of that tool, simply hovering the mouse over any of the "svchost.exe" listed there will display the full path. If your Windows is installed in c:\windows, then svchost.exe should be "c:\windows\system32\svchost.exe".

C:\Windows\ServicePackFiles\i386 - this directory contains the most recent service pack installed on your machine. svchost.exe was one of the files updated, so it's located here. This is just a copy of the files - I believe the files here are used when new software is installed or when you run the system file checker. This Microsoft Knowledgebase article points out that it's possible to burn these files to a CD and remove them from your system.

C:\Windows\$NtServicePackUninstall$ - if present, this directory contains the previous copies of files that were saved when the service pack was installed. Thus it contains the old version of svchost.exe. You can delete this folder, but only if you are absolutely certain you'll never uninstall the service pack. (I'd probably burn it to CD first, just in case.)

C:\I386 - if present, this directory contains a copy of your Windows Installation CD, and hence would also have a copy of svchost.exe. I've discussed this extensively in other articles, most recently: So just what *is* the I386 directory anyway?.

Those four locations are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.

So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.

If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

51 comments on “Where is it alright for svchost.exe to be?”

  1. Great artice, unfortunately it didn’t help me. All my five SVCHOST.EXE files where in the right directory. But I could just shut down the one process that used 50 % of the CPU. I then got the one minute to shutdown warning. But that was easily avoided by typing shutdown -a in the run window. My computer ran smoother then, but I still experience a bit lag in certain games like Battlefield 2.

    Reply
  2. I just did a scan for svchost.exe
    I not only found it in /system32 and /servicepack/i386 but also in /prefetch

    I’m assuming the one in /prefetch is a virus

    Reply
  3. Not neccesarily. Prefetch is a valid place for it to be, but it’s also ok to delete it from there. It’ll probably come back. Prefetch is a performance optimization for loading windows.

    Reply
  4. Hi Leo. I found a copy of svchost in the directory C:/Windows/System32/wins/SVCHOST.EXE
    What i should do??
    This svchost file in property windows says:
    TCP/IP Trivial file transfer daemon…What is this?

    Reply
  5. Hi Leo, I have Trend Micro installed and I keep getting a message that the virus TROJ_DLOADR.AD has been found in C;/windows/system32/directx/svchost.exe. The PC-cillin software always quarantines the file but I keep getting the message at various times when I try to connect to the internet. The good news is that the anti virus software seems to be working. The bad news is there is something on the computer that keeps installing a bad copy of svchost.exe in the directx directory. Any ideas on how to identify what is installing this bad copy of svchost?

    Reply
  6. I solved the problem. Windows Xp Pro SP 1.

    In my case is Windows Update. I just turn off Automatic Updates. No more svchost 100% CPU. Now the problem is: I have to do manually updates.

    Reply
  7. I found a svchost.exe in my programs directory (C:/program/svchost/svchost.exe) which couldn’t be removed since the system was using it somehow. I also saw that I had blocked it with my firewall. When I released the block for a short period of time it immediatley began connecting to a computer in Holland. I then blocked it again and searched for registry keys with that path name. It turns out the keys were about the eMando remote control software. After removing the keys I could delete the file. Shortly before this a buddy of mine had his pokeraccounts robbed for about $6000 and his hard drive erased, which was probably the result of this very file. Thanks to Leo for helping me identify the trojan.

    Reply
  8. Process Explorer is great. I’ve been looking for an application like this for a long time. I have 5 svchost.exe running and they are all from the legit directory. I’m glad to finally confirm this.

    Reply
  9. Hi Leo. McAfee Security Center detected a copy of svchost.exe in c:\windows\. It said it was infected by a trojan. It presented me with several options including deleting it or quarantining it. I deleted it immediately, thinking svchost.exe is not important. Then I decided to research the file and found this site. The file is not located in the folders you specified but it is located in c:\windows\. So now I’m not so sure if I did the right thing by deleting it. What do you think?

    Thanks!

    Reply
  10. hi leo,

    i really need your help here i had been having this problem for 2 days now, as i’m connecting to the internet by using a moden provided by my broadband provider. my problem are:

    1. suddenly an error message appear saying generic host process for win32 had encounter a problem and need to be closed. this happen when i’m surfing the net, it cause me to be disconnected from the net and i have to restart my computer for me to be able to connect again.
    2. it happened on a time duration of 30min-2 hours time surfing the net.
    3. error signature:
    event type:BXE p1:svchost.exe

    what i did try:
    1. used system restore( didn’t work )
    2. scan my computer for viruses( using avast/symantec/spybot and even use fixblast )

    i need a solution on solving this problem.

    p/s i’m using window XP
    thanx for the help

    Reply
  11. Word 97 and Excel 97 were loading very very slow. I found an additional svchost.exe file in C:\WINNT\SYSTEM32\WINS . After renaming this file everything worked fine. On changing the name back again Word and Excel loaded very very slow again. I scan the file with NAV but no virus was detected. What should I do with this file and do you know what it is and where it came from?

    Thanks for your very useful website.

    Mike

    Reply
  12. Plain and to the point about “svchost locations”
    This file should ONLY BE THE C:\Windows\System32 directory AND in the C:\I386. If you do have more than one in ANY OTHER location, delete it, how can I tell you ask? Well, do a search for “svchost”, when the search results are posted, there should only be a copy in the direcories stated above. If there are more than one elsewhere look at the DATE of that svchost file, thats a true giveaway, IE. the svchost files in the correct locations will have the date of the Oringal operating system. If there are later dates of the file in other locations is earlyer then delete them.

    Reply
  13. So you’ve covered in what locations svchost can be, what about process users? In the Task Manager, some of the svchost.exe instances list SYSTEM as the User Name, or NETWORK SERVICE or LOCAL SERVICE, which I’m sure is fine, but what if it listed the name of a log-in on that computer (or another computer too, I guess, but that would obviously be very bad :P )
    This isn’t happening right now, so I can’t be %100 certain, but I seem to recall seeing such an occurance in the past. Could this be an easy way to spot a phoney svchost?

    Thanks

    Reply
  14. why are there 7 svchost.exe’s running at the same time but only 1 causes system failure? these 7 things
    are 25% of my commit charge. its even worse when gaming! Please help!

    macon

    Reply
  15. i have 5 SVCHOST.exe on my list, and one of them is pumping my CPU usage every time i am connected to internet, i tried to disable it but it reappeared every 10-15 secs after i disable.i did a search for it. Its on its original place which on win32 file. The user name for that “fake” SVCHOST.exe was SYSTEM.

    Reply
  16. Please note C:\Windows\svchost.exe is NOT a place where the file should be. I have had a trojan in that path, with two dozen different methods to start automatically when the computer is booted (like Startup item on start menu and lots of places on the registry). It was a backdoor and it was sending information back to the hacker. I managed to remove it within an hour of getting it (and unplugged network cable during the whole removal process so it didn’t keep sending anything).

    Reply
  17. Please, I have the same problem as ” Nicolas at April 29, 2007 10:49 AM” but I’m unable to remove it. I really tried everything but I cannot find the source of the infectation. Please tell me how to get rid of C:\Windows\svchost.exe (what is definitly not existing, but showing up after every restart)

    Reply
  18. I have a relatively new computer, with Vista operating system. How is any of your advice about svchost.exe changed for Vista users?

    Reply
  19. My question is basically the same as Nicholas’s, Ken’s and Kim’s. I require info on how to get rid of the files that shouldn’t be there and how to know which files should be running and which shouldn’t (svchost.exe). So, can you please, help me.

    Thanks.

    Reply
  20. I used PRT Perlovga Removal Tool which I found at this site:

    http://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=4

    I’m not sure how reliable this site and it’s program is. I used it to get rid of the temp1.exe and temp2.exe virusses. Appearantly it also does help against svchost.exe virus problem.

    I now get this at start up:

    ————————
    E:\windows\svchost.exe
    ————————
    Windows cannot find ‘E:\windows\svchost.exe’. Make sure you typed the
    name correctly, and then try again. To search for a file, click Start
    button, and then click Search.
    ————————

    and after clicking “okay” I get this:

    ————————
    Desktop
    ————————
    Could not load or run ‘E:\WINDOWS\svchost.exe’ specified in registry.
    Make sure the file exists on your computer or remove the reference to
    it in the registry.
    ————————

    Well, svchost is now only in E:\windows\system32

    I’m guessing I should go into the registry and get out that HKEY to svchost in E:\windows\

    right?

    Reply
  21. i have a problem with my pc,after entering my password the pc monitor will show a black screen then after some few sec it will then display svchost property.My question is what is this and how do i solve the problem?

    Reply
  22. My PC was acting very slow, I went to the task manager and many svchost.exe, I researched and found out it is a virus or malware, so deleted all svchost.exe from the registry by mistake, and my lap top is xp proffessional sp2, I can not connect to the internet, because I noticed that there is nothing in the network communication ( no LAN or Wireless, also no volume control in the lower right corner, and when I try to open norton, it will not allow me to open it, when I open a word document and try to mimize it to the system tray, it disappears. what should I do to restore it back to it’s previous state?

    Reply
  23. Cool guys..

    There is a problem that was identified by Microsoft.

    QUOTE
    The Svchost.exe process may spike the CPU usage to 100 percent during update detection or update installation. Also, the Svchost.exe process causes the computer to stop responding for various lengths of time.

    If that fits your issue, you may wish to try this hotfix from Microsoft. MS Help and Support(http://support.microsoft.com/?scid=kb%3Ben-us%3B932494&x=11&y=10)

    I had the same problem and noticed that wuauclt was also running – Microsoft’s autoupdate.

    A little background on svchost

    GL…

    Reply
  24. The true svchost.exe file in Windows/system32 has version number 5.1.2600.2180 and a length of 14,336 bytes.

    The bad file in Windows/inf has a version number of 1.0.0.1 and a length of 15,872 bytes. This file has the same name, svchost.exe but cannot be altered or removed and it propagates it’s spyware relentlessly.

    Reply
  25. Windows cannot find ‘E:\windows\svchost.exe’. Make sure you typed the
    name correctly, and then try again. To search for a file, click Start
    button, and then click Search.

    i tried everythin…as you have said(maybe not)
    i even tried updating my windows xp and hotfix and those kinda stuff…but the problem reappears everytime i started my windows….i need help terribly….

    Reply
  26. I have read your article on the svchost.exe and checked my system. I found it in the System32 folder, the ServicePackFiles folder and then also in this folder: C\Windows\Prefetch, is this a virus??

    Thank you

    Reply
  27. I am having a problem i have not seen on the internet at all. scvhost.exe has rooted itself in windows/win32/oobe/scvhost.exe…not only has not one article on the internet show it in that directory but it makes the computer absolutley go beserk. the only way to keep my computer responding is to keep task manager open. if I close it 100’s of svchost open and cause a reboot. i cant seem to find a way to stop it.

    Reply
  28. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    As the article indicates, that’s highly suspicious of a virus, and you need to
    run an *up to date* anti-virus scan with a good scanner.

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFHLKngCMEe9B/8oqERAvalAJ0f3Ul6p9PaN3jOKgC1Dvbe+UDogQCeIcCc
    Mct8FOdYq47SJpJp+RcCx/k=
    =HHTz
    —–END PGP SIGNATURE—–

    Reply
  29. “Windows cannot find ‘E:\windows\svchost.exe’. Make sure you typed the
    name correctly, and then try again. To search for a file, click Start
    button, and then click Search.

    i tried everythin…as you have said(maybe not)
    i even tried updating my windows xp and hotfix and those kinda stuff…but the problem reappears everytime i started my windows….i need help terribly….”

    The same thing has happened to me. How do I fix this?

    Reply
  30. Thanks Leo, I was having a problem with svchost.exe taking up all of my CPU.
    Turned out after using the Process Explorer you recommended that it was the HP printer and software I installed a while ago. A network polling service was hogging all of the CPU through svchost.exe. I turned off the automatic service and fixed the problem.

    Andrea

    Reply
  31. i was threatened w/ this “svchost” cause i saw it in a USB i plugged in the computer. i deleted the thing at my C drive but it keeps on recoming so i stopped all processes having svchost.exe and deleted all svchost files found in my pc. After I read this, im troubled. It looks like I really need the svchost.exe in the folder system32… What shall I do? Thanks for the help.

    Reply
  32. Hi Leo,

    I have BitDefender which tells me I have that my
    C:\WINDOWS\system32\=>:svchost.exe is infected with a Trojan.Generic.138368. Bit defender can’t seem to get rid of it, same goes for Norton 360. I thought it was ok to have the svchost.exe. in this location…Any ideas?

    Carol

    Reply
  33. I found a SVCHOST.EXE-2d5fbd18.pf located in C:\windows\Prefetch. Should I delete it? I regularly run an up tp date Symantec anti virus scan as well “spyware terminator” and it hasn’t noted this as a virus. Thanks

    Reply
  34. was having the svchost.exe problem not only taking up 100% of my cpu usage but also popping up all kinds of porn in a non-explorer window not detectable as an application. With the process explorer I found a copy of svchost.exe running from a suspicious directory C:\google.com\svchost.exe lol. Renamed the file. Restarted the computer. Problem solved. Now to delete that little bastard…

    Reply
  35. Had the same problem as Shack…using 100% of CPU, pop-up porn in non-explorer window and wouldn’t let me delete C:\google.com\svchost.com. Renamed file, restarted computer and deleted file and folder successfully. This killed it off!

    Reply
  36. Hello Leo,
    I just read your comments on Svchost.exe after checking my running processes. I had stopped a couple of proccesses earler today as they were not familiar and were .exe files.
    On looking through my running system files I have
    Svchost.exe running on the following instances at once:
    -System
    -System
    -Local Service
    -Local Service
    -Network service
    -System
    -Network service
    -System
    -System
    -Network service
    -System
    -Systm
    -Local service.
    That is a total of 12 instances of it running in my processes at once.
    I reinstalled my win xp just 2 weeks ago after I found it crashing and my enti virus Trend micro not responding.
    Since reinstal my modem was changed last weekend (Friday Evening) and my username and password were changed in the security system of the wireless modem (I keep wireless broadcasting off and use a lead to plug the modem into the PC)
    Since I noticed it cannot run a full system scan and last time stayed at 99% complete after 46 hours.
    It seems like a lot of Svchost.exe files/processs to be running. Is there any way I an be sure of which ones to end or delete?
    With many thanks.
    Leslie

    Reply
  37. As I can see here, many ppl still have problems with creepy svchost named viruses…
    Well, there are really 4 places, where svchost can be stored, that is ok. But as said in the article above, only the one in System32 folder should be running.
    So good way to discover svchost.exe viruses is to obtain list of actually running processes called svchost.exe and then read the path (if it is other than System32, it is a virus).
    It is quite a creepy process on Windows platform, so I am going to code auto-removal utility for this purpose. I will send the link to the final product later :).

    Reply
  38. When I open the task manager I see

    SVCHOST.EXE System
    SVCHOST.EXE Network Service
    SVCHOST.EXE System————> 22,260 KB!!
    SVCHOST.EXE Network Service
    SVCHOST.EXE Local Service
    SVCHOST.EXE Local Service
    SVCHOST.EXE System

    Do you think my computer is ok?

    Reply
  39. my svchost.exe is running on 50CPU, and Bitdefender tells me it’s infected by trojan virus. Bitdefender deletes it, but I seems to keep coming back. Also I’m having problems with Generic Malware virus, and Rootkik, Bitdefender seems to be powerless. I NEED A WAY TO REMOVE THESE PLEASE HELP

    Sounds like you need this article: How do I remove a virus?

    Leo
    14-Dec-2009

    Reply
  40. I have svchost.exe.hdmp file located on my C:\Documents and Settings\local\Temp|WERa04e.dir00 folder. based on what I’ve read, this is proably a virus and should be removed? It has disabled my antivirus software. darrel

    “svchost.exe.hdmp” is not the same as “svchost.exe”, so you cannot make the same assumptions about where it’s alright to be, and you cannot assume that it is a virus. a “.hdmp” file is a file used by Windows Error Reporting, and may be totally valid. I recommend you make sure your anti-malware tools are up to date.

    Leo
    09-Jan-2010

    Reply
  41. Hi. I have the svchost.exe only in the places you mentioned above. But, in Task Manager it says there are 9 running. It says some are running by SYSTEM and others running by LOCAL SERVICE, and you only mentioned 4. If there was more svchost.exes in other places, how could I find them? Or do you know if I have a virus?

    It is quite common to have more that one copy of SVCHOST running – which is different than the number and location of the SVCHOST.EXE files. More here: What is svchost, and why is there more than one copy running?

    Leo
    12-Mar-2010

    Reply
  42. i have an svchost.exe in c:documents and settingsmy nameapplication datamicrosoft
    i delete it and it keeps coming back.
    i scan it for viruses but nothing shows up.
    i started to notice it when it started requesting access to the internet. i block it every time.
    this directory also contains a .bat file which can delete all svchost.exe files in this directory.

    Reply
  43. After reading this article, I typed “svchost.exe” into my Winows XP search mechanism. In addition to the four places mentioned in your article, I also found one in a folder entitled C:WINDOWSERDNTcache. I don’t know if this means anything or not, but both of my virus checking programs (Avast and Malwarebytes) did not identify it as a problem.

    Reply
  44. I just reinstall Win7 Home Prem. from a Gateway hidden partition ( 3rd time ). It is not connected to the internet yet as I had other problems. I un-hid everything and I have 2 different size Svchost.exe. one 26.5k in \windows\system32 and one 20k in \windows
    Malware bytes earlier complained about the windows one. Had it remove it and compuer was funny. Any thoughts? Just downloaded the analyzer and will run that. I’m wondering if the reload from DVDs and then the hidden partition have done the same thing.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.