windows\system32 directory. I was also told that if I find it in another
directory, it is part of a virus. I have WinXP and found the svchost.exe file
in the windows\system32 directory. However, I also found it in the
windows\ServicePackFiles\i386 directory and in the
windows\$NtServicePackUninstall$ directory. Is this a problem? Should I delete
the svchost.exe files in the non system32 directories?
Indeed, you were told correctly … kind of.
I just took a look at my machine, and found all those copies and one more.
Fortunately they are not the result of a virus, and you and I are
Let’s look a little more closely at why.
One of the ways that viruses try to hide is to give themselves the same name
as important or critical system files, like svchost.exe, but then place
themselves in a different location on your machine. That way you might be
afraid to delete them, for fear of deleting the wrong one, or you might not
even notice that it’s running because of its familiar name.
As you and I have seen, the file svchost.exe can, in fact, live in several
places and be ok. Let’s enumerate what those locations are, and why.
For purposes of this discussion, I’m going to assume that Windows is
installed into C:\Windows.
C:\Windows\System32 – the first and most obvious location: this is
the running copy of Windows itself. On this point you were told correctly –
this is the only copy of svchost.exe that should actually be running.
How do you find out? You’ll need to grab a copy of Process Explorer from
SysInternals.com. In current versions of that tool, simply hovering the mouse
over any of the “svchost.exe” entries listed there will display the full path.
If your Windows is installed in c:\windows, then the path for svchost.exe
should be “c:\windows\system32\svchost.exe”.
C:\Windows\ServicePackFiles\i386 – this directory contains
the most recent service pack installed on your machine. svchost.exe was one of
the files updated, so it’s located here. This is just a copy of the files – I
believe the files here are used when new software is installed or when you run
the system file checker. This Microsoft Knowledgebase article points out that
it’s possible to burn these files to a CD
and remove them from your system.
C:\Windows\$NtServicePackUninstall$ – if present, this
directory contains the previous copies of files that were saved when the
service pack was installed. Thus it contains the old version of svchost.exe.
You can delete this folder, but only if you are absolutely certain
you’ll never uninstall the service pack. (I’d probably burn it to CD first,
just in case.)
C:\I386 – if present, this directory contains a copy of your
Windows Installation CD, and hence would also have a copy of svchost.exe. I’ve
discussed this extensively in other articles, most recently: “So just
what *is* the I386 directory anyway?”
Those four locations are all valid places to find a file called
“svchost.exe”. Note that only one of them, C:\Windows\System32\svchost.exe,
should actually be running. The rest are various forms of backup associated
with installing and upgrading Windows.
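
The same check can be scripted. The PowerShell below is an added example, not part of the original article: it lists every running svchost.exe with its full path, searches the system drive for files of that name, and compares both against the four locations listed above. It assumes PowerShell 3.0 or later and an elevated prompt; the function name Get-SvchostVerdict and the variable names are made up for this example.

```powershell
# Added example: audit svchost.exe against the locations listed in the article.
# Assumption: PowerShell 3.0+; run elevated so ExecutablePath is populated
# for processes owned by other accounts.
$winDir  = $env:SystemRoot                        # e.g. C:\Windows
$sysRoot = (Split-Path $winDir -Qualifier) + '\'  # e.g. C:\

# The one copy that should be running.
$liveCopy = Join-Path $winDir 'System32\svchost.exe'
# Backup copies the article describes: fine on disk, never as a running process.
# Single quotes keep PowerShell from expanding the $ in the folder name.
$backupCopies = @(
    (Join-Path $winDir  'ServicePackFiles\i386\svchost.exe'),
    (Join-Path $winDir  '$NtServicePackUninstall$\svchost.exe'),
    (Join-Path $sysRoot 'I386\svchost.exe')
)

# Hypothetical helper: classify one path. String comparison with -eq and
# -contains is case-insensitive, which matches Windows path semantics.
function Get-SvchostVerdict([string]$Path, [bool]$IsRunning) {
    if (-not $Path)          { return 'unknown: path unreadable, rerun elevated' }
    if ($Path -eq $liveCopy) { return 'expected: live copy' }
    if ($backupCopies -contains $Path) {
        if ($IsRunning) { return 'UNEXPECTED: backup copy is running' }
        return 'expected: backup copy'
    }
    return 'UNEXPECTED: not a location the article lists'
}

# 1) Running processes named svchost.exe, with the path each was started from.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        [pscustomobject]@{ Source  = "pid $($_.ProcessId)"; Path = $_.ExecutablePath
                           Verdict = Get-SvchostVerdict $_.ExecutablePath $true }
    }

# 2) Every file called svchost.exe on the system drive (hidden folders included).
$files = Get-ChildItem -Path $sysRoot -Filter 'svchost.exe' -File -Recurse -Force `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source  = 'disk'; Path = $_.FullName
                           Verdict = Get-SvchostVerdict $_.FullName $false }
    }

@($procs) + @($files) | Sort-Object Verdict, Path | Format-Table -AutoSize -Wrap
```

The allow-list here is the article's Windows XP list; later Windows versions keep legitimate copies elsewhere (for example under WinSxS and, on 64-bit systems, SysWOW64), so treat an UNEXPECTED row as a file to scan, not as proof of infection.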
So what if you find a svchost.exe somewhere else? It could be the
result of a virus. Your very first step should always be to run an
up-to-date anti-virus scan. Most will take care of the problem.
If they do not, things are less clear. You can try renaming or removing the
file (make a backup copy on floppy or somewhere else
first, just in case). But ultimately, I would probably
consider scanning again with an additional, different anti-virus product. Once
again I’d emphasize that the virus database should be up to
date, as new viruses appear every day.