Indeed, you were told correctly ... kind of.
I just took a look at my machine, and found all those copies and one more. Fortunately they are not the result of a virus, and you and I are quite safe.
Let's look a little more closely at why.
One of the ways that viruses try to hide is to give themselves the same name as important or critical system files, like svchost.exe, but then place themselves in a different location on your machine. That way you might be afraid to delete them, for fear of deleting the wrong one, or you might not even notice that it's running because of its familiar name.
As you and I have seen, the file svchost.exe can, in fact, live in several places and be ok. Let's enumerate what those locations are, and why they're ok.
For purposes of this discussion, I'm going to assume that Windows is installed into C:\Windows.
C:\Windows\System32 - the first and most obvious, this is the running copy of Windows itself. This is where you were told correctly - this is the only copy of svchost.exe that should actually be running. How do you find out? You'll need to grab a copy of Process Explorer from SysInternals.com. In current versions of that tool, simply hovering the mouse over any of the "svchost.exe" listed there will display the full path. If your Windows is installed in c:\windows, then svchost.exe should be "c:\windows\system32\svchost.exe".
C:\Windows\ServicePackFiles\i386 - this directory contains the most recent service pack installed on your machine. svchost.exe was one of the files updated, so it's located here. This is just a copy of the files - I believe the files here are used when new software is installed or when you run the system file checker. This Microsoft Knowledgebase article points out that it's possible to burn these files to a CD and remove them from your system.
C:\Windows\$NtServicePackUninstall$ - if present, this directory contains the previous copies of files that were saved when the service pack was installed. Thus it contains the old version of svchost.exe. You can delete this folder, but only if you are absolutely certain you'll never uninstall the service pack. (I'd probably burn it to CD first, just in case.)
C:\I386 - if present, this directory contains a copy of your Windows Installation CD, and hence would also have a copy of svchost.exe. I've discussed this extensively in other articles, most recently: So just what *is* the I386 directory anyway?.
Those four locations are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.
So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.
If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.
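The two checks described above (which svchost.exe is actually running, and where copies sit on disk), as an added PowerShell example that is not part of the original article. It assumes PowerShell 3.0 or later; the function names are hypothetical, and the allow-list is simply the four locations listed in this article.

```powershell
# Added example: not from the original article.
# Assumption: Windows is installed in $env:SystemRoot (the article assumes C:\Windows).
$sysRoot  = $env:SystemRoot
$sysDrive = $env:SystemDrive

# The only image path the article says a *running* svchost.exe should have.
$expectedRunning = Join-Path $sysRoot 'System32\svchost.exe'

# Directories where the article says a copy may sit on disk without running.
# Newer Windows versions also keep copies elsewhere under the Windows directory
# (for example SysWOW64 on 64-bit systems); those are reported as "not listed"
# here because the article predates them.
$okOnDisk = @(
    (Join-Path $sysRoot  'System32'),
    (Join-Path $sysRoot  'ServicePackFiles\i386'),
    (Join-Path $sysRoot  '$NtServicePackUninstall$'),
    (Join-Path $sysDrive 'I386')
)

function Get-SvchostProcessReport {
    # One row per running svchost.exe with its full image path and a verdict.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
        ForEach-Object {
            $path = $_.ExecutablePath
            $verdict = if (-not $path) {
                'UNKNOWN: path not readable, rerun elevated'
            } elseif ($path -ieq $expectedRunning) {
                'OK'
            } else {
                'SUSPICIOUS: running outside System32'
            }
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Path      = $path
                Verdict   = $verdict
            }
        }
}

function Get-SvchostFileReport {
    # Every file named svchost.exe under $Root, marked against the allow-list.
    param([string]$Root = "$sysDrive\")
    Get-ChildItem -Path $Root -Filter 'svchost.exe' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $listed = $okOnDisk -icontains $_.DirectoryName
            [pscustomobject]@{
                Path     = $_.FullName
                Length   = $_.Length
                Version  = $_.VersionInfo.FileVersion
                Location = if ($listed) { 'listed in article' }
                           else { 'NOT listed: scan this file' }
            }
        }
}

Get-SvchostProcessReport | Format-Table -AutoSize
Get-SvchostFileReport    | Format-Table -AutoSize
```

A "NOT listed" row is a prompt to run the anti-virus scan described above on that file, not proof of infection.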
Hi Leo
I’ve done what you suggested and it worked perfectly. I haven’t got the 100% cpu usage any more. Thanks a lot for your help
Great article, unfortunately it didn’t help me. All my five SVCHOST.EXE files were in the right directory. But I could just shut down the one process that used 50 % of the CPU. I then got the one minute to shutdown warning. But that was easily avoided by typing shutdown -a in the run window. My computer ran smoother then, but I still experience a bit lag in certain games like Battlefield 2.
I just did a scan for svchost.exe
I not only found it in /system32 and /servicepack/i386 but also in /prefetch
I’m assuming the one in /prefetch is a virus
Not necessarily. Prefetch is a valid place for it to be, but it’s also ok to delete it from there. It’ll probably come back. Prefetch is a performance optimization for loading windows.
Hi Leo. I found a copy of svchost in the directory C:/Windows/System32/wins/SVCHOST.EXE
What i should do??
This svchost file in property windows says:
TCP/IP Trivial file transfer daemon…What is this?
Hi Leo, I have Trend Micro installed and I keep getting a message that the virus TROJ_DLOADR.AD has been found in C:/windows/system32/directx/svchost.exe. The PC-cillin software always quarantines the file but I keep getting the message at various times when I try to connect to the internet. The good news is that the anti virus software seems to be working. The bad news is there is something on the computer that keeps installing a bad copy of svchost.exe in the directx directory. Any ideas on how to identify what is installing this bad copy of svchost?
I solved the problem. Windows Xp Pro SP 1.
In my case is Windows Update. I just turn off Automatic Updates. No more svchost 100% CPU. Now the problem is: I have to do manually updates.
I found a svchost.exe in my programs directory (C:/program/svchost/svchost.exe) which couldn’t be removed since the system was using it somehow. I also saw that I had blocked it with my firewall. When I released the block for a short period of time it immediately began connecting to a computer in Holland. I then blocked it again and searched for registry keys with that path name. It turns out the keys were about the eMando remote control software. After removing the keys I could delete the file. Shortly before this a buddy of mine had his poker accounts robbed for about $6000 and his hard drive erased, which was probably the result of this very file. Thanks to Leo for helping me identify the trojan.
Process Explorer is great. I’ve been looking for an application like this for a long time. I have 5 svchost.exe running and they are all from the legit directory. I’m glad to finally confirm this.
Hi Leo. McAfee Security Center detected a copy of svchost.exe in c:\windows\. It said it was infected by a trojan. It presented me with several options including deleting it or quarantining it. I deleted it immediately, thinking svchost.exe is not important. Then I decided to research the file and found this site. The file is not located in the folders you specified but it is located in c:\windows\. So now I’m not so sure if I did the right thing by deleting it. What do you think?
Thanks!
hi leo,
i really need your help here i had been having this problem for 2 days now, as i’m connecting to the internet by using a modem provided by my broadband provider. my problem are:
1. suddenly an error message appear saying generic host process for win32 had encounter a problem and need to be closed. this happen when i’m surfing the net, it cause me to be disconnected from the net and i have to restart my computer for me to be able to connect again.
2. it happened on a time duration of 30min-2 hours time surfing the net.
3. error signature:
event type:BXE p1:svchost.exe
what i did try:
1. used system restore( didn’t work )
2. scan my computer for viruses( using avast/symantec/spybot and even use fixblast )
i need a solution on solving this problem.
p/s i’m using window XP
thanx for the help
Word 97 and Excel 97 were loading very very slow. I found an additional svchost.exe file in C:\WINNT\SYSTEM32\WINS . After renaming this file everything worked fine. On changing the name back again Word and Excel loaded very very slow again. I scan the file with NAV but no virus was detected. What should I do with this file and do you know what it is and where it came from?
Thanks for your very useful website.
Mike
Plain and to the point about “svchost locations”
This file should ONLY BE IN THE C:\Windows\System32 directory AND in the C:\I386. If you do have more than one in ANY OTHER location, delete it, how can I tell you ask? Well, do a search for “svchost”, when the search results are posted, there should only be a copy in the directories stated above. If there are more than one elsewhere look at the DATE of that svchost file, that’s a true giveaway, IE. the svchost files in the correct locations will have the date of the Original operating system. If there are later dates of the file in other locations is earlier then delete them.
So you’ve covered in what locations svchost can be, what about process users? In the Task Manager, some of the svchost.exe instances list SYSTEM as the User Name, or NETWORK SERVICE or LOCAL SERVICE, which I’m sure is fine, but what if it listed the name of a log-in on that computer (or another computer too, I guess, but that would obviously be very bad :P )
This isn’t happening right now, so I can’t be 100% certain, but I seem to recall seeing such an occurrence in the past. Could this be an easy way to spot a phoney svchost?
Thanks
why are there 7 svchost.exe’s running at the same time but only 1 causes system failure? these 7 things
are 25% of my commit charge. its even worse when gaming! Please help!
macon
You might want to look at this article:
http://ask-leo.com/what_is_svchost_and_why_is_there_more_than_one_copy_running.html
Leo
i have 5 SVCHOST.exe on my list, and one of them is pumping my CPU usage every time i am connected to internet, i tried to disable it but it reappeared every 10-15 secs after i disable. i did a search for it. Its on its original place which on win32 file. The user name for that “fake” SVCHOST.exe was SYSTEM.
Please note C:\Windows\svchost.exe is NOT a place where the file should be. I have had a trojan in that path, with two dozen different methods to start automatically when the computer is booted (like Startup item on start menu and lots of places on the registry). It was a backdoor and it was sending information back to the hacker. I managed to remove it within an hour of getting it (and unplugged network cable during the whole removal process so it didn’t keep sending anything).
Please, I have the same problem as ” Nicolas at April 29, 2007 10:49 AM” but I’m unable to remove it. I really tried everything but I cannot find the source of the infection. Please tell me how to get rid of C:\Windows\svchost.exe (what is definitely not existing, but showing up after every restart)
I have a relatively new computer, with Vista operating system. How is any of your advice about svchost.exe changed for Vista users?
My question is basically the same as Nicholas’s, Ken’s and Kim’s. I require info on how to get rid of the files that shouldn’t be there and how to know which files should be running and which shouldn’t (svchost.exe). So, can you please, help me.
Thanks.
I used PRT Perlovga Removal Tool which I found at this site:
http://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=4
I’m not sure how reliable this site and its program is. I used it to get rid of the temp1.exe and temp2.exe viruses. Apparently it also does help against svchost.exe virus problem.
I now get this at start up:
————————
E:\windows\svchost.exe
————————
Windows cannot find ‘E:\windows\svchost.exe’. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.
————————
and after clicking “okay” I get this:
————————
Desktop
————————
Could not load or run ‘E:\WINDOWS\svchost.exe’ specified in registry.
Make sure the file exists on your computer or remove the reference to
it in the registry.
————————
Well, svchost is now only in E:\windows\system32
I’m guessing I should go into the registry and get out that HKEY to svchost in E:\windows\
right?
Ow..ehm..HOW do I change things in the registry..? (How do I even GET in the registry..?!)
i have a problem with my pc,after entering my password the pc monitor will show a black screen then after some few sec it will then display svchost property.My question is what is this and how do i solve the problem?
My PC was acting very slow, I went to the task manager and many svchost.exe, I researched and found out it is a virus or malware, so deleted all svchost.exe from the registry by mistake, and my lap top is xp professional sp2, I can not connect to the internet, because I noticed that there is nothing in the network communication ( no LAN or Wireless, also no volume control in the lower right corner, and when I try to open norton, it will not allow me to open it, when I open a word document and try to minimize it to the system tray, it disappears. what should I do to restore it back to its previous state?
Cool guys..
There is a problem that was identified by Microsoft.
QUOTE
The Svchost.exe process may spike the CPU usage to 100 percent during update detection or update installation. Also, the Svchost.exe process causes the computer to stop responding for various lengths of time.
If that fits your issue, you may wish to try this hotfix from Microsoft. MS Help and Support(http://support.microsoft.com/?scid=kb%3Ben-us%3B932494&x=11&y=10)
I had the same problem and noticed that wuauclt was also running – Microsoft’s autoupdate.
A little background on svchost
GL…
The true svchost.exe file in Windows/system32 has version number 5.1.2600.2180 and a length of 14,336 bytes.
The bad file in Windows/inf has a version number of 1.0.0.1 and a length of 15,872 bytes. This file has the same name, svchost.exe but cannot be altered or removed and it propagates its spyware relentlessly.
Windows cannot find ‘E:\windows\svchost.exe’. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.
i tried everythin…as you have said(maybe not)
i even tried updating my windows xp and hotfix and those kinda stuff…but the problem reappears everytime i started my windows….i need help terribly….
I have read your article on the svchost.exe and checked my system. I found it in the System32 folder, the ServicePackFiles folder and then also in this folder: C\Windows\Prefetch, is this a virus??
Thank you
I am having a problem i have not seen on the internet at all. scvhost.exe has rooted itself in windows/win32/oobe/scvhost.exe…not only has not one article on the internet show it in that directory but it makes the computer absolutely go berserk. the only way to keep my computer responding is to keep task manager open. if I close it 100’s of svchost open and cause a reboot. i can’t seem to find a way to stop it.
As the article indicates, that’s highly suspicious of a virus, and you need to
run an *up to date* anti-virus scan with a good scanner.
Leo
“Windows cannot find ‘E:\windows\svchost.exe’. Make sure you typed the
name correctly, and then try again. To search for a file, click Start
button, and then click Search.
i tried everythin…as you have said(maybe not)
i even tried updating my windows xp and hotfix and those kinda stuff…but the problem reappears everytime i started my windows….i need help terribly….”
The same thing has happened to me. How do I fix this?
What if it’s located C:\Documents and Settings\BACK UP MY DOCs\SvcHost.exe is this normal?
Thanks Leo, I was having a problem with svchost.exe taking up all of my CPU.
Turned out after using the Process Explorer you recommended that it was the HP printer and software I installed a while ago. A network polling service was hogging all of the CPU through svchost.exe. I turned off the automatic service and fixed the problem.
Andrea
i was threatened w/ this “svchost” cause i saw it in a USB i plugged in the computer. i deleted the thing at my C drive but it keeps on recoming so i stopped all processes having svchost.exe and deleted all svchost files found in my pc. After I read this, im troubled. It looks like I really need the svchost.exe in the folder system32… What shall I do? Thanks for the help.
Hi Leo,
I have BitDefender which tells me I have that my
C:\WINDOWS\system32\=>:svchost.exe is infected with a Trojan.Generic.138368. Bit defender can’t seem to get rid of it, same goes for Norton 360. I thought it was ok to have the svchost.exe. in this location…Any ideas?
Carol
Hello Leo, I have the same Problem with Bitdefender and Trojan.Generic.138368 – like Carol !!
LoloXP
I found a SVCHOST.EXE-2d5fbd18.pf located in C:\windows\Prefetch. Should I delete it? I regularly run an up to date Symantec anti virus scan as well “spyware terminator” and it hasn’t noted this as a virus. Thanks
was having the svchost.exe problem not only taking up 100% of my cpu usage but also popping up all kinds of porn in a non-explorer window not detectable as an application. With the process explorer I found a copy of svchost.exe running from a suspicious directory C:\google.com\svchost.exe lol. Renamed the file. Restarted the computer. Problem solved. Now to delete that little bastard…
Had the same problem as Shack…using 100% of CPU, pop-up porn in non-explorer window and wouldn’t let me delete C:\google.com\svchost.com. Renamed file, restarted computer and deleted file and folder successfully. This killed it off!
Hello Leo,
I just read your comments on Svchost.exe after checking my running processes. I had stopped a couple of processes earlier today as they were not familiar and were .exe files.
On looking through my running system files I have
Svchost.exe running on the following instances at once:
-System
-System
-Local Service
-Local Service
-Network service
-System
-Network service
-System
-System
-Network service
-System
-System
-Local service.
That is a total of 12 instances of it running in my processes at once.
I reinstalled my win xp just 2 weeks ago after I found it crashing and my anti virus Trend micro not responding.
Since reinstall my modem was changed last weekend (Friday Evening) and my username and password were changed in the security system of the wireless modem (I keep wireless broadcasting off and use a lead to plug the modem into the PC)
Since I noticed it cannot run a full system scan and last time stayed at 99% complete after 46 hours.
It seems like a lot of Svchost.exe files/processes to be running. Is there any way I can be sure of which ones to end or delete?
With many thanks.
Leslie
As I can see here, many ppl still have problems with creepy svchost named viruses…
Well, there are really 4 places, where svchost can be stored, that is ok. But as said in the article above, only the one in System32 folder should be running.
So good way to discover svchost.exe viruses is to obtain list of actually running processes called svchost.exe and then read the path (if it is other than System32, it is a virus).
It is quite a creepy process on Windows platform, so I am going to code auto-removal utility for this purpose. I will send the link to the final product later :).
When I open the task manager I see
SVCHOST.EXE System
SVCHOST.EXE Network Service
SVCHOST.EXE System————> 22,260 KB!!
SVCHOST.EXE Network Service
SVCHOST.EXE Local Service
SVCHOST.EXE Local Service
SVCHOST.EXE System
Do you think my computer is ok?
my svchost.exe is running on 50CPU, and Bitdefender tells me it’s infected by trojan virus. Bitdefender deletes it, but it seems to keep coming back. Also I’m having problems with Generic Malware virus, and Rootkit, Bitdefender seems to be powerless. I NEED A WAY TO REMOVE THESE PLEASE HELP
14-Dec-2009
C:\windows\system32
I have svchost.exe.hdmp file located on my C:\Documents and Settings\local\Temp|WERa04e.dir00 folder. based on what I’ve read, this is probably a virus and should be removed? It has disabled my antivirus software. darrel
09-Jan-2010
Even if your svchost.exe is located in C:\Windows\System32 it could host and run a virus .dll! Study the Conficker worm which just adds a Registry entry, and svchost loads this worm on the next Windows startup. I suggest the free Svchost Analyzer http://www.neuber.com/free/svchost-analyzer/ to verify all the .dll’s started from svchost.exe
Hi. I have the svchost.exe only in the places you mentioned above. But, in Task Manager it says there are 9 running. It says some are running by SYSTEM and others running by LOCAL SERVICE, and you only mentioned 4. If there was more svchost.exes in other places, how could I find them? Or do you know if I have a virus?
12-Mar-2010
i have an svchost.exe in c:\documents and settings\my name\application data\microsoft
i delete it and it keeps coming back.
i scan it for viruses but nothing shows up.
i started to notice it when it started requesting access to the internet. i block it every time.
this directory also contains a .bat file which can delete all svchost.exe files in this directory.
After reading this article, I typed “svchost.exe” into my Windows XP search mechanism. In addition to the four places mentioned in your article, I also found one in a folder entitled C:\WINDOWS\ERDNT\cache. I don’t know if this means anything or not, but both of my virus checking programs (Avast and Malwarebytes) did not identify it as a problem.
I just reinstall Win7 Home Prem. from a Gateway hidden partition ( 3rd time ). It is not connected to the internet yet as I had other problems. I un-hid everything and I have 2 different size Svchost.exe. one 26.5k in \windows\system32 and one 20k in \windows
Malware bytes earlier complained about the windows one. Had it remove it and computer was funny. Any thoughts? Just downloaded the analyzer and will run that. I’m wondering if the reload from DVDs and then the hidden partition have done the same thing.