Svchost.exe is a generic host process name for services that are run from
dynamic-link libraries (DLLs). The Svchost.exe file is located in the
%SystemRoot%\System32 folder. At startup, Svchost.exe checks the services
portion of the registry to construct a list of services that it needs to
load. There can be multiple instances of Svchost.exe running at the same
time. Each Svchost.exe session can contain a grouping of services, so that
separate services can be run depending on how and where Svchost.exe is
started. This allows for better control and debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is
displayed as a separate instance when you are viewing active processes. Each
value is a REG_MULTI_SZ value and contains the services that run under that
Svchost group. Each Svchost group can contain one or more service_names
extracted from the following registry key, whose Parameters key contains a
ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
MORE INFORMATION
To view the list of services that are running in Svchost:
1.. From the Windows 2000 installation CD's Support\Tools folder, Extract
the Tlist.exe utility from the Support.cab file.
2.. On the Start menu, click Run, and then type cmd.
3.. Change folder to the location from which you extracted the Tlist.exe
utility.
4.. Type tlist -s.
Tlist.exe displays a list of active processes. The -s switch shows the list
of active services in each process. For more information about the process,
type tlist pid.
The following sample Tlist output shows two instances of Svchost.exe
running:
0 System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs:
AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstati
on,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
220 lsass.exe Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe
The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto
Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
rpcss :Reg_Multi_SZ: RpcSs
