Tip: Tracking Down That Wily Svchost Process

28 Aug 2007

Sometimes the computer seems pretty slow. You fire up Task Manager and a quick glance shows the CPU running at 100%! Flip to the Processes tab, click the CPU column heading (to sort) and see that svchost.exe is using all the cycles.

Traditionally, that’s when I’d say, “oh crap.” You see, you can have a lot of svchost.exe processes running at one time, each hosting a different group of services, so the process name alone tells you nothing about which service is actually burning the CPU. Now what?

Here are two options to figure out what’s really going on:

  1. tasklist /svc
    Bring up a command prompt, type tasklist /svc and hit enter. Enjoy the resulting list, but look closely at the svchost.exe entries. The right column lists the services running “under the umbrella” of each svchost.exe instance. Match the PID column against Task Manager (View > Select Columns > PID, since it isn’t shown by default) and you know exactly which instance is the hot one.

    Here’s an example of three from one of my home machines; see how different each one is?
    [Screenshot: tasklist /svc output showing three svchost.exe entries, each hosting a different set of services]

  2. Process Explorer
    Sysinternals is where you go for the handy Windows utilities, and Process Explorer is no exception. This utility is everything Task Manager could have been if Microsoft didn’t mind overwhelming 50% of the population. Hover over an svchost.exe entry, or open its Properties and look at the Services tab, and it tells you which services that instance is hosting.

    Here’s another example from one of my machines. The popup is the detail for that particular svchost.exe:
    [Screenshot: Process Explorer with the properties popup for one svchost.exe instance]

Just what is this crazy svchost.exe thingy anyways?

Our friends at Microsoft have a useful article on the topic, KB314056:

At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

That’s actually an interesting article if you’re a Windows person; some more tasklist command-line arguments are mentioned there too.
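As an added example that is not part of the original post, here is a PowerShell script that does the tasklist /svc mapping from option 1 in one pass and also pulls in the “-k” service group the KB article describes, each instance’s CPU time and image path, and the ServiceDll each hosted service loads. It is my code, not Microsoft’s or the post author’s; it assumes Windows Vista or later with PowerShell 3+ (for Get-CimInstance) and an elevated prompt so the command line and path of SYSTEM-owned processes can be read. The names $systemSvchost, $servicesByPid, $report and Get-HostedServiceDll are chosen here and are not built in.

```powershell
# Added example, not code from the original post. Maps each running svchost.exe
# to the services it hosts, its "-k" service group, its CPU time and its image path,
# and lists the ServiceDll each hosted service loads. Assumes Windows Vista or later
# with PowerShell 3+ (Get-CimInstance) and an elevated prompt, so the command line
# and path of SYSTEM-owned processes are readable. $systemSvchost, $servicesByPid,
# $report and Get-HostedServiceDll are names chosen here, not anything built in.

$systemSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Win32_Service exposes the PID each running service lives in; stopped services report 0.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Win32_Process exposes the command line, which carries the "-k <group>" argument
# selecting which group from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
# this instance is hosting.
$svchosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

function Get-HostedServiceDll {
    # Services hosted by svchost.exe are DLLs named in the service's Parameters key.
    param([string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
}

$report = foreach ($p in $svchosts) {
    $key    = [string]$p.ProcessId
    $hosted = if ($servicesByPid.ContainsKey($key)) { @($servicesByPid[$key]) } else { @() }
    $group  = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }
    $live   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    $cpu    = if ($live -and $null -ne $live.CPU) { [math]::Round($live.CPU, 1) } else { $null }

    [pscustomobject]@{
        PID        = $p.ProcessId
        CPUSeconds = $cpu
        Group      = $group
        Services   = ($hosted | ForEach-Object { $_.Name }) -join ', '
        Path       = $p.ExecutablePath
        # A "svchost.exe" outside System32, or one hosting no service at all, is worth a look.
        Suspicious = ($p.ExecutablePath -ne $systemSvchost) -or ($hosted.Count -eq 0)
    }
}

# Hottest instance first, like sorting Task Manager by the CPU column.
$report | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize -Wrap

# For the top instance, show which DLL each hosted service actually loads; that DLL,
# not svchost.exe itself, is what is really consuming the cycles.
$top = $report | Sort-Object CPUSeconds -Descending | Select-Object -First 1
if ($top -and $servicesByPid.ContainsKey([string]$top.PID)) {
    "`nServices hosted by PID $($top.PID) (group $($top.Group)):"
    foreach ($svc in @($servicesByPid[[string]$top.PID])) {
        "  {0,-20} {1}" -f $svc.Name, (Get-HostedServiceDll $svc.Name)
    }
}
```

The one-liner equivalent of the first table is tasklist /svc /fi "imagename eq svchost.exe". The Suspicious flag catches the crude case (a fake svchost.exe running from somewhere other than System32, or an instance hosting nothing), but the more common pattern is a genuine svchost.exe loading an unwanted service DLL, which is why the last part prints the ServiceDll path for each hosted service: that path, not svchost.exe, is the file to investigate. Run it non-elevated and Path and CommandLine come back empty for SYSTEM processes, so every instance would be flagged; that is a permissions artefact, not a finding.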

4 replies
  1. Michael says:

    I got hit by the mljjh.dll adware last week, but it was hard to detect since it was running behind an rundll.exe process. The malware was constantly accessing the disk, so I knew something was wrong.

    Using FileMon, I looked at what was making all the disk pings (rundll.exe), and then using Process Explorer, I identified the file behind the operation (mljjh.dll). Only problem was that ending rundll.exe wouldn’t help; it would just relaunch itself.

    Since I run as an LPU (least privileged user), I was able to switch to an admin user, and delete the DLL from there (since it wasn’t running on that user).

  2. Chris says:

    Great tale, Michael! And a good example of where running as LPU can be so very helpful — and how much Sysinternals tools rock. :-)

  3. Sephyroth says:

    I’m using XP SP2, and tried to do that tasklist /svc command, but all I got was that ‘tasklist’ is not recognized as a command or program, etc.

    Is this a separately downloaded program, or is it something built into another version of Windows?

    Sephyroth

  4. Chris says:

    @Sephyroth – It’s built in with WinXP & up. I just tried it again on a couple of XP SP2 machines and they all ran it just fine.

    On my machine, tasklist.exe is located in c:\windows\system32. Dated 8/4/2004 and is 71KB.

    My win2k machine gave the same error you mention though.
