
How to identify what's really running as SVCHOST.EXE on XP+

So, you're still using Windows XP and not the new Task Manager running in Vista, which displays Services with meaningful names...

Instead you're looking at something like this in the Process tab of the Windows Task Manager:

You're wondering, like I often have: "What is this SVCHOST.EXE and why is it [fill in the blank]?"

FYI: SVCHOST.EXE is a generic computer application that runs "background" computer processes, known as services. If that doesn't make any sense, just think of it as an application that helps make your computer run. Services don't directly have user interfaces -- they just run in the background, normally quiet and hopefully out of the way, but performing often critical functions that keep your computer running -- things like making your Internet connection work.

I've had plenty of occasions where a "SVCHOST.EXE" is using far too much CPU, causing my machine to slow to a crawl. Clearly a problem. But, how do I know which service is causing the problem? Elementary! (And no, you don't need to download any additional tools -- these should be available on your XP+ machine already).

Go to a Command Prompt and type:

TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE"

The output looks like this:

Here's how to read it -- for each SVCHOST.EXE that is running on your machine, the PID (or process ID) is listed along with the named services running under that process. On my machine, you'll see a number of services are actually all running under the same process. Process ID 364, I see using the Task Manager, is currently utilizing 82 threads, which explains how all of those services are actually running under the same process (and interestingly enough, it's also consuming 91MB of RAM right now).

If there's a particular SVCHOST process you're interested in, you can extend the command line easily:

TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE" /FI "PID EQ ###"

Where the highlighted ### represents the process ID (PID) you specifically want. In the case above, I might have done this:

TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE" /FI "PID EQ 364"

to see what services were running within the SVCHOST instance that is consuming so much memory and so many threads.

To do a final match-up of the somewhat cryptic service name to something more meaningful, you'll need to go to the service browser in Windows. An easy way to get there when running XP is to click the Start menu, right-click on "My Computer", and select "Manage". This opens the "Computer Management" application. On the left side you'll see a variety of locations, but in this case, you'll need the last one, "Services and Applications".

Expand that (use the +), and click on the first item, "Services".

Now comes the tricky part. You'll need to use some intuition and logic to try to match the human readable name of the service with Windows' name of the service. For example, one of the named services in the list on my computer was PID 700, BthServ. I looked through the lists of names and the most likely service was "Bluetooth Support Service." I double clicked on the entry which shows the properties for that service:

Ah ha! In this case, the "Service Name" exactly matches what I was looking for: BthServ. For further confirmation, you should double check the "Path to Executable" if you want to be more certain you've found the right service. What you want to see there is that the executable that is being run is "svchost.exe". In this case, it is. So, PID 700 is the Bluetooth Support Service. (And oddly, I don't know why I have any Bluetooth support on my PC running!).
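The same match-up can be scripted instead of done by eye in the Services browser. The following is an added example, not part of the original post: it assumes Windows PowerShell is installed (an add-on for XP, included in later Windows versions), and the script file name and the `TargetPid` parameter are hypothetical.

```powershell
# Added example: list the services hosted by each svchost.exe, with the
# friendly name and "Path to Executable" that the Services browser shows.
# Hypothetical usage:  .\Get-SvchostServices.ps1 -TargetPid 364
param(
    [int]$TargetPid = 0   # 0 = report every svchost.exe instance
)

# PIDs of every running svchost.exe, the same set that
# TASKLIST /FI "IMAGENAME EQ SVCHOST.EXE" selects.
$hostPids = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object { [int]$_.ProcessId })

if ($TargetPid -ne 0) {
    if ($hostPids -notcontains $TargetPid) {
        Write-Warning "PID $TargetPid is not a running svchost.exe"
        return
    }
    $hostPids = @($TargetPid)
}

# Win32_Service carries the short service name (Name), the human-readable
# name (DisplayName), the configured command line (PathName) and the PID
# of the process currently hosting the service (ProcessId).
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $hostPids -contains [int]$_.ProcessId } |
    Sort-Object ProcessId, Name |
    Select-Object ProcessId, Name, DisplayName, PathName,
        @{ Name = 'RunsSvchost'
           # The confirmation step from the text: the configured executable
           # should be svchost.exe (-match is case-insensitive).
           Expression = { $_.PathName -match '\\svchost\.exe(\s|"|$)' } } |
    Format-Table -AutoSize -Wrap
```

The PathName column shows the full path, so a service reporting a svchost.exe outside the Windows system directory stands out when reading the table.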

There are plenty of good sites that explain better what each service does and why you should be ABSOLUTELY careful about what you do with starting/stopping/etc services. But hopefully you now can at least more easily locate which services are masquerading as SVCHOST.EXE ....

Oh -- and if you want to just quickly list all of the running services on your machine, regardless of whether they are running in SVCHOST.EXE, just type this:

TASKLIST /SVC

This will show all of the services without filtering them (the /FI command line switch does the filtering). If there's an N/A in the column, it's not a service (and I can't get a filter to work that removes the N/A entries...?). If you want to know more about how the services are grouped under various SVCHOST.EXE instances, go here.
