Getting Started with SVCHOST.EXE Troubleshooting


Troubleshooting issues with the SVCHOST.EXE process can be a very frustrating experience for server administrators.  Whether the issue manifests as High CPU or the SVCHOST.EXE process crashing, there are some challenges that make the troubleshooting process a little more tricky.  So before we dive into the troubleshooting, let's talk about what exactly the SVCHOST.EXE process does.  SVCHOST.EXE is a generic host process for services.  When you look at the list of running processes in Task Manager, you may see a number of different SVCHOST.EXE processes (as shown below).  Each of these processes hosts a group of services.

When the system starts up, SVCHOST.EXE checks the registry to determine which services it should load.  The specific registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.  A sample is shown below:

Although this gives us useful information regarding which account a particular SVCHOST.EXE is running under, it doesn't necessarily help us with troubleshooting an issue where one instance of SVCHOST.EXE is utilizing a lot of CPU. You may remember an issue several months ago where Windows machines would become unresponsive when scanning for Windows Updates, or an SVCHOST.EXE process would crash when scanning for updates.  An issue like that typifies the problems with SVCHOST.EXE troubleshooting.  So, if we were to run into another problem with SVCHOST.EXE, how would we go about troubleshooting it?

The first thing to do is understand which services are mapped to which instance of SVCHOST.EXE.  Using the TASKLIST.EXE utility we can determine which services belong to which instance.  The command syntax is: tasklist /SVC /FI "IMAGENAME eq svchost.exe" - the output from this command is below:

Now we have some useful information that we can use to isolate and troubleshoot.  Using the information in this output along with the view in Task Manager, we would be able to identify which specific instance of SVCHOST.EXE was consuming the CPU by using the Process Identifier (PID).  If you don't have the PID column visible in Task Manager, you can add it by selecting View ... Select Columns and then checking the box for PID.  Also ensure that you select the CPU column so you can sort by that to figure out which instance is the culprit.  In some cases, simply knowing which processes reside within the culprit instance may be enough - because you can identify what tasks are running on the machine at that time - such as scanning / installing updates at a specific time via WSUS.  However, where the problem is not quite so easily identifiable, or the SVCHOST.EXE process itself is crashing, it helps to be able to isolate the services to allow more granular troubleshooting.
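The mapping that tasklist /SVC gives, as an added PowerShell example (written for this page, not code from the original post): it pairs every svchost.exe instance with the services it hosts, its -k group, owner account and CPU time, so the busy instance can be read off one table instead of cross-referencing Task Manager. Assumptions: Windows with PowerShell 3.0 or later (Get-CimInstance), run from an elevated session so the owner and command line of every instance are visible; the function name Get-SvchostServiceMap is mine.

```powershell
# Added example (not part of the original post). Maps each svchost.exe instance
# to the services it hosts, its -k group, owner account and CPU time.
# Assumes Windows with PowerShell 3.0 or later (Get-CimInstance); run elevated
# so the owner and command line of every instance are visible.

function Get-SvchostServiceMap {
    [CmdletBinding()]
    param(
        # Report only instances with at least this much CPU time in seconds (0 = all).
        [double]$MinCpuSeconds = 0
    )

    # Win32_Service carries the PID of the process currently hosting each service.
    $hostedByPid = Get-CimInstance -ClassName Win32_Service -Filter 'ProcessId != 0' |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'") {
        # Kernel and user times are reported in 100-nanosecond units.
        $cpuSeconds = [math]::Round(($proc.KernelModeTime + $proc.UserModeTime) / 1e7, 2)
        if ($cpuSeconds -lt $MinCpuSeconds) { continue }

        # The service group is the argument that follows -k on the command line.
        $group = if ($proc.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }

        $pidKey = [string]$proc.ProcessId
        $services = if ($hostedByPid.ContainsKey($pidKey)) {
            ($hostedByPid[$pidKey] | Select-Object -ExpandProperty Name | Sort-Object) -join ', '
        } else { '' }

        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner

        [pscustomobject]@{
            PID        = $proc.ProcessId
            Group      = $group
            Account    = "$($owner.Domain)\$($owner.User)"
            CpuSeconds = $cpuSeconds
            Services   = $services
            # A genuine service host runs from %systemroot%\system32 (or SysWOW64)
            # and hosts at least one service; anything else deserves a closer look.
            Path       = $proc.ExecutablePath
        }
    }
}

# Busiest instance first, the way you would sort the CPU column in Task Manager.
Get-SvchostServiceMap | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize -Wrap
```

The Path and Services columns are there as a sanity check: an svchost.exe outside the system directory, or one that hosts no service at all, is not a service host and should be investigated before any of the isolation steps are applied to it.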

To isolate these services, there are two different approaches with very subtle differences.  The first method is to create an isolated process that runs within the same SVCHOST group as it did before, just not in a shared process.  The second method is to create a completely separate SVCHOST group.  Since we've been using Windows Updates as our example, let's continue on with that.

Method 1: Creating an Isolated Process

What this method really does is modify one of the registry parameters for the service in question from a shared process to an isolated process.  The command syntax is fairly straightforward and uses the sc config command set: sc config <service name> type= own.  So for Windows Updates (wuauserv), the command would be: sc config wuauserv type= own.  Note that there is a space between the '=' and 'own' - you must insert that space.  Behind the scenes, what happens is that the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type registry value is changed from 0x20 (which denotes a shared process) to 0x10 (indicating it has its own process).  You can read more about these particular values on the MSDN Article about SERVICE_STATUS_PROCESS Structure.  In order to complete the change, you need to stop and restart the service.  To change this service back to being a shared service, run the following command: sc config wuauserv type= share.  For this change to complete, the machine itself needs to be rebooted.  No other parameters are being modified with respect to this service, however when you change the type to isolated, restart the service and then run the tasklist command to get the list of services, you will notice that there is an SVCHOST.EXE process that only contains the Windows Update service.

Method 2: Creating an isolated Service Group

This method is a bit more involved and requires editing the registry directly.  Please remember to back up the registry before making any changes!  The process is below:

  1. Create a new REG_MULTI_SZ value named WindowsUpdates in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key.
  2. Add the name of the service (in this case wuauserv) to the value.  You also need to remove wuauserv from the list in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\Netsvcs value to prevent conflicts.
  3. Now navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv key and change the ImagePath value from %systemroot%\system32\svchost.exe -k netsvcs to: %systemroot%\system32\svchost.exe -k WindowsUpdates
  4. Restart the Automatic Updates service and you should now see a new instance of SVCHOST.EXE that only contains the Automatic Updates service.
  5. This method can be repeated to isolate multiple services into their own groups.
  6. To revert back to the original configurations, reverse the steps above and restart the machine.  Use the backup of the registry to ensure that you get the right services back into the proper groups.
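Both isolation methods (Method 1, sc config type= own, and Method 2, steps 1 to 4 above) in one added PowerShell script; this is example code written for this page, not code from the original post. Assumptions: an elevated PowerShell 3.0 or later session on Windows; the service (wuauserv by default) currently belongs to the netsvcs group; the group name WindowsUpdates is the one used above; the three function names are mine. Backup-SvchostConfig exports the two affected keys with reg.exe before anything is changed, Set-ServiceProcessType is Method 1 and verifies the result against the 0x10 / 0x20 Type bits the post describes, and Move-ServiceToOwnGroup is Method 2.

```powershell
# Added example (not part of the original post): the two isolation methods as
# functions, with a registry backup taken first. Assumes an elevated PowerShell
# 3.0+ session; service and group names are the ones used in the post.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Backup-SvchostConfig {
    param([string]$Service = 'wuauserv', [string]$Folder = "$env:TEMP\svchost-backup")
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    # reg.exe wants the HKLM\... spelling, not the PowerShell drive path.
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' "$Folder\svchost-$stamp.reg" /y | Out-Null
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Service" "$Folder\$Service-$stamp.reg" /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE)" }
    Get-ChildItem -Path $Folder -Filter "*$stamp.reg"
}

# Method 1: switch the service between a shared (0x20) and its own (0x10) process.
function Set-ServiceProcessType {
    param([string]$Service = 'wuauserv', [ValidateSet('own', 'share')][string]$Type = 'own')
    $before = (Get-ItemProperty -Path "$ServicesKey\$Service" -Name Type).Type
    # 'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly;
    # 'type=' and the value must be separate arguments (the space sc.exe requires).
    & sc.exe config $Service type= $Type | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed ($LASTEXITCODE)" }
    $after = (Get-ItemProperty -Path "$ServicesKey\$Service" -Name Type).Type
    [pscustomobject]@{
        Service      = $Service
        TypeBefore   = '0x{0:x}' -f $before
        TypeAfter    = '0x{0:x}' -f $after
        # Mask off flag bits such as 0x100 (interactive) before testing own vs. shared.
        IsOwnProcess = (($after -band 0x30) -eq 0x10)
    }
}

# Method 2: give the service its own svchost group (steps 1 to 4 of the post).
function Move-ServiceToOwnGroup {
    param([string]$Service = 'wuauserv', [string]$Group = 'WindowsUpdates', [string]$OldGroup = 'netsvcs')
    # Step 1: new REG_MULTI_SZ group value listing only this service.
    New-ItemProperty -Path $SvchostKey -Name $Group -PropertyType MultiString -Value ([string[]]@($Service)) -Force | Out-Null
    # Step 2: drop it from the old group so the service is not claimed twice.
    $remaining = [string[]]((Get-ItemProperty -Path $SvchostKey -Name $OldGroup).$OldGroup | Where-Object { $_ -ne $Service })
    Set-ItemProperty -Path $SvchostKey -Name $OldGroup -Value $remaining -Type MultiString
    # Step 3: rewrite '-k netsvcs' as '-k WindowsUpdates' in ImagePath, reading the raw
    # REG_EXPAND_SZ so %systemroot% is written back literally instead of expanded.
    $svcKey  = Get-Item -Path "$ServicesKey\$Service"
    $oldPath = $svcKey.GetValue('ImagePath', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($oldPath -notmatch "-k\s+$OldGroup\b") { throw "ImagePath does not reference group '$OldGroup': $oldPath" }
    $newPath = $oldPath -replace "-k\s+$OldGroup\b", "-k $Group"
    Set-ItemProperty -Path "$ServicesKey\$Service" -Name ImagePath -Value $newPath -Type ExpandString
    # Step 4: restart and report the PID of the new, single-service instance.
    Restart-Service -Name $Service
    Get-CimInstance -ClassName Win32_Service -Filter "Name = '$Service'" | Select-Object Name, ProcessId
}

Backup-SvchostConfig
# Pick ONE of the two methods for a given service.
Set-ServiceProcessType -Service wuauserv -Type own; Restart-Service -Name wuauserv   # Method 1
# Move-ServiceToOwnGroup -Service wuauserv                                           # Method 2
```

Two caveats a practitioner will want. First, Type can carry flag bits on top of the 0x10 / 0x20 value (0x100 marks an interactive service), which is why the Method 1 check masks with 0x30 rather than comparing the whole value. Second, on Windows 10 version 1703 and later with more than 3.5 GB of RAM the service host grouping is already disabled and most services run in their own svchost.exe, so Method 1 may report the service as already isolated. The renamed-copy refinement described further down is deliberately not automated here: a service host binary with a non-standard name or path is exactly what the look-alike names mentioned in the comments look like to anyone inspecting the machine, so if you use it, record it where the next administrator will find it and revert it once the crash has been captured.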

An additional refinement to this method would be to create copies of SVCHOST.EXE that are appropriately named for the isolated service - for example copy %systemroot%\system32\svchost.exe to a new file named %systemroot%\system32\svchost_wuauserv.exe.  Remember that you will need to make the appropriate modifications to the ImagePath value in the registry that reflect the name of the executable file.  By customizing the executable, you can use tools such as the Debug Diagnostic Toolkit that we covered in an earlier post to monitor specific services for crashing.  You can also quickly tell which services are misbehaving in Task Manager as well as getting the name of the failing executable logged in the Event Viewer in the event of that service crashing.

And that brings us to the end of this post.  As always be extremely careful when editing the registry directly.  Until next time ...

Additional Resources:

- CC Hameed

  • PingBack from http://geeklectures.info/2008/01/11/getting-started-with-svchostexe-troubleshooting/

  • If those services are all smashed in a shared process by default, what would be the IMPLICATIONS in isolating them in its own process? If would not have some obscure dependency aspects (e.g. shared memory for data exchange among some of them, semaphores or locks being made easier once in a shared process)... would not they "by default" have its own process? Before 'isolating' a service I would ask to the team who programmed it WHY they decided to leave that code in that particular shared process/group. BTW, I HATE my wuau - it periodically lenghts computers and their 'cousin' services in their shared svchost. I really have ANY idea what wuau have to do with bits or helpsvc, to be in the same process...

  • today, all of us need to be aware of those viruses which will have the names like svchost.exe, svvhost.exe, scvhost.exe and many more which run on administrator/user. If it is a rootkit, then even tough the situation is, we need to get rid of svchost virus (http://miraclesdooccur.blogspot.com/2007/10/getting-rid-of-svchost-virus.html). Better be careful than suffer after getting affected.

  • Marcelo,

    Larry Osterman,http://blogs.msdn.com/larryosterman, has some posts about services which share an instance of SvcHost that might be of interest to you:

    http://blogs.msdn.com/larryosterman/archive/2005/09/09/463018.aspx

    http://blogs.msdn.com/larryosterman/archive/2005/09/12/464077.aspx

  • great post!!

    process explorer is also good at peeking whats inside svchost's

  • First. This is just more like a preamble to troubleshooting. For example, if you looked at the screen capture and found out that the PID ID #1016 was sucking up 100% of CPU time, how would you know which service is causing the problem.

    Second. for every SVCHOST.EXE running, it's chewing up memory but I suspect it's small compared to what the actual services running. that said, from the screen capture, would there be any harm combining two or more (such as 2132 and 2192 PIDs).

  • sc config was THE command I was looking for, THANKS

  • my laptop has been crashing for a while, and i ask my friend why this was happening and he said that this svchost.exe has been hogging my memory, its using about 2 times as much memory than that of my firefox.exe, the only problem is that i have no idea how to fix it, if anyone could help me that'd be great.

    my e-mail is meluckycoin@aol.com if you want to e-mail, or just post back.

    thanks a bunch,

    jon

  • This is all well and good, but I opened the command prompt and input [tasklist /SVC /FI "IMAGENAME eq svchost.exe"] the system said tasklist is not recognized as an internal or external command.  Now what do I do?

  • Fantastic information!  Thanks!

    I've isolated the wuauserv process and even though it still wants to take 25% of my quad system, I now have the ability to lower priority or change affinity w/o affecting the other critical services in the netsvcs group.

    It makes no sense to me why they would group these things.  Seems to me like it defeats the whole purpose behind a multi-threaded OS.

    Of course, I also can't figure why this particular process should need to consume such resources.

    Thanks again,

    William

  • I've had incredible issue with an svchost utiliziing half my duo core 2 cpu and it's a pain in the ass!!!   I can't wait to get home to utilize the sc config command to hopefully see this bizarre behavior "go away"  - no viruses or spyware/malware and this process seemingly out of nowhere (obviously came from an update or something I can't remember) is driving me nuts... THANK YOU for light at the end of the tunnel... this is neat stuff that may save my sanity :)

  • You guys are GREAT!

    Thank you so much.........

  • It doesn't make the problem "go away" but it does let you isolate it.  Windows Update is being a pain for me as well.

  • svc host.exe-application error

    the instruction at '0*c00000fd' refference memory at location "0*5b878abg" the memory could not be read.

    whenever i am on net my pc hangs wid this error...wat to do

  • I have the problem of a winlogon screen popup

         Svchost:

    The instruction at "0x7c91b21a" referenced memory at "0x00000010". The memory could not be "written".

    I am running XP Pro +SP3.

    Prior to this some months back I accidentally deleted the \Service key in the registry under

           HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

    I discovered this problem when following similar Microsoft documentation (previously Q314056) on SvcHost.  This document seems to have more detail.  The info about using tasklist /FI "IMAGENAME eq SVCHOST.EXE" /FI "PID eq <PID NUMBER>" wasn't in the document I had.

    Also I am wondering why under HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost there are no REG_MULTI_SZ entries with the services listed

    keys are:

       DcomLauncher
       dot3svc
       eapsvcs
       HTTPFilter
       LocalServices
       netsvcvs
       PCHealth
       termsvcs

    most have only one or two DWORD values such as

       AuthenticationCapabilities
       CoInitialistionAccess (??? noted at 1:25am)

    Are the REG_MULTI_SZ entries necessary for these keys?

    Can the deleted Service key values be re-instituted?

    If so how?

    Do the PID groups e.g

          PID     Services
         1112     6to4, AppMgmt, AudioSrv, Browser, Cryptsvc, Dhcp, dmserver, EventSystem,
                  FastUserSwitchingCompatibility, helpsvc, HIDServ, hkmsvc, lanmanserver,
                  lanmahworkstation, Messenger, Netman, Nla, Rasauto, RasMan, Schedule,
                  seclogon, SENS, SharedAccess, ShellHxDetedtion, srservice, TapiSrv, Themes,
                  TrkWks, XuTuneUp, winmgmt, Wmi, xmlprov

    require a key under HKLM\...\Services\Service to run properly?

    Jepethiel