What is SVCHOST?

If you use Task Manager then I am sure you must have noticed multiple instances of a process called SVCHOST. So, what is it and why do I see multiple instances?


Definition: SVCHOST is a generic process which acts as a host for services that are implemented in DLLs rather than EXEs. At startup SVCHOST checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them. There can be many instances of SVCHOST running, as there will be one instance of SVCHOST for every DLL-based service or grouping of services.

SVCHOST is not a service, because you cannot stop SVCHOST through NET STOP, Services.msc or the SCM. As per my understanding I would say that SVCHOST is a container which runs many services under its hood. This is the reason why you do not see a separate process running for bits, helpsvc etc. There are many services which run under SVCHOST. If you open a command prompt and type TASKLIST /SVC, you can see which services each SVCHOST instance is hosting:


If most of these services were run independently, we would end up giving each one 2 GB of Virtual Address (VA) space which it would never use. So instead of giving each of these services a dedicated VA space that it would never fill, as each would have only 3-4 threads running at any given point in time, they are clubbed together under one single process. This is NOT the ONLY reason; there are several other important reasons as well, like dependencies on the process boundary. SVCHOST makes use of "service grouping": an SVCHOST instance is started for a group and told which services it needs to load, and each service's code comes from the DLL specified in its "ServiceDll" registry value. In a nutshell, SVCHOST runs DLL-based services under its hood. You can confirm this by picking any of these services, let's say BITS.

Open Regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters. You can see that Qmgr.dll is the service DLL for BITS.


How is this implemented?

For this we have to go back to the registry. Let's go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost


There are different groups like LocalService, netsvcs, NetworkService etc. BITS runs under netsvcs, which you can confirm by checking the ImagePath value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS.


Let's double-click netsvcs:


When BITS is started, the ServiceDll value and the group in which the service is implemented (netsvcs in our case) are both checked. If either of these two parameters is missing or incorrect, the service refuses to start with errors like:

The system cannot find the file specified. (Missing ServiceDll Key)

Or

The executable program that this service is configured to run in does not implement the service. (Missing entry in related group)
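The same three registry checks the post walks through by hand (ImagePath with its -k group, ServiceDll under Parameters, and membership in the group's list under the SvcHost key) can be scripted for troubleshooting. This is an added example, not code from the original post; it assumes it is run in an elevated PowerShell session on Windows, the function and parameter names are hypothetical, and the fallback look-up of ServiceDll directly under the service key (rather than Parameters) is an assumption beyond what the post describes.

```powershell
# Added example: audit one svchost-hosted service against the registry
# locations the post describes. Assumes an elevated PowerShell on Windows.
function Test-SvcHostService {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $grpKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
    $result = [ordered]@{ Service = $ServiceName; Group = $null; ServiceDll = $null; Findings = @() }

    if (-not (Test-Path $svcKey)) {
        $result.Findings += "service key not found"
        return [pscustomobject]$result
    }

    # 1. ImagePath must point at svchost.exe and name a group with -k (BITS: -k netsvcs)
    $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -notmatch '(?i)\\svchost\.exe') {
        $result.Findings += "ImagePath is not svchost.exe: $imagePath"
        return [pscustomobject]$result
    }
    if ($imagePath -match '-k\s+"?([^\s"]+)') { $result.Group = $Matches[1] }
    else { $result.Findings += "no -k <group> argument in ImagePath" }

    # 2. ServiceDll: the post shows it under <service>\Parameters (Qmgr.dll for BITS)
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    # Assumption (not from the post): some services keep ServiceDll on the service key itself
    if (-not $dll) { $dll = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ServiceDll }
    if (-not $dll) {
        $result.Findings += "ServiceDll missing ('The system cannot find the file specified')"
    } else {
        $result.ServiceDll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $result.ServiceDll)) { $result.Findings += "ServiceDll not on disk: $($result.ServiceDll)" }
    }

    # 3. The service name must appear in the group's REG_MULTI_SZ value under the SvcHost key
    if ($result.Group) {
        $members = (Get-ItemProperty -Path $grpKey -ErrorAction SilentlyContinue).($result.Group)
        if (-not $members) { $result.Findings += "group '$($result.Group)' not defined under SvcHost key" }
        elseif ($members -notcontains $ServiceName) {
            $result.Findings += "not listed in group '$($result.Group)' ('does not implement the service')"
        }
    }
    if ($result.Findings.Count -eq 0) { $result.Findings += "OK" }
    [pscustomobject]$result
}

Test-SvcHostService -ServiceName BITS
```

A ServiceDll that is missing from disk, or an ImagePath that is not the real svchost.exe, is worth a closer look during troubleshooting, since both are the conditions behind the two start errors above.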

NOTE: It is possible to separate the services in SVCHOST and have them run independently, but I would never recommend this as you may run into several issues. I, being a part of PSS, do it at times, but for troubleshooting/debugging purposes only.