Applies to:
Windows 7
Windows Server 2008 R2
Windows Vista
Windows Server 2008
Windows XP
Windows Server 2003
Windows 2000
Windows 2000 Server
How to troubleshoot Service Host (svchost.exe) related problems:
History of svchost.exe
In Windows NT 4.0, the different services were under their own .exe’s.
For example above, we could see that the following services had their own executables:
Spoolss.exe (Print Spooler)
Rpcss.exe (Remote Procedure Call)
Tapisrv.exe (Telephony)
What is a svchost.exe?
Starting with Windows 2000, since each process consumes resources (desktop heap, memory, disk space, etc…), we moved the individual services to a generic service host.
Svchost stands for “Service Host” which hosts services.
The Services are compiled as .dll’s. Since it is a service, it will run in the background until it is needed even without any user being logged on or if the system is shutdown.
Above you will notice that there are 17 svchost.exe processes running.
It is nicely described in these links:
In the figure above, all the svchost.exe processes seem identical; let’s find out what the Process ID (PID) and the User Names are for the different svchost.exe’s.
In Task Manager, let’s click on “View” and then on “Select Columns”.
Check the boxes next to:
PID (Process Identifier)
and
User Name
Now, what you should be seeing is the following:
The svchost.exe’s processes are organized in logical groups. These logical groups are usually grouped by the accounts that are needed.
i.e.
System
Local Service
Network Service
How do you find out which service is running in all these different svchost.exe processes?
In Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003:
Click on Start, Run, cmd.exe
Type “tlist /svc /fi “imagename eq svchost.exe”
Note: The output will provide the names in shortnames which are used with the Service Control Manager command (SC.exe), also the way that they are in the registry HKLM\System\CurrentControlSet\Control\Services.
In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2:
Within Task Manager, right click on the svchost.exe that you are interested.
Click on “Go to Service(s)”:
In the “Services tab”, it will highlight the services that are running under that particular svchost.exe as show above.
Note: You will see the full name of the service under the “Description” column.
Click on Start, cmd.exe (Run as admin)
Type “tasklist /svc /fi “imagename eq svchost.exe”
Note: The output will provide the names in shortnames which are used with the Service Control Manager command (SC.exe), also the way that they are in the registry HKLM\System\CurrentControlSet\Control\Services
Using Process Explorer to find the services that are running under the svchost.exe processes.
You could hover over the svchost.exe that you are interested in and you will see the following info:
If you want to go a step further, instead of using services.msc, you could start or stop the services by doing the following within Process Explorer:
Right click on the svchost.exe and click on “Properties…”
Click on the “Services” tab which will provide with the “Stop”, “Pause” and “Resume” options.
How to start or stop the service by using the command prompt or powershell:
Type “net start /?” without the quotation marks and then Press Enter.
You could see that the syntax is “net start ServiceName”
i.e. net start dnscache
Type “net stop /?” without the quotation marks and then Press Enter.
You could see that the syntax is “net stop ServiceName”
i.e. net stop dnscache
How to set the service to “Automatic (Delayed Start)”, or “Automatic”, or “Manual”, or “Disabled”.
In Services.msc, you could double click on the service that you are troubleshooting and click on the drop down menu for “Startup type:”.
You could accomplish the same task by using the command prompt or powershell:
Click on Start, CMD (Run as admin)
Type “sc config /?” without the quotation marks and then press Enter.
In this output, you will see the options for start which are boot, system, auto, demand, disabled and delayed-auto.
To enable a service from the command line:
Type “sc config ServiceName start= start”
Note: Where ServiceName is the actual service name.
Note 2: There is a space between start= and start. This is a gotcha for a lot of folks.
i.e. Type “sc config dnscache start= start”
To disable a service from the command line:
Type “sc config ServiceName start= disable”
i.e. Type “sc config dnscache start= disable”
This list contains a summary that relates Windows services to the files that implement them, and to the components that provide those files. This is not an exhaustive listing.
Windows service
File name
Component name
Alerter
AlrSvc.dll
This service runs within the context of SvcHost.exe.
Alerter Service
Application Layer Gateway Service
AppMgmts.dll
Software Installation Group Policy Extension
Automatic Updates
WuauServ.dll
Windows Update Agent
Background Intelligent Transfer Service
Qmgr.dll
COM+ Event System
Es.dll
COM+ Services
Computer Browser
Browser.dll
Computer Browser Service
Cryptographic Services
CryptSvc.dll
Core Certificate Services
DHCP Client
DhcpcSvc.dll
DHCP Client Service
DNS Client
DHCPSvc.dll
Error Reporting Service
ErSvd.dll
Error Reporting
Event Log
EventLog.dll
This service runs within the context of Services.exe.
Fast User Switching Compatibility
Shsvcs.dll
User Interface
Help and Support
HelpSvc.exe
Help and Support Services
Human Interface Device Access
HidServ.dll
In Target Designer, all components under Hardware | Devices | Human Interface Devices
Internet Connection Firewall (ICP) / Internet Connection Sharing
Fwcfg.dll
Windows Firewall/Internet Connection Sharing (ICS)
Logical Disk Manager
DmServer.dll
Disk Management Services
Messenger
MsgSvc.dll
Messenger Service (Net Send)
Network Connections
Netman.dll
Primitive: Netman
Network Location Awareness (NLA)
Mswsock.dll
Network Location Awareness Service
Portable Media Serial Number
Mspmsnsv.dll
Windows Media Player 10 Technologies
Remote Access Auto Connection Manager
Rasmans.dll
Dial-Up Networking Common Libraries
Remote Access Connection Manager
SessMgr.exe
Terminal Services Remote Assistance Component
Remote Procedure Call (RPC)
Rpcss.dll
RPC Server
Remote Registry
RegSvc.dll
Remote Registry Service
Removable Storage
Ntmssvc.dll
Removable Storage Service
Routing and Remote Access
Mprdim.dll
Dial-up Server for Windows
Secondary Logon
SecLogon.dll
RunAs Service
Server
SrvSvc.dll
File Sharing
Shell Hardware Detection
ShSvcs.dll
User Interface Core
SSDP Discovery Service
SsdpSrv.dll
Universal Plug & Play
System Event Notification
Sens.dll
System Event Notification Service (SENS)
System Restore Service
SrSvc.dll
System Restore Core
Task Scheduler
SchedSvc.dll
TCP/IP NetBIOS Helper
ImhSvc.dll
NetBIOS over TCP/IP
Telephony
TapiSrv.dll
Terminal Services
TermSrv.dll
Terminal Services Core
Themes
UxTheme.dll
Primitive: Uxtheme
Universal Plug and Play Device Host
UPnPHost.dll
Universal Plug & Play Device Host
WebClient
Webclnt.dll
Webdav Client Redirector
Windows Audio
AudioSrv.dll
Microsoft Audio Compression Manager (MME Core)
Windows Image Acquisition (WIA)
WIAservc.dll
Windows Image Acquisition Core
Windows Management Instrumentation
WMIsvc.dll
WMI Core
Windows Management Instrumentation Driver Extensions
Advapi32.dll
Windows API - Advanced
Windows Time
W32Time.dll
Time Service Core
Wireless Zero Configuration
WzcSvc.dll
Primitive: Wzcsvc
Workstation
WksSvc.dll
Workstation Service
Troubleshooting svchost.exe issues:
Before you ever start troubleshooting anything, as always please make sure that you have a complete backup of your system.
Note: Backing up is the easy portion, have you tried restoring and making sure that it works? Most folks don’t, and they end up with a backup that is just taking disk space.
Shotgun approach (not recommended):
Stop the services for the svchost.exe
Recommended troubleshooting:
Step 1. Find the Process ID of the svchost.exe that is causing the high cpu, memory leak (private bytes (a.k.a. heap) or virtual bytes) or handle leaks.
Using Task Manager or Process Explorer find the svchost.exe that is causing the problem.
Write down the PID
Step 2. Which services are running in that particular SVCHOST.exe?
Using Task Manager or Tasklist or Process Explorer find the services that are running in that particular svchost.exe.
Step 3. Separate the services for that particular SVCHOST.exe
Type “Sc.exe config ServiceName Type= own” without the quotation marks and then press Enter.
Type “Net stop ServiceName” without the quotation marks and then press Enter.
Type “Net start ServiceName” without the quotation marks and then press Enter.
To put the service back to the shared service host:
Type “Sc.exe config ServiceName Type= share” without the quotation marks and then press Enter.
Related reading:
How to separate out .DLL based services that use a shared generic service host process name (svchost.exe) for troubleshooting…
http://blogs.msdn.com/b/windowsvistanow/archive/2009/01/30/how-to-separate-out-dll-based-services-that-use-a-shared-generic-service-host-process-name-svchost-exe-for-troubleshooting.aspx
Note: On Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
There are always exceptions, in this case, WinMgmt (Windows Management Instrumentation) is unique.
To break WMI to its own svchost.exe:
Type “Winmgmt.exe /standalonehost” without the quotation marks and then press Enter.
Type “Net stop winmgmt” without the quotation marks and then press Enter.
Type “Net start winmgmt” without the quotation marks and then press Enter.
To put WMI on a shared svchost.exe:
Type “Winmgmt.exe /sharedhost” without the quotation marks and then press Enter.
Depending on the issue that you are troubleshooting, there are different steps that you could take…
In a future post, I’ll go over all these different scenarios.
Parabens, artigo muito util.
Tnx a lot for this post! :)