What Is Svchost.exe?

The svchost.exe (Service Host) file is a critical system process provided by Microsoft in Windows operating systems. Under normal circumstances, this file isn’t a virus but a crucial component in many Windows services. The purpose of svchost.exe is, as the name implies, to host services. Windows uses it to group services that need access to the same DLLs so they run in one process, which reduces their demand for system resources.

Because Windows uses the Service Host process for so many tasks, it’s common to see increased RAM usage of svchost.exe in Task Manager. You’ll also see many instances of svchost.exe running in Task Manager because Windows groups similar services together, such as network-related services.

Given that this is such a critical component, you shouldn’t delete it or quarantine it unless you’ve verified that the specific svchost.exe file you’re dealing with is unnecessary or malicious. The real version is stored in only two folders, making it easy to spot a fake.

Which Software Uses Svchost.exe?

The svchost.exe process starts when Windows starts, and then checks the HKLM hive of the registry (under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost) for services it should load into memory. Svchost.exe can be seen running in Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, and Windows 2000. A few examples of Windows services that use svchost.exe include:

Windows Update
Background Tasks Infrastructure Service
Plug and Play
World Wide Web Publishing Service
Bluetooth Support Service
Windows Firewall
Task Scheduler
DHCP Client
Windows Audio
Superfetch
Network Connections
Remote Procedure Call (RPC)
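The registry lookup described above can be inspected directly. The following PowerShell is an added example, not code from the original article; it assumes each hosted service records its DLL in a ServiceDll value under its Parameters subkey in HKLM\SYSTEM\CurrentControlSet\Services.

```powershell
# Added example: list the service groups svchost.exe reads from the registry
# and the DLL each installed member service loads.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # assumption: not named on the page

$key = Get-Item -Path $svchostKey
$report = foreach ($group in $key.GetValueNames()) {
    $members = $key.GetValue($group)
    # Service groups are multi-string values; skip anything else.
    if ($members -isnot [string[]]) { continue }

    foreach ($svc in $members) {
        # A group can name services that are not installed on this machine.
        if (-not (Test-Path -Path "$servicesKey\$svc")) { continue }

        # ServiceDll (assumed location: the Parameters subkey) names the DLL to load.
        $p = Get-ItemProperty -Path "$servicesKey\$svc\Parameters" -Name ServiceDll `
                -ErrorAction SilentlyContinue
        $dll = if ($p) { [Environment]::ExpandEnvironmentVariables($p.ServiceDll) }
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        }

        [pscustomobject]@{
            Group        = $group
            Service      = $svc
            ServiceDll   = $dll
            # DLLs outside the Windows directory are worth a closer look.
            InSystemRoot = [bool]($dll -and $dll.StartsWith(
                               $env:SystemRoot, [StringComparison]::OrdinalIgnoreCase))
            Signature    = $sig
        }
    }
}

$report | Sort-Object Group, Service | Format-Table -AutoSize
```

Rows with an empty ServiceDll are services that keep the value elsewhere or do not define one; they are listed rather than hidden so the output stays complete.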

Is Svchost.exe a Virus?

Not usually, but it doesn’t hurt to check, especially if you have no idea why svchost.exe is taking up all the memory on your computer. The first step in identifying whether svchost.exe is a virus is determining which services each svchost.exe instance is hosting. Since you probably have multiple instances running in Task Manager, you have to dive a little deeper to see what each process is doing before deciding whether to delete the svchost process or disable the service running inside. Once you know what services are running within svchost.exe, you can see if they’re real and necessary or if malware is pretending to be svchost.exe. If you have Windows 11, 10, or 8, you can “open” each svchost.exe file from Task Manager. For other versions of Windows like Windows 7, you can also use Task Manager to see all the services used by svchost.exe, but it isn’t as clearly laid out as it is in newer versions. Do that by right-clicking a svchost.exe instance in the Processes tab, choosing Go to Services, and then reading through the list of highlighted services in the Services tab. If the location that opens is anything other than either of the following paths, which are where Windows stores authentic copies of svchost.exe, you might have a virus:

%SystemRoot%\System32\svchost.exe
%SystemRoot%\SysWOW64\svchost.exe

Another option is to use the tasklist command in Command Prompt to produce a list of all the services used by all the svchost.exe instances. To do that, open Command Prompt and enter the following command:

If you don’t recognize something on the list, it doesn’t necessarily mean you have a virus. It could just be a service you don’t recognize but is vital to the essential operations of Windows. There are probably dozens of “virus-looking” services that are entirely safe.

If you’re hesitant about anything you see, search online. You can do that in newer versions of Windows through Task Manager: right-click the service and select Search online. For Windows 7, Vista, or XP, note the service in Command Prompt and type it into Google.

To shut down a service running in svchost.exe, see the two sets of instructions at the bottom of this page.
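Both checks from this section, the file location and the list of hosted services, can be run in one pass over every svchost.exe instance. This PowerShell script is an added example, not code from the original article; the status labels and variable names are illustrative, and it should be run from an elevated prompt so the executable path is readable for every process.

```powershell
# Added example: compare each running svchost.exe with the two expected paths
# and list the services it hosts (the same PID-to-service view the Services
# tab in Task Manager gives).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# PID -> services, taken from the service control manager's records.
$byPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath   # empty when the caller lacks rights to read it

        # -contains compares strings case-insensitively, so C:\WINDOWS matches C:\Windows.
        $location = if (-not $path) {
            'PathUnavailable'
        } elseif ($expected -contains $path) {
            'Expected'
        } else {
            'Unexpected'
        }

        $svcs = $byPid["$($_.ProcessId)"]
        [pscustomobject]@{
            PID      = $_.ProcessId
            Location = $location
            Path     = $path
            # An instance that hosts no registered service deserves a closer look.
            Services = if ($svcs) { ($svcs.Name | Sort-Object) -join ', ' } else { '(none)' }
        }
    }

# Descending sort puts 'Unexpected' rows first.
$report | Sort-Object Location -Descending | Format-Table -AutoSize -Wrap
```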

Why Is Svchost.exe Using So Much Memory?

Like any process, this one requires memory and CPU power to run. It’s normal to see increased memory usage of svchost.exe, mainly when one of the services using Service Host is being used.

A big reason for svchost.exe to use lots of memory (and even bandwidth) is if something is accessing the internet, in which case “svchost.exe netsvcs” might be running. It could happen if Windows Update is working to download and install patches and other updates. Other services that run under svchost.exe netsvcs include BITS (Background Intelligent Transfer Service), Schedule (Task Scheduler), Themes, and iphlpsvc (IP Helper).

One way to stop the svchost process from sucking away so much memory or some other system resource is to stop the services that are to blame. For example, if Service Host slows down your computer because of Windows Update, stop downloading/installing updates or disable the service entirely. Or maybe Disk Defragmenter is defragmenting your hard drive, in which case Service Host will use more memory for that task.

However, it shouldn’t, under everyday situations, be hogging all the system memory. If svchost.exe uses upwards of 90–100 percent of the RAM, you might be dealing with a malicious, non-genuine copy of svchost.exe. If you think that’s what’s happening, keep reading to learn how to delete svchost.exe viruses.

How to Shut Down an Svchost.exe Service

What most people probably want to do with the svchost process is delete or disable a service running inside svchost.exe because it’s using too much memory. However, even if you’re going to delete svchost.exe because it’s a virus, follow these instructions anyway because it’ll be helpful for the service to be disabled before trying to delete it. You can verify that it’s been shut down, or permanently disable it, by locating the same service in the Services program (search for services.msc from the Start menu). To stop it from running again, double-click the service from the list and change the startup type to Disabled. To do this in Windows 11, 10, or 8, expand the Service Host: entry.

How to Remove an Svchost.exe Virus

You can’t delete the actual svchost.exe file from your computer because it’s too integral and essential a process, but you can remove fake ones. If you have a svchost.exe file that’s anywhere but in the \System32\ or \SysWOW64\ folder mentioned earlier, it’s 100 percent safe to delete. For example, if your downloads folder contains a Service Host file, or there’s one on your desktop or a flash drive, it’s evident that Windows isn’t using it for important service hosting purposes, in which case you can remove it.

However, svchost.exe viruses are probably not as easy to delete as regular files. Follow these steps to remove the virus: We won’t do anything with that window just yet, so keep it open. If that doesn’t work, open Process Explorer and right-click the svchost.exe file, and then select Kill Process to shut it down. If you can’t, install LockHunter and tell it to delete the file on the next reboot (this will delete the locked file, something you can’t normally do in Windows). Reboot your computer if something was found.