Identifying processes running as svchost.exe


I have previously written about experiences with systems becoming unresponsive and reporting svchost.exe utilizing 99% of the CPU. Since so many different DLLs run inside this generic host process, identifying exactly which program is the cause of the high CPU usage is often difficult.

According to KB314056, the Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Svchost.exe service groups are listed in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Windows XP Pro includes a built-in command-line utility, tasklist.exe, that provides information useful in tracking down the offending programs.

Running tasklist.exe with no switches will provide a list of running processes, their PID, console type and memory usage. Notice svchost.exe is shown as PIDs 1448, 1508, and 1856.

[Screenshot: tasklist.jpg]

To determine which PID is running which service, run

tasklist.exe /SVC

[Screenshot: tasklistsvc.jpg]

Notice the additional information showing which services run inside each svchost.exe instance.
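The same PID-to-service mapping can be pulled from WMI, which also exposes cumulative CPU time and the image path of each instance. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt, and the output column names are chosen for this example.

```powershell
# Added example: map every svchost.exe instance to the services it hosts,
# rank instances by CPU time, and check the image path against the
# documented location (%SystemRoot%\System32).
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index running services by the PID of their host process.
# ProcessId is 0 for services that are not running.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_
    $svcs = $servicesByPid["$($proc.ProcessId)"]

    # KernelModeTime and UserModeTime are reported in 100 ns units.
    $cpuSec = [math]::Round(($proc.KernelModeTime + $proc.UserModeTime) / 1e7, 1)

    # ExecutablePath is empty when the caller lacks rights to query the process.
    # 64-bit Windows also ships a 32-bit copy under SysWOW64, so a mismatch
    # is a prompt to review, not proof of a problem.
    $pathCheck = if (-not $proc.ExecutablePath) {
        'unknown (run elevated)'
    } elseif ($proc.ExecutablePath -eq $expected) {
        'ok'
    } else {
        'not in System32, review'
    }

    [pscustomobject]@{
        PID        = $proc.ProcessId
        CpuSeconds = $cpuSec
        MemoryMB   = [math]::Round($proc.WorkingSetSize / 1MB, 1)
        Services   = ($svcs.Name | Sort-Object) -join ', '
        PathCheck  = $pathCheck
        Path       = $proc.ExecutablePath
    }
} | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize -Wrap
```

CpuSeconds is total CPU time since the process started, not the current load, so run it twice a few seconds apart and compare to see which instance is climbing. An svchost.exe row with an empty Services column is not hosting any registered service and deserves a closer look.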

You can list services and applications on a remote system by running

tasklist.exe /s remoteIPaddress

or

tasklist.exe /s remoteComputerName

[Screenshot: tasklists.jpg]

If you want even more detail about the process and applications running, type:

tasklist /M

This will show which .dlls are in use by the processes.

If you want to isolate a service shared from svchost.exe, My Green Paste has a nice post on manipulating this service via the registry.

Once you’ve isolated the offending process that is causing the excessive resource utilization, use taskkill.exe to kill the offending application. You may need to specify the /F switch to force the offending process to be killed.

[Screenshot: taskkill.jpg]

Obviously killing the wrong processes can crash your machine, and editing the registry can make it unbootable, so before making changes make sure you have a recent backup.

[edited 01-24-2008]

Ask the Performance Team has published a new post on svchost.exe with some really detailed information. I think the methods of creating isolated processes and isolated service groups would be most helpful in troubleshooting performance and bottleneck issues.

One Response to “Identifying processes running as svchost.exe”

  1. Yossi Beck Says:

    A really good overview of available command lines for listing/handling processes and in particular separating services for resource consuming identifications.
    Thanks,

