Published on
29,077 Points
12 Endorsements
Last Modified:
Whenever there is a consistent high utilization of CPU or MEMORY, we check Task Manager to verify which process is consuming high resources. And if we find the culprit as SVCHOST.EXE we simply say its SVCHOST process and try to kill the process without thinking much on it.

Killing the process may sometime resolve the issue or may crash the system. However one should know SVCHOST is not a process, it’s a container in which various window’s services run. So if you kill svchost.exe, there is a chance that you are killing more than one window’s services.

So in order to understand what are those services which is running in this SVCHOST container, please follow the steps mentioned below :-

1.      Open command prompt with administrative privilege. [CMD -> run as administrator]

2.      Run without quote “tasklist /svc” ,below is the fragment of the output.
 tasklist command to check all the running process , with its process id i.e PIDYou can view one or more services running in a single container of SVCHOST.

3.      Since you are already aware of the SVCHOST consuming high resource, note the PID i.e process identity number of the SVCHOST.

4.      Now you are aware of the PID of SVCHOST which is consuming high resource. Note how many services are running in the SVCHOST container.

Next steps are to separate the services:-

1.      In order to separate a service from a container which is running along with multiple services in the same container we will be using SC command.

2.      Command should be used without quote “ sc config <Service_Name> type= own”

3.      For example you can see CryptSvc ,Dnscache, LanmanWorkstation, NlaSvc, TapiSrv ,these all services are running in a single container. We will be using above mentioned command on one of the services “CryptSvc” . So the command will be “ sc config CryptSvc type= own ” .

4.      Now restart the CryptSvc .
 Command  used to separate CryptSvc from its shared SVChost.exe container5.       Now we can see that the process ID 1120 doesn’t have CryptSvc service in SVCHOST container.
 verifying that the container does not run CryptSvc service in itself6.      However we can view that a new PID 440 is running with the service CryptSvc under SVCHOST container.
 Process running in a seperate container7.      You may experience different PID in your machine . If you have to separate multiple services, you can run “ sc config <Service_Name> type= own” with all service name first and in place of restarting the service restart the machine.

8.      Once all services are running in an individual SVCHOST container , it is easy for the user to understand which service is consuming high resource .

And based on the service consuming high resources, next part of troubleshooting starts.
LVL 18

Expert Comment

Thank you Ratnesh for your article.

I just thought I would throw this in. To view just the svchost processes instead of all of the processes, you can type this command in a DOS window.

Type or paste as is, quotes and all, in to a DOS window to just see svchost processes

 tasklist /svc /fi "IMAGENAME eq svchost.exe"

Expert Comment

by:Matthew Borrusso
Another little tool that will help you identify the offending child process is process explorer.
This is a free tool that is part of the sysinternals suite. Microsoft distributes it for free.
It is very customizable so you can dig in to just about any aspect of a process.

Expert Comment

by:Maidine Fouad
Thank you sir Ratnesh Mishra Great article, Its always been Consuming too much !!

Featured Post

Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Join & Write a Comment

The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Next Article:

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month