Discovering what is running on the svchost.exe stack

Posted on 2007-04-05
Medium Priority
Last Modified: 2013-11-22
How does one find out what services or applications are running under svchost.exe?  I have a situation where svchost.exe is peaking out the processor and the battery of av/am applications that I've run have not discovered anything (including three rootkit detection tools).  There is something going on here as it is causing terrible pauses in the system and it should be much more responsive with 768 MB of memory.

Again, I believe that the root is digging out what is going on exactly with svchost.exe.  I'm assuming that this process is some sort of a container process for services of some sort.
Question by:gpsocs
  • 5
  • 4
  • 3
  • +3
LVL 59

Assisted Solution

LeeTutor earned 150 total points
ID: 18861906
This MSKB article gives you some info on SVCHOST.EXE:

A Description of Svchost.exe in Windows XP

In order to see what services are connected with each instance of Svchost.exe that is running under Task Manager, you should:  go to Start -> Run -> type CMD and hit Enter key -> type tasklist /svc in the DOS-like dialog box and hit the Enter key.
LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 300 total points
ID: 18861918
You can also use ProcessExplorer to see more details on usage. - Formerly a sysinternals tool, it's currently available from Microsoft.


Author Comment

ID: 18861936
Oddly enough `Tasklist` is not available on this system it appears.  As you, and Microsoft, describe the command it cannot be run on this system.  Am I missing something, has this been deleted by an infection per chance?  I'll keep digging...
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

LVL 59

Expert Comment

ID: 18861945
The article says it applies to XP Pro.  Are you running Home?
LVL 47

Assisted Solution

rpggamergirl earned 75 total points
ID: 18861961
Sometimes svchost problems are caused by the windows auto-update software.
If you have it on, try turning auto-update off and reboot, at least that's one cause that can be ruled out at least.

Svchost of course, usually malware/viruses are most common causes for this but not always.

Please show us your hijackthis log, most malware show up in the scan.
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.


Author Comment

ID: 18861992
Yes, it is Home.  I'll grab a copy off of a Pro box.  

With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections and invalid entries as normal, but I can certainly check it again and post my result.

Give me a few minutes and I'll be back.
LVL 97

Expert Comment

by:Lee W, MVP
ID: 18861998
Is there a reason you are not going to try Process Explorer?

Expert Comment

ID: 18862006
I would agree with leew.  ProcessExplorer will give you a detailed description of all the images (files) being used by each instance of svchost.exe.  I have ProcessExplorer as a part of my standard "toolbox."  It can also be used to monitor network connections in a far more user-friendly manner than netstat.  VERY useful tool.
LVL 47

Expert Comment

ID: 18862020
>>With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections<<

Can you also please show us those entries that you already removed? it will help us. You can get it from the backup that hijackthis keeps, thanks.

A clean hijackthis log won't be helpful to us.
Bad entries once removed will no longer show up in the scan unless it's one of those persistent and stubborn malware.

Author Comment

ID: 18862029
Alright, I pulled the results of that unit on over and I'll paste it below.  First will be the `tasklist /svc` result.  Next will be the HJT result.

`tasklist /svc` output:
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       624 N/A
csrss.exe                      672 N/A
winlogon.exe                   696 N/A
services.exe                   740 Eventlog, PlugPlay
lsass.exe                      752 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    900 DcomLaunch, TermService
svchost.exe                    964 RpcSs
MsMpEng.exe                   1052 WinDefend
svchost.exe                   1096 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
                                   FastUserSwitchingCompatibility, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   SharedAccess, ShellHWDetection, srservice,
                                   TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                   wscsvc, wuauserv
svchost.exe                   1208 Dnscache
svchost.exe                   1260 LmHosts, SSDPSRV, WebClient
explorer.exe                  1428 N/A
LEXBCES.EXE                   1464 LexBceS
spoolsv.exe                   1504 Spooler
LEXPPS.EXE                    1540 N/A
Nhksrv.exe                    1648 Nhksrv
guard.exe                     1664 AVG Anti-Spyware Guard
avgamsvr.exe                  1676 Avg7Alrt
avgupsvc.exe                  1748 Avg7UpdSvc
FrameworkService.exe          1820 McAfeeFramework
MDM.EXE                       1892 MDM
svchost.exe                    184 stisvc
naPrdMgr.exe                   508 N/A
DellMMKb.exe                   584 N/A
LXSUPMON.EXE                   320 N/A
iTunesHelper.exe               604 N/A
MSASCui.exe                    612 N/A
avgcc.exe                      588 N/A
avgas.exe                      644 N/A
PicasaMediaDetector.exe        648 N/A
ctfmon.exe                     652 N/A
OSD.exe                        856 N/A
AIRPLUS.EXE                   2508 N/A
iPodService.exe               2520 iPod Service
alg.exe                       2580 ALG
wuauclt.exe                    440 N/A
taskmgr.exe                   2892 N/A
UpdaterUI.exe                 3648 N/A
cmd.exe                       3720 N/A
tasklist.exe                  3964 N/A
wmiprvse.exe                  2928 N/A

HijackThis Output:
Logfile of HijackThis v1.99.1
Scan saved at 9:21:38 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
\\gplymale\Repair\Repair USB\Repair CD\HijackThis\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174342726421
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

LVL 47

Expert Comment

ID: 18862066
Thanks for the log, sorry nothing stood out there, is it possible for us to see those bad entries that you removed? thanks.

Author Comment

ID: 18862114
No, sorry, those were removed some time ago and this unit is one that returned for a modem repair but I noticed those pauses were still existent and driving me nuts so I'm trying to figure out what might be going on.  I've only seen an issue like this once before of the last several years and it took a reinstallation (ie, not repair installation) to resolve the issue...  So I'm worried as to what could be causing this pause.

I really wish Windows had better diagnostic tools that could isolate pauses like this.  Are there any other deeper tools that pick up unresponsive apps and services as such that I'm overlooking?
LVL 32

Accepted Solution

r-k earned 975 total points
ID: 18862384
LVL 97

Expert Comment

by:Lee W, MVP
ID: 18862411
Oh look - that article says to use process explorer - mentioned much earlier in your question... again... is there ANY reason you are ignoring my posts?

Author Comment

ID: 18863335
I apologize leew, I had already used that long ago.  I did check it again at your behest and did find another item, however this was not the issue, but useful nonetheless so thanks.  

It appears that the article referred to by r-k was the key in terms of a resolution even though the proc hanging was hard to isolate (read, I did not find it with process explorer again as it is acting very erratic, however after applying the hotfix things seem to have reached normalcy).
LVL 47

Expert Comment

ID: 18868086
So I was right in my very first post all along, that this was caused by windows auto-update software.
If you'd turned off autoupdates you would have found out that that was the one causing it.
LVL 32

Expert Comment

ID: 18869517
"So I was right in my very first post all along"

Yes, rpggamergirl, you are correct once again. We may only ignore your comments at our own peril :)

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

588 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question