All about Svchost.exe

Svchost.exe is a Windows system file. It is the Generic Host Process for Win32 Services.
Svchost.exe manages 32-bit DLLs as well as other services.
Microsoft runs a lot of software functionality from a DLL (dynamic link library) interface.
But DLLs can’t launch themselves – they need an executable program. On startup,
svchost.exe checks the services in the Registry and makes a list of services it has to load.
Usually there are several svchost.exe files running at the same time. Each svchost.exe instance can group services,
so that separate services can be run depending on where and how svchost.exe is started.
The multiple executions of svchost.exe reduce the possibility of one process crashing the entire system,
thus making the operating system more stable and secure.

IMPORTANT: The svchost.exe file should be in the C:\Windows\System32 folder. If you find it anywhere else, then svchost.exe could be a virus, trojan, worm, or spyware! Scan your computer with Auslogics Antivirus to make sure it’s not infected.

According to Microsoft: “svchost.exe is a generic host process name for services that run from dynamic-link libraries”. Could we have that in English please?

Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for reusability… but the problem is that you can’t launch a .dll file directly from Windows, it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.

So What Can I Do About It?

You can trim down unneeded services by disabling or stopping the services that don’t absolutely need to be running. Additionally, if you are noticing very heavy CPU usage on a single svchost.exe instance you can restart the services running under that instance.

The biggest problem is identifying what services are being run on a particular svchost.exe instance… we’ll cover that below.

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes.
Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group.
Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:

Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:
Tasklist /FI “PID eq processID” (with the quotation marks)

That’s fine, but what about firewall rules for it?
In my case I have set it up as “Outgoing only” and it works fine.
Only inbound that I allow is for utorrent.

You don’t know about firewall rules?

A utility to help with viewing svchost.exe is Svchost Viewer.

Edit: updated the link

Can Comodo add to CIS rules for services as for processes? If so, we can tune in\out connections for different services and not for ALL running in svchost.exe!

For example: “netstat -a -b” in Win7 can show connections by services, not processes.

Trying to make a safe security policy while allowing svchost out for everything and in for utorrent is pure nonsense: you might as well use no firewall at all.

Hmm, seeing this title, I had hoped I would find information about how to set policy rules for Svchost too, so if anyone can help us.

I’ve known this information for some time, but knowing this, what kind of policy should I set up for this one? Considering the number of different applications/malware/things that can hide inside Svchost, I hate giving it too large rules, but if I set them too narrow, some parts of the system won’t work correctly.

Currently, Svchost and other Windows system applications are set to a custom rule that gives them outbound access to my LAN (3 CPUs, 1 printer and a router), inbound access from my LAN, access to the loopback and access to the IPs I gathered are run by Comodo (since it seems they are trying to contact them for whatever reason).
Should I make some sort of by-port rules on top of this, for instance allowing the ports listed for Windows processes in the article linked in this post? Is there a better way to “secure” Svchost?
I’m running Windows XP SP3 by the way.

svchost is supposedly safe on a LAN if every computer on the LAN is safe (i.e. if one of these computers is not able to propagate a malware to others after gathering it either from internet, either from an external media).

Moreover, it is very difficult if not impossible to write exhaustive svchost LAN rules because not only fixed ports are used for some application or protocol, but also random high ports.

On the opposite, I think it useful to write explorer and system rules where the only ports allowed by default are the netbios ones (extended to port 135, but excluding port 445).

Well, thanks Brucine.
A few more questions on Svchost.

  • Is it a normal behaviour for it to try and open various connections to remote web IPs on port 80? I see in my firewall log several attempts each day, some of them lead to IPs I can identify by searching on the web (one of them belongs to Microsoft for instance), but others seem to be unknown (like 217.156.169.152, I got only two pages of google results, and none of them told me who owned it).

  • Also, is it normal for Svchost to open hundreds of connections to my network printer? If I turn on my printer, I have between 350-500 open connections to its IP from Svchost, even if I’m not printing or scanning anything. I’m not worried about those as I don’t think my printer could be spying on me, but it’s strange. :o

-First point:
I don’t remember what OS you are using, and I also do not know what software you are using.
Under my XP configuration (and outside of LAN rules), such a behavior would definitely not be normal, and the only 2 allowed connections are TCP/UDP Out to my mail provider DNS, port 53 and a multicast request very specific to my router brand, UDP Out to 255.255.255.255 port 67 (providing bootp ability at boot time).

-Second point:
Yes. It results from Network Discovery coming from the UPnP and SSDP services.
If you don’t want to disable these services, and assuming all of your LAN computers including the printer have a static IP in the same workgroup, you should write LAN allowing rules:

-SVCHOST:
-Allow UDP Out from any IP to Loopback Zone, source port any, dest port any
If you want, say, PC “30” to be able to explore PC “20”:
-Allow TCP In from 192.168.0.30 to 192.168.0.20, source port any, dest port 135

-SYSTEM:
Access PC “20” from PC “30”:
-Allow TCP In from 192.168.0.30 to 192.168.0.20, source ports any, dest port 137-139
-Same rule for UDP In
At the opposite, access PC “30” from PC “20”:
-Allow TCP or UDP Out from 192.168.0.20 to 192.168.0.30, source ports any, dest port 137-139
Needing to access the router’s gateway in order to establish the connection from PC “20”:
-Allow UDP Out from 192.168.0.20 to 192.168.0.255, source ports any, dest ports 137-139.

Observations:

  1. These rules must be followed by a global deny rule for ports 137-139 if you don’t want it to be implicit.
  2. The job can be made easier if writing ports zones (e.g. “Netbios” for 137-139)
  3. They can be extended to the whole LAN including the printer if you are confident in this LAN by writing a LAN zone (192.168.0.1-192.168.0.255) and writing instead of a single rule for PC 20, 30, 40… a global rule from “LAN zone” to “LAN zone” (also of course followed by a deny rule if both source and dest are not “LAN zone”).

Thanks again brucine. I’m scanning my computer with Comodo anti-virus currently (critical zones only as a full day is not enough for a full scan), however I think I’ve finally identified what’s causing those connections.

Connection to Microsoft IP: maybe it’s caused by me switching from the old Windows Update to the new Microsoft Update. It shouldn’t be a worry anyway.

One unknown IP: I’ve found a reference saying it belongs to Akamai Technologies. The downloader for the demo version of Photoshop is created by Akamai. I have a dll loaded at startup signed by Akamai. I shouldn’t need it anymore so I’ll try and disable it.

Another unknown IP probably belongs to Adobe because I got a request from Firefox plugin-container.exe to access this IP when trying to view a video tutorial on the Adobe site. Probably no worry then, but I don’t like applications “phoning home” behind my back.

Is there a way to stop the Firewall Event Log from logging all of the svchost activity? Personally, my log is full of it and nothing else, although I do use VNC Viewer for remote (local) access.
Thank you

http://i51.tinypic.com/27x3qc2.jpg

To my knowledge, event logging is triggered by your firewall rules. By default, Svchost is controlled by the Windows System Applications rules. The last rule in this set is probably “block and record any other request” or something like this. You can change it to block without recording by unchecking the “create event if the rule is triggered”. It will stop logging blocked connections for all of the Windows System group. If you want to change the behaviour of Svchost only, create a rule for Svchost alone and remove it from the group in Defense+ settings (the same groups are used by Defense+ and the firewall).

Now, of course, you won’t have any way to tell the firewall blocked a request and this might prevent you from troubleshooting issues caused by blocked connections. If your rules are strict, you probably need a way to track down what’s blocked in case a legitimate connection got blocked.

Hope I’m not mistaken, I’m quite new to Comodo CIS but that’s what I understood from reading the documentation.

Hi,
I know this topic is old, but it’s the best I found concerning my problem.

When Comodo shows an alert asking if it should allow svchost to open a connection to an IP located somewhere in Russia or China for example, how can I know which service is using svchost to open this connection?

I know that in the “see connections” tab, I can read the PID of each svchost process and its opened connections, and with the PID I can get the name of the underlying service.

But how can I know the PID or the name of the underlying service before I allow the connection?
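The question above (which service sits behind a given svchost PID) and the registry layout described in the first post (the Svchost group key and each service’s ServiceDLL value) can be answered with one query. The script below is an added example, not code from the thread or from Comodo; it assumes a Windows host with PowerShell 3 or later and reads only the two registry keys the first post names.

```powershell
# Added example: map each Svchost group and its services to the ServiceDLL that
# implements them and to the PID of the svchost.exe instance hosting them, then
# flag any service DLL that does not live under %SystemRoot% (the first post's
# "should be in System32" check, applied to the DLLs rather than the host exe).
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot  = $env:SystemRoot

# Running services and the PID of the process hosting each one. Several services
# of the same group share one svchost.exe, so several names map to one PID.
$running = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" |
    ForEach-Object { $running[$_.Name] = $_.ProcessId }

$rows = foreach ($prop in (Get-ItemProperty $groupKey).PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
    foreach ($svc in $prop.Value) {             # REG_MULTI_SZ: one service per entry
        $params = Get-ItemProperty "$svcRoot\$svc\Parameters" -ErrorAction SilentlyContinue
        $dll = $null
        if ($params -and $params.ServiceDLL) {
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDLL)
        }
        [pscustomobject]@{
            Group      = $prop.Name
            Service    = $svc
            PID        = $running[$svc]          # $null when the service is not running
            ServiceDLL = $dll
            # A service DLL outside the Windows directory deserves a closer look.
            Suspicious = ($null -ne $dll) -and -not $dll.StartsWith($sysRoot, 'OrdinalIgnoreCase')
        }
    }
}

# 1) Everything hosted by each running svchost PID, the map the alert lacks.
$rows | Where-Object PID | Sort-Object PID, Group | Format-Table -AutoSize
# 2) Any service whose DLL is loaded from outside %SystemRoot%.
$rows | Where-Object Suspicious | Format-Table Service, ServiceDLL -AutoSize
```

The first table is the same PID-to-service view that `Tasklist /SVC` from the first post gives, with the ServiceDLL path added; look up the PID shown in the firewall’s connection view in that table to see which services could have opened the connection.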

And svchostanalyser.