How to troubleshoot Service Host (svchost.exe) related problems?
Applies to:
Windows 7
Windows Server 2008 R2
Windows Vista
Windows Server 2008
Windows XP
Windows Server 2003
Windows 2000
Windows 2000 Server
How to troubleshoot Service Host (svchost.exe) related problems:
- High cpu
- Memory leaks (private bytes leaks and/or virtual bytes leaks)
- Handle leaks.
History of svchost.exe
In Windows NT 4.0, the different services were under their own .exe’s.
For example above, we could see that the following services had their own executables:
Spoolss.exe (Print Spooler)
Rpcss.exe (Remote Procedure Call)
Tapisrv.exe (Telephony)
What is a svchost.exe?
Starting with Windows 2000, since each process consumes resources (desktop heap, memory, disk space, etc…), we moved the individual services to a generic service host.
Svchost stands for “Service Host” which hosts services.
The Services are compiled as .dll’s. Since it is a service, it will run in the background until it is needed even without any user being logged on or if the system is shutdown.
Above you will notice that there are 17 svchost.exe processes running.
It is nicely described in these links:
- https://windows.microsoft.com/en-US/windows-vista/What-is-svchost-exe
- 250320 Description of Svchost.exe in Windows 2000
- https://support.microsoft.com/?id=250320
- 314056 A description of Svchost.exe in Windows XP Professional Edition
- https://support.microsoft.com/?id=314056
In the figure above, all the svchost.exe processes seem identical; let’s find out what the Process ID (PID) and the User Names are for the different svchost.exe’s.
In Task Manager, let’s click on “View” and then on “Select Columns”.
Check the boxes next to:
PID (Process Identifier)
and
User Name
Now, what you should be seeing is the following:
The svchost.exe’s processes are organized in logical groups. These logical groups are usually grouped by the accounts that are needed.
i.e.
System
Local Service
Network Service
How do you find out which service is running in all these different svchost.exe processes?
In Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003:
Click on Start, Run, cmd.exe
Type “tlist /svc /fi “imagename eq svchost.exe”
Note: The output will provide the names in shortnames which are used with the Service Control Manager command (SC.exe), also the way that they are in the registry HKLM\System\CurrentControlSet\Control\Services.
In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2:
Within Task Manager, right click on the svchost.exe that you are interested.
Click on “Go to Service(s)”:
In the “Services tab”, it will highlight the services that are running under that particular svchost.exe as show above.
Note: You will see the full name of the service under the “Description” column.
Click on Start, cmd.exe (Run as admin)
Type “tasklist /svc /fi “imagename eq svchost.exe”
Note: The output will provide the names in shortnames which are used with the Service Control Manager command (SC.exe), also the way that they are in the registry HKLM\System\CurrentControlSet\Control\Services
Using Process Explorer to find the services that are running under the svchost.exe processes.
You could hover over the svchost.exe that you are interested in and you will see the following info:
- Command line
- Path
- Services
If you want to go a step further, instead of using services.msc, you could start or stop the services by doing the following within Process Explorer:
Right click on the svchost.exe and click on “Properties…”
Click on the “Services” tab which will provide with the “Stop”, “Pause” and “Resume” options.
How to start or stop the service by using the command prompt or powershell:
Type “net start /?” without the quotation marks and then Press Enter.
You could see that the syntax is “net start ServiceName”
i.e. net start dnscache
Type “net stop /?” without the quotation marks and then Press Enter.
You could see that the syntax is “net stop ServiceName”
i.e. net stop dnscache
How to set the service to “Automatic (Delayed Start)”, or “Automatic”, or “Manual”, or “Disabled”.
In Services.msc, you could double click on the service that you are troubleshooting and click on the drop down menu for “Startup type:”.
You could accomplish the same task by using the command prompt or powershell:
Click on Start, CMD (Run as admin)
Type “sc config /?” without the quotation marks and then press Enter.
In this output, you will see the options for start which are boot, system, auto, demand, disabled and delayed-auto.
To enable a service from the command line:
Type “sc config ServiceName start= start”
Note: Where ServiceName is the actual service name.
Note 2: There is a space between start= and start. This is a gotcha for a lot of folks.
i.e. Type “sc config dnscache start= start”
To disable a service from the command line:
Type “sc config ServiceName start= disable”
Note: Where ServiceName is the actual service name.
Note 2: There is a space between start= and start. This is a gotcha for a lot of folks.
i.e. Type “sc config dnscache start= disable”
This list contains a summary that relates Windows services to the files that implement them, and to the components that provide those files. This is not an exhaustive listing.
Windows service |
File name |
Component name |
Alerter |
AlrSvc.dll This service runs within the context of SvcHost.exe. |
Alerter Service |
Application Layer Gateway Service |
AppMgmts.dll This service runs within the context of SvcHost.exe. |
Software Installation Group Policy Extension |
Automatic Updates |
WuauServ.dll This service runs within the context of SvcHost.exe. |
Windows Update Agent |
Background Intelligent Transfer Service |
Qmgr.dll This service runs within the context of SvcHost.exe. |
Background Intelligent Transfer Service |
COM+ Event System |
Es.dll This service runs within the context of SvcHost.exe. |
COM+ Services |
Computer Browser |
Browser.dll This service runs within the context of SvcHost.exe. |
Computer Browser Service |
Cryptographic Services |
CryptSvc.dll This service runs within the context of SvcHost.exe. |
Core Certificate Services |
DHCP Client |
DhcpcSvc.dll This service runs within the context of SvcHost.exe. |
DHCP Client Service |
DNS Client |
DHCPSvc.dll This service runs within the context of SvcHost.exe. |
DHCP Client Service |
Error Reporting Service |
ErSvd.dll This service runs within the context of SvcHost.exe. |
Error Reporting |
Event Log |
EventLog.dll This service runs within the context of Services.exe. |
Event Log |
Fast User Switching Compatibility |
Shsvcs.dll This service runs within the context of SvcHost.exe. |
User Interface |
Help and Support |
HelpSvc.exe This service runs within the context of SvcHost.exe. |
Help and Support Services |
Human Interface Device Access |
HidServ.dll This service runs within the context of SvcHost.exe. |
In Target Designer, all components under Hardware | Devices | Human Interface Devices |
Internet Connection Firewall (ICP) / Internet Connection Sharing |
Fwcfg.dll This service runs within the context of SvcHost.exe. |
Windows Firewall/Internet Connection Sharing (ICS) |
Logical Disk Manager |
DmServer.dll This service runs within the context of SvcHost.exe. |
Disk Management Services |
Messenger |
MsgSvc.dll This service runs within the context of SvcHost.exe. |
Messenger Service (Net Send) |
Network Connections |
Netman.dll This service runs within the context of SvcHost.exe. |
Primitive: Netman |
Network Location Awareness (NLA) |
Mswsock.dll This service runs within the context of SvcHost.exe. |
Network Location Awareness Service |
Portable Media Serial Number |
Mspmsnsv.dll This service runs within the context of SvcHost.exe. |
Windows Media Player 10 Technologies |
Remote Access Auto Connection Manager |
Rasmans.dll This service runs within the context of SvcHost.exe. |
Dial-Up Networking Common Libraries |
Remote Access Connection Manager |
SessMgr.exe This service runs within the context of SvcHost.exe. |
Terminal Services Remote Assistance Component |
Remote Procedure Call (RPC) |
Rpcss.dll This service runs within the context of SvcHost.exe. |
RPC Server |
Remote Registry |
RegSvc.dll This service runs within the context of SvcHost.exe. |
Remote Registry Service |
Removable Storage |
Ntmssvc.dll This service runs within the context of SvcHost.exe. |
Removable Storage Service |
Routing and Remote Access |
Mprdim.dll This service runs within the context of SvcHost.exe. |
Dial-up Server for Windows |
Secondary Logon |
SecLogon.dll This service runs within the context of SvcHost.exe. |
RunAs Service |
Server |
SrvSvc.dll This service runs within the context of SvcHost.exe. |
File Sharing |
Shell Hardware Detection |
ShSvcs.dll This service runs within the context of SvcHost.exe. |
User Interface Core |
SSDP Discovery Service |
SsdpSrv.dll This service runs within the context of SvcHost.exe. |
Universal Plug & Play |
System Event Notification |
Sens.dll This service runs within the context of SvcHost.exe. |
System Event Notification Service (SENS) |
System Restore Service |
SrSvc.dll This service runs within the context of SvcHost.exe. |
System Restore Core |
Task Scheduler |
SchedSvc.dll This service runs within the context of SvcHost.exe. |
Task Scheduler |
TCP/IP NetBIOS Helper |
ImhSvc.dll This service runs within the context of SvcHost.exe. |
NetBIOS over TCP/IP |
Telephony |
TapiSrv.dll This service runs within the context of SvcHost.exe. |
Telephony |
Terminal Services |
TermSrv.dll This service runs within the context of SvcHost.exe. |
Terminal Services Core |
Themes |
UxTheme.dll This service runs within the context of SvcHost.exe. |
Primitive: Uxtheme |
Universal Plug and Play Device Host |
UPnPHost.dll This service runs within the context of SvcHost.exe. |
Universal Plug & Play Device Host |
WebClient |
Webclnt.dll This service runs within the context of SvcHost.exe. |
Webdav Client Redirector |
Windows Audio |
AudioSrv.dll This service runs within the context of SvcHost.exe. |
Microsoft Audio Compression Manager (MME Core) |
Windows Image Acquisition (WIA) |
WIAservc.dll This service runs within the context of SvcHost.exe. |
Windows Image Acquisition Core |
Windows Management Instrumentation |
WMIsvc.dll This service runs within the context of SvcHost.exe. |
WMI Core |
Windows Management Instrumentation Driver Extensions |
Advapi32.dll This service runs within the context of SvcHost.exe. |
Windows API - Advanced |
Windows Time |
W32Time.dll This service runs within the context of SvcHost.exe. |
Time Service Core |
Wireless Zero Configuration |
WzcSvc.dll This service runs within the context of SvcHost.exe. |
Primitive: Wzcsvc |
Workstation |
WksSvc.dll This service runs within the context of SvcHost.exe. |
Workstation Service |
Troubleshooting svchost.exe issues:
Before you ever start troubleshooting anything, as always please make sure that you have a complete backup of your system.
Note: Backing up is the easy portion, have you tried restoring and making sure that it works? Most folks don’t, and they end up with a backup that is just taking disk space.
Shotgun approach (not recommended):
Stop the services for the svchost.exe
Recommended troubleshooting:
Step 1. Find the Process ID of the svchost.exe that is causing the high cpu, memory leak (private bytes (a.k.a. heap) or virtual bytes) or handle leaks.
Using Task Manager or Process Explorer find the svchost.exe that is causing the problem.
Write down the PID
Step 2. Which services are running in that particular SVCHOST.exe?
Using Task Manager or Tasklist or Process Explorer find the services that are running in that particular svchost.exe.
Step 3. Separate the services for that particular SVCHOST.exe
Click on Start, CMD (Run as admin)
Type “Sc.exe config ServiceName Type= own” without the quotation marks and then press Enter.
Type “Net stop ServiceName” without the quotation marks and then press Enter.
Type “Net start ServiceName” without the quotation marks and then press Enter.
To put the service back to the shared service host:
Type “Sc.exe config ServiceName Type= share” without the quotation marks and then press Enter.
Type “Net stop ServiceName” without the quotation marks and then press Enter.
Type “Net start ServiceName” without the quotation marks and then press Enter.
Related reading:
How to separate out .DLL based services that use a shared generic service host process name (svchost.exe) for troubleshooting…
Note: On Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
There are always exceptions, in this case, WinMgmt (Windows Management Instrumentation) is unique.
To break WMI to its own svchost.exe:
Click on Start, CMD (Run as admin)
Type “Winmgmt.exe /standalonehost” without the quotation marks and then press Enter.
Type “Net stop winmgmt” without the quotation marks and then press Enter.
Type “Net start winmgmt” without the quotation marks and then press Enter.
To put WMI on a shared svchost.exe:
Type “Winmgmt.exe /sharedhost” without the quotation marks and then press Enter.
Type “Net stop winmgmt” without the quotation marks and then press Enter.
Type “Net start winmgmt” without the quotation marks and then press Enter.
Depending on the issue that you are troubleshooting, there are different steps that you could take…
- Access Violates (AV’s, better known as application crashes).
- High CPU utilization
- Private bytes leaks (heap leak)
Virtual bytes leaks - Handle leaks.
In a future post, I’ll go over all these different scenarios.