Remove the svchost.exe virus from a Windows system. How to detect a virus masquerading as the svchost system process. What is the svchost service responsible for?

If you are reading this article, you have probably already noticed the system process called "svchost.exe". It is usually not alone; several other processes of the same name run alongside it.

In a normal situation, this process does not affect the computer's performance, and ordinary users pay no attention to it. The situation is quite different when the process begins to "devour" from half to 100% of the computer's resources, and not sporadically but constantly. In this case, a radical solution to the problem sometimes becomes either a rollback of the system to the moment when it worked normally. These methods are not only excessive but also do not always help, so today we will describe simpler solutions to the problem of the svchost.exe process loading the computer's processor "to the full".

What is svchost.exe

Let's start with theory. svchost.exe is a Windows system process that is responsible for starting various services on the computer (for example, the Print Service or Windows Firewall). With it, several services can run on the computer at the same time, which reduces the resources these services consume. In addition, the process itself can run in multiple copies. That is why there is always more than one svchost.exe process in the Task Manager.

So why can svchost.exe put a high load on the computer's processor and memory? On the web you can find the opinion that the svchost.exe process is started by a virus or is itself a virus. This is not true. Strictly speaking, some viruses and Trojans can disguise themselves as it, creating an additional load on computer resources, but they are quite easy to identify and neutralize.

How to remove a virus disguised as the svchost.exe process

Launch the "Task Manager" (using the keyboard shortcut Ctrl+Alt+Delete or from the menu Start > Programs > Accessories > System Tools) and open the Processes tab. The first column shows the process names, and the second shows the user each process was launched as. Note that svchost.exe can only run on behalf of the LOCAL SERVICE, SYSTEM (or "system"), and NETWORK SERVICE users.

If you notice that the process is running on behalf of your user (for example, on behalf of User), then you are looking at a virus. Since the real svchost.exe can only be started by system services, it cannot be in the "Startup" of the current Windows user. Therefore, that is where we will look for a virus disguised as the svchost.exe system process. There are two ways to get into Startup: through a third-party program or with standard Windows tools.

To get into Startup without installing additional programs, open Start and in the program search bar (in Windows XP, in Start > Run) type msconfig, then press OK. The System Configuration window will appear. Click the Startup tab and carefully review the list of programs that start at system boot. If you find svchost.exe in this list, you can be sure of its viral origin.

The real svchost.exe can be launched only from the folder C:\WINDOWS\system32, where "C" is the drive where Windows is installed. (On a 64-bit operating system, the 32-bit version of svchost.exe is located in the C:\WINDOWS\SysWOW64 folder, and theoretically the process can also be launched from it. However, by default, all system processes on 64-bit Windows, including svchost.exe, are launched from C:\WINDOWS\system32.) The screenshot above shows that the file is located in the WINDOWS folder, and that it is called "svhost.exe" and not "svchost.exe", which directly indicates its viral origin.

The list of favorite folders for virus masking looks something like this:

C:\WINDOWS\svchost.exe
C:\WINDOWS\config\svchost.exe
C:\WINDOWS\drivers\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\windows\svchost.exe
C:\Users\your-username\svchost.exe

The virus process file can not only be located in one of the folders listed above (and not in the standard folder where the real svchost.exe is located), but also be called differently:

svhost.exe
svch0st.exe
svchost32.exe
svchosts.exe
syshost.exe
svchosl.exe
svchos1.exe

So, you have found the svchost.exe virus in Startup. The first thing to do is disable its autorun by unchecking it in the "Startup item" column. Then end its process through the "Task Manager" (right-click on the process > End Process) and delete the file itself. The full path to the file, as in the screenshot above, is always shown in the "Command" column. The process file may refuse to be deleted. In this case, try restarting the computer first and repeating the operation, or use the Unlocker program to remove such "unremovable" files.

After that, it will not be superfluous to also conduct an anti-virus scan of the computer. If you still do not have an antivirus installed on your computer, we recommend that you read our article.
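The three checks described above (launching account, image folder, lookalike file name) can be applied to an exported process list. The following is an added example, not code from the original article; the sample records are constructed, the drive letter C: and the allowlist entry sihost.exe (a genuine Windows binary with a similar name) are assumptions of this sketch.

```python
import ntpath

# Rules from the article: genuine svchost.exe runs from System32 (or SysWOW64)
# under SYSTEM, LOCAL SERVICE or NETWORK SERVICE. Assumes Windows is on C:.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
# Genuine Windows binaries whose names sit close to "svchost" (avoids false positives).
KNOWN_GOOD = {"sihost.exe"}
# Digit-for-letter swaps seen in the article's list (svch0st, svchos1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})


def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (scvhost) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def is_lookalike(name):
    """True for names that imitate svchost.exe without being it."""
    name = name.lower()
    stem = ntpath.splitext(name)[0]
    if stem == "svchost" or name in KNOWN_GOOD:
        return False
    return osa_distance(stem.translate(HOMOGLYPHS), "svchost") <= 2


def triage(image_path, user):
    """Return the findings for one process record; an empty list means clean."""
    directory, name = ntpath.split(image_path.lower())
    account = user.split("\\")[-1].lower()  # drop the "NT AUTHORITY\" or host prefix
    findings = []
    if name == "svchost.exe":
        if directory not in LEGIT_DIRS:
            findings.append("wrong folder")
        # On Windows 10 and later, per-user services legitimately run svchost.exe
        # as the logged-in user, so treat this finding as a lead, not a verdict.
        if account not in SERVICE_ACCOUNTS:
            findings.append("non-service account")
    elif is_lookalike(name):
        findings.append("lookalike name")
    return findings


# Constructed sample records (image path, account); not taken from a real host.
SAMPLE = [
    (r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    (r"C:\Windows\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    (r"C:\Users\alice\svchost.exe", r"DESKTOP-01\alice"),
    (r"C:\Windows\System32\svch0st.exe", r"DESKTOP-01\alice"),
    (r"C:\Windows\System32\sihost.exe", r"DESKTOP-01\alice"),
]

if __name__ == "__main__":
    for path, user in SAMPLE:
        print(f"{path:36} {user:22} {triage(path, user) or 'ok'}")
```

A path or name finding matches the article's rules directly; the account finding needs a follow-up look at which service the process hosts.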

There are no viruses in the system, but does svchost.exe still "load" the computer?

Have you found and neutralized all viruses in the system, or made sure that there are no viruses on the computer, but svchost.exe still interferes with work? Try to find out which program or service is using this process. This is easy to do with a simple free program, Process Explorer. Very often the svchost.exe process is being used by the Windows Update service, which automatically installs updates on the computer.

In this case, you can either wait until all Windows updates have been downloaded and installed, or temporarily disable automatic Windows updates. This can be done in the Control Panel, in the section System and Security > Windows Update, by opening Parameter Settings (in the side menu of the window) and selecting the item Do not check for updates in the drop-down list.

If disabling automatic updates did not help, you can check all other Windows services in the same way. You can stop or disable any Windows service through the Services snap-in. It is easy to get to: click Start, right-click Computer, select Management from the drop-down menu, and go to Services & Applications > Services. After selecting the service you are looking for, right-click on it and select Stop. If that service was the one creating the load on the computer, then after it is stopped the svchost.exe process will stop loading your computer at 100%.

Computer users want their machines to work as quickly as possible and not "slow down". In search of the "brakes", they turn to the task manager to find resource-intensive processes and unload them from memory. Often svchost.exe is visible in the process list. This program runs in multiple copies and consumes a lot of RAM.

The question is logical: if it overloads the computer like this, is it a virus or other malicious software? And another question: is it possible to remove svchost.exe and do without it? Usually the answer to both questions is no: it is not a virus, and it is almost impossible to do without it. But first things first…

svchost.exe is a system process in Windows since Windows 2000. This is the main process that helps services in dynamic libraries work. If you delete the svchost.exe file, the computer will work ... just a few times slower than usual. The situation is not so paradoxical: although the system service takes up a lot of RAM, without it, the load on the ROM would only be higher. The load on the processor will also be high.

svchost.exe virus

But still, sometimes it is necessary to delete svchost.exe. More precisely, not the file itself, but viruses and Trojan horses masquerading as this application. It's easy to tell the difference: although the original system process also creates multiple copies, the malware resides in any directory other than the system directory.

It is also useful to know that you can spot such a program in the task manager by noticing that it runs on behalf of the user. In some cases, viruses use a genuine system service to do damage.

There is no need to raise the alarm because svchost.exe starts in ten instances. There are many dynamic services in the system, and one process may not be enough for all of them. Several copies are then started at once, each with its own identifier. But it is also necessary to look carefully at where each one comes from.

The real process starts from the folders: ServicePackFiles\i386, system32, Prefetch, winsxs\ (all inside C:\WINDOWS). If you notice that svchost.exe was launched from somewhere else, this is a warning sign (as is a name that differs "just a little bit" from the original).

In such cases, run a full antivirus scan until you get rid of the malware.

Description: svchost.exe is the general name of the main process associated with Windows system features that are run from dynamic link libraries. When launched, svchost.exe checks the functions registry to load and run them. It is normal for several of them to be running at the same time. Each of them is a group of basic functions that work on a PC. Not to be confused with scvhost.exe.

Detailed analysis: svchost.exe often causes problems and is required for Windows. Svchost.exe is located in the C:\Windows\System32 folder. Known file sizes for Windows 10/8/7/XP are 20,992 bytes (49% of all cases), 14,336 bytes, and .
This is a Windows file. The application is not visible to users. This is a file signed by Microsoft. Therefore, the technical reliability rating is 7% danger.

How to recognize suspicious processes?

  • If svchost.exe is located in a subfolder of "C:\Users\USERNAME" then the reliability rating is 80% danger. File size 3,580,520 bytes (15% of all cases), 3,772,520 bytes and . It is not a Windows system file. There is no information about the creator of the file. The process has no visible window. The file is digitally signed. Svchost.exe is capable of monitoring applications.
  • If svchost.exe is located in the C:\Windows folder, then the reliability rating is 54% danger. File size 20,480 bytes (32% of all cases), 1,605,120 bytes and . This is not a Windows file. The application is not visible to users. It is located in the Windows folder, but it is not a Windows kernel file. There is no information about the creator of the file. Svchost.exe is capable of monitoring applications and recording input.
  • If svchost.exe is located in a subfolder of C:\Windows then the reliability rating is 60% danger. File size 20,992 bytes (15% of all cases), 1,563,136 bytes and .
  • If svchost.exe is located in a subfolder of "C:\Program Files", then the reliability rating is 66% danger. File size 8,056,832 bytes (5% of all cases), 3,595,880 bytes and .
  • If svchost.exe is located in a subfolder of C:\Windows\System32 then the reliability rating is 60% danger. File size 2,030,080 bytes (6% of all cases), 1,169,224 bytes and .
  • If svchost.exe is located in the Windows folder for storing temporary files, then the reliability rating is 67% danger. File size 409,088 bytes (22% of all cases), 4,582,912 bytes and .
  • If svchost.exe is located in a subfolder of the C:\ drive, then the reliability rating is 54% danger. File size 32,768 bytes (25% of all cases), 752,128 bytes and .
  • If svchost.exe is located in C:\Windows\System32\drivers then the reliability rating is 81% danger. File size 194,560 bytes (16% of all cases), 237,568 bytes and .
  • If svchost.exe is located in Windows subfolders for storing temporary files, then the reliability rating is 71% danger. File size 704,606 bytes (16% of all cases), 645,120 bytes and .
  • If svchost.exe is located in a subfolder of "C:\Program Files\Common Files", then the reliability rating is 52% danger. The file size is 91,648 bytes (75% of all cases) or 1,012,224 bytes.
  • If svchost.exe is located in a subfolder of C:\Windows\System32\drivers then the reliability rating is 63% danger. The file size is 897,215 bytes (50% of all cases) or 26,624 bytes.
  • If svchost.exe is located in "C:\Users\USERNAME" then the reliability rating is 64% danger. The file size is 145,408 bytes.
  • If svchost.exe is in a subfolder of "My Files" then the reliability rating is 74% danger. The file size is 674,304 bytes.
  • If svchost.exe is located in the "C:\Program Files" folder, then the reliability rating is 64% danger. The file size is 90,112 bytes.

Important: Some malware camouflages itself as svchost.exe, especially if located not in the C:\Windows\System32 directory. Thus, you should check the svchost.exe file on your PC to see if it is a threat. We recommend to check the security of your computer.



Have you ever opened the Task Manager of your operating system and found multiple running copies of the same file called svchost.exe? What is this file and can it harm your computer? Can and should it be removed? We will talk about this and many other issues related to this file in this article.

Definition

Svchost.exe is the general name of the main process for services launched from dynamic libraries in the Windows OS line. Each service that accesses the svchost.exe file starts its own copy of this file on the computer. Thus, several dozen copies of it can be displayed in the task manager at once. Such a system was invented in order to save as much free space as possible in the device's memory.

Is this file safe?

The svchost.exe file itself is an important component of the operating system and does not pose any threat. However, it is not uncommon for malicious code picked up on the Web to disguise itself as this file. The expectation is that a file with this name will be harder for you to detect and that you will be afraid to delete it, considering it a system file.

Where is this file located?

Recognizing whether a particular running process with the name svchost is a virus is quite simple. First of all, you need to know where the real, safe svchost.exe file can be located:

  • C:\WINDOWS\system32
  • C:\WINDOWS\ServicePackFiles\i386
  • C:\WINDOWS\Prefetch
  • C:\WINDOWS\winsxs\ (any folder inside this directory).

If you find the svchost file in any other location, be aware that you are dealing with a virus. The only exceptions are antivirus and some other programs that also create folders of the same name, but do not pose a threat to your computer.

How to see what services are running with svchost?

Consider this issue on the example of Windows 7.

  1. Hold down the Ctrl + Alt + Del keys at the same time and select "Start Task Manager".
  2. Click the Processes tab and select "Show processes from all users".
  3. In the list that opens, you can see how many copies of the file are currently running on your computer and on behalf of which user. Be aware that the system file svchost.exe can only be run as the LOCAL SERVICE, SYSTEM, NETWORK SERVICE, or System users. If the file is run under the name of the local machine, you are dealing with a virus.
  4. To see which service launched a particular copy of a file, right-click on the copy from the list and select "Go to Services" or select the copy from the list with the left mouse button and open the adjacent "Services" tab.
  5. To find out what a particular service is and what functions it performs on a computer, click on the "Services ..." button in the lower right corner of the window that opens.

How to remove a virus masquerading as svchost?

If you suspect that your computer is infected with a virus that masquerades as the svchost file, the best solution is to download a program specially designed to remove these types of files from your computer. An example of such a program is the Security Task Manager or the AVZ antivirus utility. After removing suspicious files, you will need to restart your computer and perform a full system scan for viruses. Only after that you can be completely sure that you got rid of the virus, and this file no longer threatens the security of your computer.

There are many different processes and mysterious files in the Task Manager that constantly consume some kind of computer resources, turn on, turn off and live their active digital life. Among them, users find the so-called Host Process for Windows Services, also known as svchost.exe. This article will tell you what this process is for.

What is the svchost.exe process

Host Process for Windows Services is a system process of the operating system. Windows services that are launched from executable files are registered in the task manager as full-fledged separate processes with their own names and graphs for memory, processor, disk and network consumption. Services that are loaded from dynamic link libraries (DLLs) cannot "register" as a full-fledged process. Instead, the system registers them as a process known as the Host Process for Windows Services or svchost.exe. These services include network connection managers, the Plug-and-Play service, the update center, protection mechanisms, and so on.

Another feature is that for each service based on dynamic link libraries, the system creates a separate host process. This is why you may see multiple svchost.exe entries in the Task Manager. To see how many svchost.exe instances you are running, open the Task Manager and go to the Details tab. Often there are several dozen host processes for Windows services. This is the norm.

host processes. Thousands of them.

Unfortunately, the Task Manager does not allow you to see exactly how many services or groups are associated with each host process. If you're really interested in knowing which libraries are attached to your computer's host processes, you'll need a small utility, Process Explorer, developed by Microsoft. It's "portable", so you don't need to install it. Just download it and extract it to the desired location. Run the file procexp64 if you have a 64-bit version of Windows, or procexp if 32-bit. In the process list, find svchost.exe: these are the same host processes for Windows services. Hovering over one of them displays a list of services associated with that particular process, for example Local Session Manager, HID Device Access, Local Event Log, User Profile Service, and so on: many different services vital to the operation of Windows.

svchost.exe uses CPU

You may notice that immediately after the computer is turned on, all the host processes of Windows services load your computer more heavily, especially the processor. This is also normal. After some time (not very long) everything will calm down, and the load will drop. Why is this happening? When Windows starts, the host process scans all service and registry entries and lists the DLL services needed to start. Then these services are loaded, which increases the consumption of processor resources.

Other factors also increase the CPU load from the svchost.exe process. For example, the system is indexing, downloading an update, or performing some other background task that is required to maintain the system. Of course, there are also abnormal situations when one of the system services does not work correctly, which leads to a load on the processor and a slowdown in computer performance. There can be many reasons for this: for example, damaged system files, a problematic driver, a service failure, a failing hard drive, or malware.

Often, the root cause of abnormal CPU usage is a failure in one or more services. You can diagnose such a failure in the same Process Explorer utility. Find the process in it that consumes the most resources and hover the mouse cursor over it. A list of the associated services will appear in the tooltip window. Try turning them off and see the result. Having found the problematic one, follow the instructions for solving problems with that service.

A warning: system services should not be blindly disabled. Make sure you know what you're doing and that you're confident in your ability to get it back. Blind manipulation of the system can damage its operation.

svchost.exe - virus or not

We have already understood that the svchost.exe process or the Host Process for Windows Services is a standard system mechanism that, in principle, cannot be a virus on a normally working computer. However, there are times when malware or a virus impersonates svchost.exe.

Pay attention to the location of the file. On the Task Manager's Details tab, right-click one of the svchost.exe entries and select File Location. Its main location is the folder C:\Windows\System32 or SysWOW64. A file with the same name is also found in the directories Prefetch, WinSxS and ServicePackFiles, but you will never get to these folders from the Task Manager if svchost.exe is operating normally.

If malware is suspected and anomalies are found in the location of svchost.exe, you will need to turn to your antivirus, which is quite obvious. This guide will only help you understand the reason for the increased load on the computer from the svchost.exe process.
