Contributed by: Egle Markauskaite
Date: September 22, 2009
If you are a regular visitor of this website and follow computer security news constantly, you might have read the article I wrote on Svchust.exe last week. If not, you will find it here. I decided to write a follow-up article with the intention of focusing your attention, not only on Svchust.exe, but also on Svchost.exe. I could not pass up the opportunity to compare the two. They look identical at first sight, don't they? Of course they do! The fact is that cyber criminals often create various types of malware with names almost identical to some legitimate file names. In this case, only one letter is different. Lets first find out what Svchost.exe is and what impact it has on a computer system.
In the Windows NT family of operating systems, Svchost.exe - which is an executable file - is the name of a process for hosting services. These services are stored within dynamically-linked libraries (DLLs). Aren't you aware of what a DLL is? If not, you can get acquainted with it by reviewing this article. The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry in order to create a list of services that it must load. Multiple instances of Svchost.exe can run simultaneously. Each Svchost.exe session can have a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is launched. This grouping of services enables easier debugging and better control.
Since Svchost.exe is used as an ordinary system process, malware creators often use the "svchost.exe" process name to mask their malware. Discovering the image path of a process, and its invoking command line, can help identify malware hiding in this way, and help locate the legitimate program file running under the supposed process name of "svchost.exe". Look at one of our readers' comments on the Svchust.exe file: "It appears I have a virus that is populating porn sites on my desktop, placing popup blocks on my screen telling me that I may be infected, clicks in the background even when I'm not doing anything (like opening web pages), and I am unable to access my antivirus website to ask for tech support ...; I have seen many instances of svchost.exe and svchust.exe in my task manager. Any Ideas on what I can do? ".
As we can see from the points written in the comment, this user might be a victim of the Svchust.exe virus.Also, the user is using Task Manager - a program that comes with the Microsoft Windows NT family of operating systems, it's used to offer detailed information about computer performance and running applications, the processes and CPU usage, commit charge and memory information, network activity and statistics, logged-in users and system services. This specific application can also be used to set process priorities, processor affinity, forcibly terminate processes, shut down, reboot, hibernate or log off from Windows.
It would be better for users to use the excellent Process Explorer tool from Microsoft/Sysinternals, instead of Task Manager, to see which services are running as a part of the Svchost.exe process. Process Explorer is a freeware computer program for Microsoft Windows. In the below screenshot of Process Explorer you will find a hierarchical view of processes involving Svchost.exe:
Image 1. Process Explorer application
This application is a system control and examination tool. It can be used as the first step to debugging software or system problems. Process Explorer offers you a hierarchical view of processes; if you hover your mouse over one of the processes a pop-up list of all the services is displayed. A double-click on Svchost.exe, and the selection of the Services tab, will give you the option to stop one of the services if needed. You are also able to suspend selected processes and the whole process tree can be killed as well. In the next screenshot you will see an instance of Svchost.exe in gray. This means that it is selected for verifying whether it is a component of Microsoft Windows.
Image 2. Process Explorer application
Next, in order to verify if a process is a component of Windows, right-click on the particular Svchost.exe instance and select Properties. It will direct you to the properties of the process:
Image 3. Process Explorer application
If you select the "Verify" button, you will see if the process is a verified component of Windows. In this case, it is verified:
Image 4. Process Explorer application
All in all, be very cautious and attentive, and ensure that you do not confuse Svchust.exe with Svchost.exe!