What Is Svchost.exe (Service Host)?

Definition of svchost.exe and how to delete svchost.exe viruses

What to Know

  • Service Host (svchost.exe) is a legitimate system process used in the Windows OS.
  • It's safe if it's stored here: %SystemRoot%\System32\ or %SystemRoot%\SysWOW64\.
  • You can delete svchost.exe if you find it anywhere else.

This article explains what svchost.exe is, how to know if it's safe, and what to do if you find a svchost.exe virus.

What Is Svchost.exe?

The svchost.exe (Service Host) file is a critical system process provided by Microsoft in Windows operating systems. Under normal circumstances, this file isn't a virus but a crucial component in many Windows services.

The purpose for svchost.exe is to, as the name would imply, host services. Windows uses it to group services that need access to the same DLLs to run in one process, helping to reduce their demand for system resources.

Because Windows uses the Service Host process for so many tasks, it's common to see increased RAM usage of svchost.exe in Task Manager. You'll also see many instances of svchost.exe running in Task Manager because Windows groups similar services together, such as network-related services.

Given that this is such a critical component, you shouldn't delete it or quarantine it unless you've verified that the specific svchost.exe file you're dealing with is unnecessary or malicious. There can be only two folders where the real version is stored, making it easy to spot a fake.

several svchost.exe processes in Task Manager
Svchost.exe Processes (Windows 11).

Which Software Use Svchost.exe?

The svchost.exe process starts when Windows starts, and then checks the HKLM hive of the registry (under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost) for services it should load into memory.

Svchost.exe can be seen running in Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, and Windows 2000.

Beginning with Windows 10 Creator Update (version 1703), for systems running more than 3.5 GB of RAM, every service runs an instance of svchost. If less than 3.5 GB of RAM is available, services are grouped into shared svchost.exe processes just like in previous versions of Windows.

A few examples of Windows services that use svchost.exe include:

  • Windows Update
  • Background Tasks Infrastructure Service
  • Plug and Play
  • World Wide Web Publishing Service
  • Bluetooth Support Service
  • Windows Firewall
  • Task Scheduler
  • DHCP Client
  • Windows Audio
  • Superfetch
  • Network Connections
  • Remote Procedure Call (RPC)

Is Svchost.exe a Virus?

Not usually, but it doesn’t hurt to check, especially if you have no idea why svchost.exe is taking up all the memory on your computer.

The first step in identifying whether svchost.exe is a virus is determining which services each svchost.exe instance is hosting. Since you probably have multiple instances running in Task Manager, you have to dive a little deeper to see what each process is doing before deciding whether to delete the svchost process or disable the service running inside.

Once you know what services are running within svchost.exe, you can see if they’re real and necessary or if malware is pretending to be svchost.exe.

If you have Windows 11, 10, or 8, you can “open” each svchost.exe file from Task Manager.

  1. Open Task Manager.

  2. Select the Processes tab.

  3. Scroll down to the Windows processes section and locate a Service Host: <service name> entry.

    Services running inside svchost.exe
  4. Tap-and-hold or right-click the entry and select Open file location.

    If the location that opens is anything other than either of the following paths, which are where Windows stores authentic copies of svchost.exe, you might have a virus:

    • %SystemRoot%\System32\svchost.exe
    • %SystemRoot%\SysWOW64\svchost.exe
    Svchost.exe in System32 folder
    Svchost.exe in System32 folder (Windows 11).

    The second path is where 32-bit services running on a 64-bit machine are located. Not all computers have that folder.

  5. Back in Task Manager, select the arrow to the left of the entry to expand it. Located directly under the svchost.exe instance is every service it’s hosting.

For other versions of Windows like Windows 7, you can also use Task Manager to see all the services used by svchost.exe, but it isn’t as clearly laid out as it is in newer versions. Do that by right-clicking a svchost.exe instance in the Processes tab, choosing Go to Services, and then reading through the list of highlighted services in the Services tab.

Another option is to use the tasklist command in Command Prompt to product a list of all the services used by all the svchost.exe instances.

To do that, open Command Prompt and enter the following command:

tasklist /svc | find “svchost.exe”
Tasklist /svc command in Windows 7

Another option you have here is to use a redirection operator to export the results of the command to a text file, which might be easier to read.

If you don’t identify something on the list, it doesn’t necessarily mean you have a virus. It could just be a service you don’t recognize but is vital to the essential operations of Windows. There are probably dozens of “virus-looking” services that are entirely safe.

If you’re hesitant about anything you see, search online. You can do that in newer versions of Windows through Task Manager: right-click the service and select Search online. For Windows 7, Vista, or XP, note the service in Command Prompt and type it into Google.

To shut down a service running in svchost.exe, see the two sets of instructions at the bottom of this page.

Why Is Svchost.exe Using So Much Memory?

Like any process, this one requires memory and CPU power to run. It’s normal to see the increased memory usage of svchost.exe, mainly when one of the services using Service Host is being used.

Svchost.exe instance in Task Manager

A big reason for svchost.exe to use lots of memory (and even bandwidth) is if something is accessing the internet, in which case “svchost.exe netsvcs” might be running. It could happen if Windows Update is working to download and install patches and other updates. Other services that are used under svchost.exe netsvcs include BITS (Background Intelligent Transfer Service), Schedule (Task Scheduler), Themes, and iphlpsvc (IP Helper).

One way to stop the svchost process from sucking away so much memory or some other system resource is to stop the services that are to blame. For example, if Service Host slows down your computer because of Windows Update, stop downloading/installing updates or disable the service entirely. Or maybe Disk Defragmenter is defragmenting your hard drive, in which case Service Host will use more memory for that task.

However, it shouldn’t, under everyday situations, be hogging all the system memory. If svchost.exe uses upwards of 90–100 percent of the RAM, you might be dealing with a malicious, non-genuine copy of svchost.exe. If you think that’s what’s happening, keep reading to learn how to delete svchost.exe viruses.

How to Shut Down an Svchost.exe Service

What most people probably want to do with the svchost process is delete or disable a service running inside svchost.exe because it's using too much memory. However, even if you're going to delete svchost.exe because it's a virus, follow these instructions anyway because it'll be helpful for the service to be disabled before trying to delete it.

For Windows 7 and older versions of Windows, it’s easier to use Process Explorer. Right-click the svchost.exe file and choose Kill Process.

  1. Open Task Manager.

  2. Identify the service you want to disable.

    To do this in Windows 11, 10, or 8, expand the Service Host: <service name> entry.

  3. Right-click the Task Manager entry for the service you want to shut down, and choose Stop. Windows will immediately stop that service. Any system resources it was using will be freed for other services and applications.

    Stop service option in Windows 10 Task Manager

    If you don’t see the option to stop the service, make sure you’re selecting the service itself and not the “Service Host” line.

  4. If the service won’t stop because the program is running, exit it. If you can’t, you might be left having to uninstall the software.

You can verify that it’s been shut down, or permanently disable it, by locating the same service in the Services program (search for services.msc from the Start menu). To stop it from running again, double-click the service from the list and change the startup type to Disabled.

Disable service option in Windows 10

How to Remove an Svchost.exe Virus

You can't delete the actual svchost.exe file from your computer because it's too integral and essential of a process, but you can remove fake ones. If you have a svchost.exe file that's anywhere, but in the \System32\ or \SysWOW64\ folder mentioned earlier, it's 100 percent safe to delete.

For example, if your downloads folder contains a Service Host file, or there's one on your desktop or a flash drive, it's evident that Windows isn't using it for important service hosting purposes, in which case you can remove it.

However, svchost.exe viruses are probably not as easy to delete as regular files. Follow these steps to remove the virus:

  1. Right-click the svchost.exe process in Task Manager and select Open file location.

    We won’t do anything with that window just yet, so keep it open.

    Remember that if the folder that opens is one of the System folders mentioned above, your svchost.exe file is clean and should not be deleted. However, take special care to read the file name; if it’s spelled even one letter off of svchost.exe, you’re not dealing with the legitimate file used by Windows.

  2. Right-click the same svchost.exe process and choose End task.

    If that doesn’t work, open Process Explorer and right-click the svchost.exe file, and then select Kill Process to shut it down.

  3. If there are services nested in the svchost.exe file, open them in Task Manager like explained above, and stop each of them.

  4. Open the folder from Step 1 and try deleting the svchost.exe file like you would any other file, by right-clicking it and choosing Delete.

    If you can’t, install LockHunter and tell it to delete the file on the next reboot (this will delete the locked file, something you can't normally do in Windows).

  5. Install Malwarebytes or some other spyware removal tool, and perform a full system scan to delete the svchost process.

    Reboot your computer if something was found.

    If the svchost.exe virus won’t let you install a program on your computer, download a portable virus scanner to a flash drive and scan from there.

  6. Use a full antivirus program to scan for viruses.

    It’s a great idea to have one of these always-on virus scanners anyway, even if a different virus scanner was able to delete the svchost.exe file.

  7. Use a free bootable antivirus program to scan your computer before Windows starts up. These are helpful when the other scanners fail because the svchost.exe virus can’t run unless Windows is running, and a bootable AV tool runs outside of Windows.

  • How many instances of svchost should be running?

    Any number of svchost may be running at any time because several different services are all based on the same svchost.exe system file. Check the name in the Processes tab in Task Manager to make sure it is valid and not malware.

  • What happens if I delete svchost.exe?

    If you delete a legitimate svchost.exe Microsoft Windows executable file, your computer may stop working properly.

Was this page helpful?