
How to find the svchost exe file. Removing the svchost exe virus from a Windows system. Universal Windows troubleshooters

It is no secret to any Windows user that when the computer freezes or slows down, the first thing to do is look at the “Task Manager” and end the processes that are weighing down the system. The task, let’s say, is one for first-graders: we have been there before and know what is where. However, looking once again into the notorious Task Manager, many users are surprised to notice, almost for the first time, that the svchost.exe process is overloading the central processor and, note, is displayed not on one line but on 4 or even more at once:

Well, think for yourself, what other reaction could there be at this moment, other than panic at the thought that a virus has settled on your favorite PC? In my memory, there has never been a time when system processes were duplicated in the “Task Manager”! However, before looking in horror for a solution on how to quickly remove svchost.exe from your computer, you need to figure out whether it is actually a virus or not.

Step No. 1: Detecting viruses

Perhaps it’s worth noting right away that the svchost.exe process itself does not pose any threat to Windows, no matter how strange it may seem. In fact, it is designed to run the services built into the system and various programs that use special DLL libraries in their work. However, given that there are often quite a lot of such system services on a computer, executing them all in one process can be very difficult. This is why svchost.exe is often launched several times, each instance serving individual Windows services.

It is clear that deleting such processes does not make any sense, since to disable them it will be enough to simply restart the computer. At the same time, completely removing the svchost.exe system file may cause crashes in Windows, all sorts of errors and other problems. That’s why, having discovered a whole array of svchost.exe entries in the “Task Manager”, there is no need to rush to say goodbye to them right away: everything can be much simpler.

However, you shouldn’t relax in this case either. The fact is that viruses often disguise themselves as svchost.exe, bringing with them very unpleasant gifts in the form of:

  • random exit of the computer from sleep mode;
  • system errors appearing when launching applications, opening the drive or reading a disc;
  • automatic Windows reboots;
  • turning off the computer for no reason;
  • PC slowdown due to CPU load of more than 90%;
  • spontaneous opening of applications, etc.

The question arises: how, in this case, can we determine which svchost.exe is a virus and which is the normal system process? The answer is simple: take a closer look at it.

So, the first sign that svchost.exe is a virus will be the execution of this process on behalf of the user (normally it is launched on behalf of LOCAL SERVICE, SYSTEM (system) or NETWORK SERVICE). To determine this, just press Ctrl+Shift+Esc on your keyboard at the same time, thereby calling up the “Task Manager”, then select the “Processes” tab in the window that opens and, finally, look at the data specified in the “User” column for the process svchost.exe:

Note that for the same purpose you can, if desired, use the Process Explorer program, which displays full information about all processes running on the computer, including svchost.exe:

At the same time, the location of such a file can help determine whether there is a threat from svchost.exe. Remember: normally it is stored only in one of 4 folders located on the hard drive, namely in the directory:

  • WINDOWS\Prefetch
  • WINDOWS\ServicePackFiles\i386
  • WINDOWS\system32
  • WINDOWS\winsxs

Accordingly, if svchost.exe is located in some other place, for example, separately in the WINDOWS folder, rest assured: this is a real virus. At the same time, the “Task Manager” can again help you check whether this is actually the case. In this case, after starting it, you will need to right-click on the line with the process name svchost.exe, select “Properties” in the menu that opens, and then pay attention to the “Location” field:

In addition, the name of the process itself can be a clue. Thus, any deviations from the spelling of svchost.exe in the image name can be safely regarded as a hidden virus threat. Therefore, if you see in the “Task Manager” processes such as svhost.exe, svehost.exe, svxhost.exe, svchos1.exe, svchest.exe, svch0st.exe and other misspelled values, you can safely delete them: these are viruses.
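The three checks from this step (account, folder, name) applied to process records, as an added example that is not part of the original article. The process list is constructed sample data, the function names are illustrative, and the 0.8 name-similarity threshold is an assumption.

```python
import ntpath
from difflib import SequenceMatcher

GENUINE_NAME = "svchost.exe"
# Accounts and folders exactly as listed in the article above.
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
ALLOWED_DIRS = {
    r"c:\windows\prefetch",
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\system32",
    r"c:\windows\winsxs",
}
WINSXS_PREFIX = "c:\\windows\\winsxs\\"  # assumption: accept winsxs subfolders too
NAME_SIMILARITY = 0.8  # assumption: threshold for a misspelled svchost.exe


def account_of(user):
    # "NT AUTHORITY\SYSTEM" and "SYSTEM" both compare as "system"
    return user.rsplit("\\", 1)[-1].strip().lower()


def in_allowed_dir(path):
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    return folder in ALLOWED_DIRS or folder.startswith(WINSXS_PREFIX)


def triage(proc):
    """Return the list of findings for one process record."""
    findings = []
    name = proc["name"].lower()
    if name != GENUINE_NAME:
        ratio = SequenceMatcher(None, name, GENUINE_NAME).ratio()
        if ratio < NAME_SIMILARITY:
            return findings  # unrelated process, not a masquerade candidate
        findings.append("name imitates svchost.exe")
    if account_of(proc["user"]) not in SERVICE_ACCOUNTS:
        findings.append("runs under account " + proc["user"])
    if not in_allowed_dir(proc["path"]):
        findings.append("image outside the expected folders")
    return findings


def suspicious(procs):
    """Map PID -> findings for every record with at least one finding."""
    result = {}
    for proc in procs:
        findings = triage(proc)
        if findings:
            result[proc["pid"]] = findings
    return result


# Constructed sample data, shaped like the Task Manager columns.
SAMPLE = [
    {"pid": 812, "name": "svchost.exe", "user": r"NT AUTHORITY\SYSTEM",
     "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1044, "name": "svchost.exe", "user": r"NT AUTHORITY\NETWORK SERVICE",
     "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3920, "name": "svchost.exe", "user": r"DESKTOP-01\SuperUser",
     "path": r"C:\Windows\svchost.exe"},
    {"pid": 4108, "name": "svch0st.exe", "user": r"NT AUTHORITY\SYSTEM",
     "path": r"C:\Windows\System32\svch0st.exe"},
    {"pid": 5000, "name": "explorer.exe", "user": r"DESKTOP-01\SuperUser",
     "path": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, findings in suspicious(SAMPLE).items():
        print(pid, "; ".join(findings))
```

On Windows 10 and later, per-user services also run svchost.exe under the signed-in account, so treat the account finding as a reason to inspect the file rather than as proof.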

Step No. 2: Remove viruses from svchost.exe

It must be said that, because of the many varieties of svchost.exe viruses, there is currently no universal method for removing them from a computer. One option is a full scan of Windows with the antivirus program installed on the PC. The main thing in this case is not to forget, before starting it, to:

  • disconnect from the local network and the Internet;
  • end suspicious svchost.exe processes in the Task Manager;
  • clear svchost.exe entries from startup. To do this, press Win+R on the keyboard, enter msconfig in the “Run” utility that appears, click OK, and then select the “Startup” tab in the window that opens and check whether svchost.exe is present in it:

At the same time, so that the effect of treating the computer does not turn out to be temporary, you must take care to install and keep updated a powerful antivirus and firewall in Windows. This is the only way to be sure that the problem with the malicious Trojan file svchost.exe will not return to the system.

How many "svchost.exe" processes should be running? It is impossible to answer this question, since in each case the number of running "svchost.exe" processes is different. It depends not only on the version of your operating system, but also on its build!

Since it is impossible to know the exact number of processes, the creators of malware could not pass up this opportunity!

A huge number of viruses, Trojans and other malicious programs have chosen the “svchost.exe” process and disguise themselves as it in order to hide in the system.

That is, malicious programs are launched with the name “svchost.exe” and are lost among the many system processes with the same name. As a result, their chances of remaining undetected in the system increase several times.

How to identify the malicious process svchost.exe

Naturally, if the user suspects that the “svchost.exe” process is malicious, then the first thing the user will do is scan the computer for viruses and other things.

But, if after scanning the antivirus program reports that the system is clean and no malware was detected, this may not be entirely true!

In this case, it is worth checking the “svchost.exe” process manually. This is done quite simply, all you need is to know a few things about the svchost.exe process.

1) The process always starts from the system folder “System32”. If this is not the case, then most likely the file named svchost.exe is malicious.

2) The svchost.exe process will never run as the user - this must be remembered. The process always starts as “Local Service”, “System” or “Network Service”.

As you understand, if the svchost.exe process was launched under the current user name or not from the system folder, then it is worth taking measures to check the suspicious file.

To make sure that the original file is running, launch the task manager and find the list of “svchost.exe” processes on the “Details” tab.

In this screenshot, all processes are launched by the system itself, which suggests that, most likely, there is no malicious file named “svchost.exe” in this list. Pay attention to the screenshot below...

In this screenshot we see the svchost.exe process running as a user named “SuperUser”. This suggests that this process is most likely malicious.

Right-click the process and select “Open location” from the context menu; Windows Explorer will open and you will find out the full path to the suspicious file! What to do with it next, I think, is clear as day!

Important to know: Some viruses simply use the name “svchost.exe” to hide their presence in the system, but they can also use the original svchost.exe file for their own selfish purposes.

In this regard, a manual check will not give results here! It has also already been said above that an antivirus may not give any results in searching for a virus! A logical question arises: what to do?

As an option, use a free “firewall”, among which I personally highlight “comodo firewall”. How can it help us? It's simple! If a virus using the svchost.exe process suddenly decides to show network activity, the user will be aware of it!

From the screenshot you can clearly see that the svchost file is trying to connect to the server on port 80, the original file will never do this, so svchost is infected!

You can quickly block network access for the svchost file, which would be quite reasonable, since in this case there is a possibility of confidential data, such as passwords from the browser, being transmitted to the “Gate”.

If such information leaks, you understand how it can end for you!

What to do with an infected svchost.exe file? Since the current antivirus and manual scanning are of absolutely zero use, open the website “virustotal.com” and check the file. By the way, do it right now!

My result is this. Everything is clean! If any antivirus had reacted, for example “Avast”, then I would uninstall the current antivirus, install Avast and cure svchost.exe.

SVCHOST.EXE is one of the important processes when running Windows OS. Let's try to figure out what functions are included in its tasks.

SVCHOST.EXE can be seen in the Task Manager (press Ctrl+Alt+Del or Ctrl+Shift+Esc to open it) in the "Processes" section. If you do not see elements with a similar name, then click “Display processes of all users”.

For ease of display, you can click on the field name "Image name". All data in the list will be arranged in alphabetical order. There can be a lot of SVCHOST.EXE processes: from one and theoretically to infinity. But in practice, the number of simultaneously active processes is limited by the parameters of the computer, in particular the power of the CPU and the amount of RAM.

Functions

Now let us outline the range of tasks of the process under study. It is responsible for the operation of those Windows services that are loaded from DLL libraries. For them, it is the host process, that is, the main process. Running it once for several services significantly saves RAM and the time needed to complete tasks.

We have already found out that there can be many SVCHOST.EXE processes. One is activated when the OS starts. The remaining instances are launched by services.exe, which is the Service Manager. It forms blocks of several services and runs a separate SVCHOST.EXE for each of them. This is the essence of the saving: instead of running a separate file for each service, SVCHOST.EXE is activated, which unites a whole group of services, thereby reducing the level of CPU load and the consumption of PC RAM.

File location

Now let's find out where the SVCHOST.EXE file is located.


Why does SVCHOST.EXE load the system?

Relatively often, users encounter a situation where one of the SVCHOST.EXE processes loads the system. That is, it uses a very large amount of RAM, and the CPU load from the activity of this element exceeds 50%, sometimes reaching almost 100%, which makes working on a computer almost impossible. This phenomenon may have the following main reasons:

  • Substitution of a process by a virus;
  • A large number of simultaneously running resource-intensive services;
  • OS malfunctions;
  • Problems with the Update Center.

Ways to solve these problems are described in detail in a separate material.

SVCHOST.EXE – virus agent

Sometimes SVCHOST.EXE in the Task Manager turns out to be a virus agent, which, as mentioned above, loads the system.

  1. The main sign of a viral process, which should immediately attract the user’s attention, is its large consumption of system resources, in particular the high CPU load (more than 50%) and RAM. To determine whether a real or fake SVCHOST.EXE is loading your computer, activate the Task Manager.

    First we pay attention to the field "User". In different versions of the OS it can also be called "Username" or "User Name". Only the following names can match SVCHOST.EXE:

    • Network Service;
    • SYSTEM ("system");
    • Local Service.

    If you notice that the object being studied is listed under any other user name, for example, the name of the current profile, then you can be sure that you are dealing with a virus.

  2. It is also worth checking the location of the file. As we remember, in the vast majority of cases, minus two very rare exceptions, it must correspond to the address:

    C:\Windows\System32

    If you find that the process refers to a directory different from the three discussed above, then you can confidently say that there is a virus in the system. Especially often the virus tries to hide in the folder "Windows". You can find out the location of the files using Explorer in the manner described above. You can use another option. Right-click on the item's name in the Task Manager. From the menu, select "Properties".

    A properties window will open, in which, in the tab "General", there is a parameter "Location". Opposite it is the path to the file.

  3. There are also situations when the virus file is located in the same directory as the genuine one, but has a slightly changed name, for example, “SVCHOST32.EXE”. There are even cases when, in order to deceive the user, attackers insert the Cyrillic “С” instead of the Latin letter “C” into the name of the Trojan file or insert “0” (“zero”) instead of the letter “O”. Therefore, you need to pay special attention to the name of the process in the Task Manager or of the file that initiates it in Explorer. This is especially important if you see that this object consumes too many system resources.
  4. If your fears are confirmed and you find out that you are dealing with a virus, it should be eliminated as quickly as possible. First of all, you need to stop the process, since all further manipulations will be difficult, if not impossible, due to the processor load. To do this, right-click on the virus process in the Task Manager. Select "End process" from the list.
  5. A small window opens where you need to confirm your actions.
  6. After this, without rebooting, you should scan your computer with an antivirus program. It is best to use the Dr.Web CureIt application for these purposes, as it is the most proven in the fight against a problem of this very nature.
  7. If using the utility does not help, you should delete the file manually. To do this, after ending the process, go to the directory where the object is located, right-click on it and select "Delete". If necessary, confirm the intention to delete the element in the dialog boxes.

    If a virus is blocking the removal procedure, then restart your computer and log in to Safe Mode (Shift+F8 or F8 while loading). Eliminate the file using the above algorithm.

Thus, we have found out that SVCHOST.EXE is an important Windows system process that is responsible for interacting with services, thereby reducing the consumption of system resources. But sometimes this process can turn out to be a virus. In this case, on the contrary, it squeezes all the juice out of the system, which requires an immediate response from the user to eliminate the malicious agent. Additionally, there are situations where, due to various glitches or lack of optimization, SVCHOST.EXE itself can be the source of problems.

Users who frequently use Task Manager have noticed that several svchost.exe services are displayed in the list of worker processes. But not everyone, and especially inexperienced users, know what svchost.exe is in the Task Manager and what it is responsible for.

What is svchost.exe?

Svchost.exe is a system executable file (as the name suggests) for Windows OS. It is responsible for launching some applications and functions, reducing the load on the CPU and RAM. Therefore, you cannot remove it from the system (except in cases where malware is disguised as this service or when you can disable unused services).

If you see multiple copies of svchost.exe in Task Manager, don't worry as the number depends on the number of running programs: the more there are, the more of these services there are.

How the process works

This process is present in almost every version of Windows OS, but its potential was revealed only with the release of Windows XP. Previously, it was primarily responsible for the network connections through which the computer connects to the Internet. But Microsoft developers decided not to stop there, so now the service is designed to run background local processes related to dynamic libraries that have the “.dll” extension.

Interesting! Dynamic libraries cannot be launched in normal mode.

svchost.exe allows you to save computer resources because you do not need to physically run an executable file when using a service. Therefore, the number of processes loading the PC's RAM and virtual memory is reduced. It is because of this that several services with the same name are simultaneously displayed in the Task Manager.

In addition, the svchost.exe file is automatically launched when Windows starts, regardless of what programs are “hanging” in the . That is why completely shutting down unnecessary services and applications will not affect its loading.

Reasons for high resource load

Often, users notice that a process loads one of the resources (processor or RAM) of the device, regardless of whether programs are running or not. There are various reasons for this.

Viruses

The main reason is malware that has entered the computer and “masquerades” as the svchost.exe file. Sort processes in Task Manager by name and see on whose behalf these services are running. If one runs on behalf of a user account (your account), then this is the “trick” of the virus. If the “Username” column indicates Local Service, Network Service or System, such a file is safe.

If you think you have discovered a virus, right-click on the process → Open file location. This way you will determine the location of the malware and check it through the VirusTotal.com portal. But it’s better to immediately scan the system using Dr.Web CureIt or Malwarebytes Anti-Malware. The point is that removing one executable file will not help get rid of the virus, since there are probably auxiliary fragments on the computer that will restore it after a reboot or simply prevent it from being deleted.

Downloading updates

Since in most cases the user does not change OS settings, Windows is set to automatically download updates by default. This is also the “responsibility” of svchost.exe. To disable downloading updates:


Problematic programs

This reason is typical for those users who install a huge number of programs and applications on their computer and do not monitor them. To identify unnecessary software, install Process Explorer on your PC. It will help you determine which programs are taking up device resources even though you are not using them.

Another advantage of Process Explorer is that it works closely with the file checking service for malware - VirusTotal, so it will help distinguish system services from viruses.

To check a file, select it in the program window → Options → VirusTotal.com → Check VirusTotal.com.

Using µTorrent

Often, the µTorrent program loads computer resources when downloading files. To reduce CPU load:

Troubleshooting

The easiest way to reduce the load on the main components of your computer is to restart it. But this approach does not always help. The drastic measure is to “kill” the svchost.exe process in the Task Manager. How to do this for Windows 10.


How to recognize a virus?

It is easy to recognize a virus that disguises itself as the svchost.exe file. It runs under the user account or under any other account except Local Service, Network Service or System.

Another characteristic feature is “mistakes” in the name. Processes called svhost, svchosts or others are malware that need to be removed.

"Cleaning" the system

If you find a virus on your computer masquerading as the svchost.exe file, run an in-depth system scan with installed antivirus software.

Important! Scanning with the installed software will most likely not bring results.

It is better to use special utilities from well-known companies: Dr.Web CureIt, Malwarebytes Anti-Malware or Kaspersky Rescue Disc. They will identify and neutralize malware.


As a rule, most Trojans and spyware try to hide their presence on the computer, for which they resort to various tricks: for example, they carefully hide their processes or disguise themselves as system processes. Any system process can become a potential "victim" of a virus, but most often malware hides behind the mask of the svchost process.

And they have their own reasons for this. The fact is that svchost is launched in several copies that are practically indistinguishable from each other, so if another svchost process appears in the Task Manager, and their number can reach several dozen, this will not cause much suspicion on the part of the user. But if they are the same, how can you tell which one is real and which one is a wolf in sheep's clothing?

It turns out that it is not so difficult, but before we begin to identify them, let me say a few words about the svchost process itself. As can be seen from its full name, Generic Host Process for Win32 Services, it is responsible for the operation of services, both system and third-party ones, that use DLL dynamic libraries, which in turn make up a significant part of Windows files and application programs.

This process is so important that if the file is damaged, Windows will not be able to work normally. There are at least four instances of the svchost process on a running system, but there may be many more. The need for such duplication is explained by the number of services served by the process, as well as the need to ensure system stability.

So how do you know if svchost is real? The first criterion for the authenticity of a file is its location. Its legal habitat is the following folders:

C:/WINDOWS/system32
C:/Windows/SysWOW64
C:/WINDOWS/Prefetch
C:/WINDOWS/ServicePackFiles/i386
C:/WINDOWS/winsxs/ *

Note: the asterisk at the end of the path C:/WINDOWS/winsxs indicates that the folder winsxs may contain a further directory. Typically, it has a long name made of a set of characters, for example, amd64_3ware.inf.resources_31bf3856ad364e35_6.3.9600.16384_ru-ru_7f622cb60fd30b1c . As an exception to the rule, the file may be located in the directory of the anti-spyware program Malwarebytes Anti-Malware.

If it is found in some other folder, especially in the root of the Windows folder or in "Users", then most likely you are dealing with a masquerading virus. You can check the file location from Task Manager by right-clicking on the process and selecting the option from the menu, or by using third-party utilities like Process Explorer. Using third-party file managers, you can also search for all files by mask.

The latter method is not so reliable, since a virus that imitates the svchost process can use a more cunning method of disguise. For example, one of the Latin letters in the file name can be replaced with a Cyrillic one. Externally, such a file will be no different from the real one; moreover, it can be located in the same directory as the "correct" one. However, verifying its authenticity is not difficult. It is enough to compare the character codes of the file name using the Unicode character table. Sometimes an extra letter is added to the name of the svchost file or, vice versa, one is left out. An inattentive user may not notice the difference between, say, svchost.exe and svhost.exe .
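Comparing the character codes of a file name against the genuine one, done programmatically; this is an added example, not code from the original article. The look-alike table is a small constructed subset and the function names are illustrative.

```python
import unicodedata

GENUINE_NAME = "svchost.exe"

# Small constructed subset of characters that render like letters of
# "svchost.exe"; a production check would use the full Unicode
# confusables data (UTS #39).
LOOKALIKES = {
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "0": "o",       # digit zero in place of the letter o
}


def codepoints(name):
    """One 'U+XXXX NAME' entry per character, for side-by-side comparison."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}" for ch in name]


def skeleton(name):
    """Lower-case the name and fold known look-alikes to plain Latin."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in name.lower())


def spoofed_positions(name):
    """Positions where the name differs from svchost.exe only by a look-alike.

    Returns [] for the genuine name (any case) and for names that are not
    visually identical to it, such as svhost.exe.
    """
    lowered = name.lower()
    if lowered == GENUINE_NAME or skeleton(name) != GENUINE_NAME:
        return []
    return [
        (i, f"U+{ord(orig):04X}", unicodedata.name(orig, "UNNAMED"))
        for i, (orig, low, want) in enumerate(zip(name, lowered, GENUINE_NAME))
        if low != want
    ]


if __name__ == "__main__":
    # Constructed sample names: genuine, Cyrillic ES, digit zero, dropped letter.
    for sample in ["svchost.exe", "sv\u0441host.exe", "svch0st.exe", "svhost.exe"]:
        print(repr(sample), spoofed_positions(sample))
    # Character-by-character view of the genuine and the spoofed name.
    for good, bad in zip(codepoints(GENUINE_NAME), codepoints("sv\u0441host.exe")):
        print(f"{good:32} | {bad}")
```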

However, you should not rush to remove a suspicious svchost right away. To begin with, it would be a good idea to check it on a multi-antivirus service like VirusTotal: if the suspicious file turns out to be a fake, at least one of the antivirus programs will give a positive result. A malicious file masquerading as svchost is removed using Dr.Web LiveDisk or the AVZ utility. If you use AVZ, you will also need a special script, which you can download from the link below.


