svchost.exe

svchost.exe (Service Host, or SvcHost) is a system process that can host from one to many Windows services in the Windows NT family of operating systems.[1] Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family.[2] However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. Problems with various hosted services, particularly with Windows Update,[3][4] get reported by users (and headlined by the press) as involving svchost.

The svchost process was introduced in Windows 2000,[5] although the underlying support for shared service processes has existed since Windows NT 3.1.[2]

Implementation

Its executable image, %SystemRoot%\System32\Svchost.exe or %SystemRoot%\SysWOW64\Svchost.exe (for 32-bit services running on 64-bit systems), runs in multiple instances, each hosting one or more services.

Services running in SvcHost are implemented as dynamically-linked libraries (DLLs). Each such service's registry key must have a value named ServiceDll under the Parameters subkey, pointing to the respective service's DLL file. Its ImagePath definition is of the form %SystemRoot%\System32\svchost.exe -k <service group> (e.g. netsvcs). Services sharing the same SvcHost process specify the same parameter, having a single entry in the SCM's database. The first time that a SvcHost process is launched with a specific parameter, it looks for a value of the same name under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key, which it interprets as a list of service names. Then, it notifies the SCM of all the services that it hosts. The SCM doesn't launch a second SvcHost process for any of those received services: instead, it simply sends a "start" command to the respective SvcHost process containing the name of the service that should be launched within its context, and whose respective DLL SvcHost loads.
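
The registry layout described above can be checked read-only from PowerShell. The following is an added example, not part of the original article or of any Microsoft tool: it walks each service group under the Svchost key, resolves every member's ImagePath and ServiceDll, and lists the entries that deviate from the documented form. It assumes a 64-bit PowerShell session; the output property names (HostOk, GroupOk, DllExists) are illustrative.

```powershell
# Added example: read-only audit of svchost service groups.
# Some Parameters subkeys may only be readable from an elevated session.
$groupKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$hostImages = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

$key = Get-Item -Path $groupKey
$report = foreach ($group in $key.GetValueNames()) {
    # Each multi-string value is one service group; its data is the member list.
    if ($key.GetValueKind($group) -ne 'MultiString') { continue }

    foreach ($name in $key.GetValue($group)) {
        $svc = Get-ItemProperty -Path "$svcRoot\$name" -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # named in the group list but not installed

        # ImagePath should be "<svchost.exe> -k <group>"; split it into both parts.
        $image = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
        $exe = $null; $kArg = $null
        if ($image -match '^"?(?<exe>[^"]*\\svchost\.exe)"?\s+-k\s+(?<grp>\S+)') {
            $exe  = $Matches['exe']
            $kArg = $Matches['grp']
        }

        # ServiceDll lives under the service's Parameters subkey.
        $dll = (Get-ItemProperty -Path "$svcRoot\$name\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

        [pscustomobject]@{
            Group      = $group
            Service    = $name
            HostOk     = $hostImages -contains $exe    # case-insensitive match
            GroupOk    = $kArg -eq $group              # -k argument equals the group name
            ServiceDll = $dll
            DllExists  = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

# Entries that deviate from the documented layout are the ones to review.
$report | Where-Object { -not ($_.HostOk -and $_.GroupOk -and $_.DllExists) } |
    Sort-Object Group, Service | Format-Table -AutoSize
```

A flagged row is a starting point for review rather than a verdict: stale group entries and services that were reconfigured to run in their own process also show up here.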

According to a 2003 MS presentation, the minimum working set of a shared service is approximately 150 KB vs. 800 KB for a standalone process.[6]

Service tags

Starting with Windows Vista, the internal identification of services inside shared processes (svchost included) is achieved by so-called service tags. The service tag for each thread is stored in the SubProcessTag of its thread environment block (TEB). The tag is propagated across all threads that a main service thread subsequently starts, except for threads created indirectly by Windows thread-pool APIs.[7]

The set of service tag management routines is currently an undocumented API, although it is used by some Windows utilities like netstat to display the TCP connections associated with each service. Some third party tools like ScTagQuery also make use of this API.[7]

Svchost.exe (netsvcs)

Netsvcs is a sub process used by svchost.exe (netsvcs).[8] If and when there is a memory leak, svchost.exe consumes and hogs the CPU. This issue occurs because of a handle leak in the Winmgmt service after Windows Management Framework 3.0 is installed on the computer.[9] The Winmgmt service is the Windows Management Instrumentation (WMI) service within the svchost.exe process that is running under the LocalSystem account.

Identification and management of hosted services

In Windows XP and later editions, the tasklist command with the /svc switch includes a list of component services in each process.

In Windows Vista and Windows 7, a "Services" tab in Windows Task Manager includes a list of services and their groups and process IDs (PIDs); right-clicking on a svchost instance in the Task Manager and selecting "Go to Service(s)" also switches to the list of services and additionally selects the services running under the corresponding svchost instance.

In Windows 8, the Task Manager interface was streamlined so that each svchost entry can be expanded by a single click to a sub-list of services running inside it.

Microsoft's Sysinternals Process Explorer also provides information about services running under svchost.exe processes when the user hovers the mouse over the svchost instance.

None of the above methods allows the user to identify which of the multiple services running inside a svchost instance taxes a particular resource, e.g. processor, disk, network or memory; the Windows Resource Monitor only does accounting for most of those resources at process granularity. It does, however, account for processor usage at service granularity on its "CPU" tab.[10] A service-aware list of TCP connections and UDP ports opened can be obtained using netstat -b.

In order to troubleshoot other kinds of problems with a service running inside a svchost instance, the service (or all of the services suspected of causing the problem) must be reconfigured so that each runs inside its own svchost instance. For example, sc config foo type= own will reconfigure the service named "foo" to run in its own svchost instance. Changing the type back to shared is done by an analogous command. The service must be restarted for this kind of configuration change to take effect. This debugging process is not foolproof, however; in some cases, a heisenbug may happen, which causes the problem to go away when the service is running separately.[11]

A more complex method of troubleshooting is creating an isolated service group.[12]

In Windows 10, starting from release 1703, svchost was refactored by Microsoft to only host one service per process depending on system specification.[13] The default setting causes services to be hosted independently when the system has at least 3.5 GB of RAM.

References

  1. Russinovich, Solomon & Ionescu (2009:302)
  2. "Shared Services". Retrieved 1 October 2014.
  3. Woody Leonhard (16 December 2013). "Microsoft promises to fix Windows XP SVCHOST redlining 'as soon as possible'". InfoWorld. Retrieved 1 October 2014.
  4. "Svchost.exe gets worse before it's fixed - Series - Windows Secrets". Retrieved 1 October 2014.
  5. "How to troubleshoot Service Host (svchost.exe) related problems?". Retrieved 1 October 2014.
  6. David B. Probert, Windows Service Processes
  7. Russinovich, Solomon & Ionescu (2012:335)
  8. "High CPU Usage by svchost.exe (nets". Appuals.com. 2015-12-03. Retrieved 2016-08-12.
  9. "High memory usage by the Svchost.exe". support.microsoft.com. Retrieved 2016-08-12.
  10. "Figuring out why my SVCHOST.EXE is at 100% CPU without complicated tools in Windows 7 - Scott Hanselman". Retrieved 1 October 2014.
  11. "What is svchost.exe, and why do I have so many instances of it?". Retrieved 1 October 2014.
  12. "Getting Started with SVCHOST.EXE Troubleshooting". Retrieved 1 October 2014.
  13. "Changes to Service Host grouping in Windows 10". Microsoft. Retrieved 30 April 2018.

Further reading

  • Russinovich, Mark; Solomon, David; Ionescu, Alex (2009), Windows® Internals (5th ed.), Microsoft Press, ISBN 0-7356-2530-1
  • Russinovich, Mark; Solomon, David; Ionescu, Alex (2012), Windows Internals. Part 1 (6th ed.), Microsoft Press, ISBN 978-0-7356-4873-9
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.