Improving the world one bad analogy at a time

One thing I am known for at Microsoft is my frequent use of bad analogies. Everybody else at work has had to suffer; now it's your turn.

Why are there so many copies of svchost.exe running? What is svchost.exe anyway?

Traditionally, each service runs in its own process. When you are developing and testing your service, having it in its own process makes debugging a lot easier.

But if you look at your list of services (in Computer Management, Services), you can see that if each one got its own process you'd sure have a whole lot of processes lying around. Since there is a cost to each process merely for existing, having so many processes running would be a waste, since many services are used only sporadically. Tapisrv, for example, is active only when you are doing things with your modem.

For performance reasons, groups of services are thrown together and run in a shared process called svchost. Sort of like a reality TV show, but without the voting.

This means that if you see a copy of svchost.exe going a bit haywire in Task Manager, you can't really tell which service inside it is responsible. Knowledge Base article 314056 describes how you can dig into each svchost to see which services are running inside it. This will at least narrow the problem down to a subset of all the services.
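One way to do that digging from a PowerShell prompt, as an added example that is not part of the original post or of the Knowledge Base article. It assumes Windows PowerShell 3.0 or later and an elevated session; the variable names and output column names are my own.

```powershell
# Map every running svchost.exe to the services it hosts, busiest process first.
# Added example; assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.

# Win32_Service.ProcessId is the PID of the hosting process (0 = service not running).
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    foreach ($svc in $servicesByPid["$($proc.Id)"]) {
        # A service hosted by svchost names its implementation DLL under
        # Parameters\ServiceDll; the value is empty if the key cannot be read.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

        [pscustomobject]@{
            HostPid     = $proc.Id
            CpuSeconds  = [math]::Round([double]$proc.CPU, 1)      # total CPU time of the whole host
            WorkingSetM = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            ServiceDll  = $dll
        }
    }
}

# The CPU and memory figures belong to the host process, not to any one service,
# so each row of a group repeats them. The group is the suspect list.
$report |
    Sort-Object -Property CpuSeconds -Descending |
    Format-Table -AutoSize -GroupBy HostPid -Property Service, DisplayName, CpuSeconds, WorkingSetM, ServiceDll
```

The built-in `tasklist /svc /fi "imagename eq svchost.exe"` prints the same PID-to-service mapping without the resource and DLL columns.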

Comments (9)
  1. _brG_ says:

    I think it's about time you went on vacation ;)

  2. C-J Berg says:

    LOL :)

    The wonderful freeware utility Process Explorer by Mark Russinovich (SysInternals) should not go unnoticed in this context (open the properties for svchost.exe, and the Services tab will show you all registered services in the process).

  3. Jeremy Gray says:

    And if it isn’t obvious yet, the current mechanism must change, lest we will all end up infected with worms that actually run themselves as services under svchost so that they can sneak through programs like ZoneAlarm which because of this mechanism must grant unnecessary permissions to svchost on account of having no clue as to what is running under that .exe at any given time.

    We have multiple GHz machines with hundreds of megabytes of memory. Soon enough we will have desktop 64 bit processors and operating systems to match. We can afford to have a few more unique processes idling around in memory, and, from a security perspective, we’re long past the realm of excuses.

  4. Eyal says:

    Although I agree with Jeremy that the current mechanism must change, I disagree that having more processes is the right way to do it. I think the way to handle this is to let the (e.g.) Tapi service register itself within svchost.exe (so the service will "appear" running), but when it is actually needed, svchost will execute the actual TapiSrv.exe and forward all requests to it. A service will be able to shut down its process and again register for "wake up" when it isn’t used for some time.
    Just a thought.

  5. Fred says:

    What does it have to do with a reality TV show? The fact that they throw a bunch of services into one svchost process instance?

  6. Mike Dimmick says:

    It also means that once a service loads a DLL, that DLL can’t be unloaded – and hence replaced – until all the services in that host process terminate and the host process quits.

    This is why a new MDAC version almost always requires a reboot on Windows 2000 – because some part of Windows (might be IIS) running as a service uses some part of MDAC, and you can’t kill it off.

  7. It is partly because of issues like this that I sincerely regret that the human race hasn’t yet been able to open up the colonization of space. Then we could just go and live on the far side of Jupiter and stop worrying.

  8. The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to…
