Description of Svchost.exe in Windows 2000
Active Ports does not give information about what each instance of SvcHost is actually running. This will tell you. I have included a link to the utility required that I have placed in our software library.
Svchost.exe is a generic host process name for services that are run from
dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32
folder. At startup, Svchost.exe checks the services portion of the registry
to construct a list of services that it needs to load. There can be multiple
instances of Svchost.exe running at the same time. Each Svchost.exe session
can contain a grouping of services, so that separate services can be run
depending on how and where Svchost.exe is started. This allows for better
control and debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
To view the list of services that are running in Svchost:
Tlist.exe displays a list of active processes. The -s switch shows the list of active services in each process. For more information about the process, type tlist pid.
The following sample Tlist output shows two instances of Svchost.exe
running:
0 System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
220 lsass.exe Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe
The registry settings for the two groupings in this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
rpcss: Reg_Multi_SZ: RpcSs
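The group-to-instance mapping above can be checked mechanically. The Python script below is an added example, not part of the original article: it parses tlist -s output and matches each svchost.exe instance against the Svchost group values, reporting any hosted service that appears in no listed group. The function names are illustrative, and PID 999 with the service name UnlistedSvc is constructed sample data.

```python
import re

# Svchost groups as listed on the page (REG_MULTI_SZ values under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost).
GROUPS = {
    "netsvcs": ("EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto "
                "Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc").split(),
    "rpcss": ["RpcSs"],
}

# Lines taken from the page's Tlist sample, plus one constructed line
# (PID 999, service "UnlistedSvc") to show the unmatched case.
TLIST = """\
 404 svchost.exe Svcs: RpcSs
 452 spoolsv.exe Svcs: Spooler
 556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
 999 svchost.exe Svcs: UnlistedSvc
"""

LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+Svcs:\s*(\S*)\s*$")

def parse_tlist(text):
    """Return {pid: (image, [services])} for every line carrying a Svcs: field."""
    procs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pid, image, svcs = m.groups()
            procs[int(pid)] = (image.lower(), [s for s in svcs.split(",") if s])
    return procs

def classify(procs, groups):
    """Map each svchost.exe PID to (group or None, services outside that group)."""
    # Service names are case-insensitive: "Rasman" in the key, "RasMan" in Tlist.
    index = {svc.lower(): g for g, svcs in groups.items() for svc in svcs}
    report = {}
    for pid, (image, svcs) in procs.items():
        if image != "svchost.exe":
            continue
        owners = [index.get(s.lower()) for s in svcs]
        named = {g for g in owners if g}
        # One instance hosts one group; zero or several matches means no clean fit.
        group = named.pop() if len(named) == 1 else None
        stray = [s for s, g in zip(svcs, owners) if group is None or g != group]
        report[pid] = (group, stray)
    return report

if __name__ == "__main__":
    for pid, (group, stray) in classify(parse_tlist(TLIST), GROUPS).items():
        print(pid, group or "NO GROUP", "unexpected:", stray or "-")
```

An instance reported with no group, or with unexpected services, is the one whose service entry and ServiceDLL value under the Services key deserve a closer look.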