the main Programs The svchost process and how to distinguish it from a virus masquerading as it. How to identify a virus masquerading as the svchost system process Where is the svchost file

The svchost process and how to distinguish it from a virus masquerading as it. How to identify a virus masquerading as the svchost system process Where is the svchost file

Almost every PC user has faced the problem of periodic freezing of windows. Most users decided to fix the problem by deleting unnecessary processes through the task manager. After opening the manager and finding a large number of svchost.exe processes, the user starts to panic.

As a result, users decide that a large number of processes are due to system infection. In order not to lose important files, you should delete the malicious svchost. However, not every computer owner knows how to remove svchost exe on Windows 7.

The difficulty of removing virus utilities is due to the fact that they are disguised as a system process, the removal of which can lead to a violation of the stability of the PC and the subsequent need to reinstall Windows. Therefore, before deleting the process and its fundamental, you need to compare the signs of the two files.

The svchost.exe standard process is responsible for some system functions. The file is located in the directory of the disk with the installed Windows OS. A process that runs on Windows can only be signed by SYSTEM, LOCAL SERVICE, or NETWORK SERVICE.

In turn, a fake is most often located in the folders "My Documents", "Programm Files", "Windows". Virus removal experts hint at the versatile storage of the malicious svchost.exe in the windows folder:

system;
config;
inet20000;
inetsponsor;
sistem;
windows;
drivers.

In addition to the fact that viruses fill the system area, they have a similar name to the standard process. Therefore, if you find processes that are similar in name, you should check the service that is responsible for starting them. As a rule, the similarity of the virus processes is determined by the following names: svch0st, svchos1, svcchost, svhost, svchosl, svchost32, svchosts, svschost, svcshost, ssvvcchhoosst. The virus has permission (.exe). Resolution (.com) is sometimes encountered.

Removal by standard methods

You can remove a virus disguised as svchost.exe different ways... The easy way is to remove the main malware that launches the virus. To determine this application, you must and view the properties of svchost.exe in the name of which there is a change. The properties will indicate the service due to which the virus is launched, as well as the exact location.

To remove the virus from windows, in this case, you need to use the "administration" utility. You can select this utility in the "Control Panel". Having opened "Administration" you need to select the "Services" tab.

After looking through the list that appears, you need to find the name of the malicious service and disable its launch in the properties. Then the user has to open the folder where the virus is located and delete it. You can also delete it in another way: you need to stop the process using the task manager, then delete it from the folder.

On a note! Very often a virus is detected by the "System Configuration" check. Opening the msconfig.exe file, select the "Startup" tab. If the name svchost is found in the list, you should remove the ability to run it simultaneously with the system and remove the application that launches it.

Third Party Applications

However, it happens that it is impossible to remove the virus or disable the service. What should the user do in the end and how to remove svchost exe on windows 7. The answer to the question is simple: you need to turn to third-party programs.

Among the programs that actively help windows to fight the malicious svchost.exe are noted:

Cleaning Essentials (you can download the application from the official website https://www.comodo.com/);
Dr. Web CureIt;
Autorun Analyzer;
KillSwitch;

In other cases, it is impossible to remove the virus due to the fact that it is impossible to determine where is the original file and where is a fake. Then a powerful online scanning system on the virustotal.com portal can help the user. On this site, press the "Select file" button. Then using Windows explorer select a suspicious file and run a scan. A passed test will indicate that the file should be deleted.

To prevent the next Windows infection, it is necessary to timely check the operation of the anti-virus program and update the signature database. In addition, the use of a firewall will not be superfluous in protecting your PC.

You can remove the malicious svchost using the AVZ program. The application is downloaded from the Internet in the avz.exe format. After installing the program and running it, you must execute the script. This function is available in the "File" tab. The script is taken from a photo.

How many svchost.exe processes should be running? It is impossible to answer this question, since in each case the number of running svchost.exe processes is different. It depends not only on the version of your operating system, but also from its assembly!

Since it is impossible to know the exact number of processes, the creators of the malware could not have taken advantage of this moment!

A huge number of viruses, Trojans and other malicious programs have chosen the svchost.exe process and, in order to disguise themselves in the system, they disguise themselves as this process.

That is, malicious programs are launched with the name "svchost.exe" and are lost among many system processes with the same name. This leads to the fact that the chances of being unnoticed in the system increase several times.

How to identify the malicious process svchost.exe

Naturally, if the user suspects that the process "svchost.exe" is malicious, then first of all, the user will scan the computer for viruses and other things.

But, if after checking the antivirus program reports that the system is clean and malware not found - it may not be true!

In this case, it is worth checking the "svchost.exe" process manually. This is done quite simply, all you need is to know some points about the svchost.exe process.

1) The process is always launched from the system folder "System32" If this is not the case, then most likely the file named svchost.exe is malicious.

2) The svchost.exe process will never run as a user - this must be remembered. The process is always started from "Local Service, System, Network Service".

As you understand, if the svchost.exe process was launched from the current username or not from the system folder, then it is worth taking measures to check the suspicious file.

To make sure the original file is running, start Task Manager and find the list of svchost.exe processes on the Details tab.

In this screenshot, all processes are launched by the system itself, this suggests that, most likely, among of this list there is no malicious file named "svchost.exe". Take a look at the screenshot below ...

In this screenshot we see the svchost.exe process launched by a user named "SuperUser" This suggests that this process is more malicious.

You need to click "RMB" where from context menu select "Open location" will open Windows Explorer and you will find out the full path to the suspicious file! What to do with him next, I think it's clear as day!

Important to know: Some viruses do not easily use the name "svchost.exe" in order to hide their presence in the system, but they can also use the original svchost.exe file for their own selfish purposes.

In this regard, manual verification will not give a result here! It was also said above that an antivirus can give no result in the search for a virus! A logical question arises, what to do?

As an option to use a free "firewall" among which I personally single out "comodo firewall" how can he help us? It's that simple! If a virus using the svchost.exe process suddenly decides to manifest network activity, then the user will be aware of this!

The screenshot clearly shows that the svchost file is trying to connect to the server on port 80, the original file will never do this, so svchost is infected!

You can quickly block network access for the svchost file, which would be quite reasonable! Since in this case, there is a possibility of transferring confidential data, for example passwords from the browser to "Gate"

Leakage of such information yourself understand how it could end for you!

What to do with the infected svchost.exe file? Since there is exactly zero sense from the current antivirus and manual check, then open the site "virustotal.com" and check the file. By the way, do it right now!

My result is as follows. Everything is clean! If any antivirus would react, for example "Avast", then I would uninstall the current antivirus and install Avast and cure svchost.exe.

Date of publication: 20.07.2010

The article was updated on 09.12.2011.

Symptoms:
Your computer suddenly began to freeze and slow down the system. At the same time, you have an antivirus with the latest antivirus databases. Click on Ctrl + Alt + Delete and click on the tab Processes... You will see a list of all processes that go to this moment; at the same time, you will see that some of the processes consumes a lot of computer resources (although you are not using any programs at the moment). Here you will see a certain process svchost(There will be several processes with the same name, but you need exactly the one that loads the system at 100%).

Decision:
1) Try, first of all, just restart your computer.
2) If, after rebooting, this process continues to load the system, then right-click on the process and, in the list that opens, select Terminate the process tree... Then restart your computer.
3) If the first two methods did not help you, then go to the folder Windows and find the folder there Prefetch(C: \ WINDOWS \ Prefetch). Delete this folder ( delete exactly the folder Prefetch; DO NOT accidentally delete the folder itself Windows!!!) Then follow the second point (i.e. delete the svchost process tree). Reboot your computer.

How many processes should there besvchost.exe in the Processes tab?
The number of processes with this name depends on how many services are started via svchost. The number may vary depending on the version of Windows, the properties of your computer, etc. Therefore, the number of processes named "svchost.exe" can be from 4 (absolute minimum) to infinity. I have 12 svchosts in the Processes tab on a 4-core computer with Windows 7 (taking into account the launched services).

How to determine which one is a virus?
You can see in the screenshot above that in the "User" column next to each svchost there is the name of the source that launched this very process. In normal form, next to the svchost will be written "system", or "network service", or "local service". Viruses run themselves on behalf of "user" (can be written "user" or "administrator").

What is, in general, a processsvchost.exe?
If we talk simple language, then the svchost process is an accelerator for starting and running services and services. Svchost's are launched through the services.exe system process

What happens if I accidentally terminate the system process by clicking on "End process tree"svchost and not the virus itself?
Nothing bad will happen. The system will give you an error and restart your computer. After the reboot, everything will fall into place.

What viruses are disguised assvchost.exe?
According to Kaspersky Lab, viruses are masked under svchost.exe: Virus.Win32.Hidrag.d, Trojan-Clicker.Win32.Delf.cn, Net-Worm.Win32.Welchia.a
According to unconfirmed reports, some versions of Trojan.Carberp are also disguised as svchost.exe

How do these viruses work?
These viruses, without your knowledge, enter special servers, from where they either download something else dangerous, or send information to the server (namely, your passwords, logs, etc.)

Processsvchost.exe loads the system, but in the "User" column it says "system ". What it is?
Most likely, this means that some service or service is working hard. Wait a little, and this process will stop loading the system. Or it won't stop ... There are some viruses (for example: Conficker) that use real svchosts to corrupt your system. These are very dangerous viruses, and therefore you should check your computer with an antivirus (or better, several at once). For example, you can download DrWeb CureIt - it will find such viruses and remove them.

Why end the process tree and delete a folderPrefetch?
If you terminate the process tree of your svchost, which slows down the system, then the computer will urgently restart. And at startup, when the virus tries to start again, the antivirus (which you must have installed without fail) will immediately detect and remove it. There are many modifications though. For example, the original source of such a virus may be located in the Prefetch folder. This folder is needed to speed up the work of services and services. Removing it will not damage your computer.

Your advice did not help me. Processsvchost.exe continues to load the system.
First of all, check your computer with an antivirus. Better yet, check your computer with several antivirus programs.
I can also advise you to clean the System Volume Information folder. This folder contains the restore points for your computer. Viruses register themselves in this folder, since the system does not allow the antivirus to delete anything from this folder. But this is unlikely to be useful to you. I have not yet heard of such modifications of viruses that would impersonate svchost.exe and are located in the System Volume Information folder.

If you have any more questions, I will be happy to answer them.

Latest Computers & Internet Tips:

Board comments:

Many thanks! Everything is clear and without water. All unnecessary processes have disappeared. Thank you!

Windows6.1-KB3102810 x86 (x64) - for 7, for whom the updater eats a lot of operatives.

In short, I figured out why svchost was loading the percentage by 30%, the Spyware Process Detector utility helped to reveal this mysterious process (you can find it with a crack on the internet), and it turned out not to be some malware, but an ordinary system process Defrag exe, it rattled. Disk Defragmenter, svchost no longer occurs. All issue is resolved.

I tried everything, and the center disabled updates, and Prefetch deleted, and the process tree terminated, nothing helps, svchost still loads percent by 30%.

Ilya, thank you very much! It helped! I did everything as written. Only on my XP service is called Automatic update... After disabling autorun, as soon as I had time to stop the service, this process disappeared, and the CPU load fell asleep. Whoever has XP or updates are not important - I recommend this method.

Ivan, thank you so much for the comment) It helped. Denied access and everything returned to normal. Before that, nothing helped!

I took down the Prefetch folder, but after a reboot it reappears just like the problem with the RAM.

on Win XP solved the problem simply - by disabling the system update. probably small soft in this way unobtrusively nudge users to leave XP and 7.

Rustam, the article clearly states that this folder is not for system files(which lie in windows folder). Here is a quote from the article "Removing it will not damage your computer." READ THE ARTICLE CAREFULLY, cykablyat!

I looked into the svchost folder, but found only the root folders of all programs running on the computer there. when uninstalling, a catastrophe could occur, but minno: a complete shutdown of all life-supporting programs, which ultimately would lead to the fact that the computer after a reboot would stop working altogether, and I had to reinstall Windows. So, I did not risk deleting the entire host folder ... I will look for other solutions to problems. And for those who think that disabling the update solves the problem, I will say: I did this once, so the virus that got into the computer ate the entire motherboard and the hard one stopped working. in fact, it starts the laptop, but immediately freezes, and does not even respond to ctrl-alt-del. And on the start and shutdown button of the computer. you have to take out the battery ... since then the laptop is retired ... not a single workshop undertakes to repair it. some nonsense .....

demolished this folder - it helped. Thank you!

anyone help with svchot? my data for communication waitsap vibe +7 999 171 60 74 skype West00073 I will be grateful. tested the computer with everyone possible ways Does not help

who can help this SVSHOT just tortured re-tried everything. Is there a specialist who can solve this issue?

All the methods indicated in the article did not help me, I decided to read the comments and they most often said that this was not a virus but updates and I turned off these updates and everything went away

thank you !! took down the folder. corrected;)

I beg your pardon, ochepyatka. other processes in Sestem32

And if the process that loads the CPU is located not like all other svchost in Win32, but in AppDataRoaming?

thanks, deleted the folder and all the rules.

I was helped by advice from the comments, from Roman on 08/30/2016, it was the second (additional) method, through the Administration!

ATP everything fell into place!

Can I contact you via skype?

Today we'll talk about the svchost.exe process - what is it, why is it needed and why can there be a lot of them in the task manager?

Many users, when they see a lot of such processes at home, they think that this is definitely a virus in their system, especially when svchost.exe loads the processor, loads Windows .. but if svchost.exe loads the system, then this may be quite normal ! Why? If, for example, you do not have a particularly powerful computer, then after Windows installations 7 it is possible that you encountered such a glitch - you installed it and after a while (provided that the Internet is connected) the svchost.exe process begins to load the system. Why? This is related to the first update - as a rule, there are a lot of these updates and you need to install all of them! I don't know about Windows 8, but Windows 10 seems to have already solved this problem!

And it also happens that svchost.exe starts loading Windows so that the computer itself is already taking action - it turns on the fans to the fullest!

So, now, actually, what is svchost.exe? This is a system module Generic Host Process for Win32 Services, and most importantly, this process is very important for the system! In no case can you turn it off yourself, that is, in the task manager, do not dare to end it! It is the main part in the interaction of programs, services with dll-libraries (in which functions to work), and this is only one of its main tasks.

There can indeed be a lot of svchost.exe processes, up to several dozen. By the way, I've experimented with services in Windows XP and came to the conclusion that the less they work, the fewer svchost.exe processes, in newer versions of Windows I think the same. But I do not recommend disabling the services, since when you disable some of them, there may be serious glitches. By the way, the commander-in-chief over svchost.exe is services.exe, and it is he who launches it.

For example, how many of them I have, not so many, but still ... I have not changed anything in Windows 10 itself, that is, only some settings, and it has already been updated - it does not load anything, the processes hang for themselves and that's it:

svchost.exe virus? how to delete? Yes, indeed, under this process, there can actually be a virus, and so that you do not distinguish it from a normal one, the virus is launched from another folder. Thus, in the task manager you have several processes and one of them can be launched from the left folder ... But remember, the svchost.exe process itself is not a virus and plays a very important role in Windows!

So, here are the folders in which svchost.exe has the right to live, that is, these are its native places:

C: \ Windows \ system32 (probably the most important folder after Windows)
C: \ WINDOWS \ ServicePackFiles \ i386 (Windows installation files are stored here)
C: \ WINDOWS \ Prefetch (this folder usually stores files of the Prefetch technology - preloading data to speed up the computer as a whole, a very useful thing)
C: \ WINDOWS \ WinSxS \ * name of a folder with a long name, in the name of which there is svchost * (it stores all old updates and files of obsolete components for every fireman)

Here's an example - in my WinSxS folder there is another folder with a long name, and inside there is svchost.exe itself and this is definitely not a virus:

If you found svchost.exe in a completely different folder, then this is already bad, since it can easily be a virus! And yet - open the dispatcher and see what is the name of the process? It must be original, for example, there may be special names so that you do not notice the difference: svch0st.exe, svchos1.exe, svcchost.exe, svchost32.exe b and other options, there are a lot of them, there is no point in listing. But the most difficult option is when just svchost.exe - here you already need to check the location of the file (right-click on the process in the manager and there you can select the location).

For process analysis, I recommend using free utility Mark Russinovich - Process Explorer, there is a lot of things you can view about the process itself and it is made conveniently. Moreover, it is approved by Microsoft itself. In the settings, you can enable the replacement of the built-in Windows task manager, to do this, select Options> Replace Task Manager. You can download it from the official:

Although it is a little overloaded with functions, in my opinion, it remains the best replacement for the built-in dispatcher.

What's another sign that svchost.exe is a virus? Very simply, this process seems to never run on your behalf - it always comes from system accounts, namely: SYSTEM, LOCAL SERVICE or NETWORK SERVICE. It has always been this way, but in Windows 10 I noticed that I was already running as a user ... maybe something has changed already? I looked at the location of the process and calmed down that they say everything is fine, this is a system process

Also look at what kind of original process (the one in the system32 folder in Windows 10), here it has the following description:

Are there any suspicions? Then in the search engine type in svchost.exe which version should be yours Windows version, and see if it matches. I am writing this because you go and know what version or build you have - maybe the data will be different.

What to do when svchost.exe loads the system? First, try disabling Service Center Windows updates if the problem is resolved, then this means that the matter is in this service. This I mean that it is better to turn it on and wait until svchost.exe stops loading the computer. This will happen when Windows completely downloads all updates and installs them, but this is much better than disabling the service. By the way, the window with the list of services can be quickly launched: open the Run window, and this is Win + R and write the services.msc command there:

After that enter and such a window will appear:

Well, to disable it, find the service, double-click on it and in the window select Startup type - Disabled, and then click on Stop so that the service stops working.

You should not try to complete this process, since at the same time the Internet will be lost at least, and the maximum is a forced reboot. By the way, terminating the lsass.exe process also leads to forced reboot(if I'm not mistaken then in a minute).

If in the end you still have a load, then move on. We check the computer with this utility - I explained everything in the article there, in general everything is simple and you can do it for sure, it can find you have a virus or even several, it is special for ad viruses!

Another powerful tool is ESET Online Scanner! He is already a master of all viruses! Well, maybe someone won't agree with me, it's just that he helped me more than once. Follow this link and click Launch ESET Online Scanner:

Then a small window will open where you need to enter mail, you can enter any:

And then you will be prompted to start the scanner already:

Will offer to download ESET Smart Installer, which will launch the scanner on your computer:

About Internet Explorer that's right - if you run the scanner there, then it will really work right there in the browser, which is very convenient. This technology is supported by Internet Explorer itself.

The scan may take some time, I advise you to configure it for a deep scan (along with the scan of archives, I do it myself) - this is certainly longer, but the cleaning of viruses will be deeper, well, this is just my advice And if the scanner finds viruses, then they can be delete after checking, that is, you will decide what to delete and what not, suddenly the scanner will take a normal file for a virus.

It is interesting that for some users the svchost.exe process took up all 12 GB of RAM out of the available 16 GB, this is horrible!

You can also try deleting the Prefetch folder from C: \ Windows, temporary files are stored there to speed up the launch of programs, they are not important for the system, but you do not need to delete them all the time! Most often, svchost.exe loads the Windows 7 processor after installing it on a computer and connecting to the Internet! This is the norm!

Well, I seem to have written everything, although I probably missed something for sure, in general, if that - leave comments! And do everything carefully on your computer so that there are no glitches later - here best friend this is System Restore, so create checkpoints in advance and we will be happy for you! Good luck

09.01.2016

Computer users want their machines to work as quickly as possible and not "slow down". In search of "brakes" they turn to the task manager to detect resource-intensive processes and unload them from memory. Often svchost.exe is seen in the process list. This program runs in multiple copies, and random access memory consumes a lot.

The question is logical: is it a virus or some other malicious software, if it overloads the computer in this way. And another question: is it possible to delete svchost.exe and do without it. Usually the answer is no to both questions: it is not a virus and it is almost impossible to do without it. But first things first…

svchost.exe is a system process in Windows 2000 and later. This is the main process that helps the dynamic library services run. If you delete the svchost.exe file, the computer will work ... only several times slower than usual. The situation is not so paradoxical: although the system service takes up a lot of RAM, without it, the ROM load would only be higher. The processor load will also be high.

Svchost.exe virus

Still, sometimes it is necessary to delete svchost.exe. More precisely, not himself, but viruses and Trojan horses masquerading as this application. It is easy to distinguish them: although the original system process also creates many copies, the malware is located in any directory except the system one.

It is also useful to know that you can see such a program in the task manager if you pay attention to running it on behalf of the user. In some cases, viruses use a genuine system service to inflict damage.

There is no need to raise the alarm and worry about the fact that svchost.exe runs in ten copies. There are many dynamic services in the system, one process may not be enough for all. Then several copies are included at once, each with its own identifier. But one must also look at its origin carefully.

The original process starts from the folders: ServicePackFiles \ i386, system32, Prefetch, winsxs \ (everything inside C: \ WINDOWS). If you notice that svchost.exe was launched from somewhere else, then this is a bad call (as well as a situation with a name that "just slightly" differs from the original name).

In such cases, run a full antivirus scan until you get rid of the malware.