Svchost.exe

Satheesh C B | Thursday, April 03, 2008 | 1 comments

Svchost stands for "Service Host".Many of components of the Windows operating system are implemented as what are called "services".The Svchost.exe file is located in the %SystemRoot%\System32 folder.Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services.This grouping of services allows for better control and easier debugging.

Can Svchost.exe be malicious?

Unfortunately, yes...

There are several known spyware and trojans that pretend to be legal Svchost.exe. They usually have the same name or one of the following names: svchost.exe, svchosts.exe (which often causes svchosts.exe page faults), Generic.exe, svcchost.exe and several others

How I can find if my Svchost.exe file is malicious or not?

First of all, legal svchost.exe should reside in Windows\System32 folder and should not appear in startup list. But even if you have no Svchost files other than in your System32 folder and you autorun list is clear, you can't say for sure that you do not have malicious Svchost.exe file.

Error message: "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry .....Why?

There are several problems connected with Generic Host Process which are unrelated to spyware or trojans or viruses. These problems include error messages like this:
"Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience."
or like this:
"svchost.exe -- application error the instruction at "0x745f2780" reference memory at "0x00000000". the memory could not be 'read'"
If you encountered one of these error messages, here you will find how to get rid of them.
The are several possible reasons of this error message.

Reason 1: You have one these worms in your system: CashToolbar Downloader-MY, System1060, CoolWebSearch Svchost32, ADCLICK-AG, ADCLICK-AX, ADUYO-A, AGENT-V, AGOBOT-KL, AUTOTROJ-C and some others.

Reason 2: Some legal DLL used legal copy of Svchost.exe to run itself at Windows startup. This illegal DLL crashed and caused crash of the whole Svchost.exe service or the whole system.
Reason 3: You used Online Update feature and new update was download from Microsoft's web service which contains errorneous verison of Windows Installer or double-byte character set (DBCS) characters support (only occures in Microsoft Windows XP Service Pack 2 (SP2/SP3)).
Reason 4: You installed old printer or scanner drivers from Hewlett-Packard which are incompatible with the current version of Svchost.exe

Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

To view the list of services that are running in Svchost:

  1. Click Start on the Windows taskbar, and then click Run.
  2. In the Open box, type CMD, and then press ENTER.
  3. Type Tasklist /SVC, and then press ENTER.

The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER: Tasklist /FI "PID eq processID" (with the quotation marks)

You can use the excellent Process Explorer utility from Microsoft/Sysinternals to see what services are running as a part of a svchost.exe process.

Hovering your mouse over one of the processes will show you a popup list of all the services:


w32.blaster.worm; msblast.exe worm etc are some malware which causes svchost.exe crashes,try the following

1) End the Trojan process:
Press Ctrl+Alt+Delete once. Click Task Manager. Click the Processes tab.Double-click the Image Name column header to alphabetically sort the processes. Scroll through the list and look for msblast.exe. If you find the file, click it, and then click End Process. Exit the Task Manager

2) Deleting msblast.exe:
Click Start.Click Search, For Files or Folders.Search for msblast.exe
Once the search is done, delete msblast.exe in the screen to the right.

3) Removing changes msblast made to the registry:
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor

Click here to download program True Sword which will find and remove possible trojans or spyware which mask themselves to be legal svchost.exe

If True Sword shows that you do not have svchost.exe virus, then try the following steps to solve generic host win32 services problem and all other similar errors of svchost.exe service

To completely solve "Generic Host Process for Win32 Services" problem you should:

1) Scan your PC for the following viruses: CashToolbar Downloader-MY, System1060, CoolWebSearch Svchost32, ADCLICK-AG, ADCLICK-AX, ADUYO-A, AGENT-V, AGOBOT-KL, AUTOTROJ-C

2) Go to Windows Automatic Updates properties (right-click on My Computer, then click on Properties and switch to Automatic Updates tab)

3) Choose "Turn Off Automatic Updates", click OK and reboot your PC

4) Manually update Windows using "Windows Update" shortcut in the start menu

5) Turn automatic updates on

6) If your problem is not solved on this step, uninstall old Hewlett-Packard printer and scanner drivers (if any) and download new drivers from the manufactures web site

7) If your problem is not solved on this step, use the following command to show all svchost.exe instances and associated services or libraries:

tasklist /svc /fi "imagename eq svchost.exe"

Then search for each of services and libraries shown in that list in the Internet to find out whether the entry is malicious or not. In case you find malicious entry, use msconfig.exe utility to disable the appropriate service entry. This is long but effective way of Generic Host Process or svchosts.exe repair.

Regcure is another software which helps to fix the Svchost.Exe errors

Read more :-

How to Repair SVCHOST.EXE error

SVCHOST.exe generates Error

Microsoft Hotfix Information

Category: , ,

Welcome to SparksSpace . This blog launched on Dec 2007 with a focus on Technology.You can find latest Computer Software, Tutorials, Tricks,Tips & Software promotions here!

1 comment: