Is svchost.exe Safe or Is It Malware? Find Out Yourself

svchost.exe is one of the most common processes you will find in the Windows Task Manager. Moreover, you don't find just a single svchost.exe: there are usually many of them listed in Task Manager, all with the same name (as you can see in the screenshot below).

Task Manager listing Multiple svchost.exe

Usually, when we see a single process in Task Manager, say abc.exe, one program is running under that name. svchost.exe is the exception: it is a generic host process that loads services implemented as DLLs, so one svchost.exe instance can run several services while Task Manager shows only the host's name. (Since Windows 10 version 1703, on machines with more than about 3.5 GB of RAM, most services are given their own svchost.exe instance, which is why the list is so long.) Even though Task Manager hides the names of the services, we can list them by running the following command in a command prompt:

tasklist /svc

Using tasklist /svc to list the services hosted by each process

Our interest here is the services hidden behind svchost.exe. They can be legitimate or malicious. Malware can run behind svchost.exe either by registering its own DLL as a service (the ServiceDll value under the service's registry key) or by injecting a DLL into a running instance, and in both cases it looks like a normal Windows process. A third trick is a malicious executable simply named svchost.exe that lives somewhere other than C:\Windows\System32 (or SysWOW64); a genuine service host is loaded from one of those two folders, is signed by Microsoft and is started by services.exe, so the path and the parent process are the first things to check. So how do you find out whether there is malware or not? It is not impossible, but it takes time, because you have to analyze the services and the DLLs behind each svchost.exe and decide whether they are legitimate. In this article we introduce some freeware tools that help you analyze this mysterious svchost.exe.

Svchost Analyzer :

Svchost Analyzer is a freeware tool that is simple to use. It is portable, so you can just run it. On startup it scans the system and lists all svchost.exe processes in the top pane. When you select an item in that list, the bottom pane shows all the services that run inside that svchost.exe process.

Analyzing svchost.exe with Svchost Analyzer

Moreover, Svchost Analyzer marks Microsoft services with a green tick, telling you that those services are safe, and marks non-Microsoft services with a red warning symbol. These non-Microsoft services can be either legitimate or malicious, so Svchost Analyzer cuts the list of suspects down considerably. To investigate further, you need a more advanced tool such as Process Explorer.
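To make the checks above concrete, here is an added PowerShell example (it is not from the article and not part of Svchost Analyzer) that does the same triage from the command line: it enumerates every svchost.exe, checks that the image lives in System32 or SysWOW64, that it is signed by Microsoft and that it was started by services.exe, then lists the services each instance hosts together with the DLL that implements each one and whether that DLL is Microsoft-signed. The function names are my own; the registry locations and WMI classes are the standard ones. It needs an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows.

```powershell
# Added example, not code from the article: triage every svchost.exe on the box.
# Checks image path, parent process and Authenticode signature, then lists the
# services each instance hosts and the DLL that implements each service.
# Run elevated so that ExecutablePath is visible for SYSTEM/service processes.

$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Get-AuthenticodeSignature also validates catalog-signed system files.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Get-ServiceDllPath {
    param([string]$ServiceName)
    # Services hosted by svchost register their DLL under
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll
    # (a few older services put ServiceDll directly under the service key).
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $dll = (Get-ItemProperty -Path "$base\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) {
        $dll = (Get-ItemProperty -Path $base -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    }
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    return $null
}

$procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

foreach ($p in $procs) {
    $flags = @()

    if ($p.ExecutablePath) {
        $dir = Split-Path -Parent $p.ExecutablePath
        if ($expectedDirs -notcontains $dir) { $flags += 'unexpected path' }
        if (-not (Test-MicrosoftSigned $p.ExecutablePath)) { $flags += 'not Microsoft-signed' }
    } else {
        $flags += 'path unavailable (run elevated)'
    }

    # Genuine service hosts are started by services.exe. The parent PID can be
    # reused after the parent exits, so treat this as a hint, not proof.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent) { $flags += 'parent already exited' }
    elseif ($parent.Name -ne 'services.exe') { $flags += "parent is $($parent.Name)" }

    $status = if ($flags) { 'SUSPECT: ' + ($flags -join ', ') } else { 'ok' }
    "svchost.exe PID $($p.ProcessId)  $($p.ExecutablePath)  [$status]"

    # Same information tasklist /svc gives, plus the implementing DLL and its signer.
    foreach ($s in ($services | Where-Object { $_.ProcessId -eq $p.ProcessId })) {
        $dll = Get-ServiceDllPath $s.Name
        $dllStatus = if (-not $dll) { 'no ServiceDll' }
                     elseif (Test-MicrosoftSigned $dll) { 'Microsoft' }
                     else { 'NON-MICROSOFT' }
        '    {0,-24} {1,-14} {2}' -f $s.Name, $dllStatus, $dll
    }
}
```

Anything printed as SUSPECT or NON-MICROSOFT is where to spend your time; a Microsoft-signed ServiceDll in System32 is the normal case. A service whose ServiceDll points outside the Windows directory, or whose DLL is unsigned, deserves the same look a Svchost Analyzer red warning would get.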

Download : Svchost Analyzer

Using Process Explorer to analyze svchost.exe :

When you run Process Explorer, it lists all processes in detail.

Process Explorer listing detailed list of processes

As you can see, it shows processes and their child processes as a tree. When you hover over a process, a tooltip shows more details, such as the path of the process's executable and the names of the services it runs, so you can hover over any svchost.exe to see which services it hosts. In addition, when you select a process (here svchost.exe) and press Ctrl+D, a lower pane appears listing all the DLLs loaded by that process.

Process Explorer listing all the DLLs loaded by process

Process Explorer also shows more details about each DLL, such as its Description and Company Name, which makes it easier to analyze each one. If you enable Options > Verify Image Signatures, the Verified Signer column tells you whether each image and DLL carries a valid signature and from whom, which is a far more reliable indicator than the Company Name string, since the latter is just text in the file's version resource.
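For the same DLL view from the command line, here is an added PowerShell example (not from the article and not part of Process Explorer) that lists the modules loaded into an svchost.exe instance, the equivalent of the Ctrl+D pane, and flags any that are unsigned, not signed by Microsoft, or loaded from outside the Windows directory. The function name is my own; it uses only Get-Process and Get-AuthenticodeSignature and must run in an elevated 64-bit PowerShell session.

```powershell
# Added example, not code from the article: list the DLLs loaded into an
# svchost.exe instance (like Process Explorer's Ctrl+D pane) and flag the
# ones worth a closer look.

function Get-SvchostModules {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    if ($proc.ProcessName -ne 'svchost') {
        Write-Warning "PID $ProcessId is $($proc.ProcessName), not svchost"
    }

    # .Modules throws if the process cannot be opened (not elevated, protected
    # process, or a 64-bit target from a 32-bit shell); skip it with a warning.
    try { $modules = $proc.Modules }
    catch {
        Write-Warning "Cannot read modules of PID $ProcessId ($($_.Exception.Message))"
        return
    }

    foreach ($m in $modules) {
        $path   = $m.FileName
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        elseif ($signer -notmatch 'O=Microsoft Corporation') { $flags += 'non-Microsoft signer' }
        if ($path -notlike "$env:SystemRoot\*") { $flags += 'outside Windows directory' }

        [pscustomobject]@{
            ProcessId = $ProcessId
            Module    = $m.ModuleName
            # CompanyName is just a string in the version resource; the
            # signature check above is what actually proves origin.
            Company   = $m.FileVersionInfo.CompanyName
            Flags     = ($flags -join '; ')
            Path      = $path
        }
    }
}

# Example usage: scan every svchost.exe and show only the flagged modules.
# For one instance, call Get-SvchostModules -ProcessId <pid> with the PID from
# Task Manager, tasklist /svc or Process Explorer.
Get-Process -Name svchost |
    ForEach-Object { Get-SvchostModules -ProcessId $_.Id } |
    Where-Object { $_.Flags } |
    Sort-Object ProcessId, Module |
    Format-Table -AutoSize
```

Expect a few legitimate hits on a normal machine (third-party antivirus, VPN or printer DLLs are often injected into service hosts and carry their vendor's signature). An unsigned DLL, or one loaded from a user-writable location such as a temp or profile folder, is the pattern to chase.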

Download : Process Explorer

Finally, remember that svchost.exe itself is made by Microsoft and is an integral part of Windows; its job is to host Windows services. There is no need to spend hours analyzing it unless you notice something odd happening on your PC, such as websites being redirected to unknown IP addresses or an svchost.exe instance that constantly uses a lot of CPU. These can be signs of a malware infection, although high CPU in svchost.exe is often just a busy legitimate service (Windows Update, for example), so identify the service first with tasklist /svc. If svchost.exe does look suspicious, use the tools above to find any malware hiding behind it.
