Task Manager says svchost.exe uses 100% of my CPU

It is hard to believe that this tiny (14kb) program originally created by Microsoft has been the source of so much controversy. Also known as the Generic Host Process for Win32 Services, svchost.exe has been exploited by a slew of computer worms and viruses because it is such an integral part of Windows XP. Throw in the occasional svchost.exe error caused by Microsoft’s own mistake, and it’s no wonder svchost.exe has become synonymous with problems in Windows XP.
In this article I will attempt to explain why svchost.exe is such a popular program for hackers to exploit and how to troubleshoot your computer if it has run into errors with svchost.exe.

Imagine that you are a hacker and you want to create a worm or virus that can run in the background without being detected. Your best bet would be to disguise yourself as a part of the operating system and quietly perform your tasks in the background without the user’s knowledge. This is exactly what svchost.exe does. Furthermore, Microsoft designed svchost.exe so that several instances of it can run at the same time. This way svchost.exe can appear ubiquitous in the Task Manager and perform its tasks under cover.

[Image: task manager]

Phew…done with the WHY, let’s do the HOW. Maybe you’ve already got a problem with your system’s svchost.exe and you just want to fix it. Why not just delete all copies of svchost.exe? Well, because if you delete all copies of svchost.exe, your copy of Windows XP will not run anymore. So what can I do? First we must determine that your svchost.exe program is not infected or corrupt, and then we must search your system for any hijacked copies of the program and remove them.

First off, let’s run a virus scan to make sure we don’t have any infected files that will just re-infect things once we’ve cleaned or replaced them. Here are some FREE anti-virus tools you can use to do this (install only one at a time):

If you ran one of these tools and either viruses or spyware were detected, you should err on the side of caution and run a FREE anti-spyware tool ASAP (install as many as you like).

Again, if any of these tools came up positive on spyware or viruses, proceed with suspicion (pay attention to your computer’s behavior and record error and notification messages carefully).

If you’ve run all anti-virus and anti-spyware software and you couldn’t find anything wrong, you should check my article on fixing Microsoft Update related svchost.exe errors. If that doesn’t help, you’re probably getting an error from the program itself on bootup, or it is causing your computer to perform slower than expected.

Let’s check the version of svchost.exe and make sure it’s up-to-date. The file is located in c:\windows\system32\svchost.exe and most likely there’s also a copy in c:\windows\system32\dllcache\svchost.exe. Your svchost.exe file should have the following properties:

[Image: svchost.exe properties]

and version:

[Image: svchost.exe version]

If your svchost.exe file has different properties, chances are either you haven’t installed Service Pack 2 for Windows XP (and should do so immediately) or you haven’t been to WindowsUpdate in a while (and should do so immediately).

If your copy of Windows is up-to-date and the file version is still different, you should grab your Windows XP CD and run the System File Checker tool, also known as sfc.exe. You can do this by clicking Start->Run and entering sfc.exe /scannow (make sure you have the Windows XP CD in your computer’s CD drive when running this command).

[Image: Running SFC /Scannow]

The System File Checker tool will compare versions of critical Windows programs from the original CD to your system to make sure that they have not been altered or hijacked. If it finds files whose versions are incorrect, it will automatically replace them. If your original Windows XP CD does not include SP2 (Service pack 2) you’ll need to re-install it if the sfc.exe tool replaces any files.

If you’re still experiencing issues with svchost.exe, chances are your system is launching a hijacked version of svchost at Windows startup. The program will most likely not be located in the standard c:\windows\system32 directory, and to find it you should simply run a search for “svchost.exe” on the C: drive. Here are some common locations of infected or hijacked versions of svchost.exe:

  • svchost.exe is located in C:\Windows
  • svchost.exe is located in C:\Windows\system32\drivers or other system32 subdirectory
  • svchost.exe is located in C:\Program Files\Common Files
  • svchost.exe is located in C:\Program Files
  • svchost.exe is located in C:\
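As an added example (not code from the original article), this Python script triages the results of such a search, for instance the output of `dir C:\svchost* /s /b /a` saved to a text file. The function names, the verdict labels and the assumption that Windows is installed in C:\WINDOWS are illustrative choices; the "source-copy" locations come from the comment thread below the article.

```python
import ntpath

# Directories where the article expects svchost.exe on Windows XP.
EXPECTED_SUBDIRS = ("system32", r"system32\dllcache")
# Source copies the comment thread treats as normal (prefix match, so the
# truncated ServicePackFiles subfolder on the page is not guessed at).
SOURCE_PREFIXES = (r"c:\i386", r"{windir}\servicepackfiles")


def classify(path, windir=r"C:\WINDOWS"):
    """Return 'expected', 'source-copy', 'suspicious' or 'ignore' for one path."""
    norm = ntpath.normpath(path.strip().strip('"')).lower()
    folder, name = ntpath.split(norm)
    if name != "svchost.exe":
        return "ignore"          # e.g. Prefetch .pf traces, not executables
    windir = ntpath.normpath(windir).lower()
    if folder in {ntpath.join(windir, d) for d in EXPECTED_SUBDIRS}:
        return "expected"        # right place; content still needs sfc / AV
    for prefix in SOURCE_PREFIXES:
        prefix = prefix.format(windir=windir)
        if folder == prefix or folder.startswith(prefix + "\\"):
            return "source-copy"
    return "suspicious"          # any other folder, including the list above


def triage(listing, windir=r"C:\WINDOWS"):
    """Map each non-empty line of a `dir /s /b` listing to its verdict."""
    results = {}
    for line in listing.splitlines():
        if line.strip():
            results[line.strip()] = classify(line, windir)
    return results


# Constructed sample listing (not from a real machine).
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllcache\svchost.exe
C:\WINDOWS\Prefetch\SVCHOST.EXE-2D5FBD18.pf
C:\i386\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Common Files\svchost.exe
C:\svchost.exe
"""

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:12} {path}")
```

A verdict of "expected" only means the file sits in the right folder; whether its contents are intact is what the virus scan and sfc.exe steps above check.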

If you find any of these, you should move them to the trash or rename them to render them ineffective. Now we’ll need to remove any startup entries that attempt to launch these hijacked versions of svchost.exe. To do this, download and install the Startup Control Panel by Mike Lin (don’t forget to donate). Now launch it, locate any entries relating to svchost.exe, and uncheck or right-click->delete them.

[Image: Startup Control Panel]

Then reboot Windows and cross your fingers.

Good luck and take care.



2 responses to “Task Manager says svchost.exe uses 100% of my CPU”

  1. Scott Butler

    David,
    I read this with interest. I may have a similar problem. Can you tell me if any of the svchost.exe files below look suspicious?

    NAME                      LOCATION                        SIZE    TYPE

    svchost                   c:\i386                         14KB    Application
    SVCHOST.EXE-2D5FBD18.pf   c:\WINDOWS\Prefetch             23 KB   PF File
    svchost                   c:\WINDOWS\system32             14KB    Application
    svchost                   c:\WINDOWS\ServicePackFiles\i…  14KB    Application

    Thanks!

    1. David Vielmetter

      Those are all legitimate locations for svchost.exe to be. Whether or not it is the correct svchost.exe file (as opposed to a compromised version due to virus infection) is another matter. You can run SFC.exe /scannow to ensure critical Windows files are signed by Microsoft. Get yourself a good antivirus program like AVG or Microsoft Security Essentials and perform a full scan. If svchost.exe is infected, a good AV program will let you know.

      If all this doesn’t work, you can extract svchost.exe from a service pack or the cab files on your original Windows CD…that should be your last resort though.