I have previously written about experiences with systems becoming unresponsive and reporting svchost.exe utilizing 99% of the CPU. Because so many different DLLs run inside this generic host process, identifying exactly which service is the cause of the high CPU usage is often difficult.

According to KB314056, the Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.


    Svchost.exe service groups are listed in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    Windows XP Pro includes a built-in command-line utility, tasklist.exe, that provides information useful in tracking down the offending programs.

    Running tasklist.exe with no switches lists the running processes with their PID, session name and memory usage. Notice that svchost.exe appears many times, each with a different PID. That is because each svchost.exe instance hosts a different group of Windows services.


    To determine which PID is running which service, run

    tasklist.exe /SVC

    Notice the additional column, which shows the services hosted by each instance.

    You can list services and applications on a remote system by running

    tasklist.exe /s remoteIPaddress 

    or

    tasklist.exe /s remoteComputerName


    If you want even more detail about the process and applications running, type:

    tasklist /M 

    This will show which DLLs are loaded by each process.

    If you want to isolate a service from a shared svchost.exe instance, My Green Paste has a nice post on manipulating this service via the registry.

    Once you’ve isolated the offending process that is causing the excessive resource utilization, use taskkill.exe to kill the offending application. You may need to specify the /F switch to force the offending process to be killed.


    Obviously killing the wrong processes can crash your machine, and editing the registry can make it unbootable, so before making changes make sure you have a recent backup.
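The following is an added example, not code from the original post: it parses the CSV form of the `tasklist /SVC` listing described above (`/FO CSV`) into a PID-to-services map, then separates instances that host several services (where the PID alone cannot name the culprit and isolation is needed) from instances that list none. The sample output is constructed, the function names are hypothetical, and the `N/A` marker assumes an English-language Windows.

```python
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /SVC /FO CSV` output (not from a real host).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","952","RpcSs"
"svchost.exe","1048","AudioSrv,BITS,Dhcp,wuauserv"
"svchost.exe","1300","N/A"
"explorer.exe","1620","N/A"
'''

def parse_tasklist_svc(text, image="svchost.exe"):
    """Map each PID of `image` to the list of services it hosts."""
    rows = csv.reader(io.StringIO(text))
    next(rows, None)  # skip the header row (its wording is locale dependent)
    hosts = {}
    for row in rows:
        if len(row) < 3 or row[0].lower() != image.lower():
            continue
        raw = row[2].strip()
        # tasklist prints N/A when a process hosts no services
        names = [] if raw.upper() == "N/A" else [s.strip() for s in raw.split(",")]
        hosts[int(row[1])] = names
    return hosts

def shared_instances(hosts):
    """Instances hosting several services: the PID alone cannot name the culprit."""
    return {pid: svcs for pid, svcs in hosts.items() if len(svcs) > 1}

def instances_without_services(hosts):
    """PIDs of instances that list no services and deserve a closer look."""
    return sorted(pid for pid, svcs in hosts.items() if not svcs)

if __name__ == "__main__":
    text = SAMPLE
    if sys.platform == "win32":  # on Windows, read the live process list instead
        text = subprocess.run(["tasklist", "/SVC", "/FO", "CSV"],
                              capture_output=True, text=True, check=True).stdout
    hosts = parse_tasklist_svc(text)
    for pid, svcs in sorted(hosts.items()):
        print(pid, ", ".join(svcs) or "(no services)")
    print("shared:", sorted(shared_instances(hosts)))
    print("no services:", instances_without_services(hosts))
```

Match the PID that Task Manager shows at high CPU against this map: a single-service instance identifies the service directly, while a shared instance only narrows it to a list of candidates.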

    Ask the Performance Team has published a new post on svchost.exe with some really detailed information. I think the methods of creating isolated processes and isolated service groups would be most helpful in troubleshooting performance and bottleneck issues.