Svchost and Its Dangers
The moment you start up your machine, without you noticing or prompting it, a whole set of processes starts automatically. This is convenient because it needs no action on your part; it is also a security risk, because you may not know what those processes are doing or whether every one of them is legitimate.
Many of these processes carry the name svchost.exe, and Microsoft describes them as follows: "svchost.exe is a generic host process name for services that run from dynamic-link libraries".
To understand this a little better, it helps to know that some time ago Microsoft started moving the functionality of internal Windows services out of .exe (executable) files and into .dll files (dynamic-link libraries). From a programming perspective this is a good move because it makes reuse easier, but it creates a problem: Windows cannot launch a .dll file directly, so the library has to be loaded by a running executable (.exe). That is where svchost.exe comes in: it is the executable that hosts those service libraries and bridges them to the operating system.
The Windows operating system runs many services, and piling all of them into a single process would be a poor idea, because if that one process crashed the whole operating system would fail. That is why several svchost.exe processes are running at once. The services are sorted into logical groups and a separate svchost.exe instance is started for each group: one for user-interface services, for example, and another for the services related to the firewall.
We've established what svchost.exe processes are and why they exist, and it all seems legitimate and necessary, so what is the problem with them? The problem is not with the genuine svchost.exe files; it is with malicious files disguised as svchost.exe. If malicious software named svchost.exe is installed on your machine, the machine will run it at startup alongside all the legitimate svchost.exe processes, not realizing that it is harmful. So the question becomes: how can you tell which instances are needed and which are malicious software such as spyware?
The best way to do this is to run a PowerShell script that reports, for each svchost.exe instance, how many services are running under it, the service group it belongs to, and the names and descriptions of those services. If the script detects something wrong, such as an instance with no services running under it or a malformed command line, it presents a warning so that you can investigate and stop the rogue files.
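As an added example (not the script the article refers to), the following PowerShell report does what the paragraph describes. It assumes an elevated session and a standard install where the genuine image lives under %SystemRoot%\System32 or %SystemRoot%\SysWOW64.

```powershell
# Added example: report every svchost.exe instance, the service group it was
# started for, the services it hosts, and any warning signs. Run elevated so
# the CIM queries return command lines and paths for SYSTEM-owned processes.

function Get-SvchostReport {
    # On a stock install only these two images are the genuine host (assumption).
    $expectedPaths = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    # Index every running service by the PID that currently hosts it.
    $servicesByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc = $_
        $warnings = @()
        $cmd = [string]$proc.CommandLine

        # A genuine instance is launched as "svchost.exe -k <ServiceGroup> ...".
        $group = if ($cmd -match '-k\s+(\S+)') { $Matches[1] } else { '<none>' }
        if ($group -eq '<none>') { $warnings += 'command line lacks a -k <group> argument' }

        # The binary must be the copy shipped with Windows, not a look-alike elsewhere.
        if (-not $proc.ExecutablePath) {
            $warnings += 'executable path unavailable (not elevated?)'
        } elseif ($expectedPaths -notcontains $proc.ExecutablePath) {
            $warnings += "image path is not the Windows copy: $($proc.ExecutablePath)"
        }

        # A host with nothing registered to it is one of the red flags in the text.
        $svcs = @($servicesByPid["$($proc.ProcessId)"])
        if ($svcs.Count -eq 0) { $warnings += 'no services are registered to this PID' }

        [pscustomobject]@{
            PID          = $proc.ProcessId
            ServiceGroup = $group
            ServiceCount = $svcs.Count
            Services     = ($svcs | ForEach-Object { "$($_.Name) ($($_.DisplayName))" }) -join '; '
            Warnings     = $warnings -join '; '
        }
    }
}

# Show the whole picture first, then only the instances that deserve a closer look.
$report = Get-SvchostReport
$report | Format-Table PID, ServiceGroup, ServiceCount, Warnings -AutoSize
$report | Where-Object { $_.Warnings } | Format-List PID, ServiceGroup, Services, Warnings
```

A freshly started instance can briefly show zero services, so treat the warnings as leads to investigate rather than a verdict.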
If your machine suddenly slows down and you find that an svchost.exe process is the cause, it does not necessarily mean that malware has taken over your computer: there was a case where Windows Automatic Updates consumed 100% of the CPU. To avoid this, make sure your machine has the latest updates installed. If you are still seeing high CPU usage, you need to determine which of the active svchost.exe processes is responsible. Open Process Explorer, click the CPU column header to sort the process list by processor usage, and when the computer stalls switch over to Process Explorer to see which running process is causing the slowdown.
Once the offending svchost.exe instance is found, re-sort the list, because CPU usage changes constantly and the entry would otherwise keep moving up and down. Hover the cursor over that process to open a tooltip listing all the Windows services associated with it. Using that list you can determine which of the hosted services is causing the slowdown and deal with it accordingly.
Svchost.exe processes, or rather the abuse of them, are often behind a machine crashing. Understanding the processes that spring into action when you start your machine may not be everybody's top priority, but it is an important undertaking, both to avoid being plagued by malware and to understand why your machine might suddenly seize up for no apparent reason.