SVCHOST.exe View processes and Services association

svchost.exe acts as a host process for services. Many of these services are DLLs which cannot be directly used. SVCHOST.exe can execute services that use the DLL technology.

The instructions below makes of use the MS-DOS prompt

  • ==List services associated with specific processes.==

There might be more than one svchost.exe(s) running on a machine. That is because if all services are associated with one svchost.exe and that instance of svchost.exe fails, all services will fail.

Up to windows 2008 and windows7, there was no easy way to see with which svchost.exe each process was associated with. You would have to use the command line. In order to see which services are associated with a particular process, you can use the following command. The /svc option will display all services associated with a particular process.

  • tasklist

This will give you a list of all processes on the local workstation.
It is the same information you will find on Task Manager when you view the Process tab.

C:\ tasklist

Image Name PID SessionName? Session# Mem Usage


System Idle Process 0 Console 0 28 K

System 4 Console 0 152 K

smss.exe 1880 Console 0 132 K

csrss.exe 296 Console 0 3,544 K

winlogon.exe 320 Console 0 12,484 K

services.exe 360 Console 0 1,972 K K

Use tasklist to display which services are associated with which process

  • C:\tasklist /svc

By using the /svc option, you can see a series of svhost.exes. For example svchost with PID 2036 has a series of services running. Also svchost with PID of 1508 has the MSSQLSERVER service associated with it. Note that System idle Process has a PID of 0 and there are no services associated with it for obvious reasons. This shows the idle state of the system.

Image Name PID Services

=================== =======================================

System Idle Process 0 N/A

System 4 N/A

svchost.exe 2036 AudioSrv?, BITS, Browser, CryptSvc?, Dhcp,

dmserver, ERSvc, EventSystem?, helpsvc,

HidServ?, lanmanserver, lanmanworkstation,

Netman, Nla, RasMan?, Schedule, seclogon,

SENS, SharedAccess?, ShellHWDetection,

srservice, TapiSrv?, TrkWks?, W32Time?,

winmgmt, wscsvc, wuauserv

svchost.exe 180 Dnscache

ccSvcHst.exe 1728 ccEvtMgr, ccSetMgr

spoolsv.exe 936 Spooler

svchost.exe 1600 WebClient?

sqlservr.exe 1508 MSSQLSERVER

  • Filters the results of Tasklist using your own keywords.

If you wish to filter the result of the above command so it will only display specific Image Names (svchost.exe for our example) you can do so by typing the following:

tasklist /svc /fi “imagename eq svchost.exe”

What this command does is to display Image Names that are name svchost.exe. In addition with the /svc trigger, it will show all the services running under each svchost.exe. Here is a sample output.

Image Name PID Services

=================== ==========================================

svchost.exe 660 DcomLaunch?, TermService?

svchost.exe 820 RpcSs?

svchost.exe 180 Dnscache

svchost.exe 172 LmHosts?, RemoteRegistry?, SSDPSRV

svchost.exe 1600 WebClient?

svchost.exe 1068 stisvc

  • ==taskkill==

This command will kill a process. You will need to know PID number of that process.
You can get the PID number of that process by viewing the information from Tasklist.

C:\> taskkill 296

The above command will process with PID 296 which is the csrss.exe process.

==How to view which services are associated with a particular process under Windows7 and and Windows 2008.==

