How To Find the Processes Running within the Windows Service Host Process
 |
This topic is a how to.
Please keep it as clear and simple as possible. Avoid speculative discussions as well as a deep dive into underlying mechanisms or related technologies. |
Introduction
The Windows Service Host process (also known as svchost, whose executable file is C:\WINDOWS\system32\svchost.exe) is a special process used by Windows to execute multiple instances of services and processes, started both from an executable (.EXE) file and from a dynamic link library (.DLL) file. There can be several instances of this special process running at any moment on a Windows system and each of them puts additional load on the system.
Sometimes it could be necessary to know which processes are running within a specific instance of the Service Host process: there are several ways to get such an information using the operating system's built-in tools as well as additional tools: let's take a look at.
Using the Windows Task Manager
The Windows Task Manager allows the user to determine the processes running within a specific instance of the svchost.exe process; first click the Details tab, then click the "PID" column to order each running process by its PID (ascending order is the best way): in this example, look at the process whose PID is 528.
Then click the Services tab and click the "PID" column to apply again the ascending ordering to the list of services: find the PID number (528 in this example) and the corresponding service will be easily identified.
In the Windows 10 Task Manager it is also possible to click the Processes tab, look for the PID of the svchost.exe instance and click the ">" sign on the left to expand the list of the processes running within that instance.
Using the Windows Command Prompt
The taklist command can be used to get a tabular list of all the svchost processes running along with their process IDs and the names of all the services running within each instance: open a command prompt window and execute the tasklist /svc /fi "imagename eq svchost.exe" command.
Using Windows PowerShell
In Windows PowerShell the first step is getting the list of all the svchost.exe instances running in the system, by executing the Get-Process cmdlet filtered by the process name (ProcessName property of the System.Diagnostics.Process collection returned by the cmdlet).
If we want to filter the output (in this example, we're looking for the process whose PID is 528), we can furtherly restrict the number of instances displayed in the output by selecting only a specific value for the "Id" property of the collection of objects returned. Then we'll execute the Get-WmiObject cmdlet to get the information for the Win32_Service class corresponding to the type of process we're interested in.
Using Process Explorer
Process Explorer is rich and full featured Task Manager which can be downloaded for free from /en-us/sysinternals/downloads/process-explorer. Among all its useful features, Process Explorer can display information about the services running within a specific instance of the Windows Service Host process: over the mouse on a svchost.exe instance and the tooltip will display the list of the services running within it.
It is also possible to get those information by right-clicking a svchost.exe instance and select Properties...: in the properties window for that instance click the Services tab to get detailed information about the services registered in that instance of the Service Host process.
Other Languages
This article is also available in the following languages: