The Windows Process Journey — svchost.exe (Host Process for Windows Services)

Shlomi Boutnaru, Ph.D.
2 min read, Nov 6, 2022


Svchost.exe is probably the built-in executable with the most running instances (for example 78 on my testing VM) among all the processes in Windows. We can split its name into “Svc” and “Host”, that is “service host”, which hints at its responsibility (more on that later).

The executable “svchost.exe” is located at %windir%\System32\svchost.exe. On a 64-bit version of Windows there is also %windir%\SysWOW64\svchost.exe, which is the 32-bit build used for 32-bit service DLLs. Both files are digitally signed by Microsoft, and those two paths are the only legitimate locations of the binary, which is worth remembering when triaging a process that merely carries the name. It was introduced with Windows 2000, even though there was already support for “shared service processes” in Windows NT 3.1 (more on this in the following paragraphs).

Because many Windows services (you can read about Windows services at https://medium.com/@boutnaru/windows-services-part-2-7e2bdab5bce4) are implemented as DLLs (Dynamic Link Libraries), there is a need for an executable to host them. Thus, you can think of “svchost.exe” as the implementation of a “shared service process”: a process which hosts/executes/runs multiple services in a single memory address space. The flip side of sharing one address space is that the services inside it share one security boundary, so a bug or a malicious DLL in one service can affect every other service in the same host.

The configuration of services is stored in the registry under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services”. For each hosted service, the name of its DLL is stored under the service’s “Parameters” subkey in a value named “ServiceDll”. For example, for the DHCP client it is “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll”, as shown in the screenshot below. The service’s “ImagePath” value (which stores the path of the executable to run when the service is started) will be “svchost.exe” with the “-k” command line parameter followed by the name of the service group (for example netsvcs, DcomLaunch, utcsvc, LocalServiceNoNetwork or LocalSystemNetworkRestricted); recent builds also append a “-p” switch, which makes the host enforce the process mitigation policies configured for the service.

In the end, services are split into groups, and each group is hosted by its own instance of “svchost.exe”. To see which services are hosted by which “svchost.exe” you can use tools like “Process Explorer” or “tasklist /svc”, as shown in the screenshot below. The mapping of services to groups is stored under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost”, where each value is named after a group and lists (as REG_MULTI_SZ) the services that belong to it (on my test VM a total of 49 groups are defined).
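The following PowerShell script is an added example (it is not part of the original post) that ties the two registry locations above to the running processes: for every svchost.exe it extracts the “-k” group from the command line, asks the SCM (via Win32_Service) which services currently live in that PID, reads each service’s ServiceDll, and checks that the services are declared members of the group. It also applies the two sanity checks a responder would want when a process is merely named svchost.exe: the image must be the System32 (or SysWOW64) copy and the parent must be services.exe, since that is the only process that launches service hosts. It assumes PowerShell 5.1 or later on a Windows host and enough rights to read other processes’ command lines (run it elevated for full coverage).

```powershell
# Added example, not code from the original post. Assumes Windows with PowerShell 5.1+
# and an elevated session (command lines of SYSTEM processes are hidden otherwise).
$system32Host = Join-Path $env:windir 'System32\svchost.exe'
$wow64Host    = Join-Path $env:windir 'SysWOW64\svchost.exe'
$groupKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Services as the SCM sees them, grouped by the PID that currently hosts them.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

foreach ($p in $hosts) {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The genuine host lives in System32 (or SysWOW64 for 32-bit service DLLs).
    if ($p.ExecutablePath -and $p.ExecutablePath -ine $system32Host -and
        $p.ExecutablePath -ine $wow64Host) {
        $findings.Add("unexpected image path: $($p.ExecutablePath)")
    }

    # 2. Service hosts are started by the SCM, so the parent should be services.exe.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $findings.Add("parent is '$($parent.Name)' (PID $($p.ParentProcessId)), not services.exe")
    }

    # 3. Pull the "-k <group>" argument the SCM put on the command line.
    $group = $null
    if ($p.CommandLine -match '(?i)\s-k\s+("?)([^\s"]+)\1') { $group = $Matches[2] }
    if (-not $group) { $findings.Add("no -k <group> on command line: $($p.CommandLine)") }

    # 4. Services the SCM reports inside this PID, with the DLL each one loads.
    $hosted = @()
    $pidKey = [string]$p.ProcessId
    if ($svcByPid.ContainsKey($pidKey)) {
        $hosted = $svcByPid[$pidKey] | ForEach-Object {
            $paramsPath = Join-Path $servicesKey "$($_.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            [pscustomobject]@{ Name = $_.Name; ServiceDll = $dll }
        }
    }

    # 5. Every hosted service should be a declared member of its group in the Svchost key
    #    (the value named after the group is a REG_MULTI_SZ list of service names).
    if ($group) {
        $members = (Get-ItemProperty -Path $groupKey -Name $group -ErrorAction SilentlyContinue).$group
        if ($null -eq $members) {
            $findings.Add("group '$group' is not defined under $groupKey")
        } else {
            foreach ($h in $hosted) {
                if ($members -notcontains $h.Name) {
                    $findings.Add("service '$($h.Name)' is not listed in group '$group'")
                }
            }
        }
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Group    = $group
        Services = ($hosted.Name -join ', ')
        DLLs     = ($hosted.ServiceDll -join ', ')
        Findings = ($findings -join '; ')
    }
}
```

Pipe the output to Format-Table -AutoSize or Out-GridView; rows with an empty Findings column are hosts that look the way the SCM would have started them, and a non-empty column is the starting point for a closer look (for example a host whose image is outside System32, or a service that was injected into a group it is not registered in). Because the check reads the registry directly rather than trusting the process name, a renamed or relocated binary cannot satisfy it.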

It is important to know that starting with Windows 10 version 1903, on systems with more than 3.5GB of RAM there is no grouping by default: each service runs in its own instance of “svchost.exe” for better security and reliability, because a faulty or compromised service DLL can then no longer crash, or read the memory of, unrelated services that used to share its address space. The threshold is stored in the “SvcHostSplitThresholdInKB” value under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control”. Of course there are exceptions to that rule; for more information you can read https://learn.microsoft.com/en-us/windows/application-management/svchost-service-refactoring.
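As an added example (not part of the original post), the script below shows the refactoring from the other side: it compares installed RAM with the split threshold, lists services that opt out of splitting, and counts how many svchost.exe instances host exactly one service versus several, which is what turns a handful of group hosts into the 78 instances mentioned at the top. It assumes Windows 10 version 1903 or later; the per-service opt-out value name “SvcHostSplitDisable” is taken from the Microsoft page linked above.

```powershell
# Added example, not code from the original post. Assumes Windows 10 1903+ and PowerShell 5.1+.
$controlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# The split threshold (KB of RAM) and the RAM actually installed on this machine.
$thresholdKB = (Get-ItemProperty -Path $controlKey -Name SvcHostSplitThresholdInKB `
    -ErrorAction SilentlyContinue).SvcHostSplitThresholdInKB
$ramKB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1KB)

if ($null -eq $thresholdKB) {
    'SvcHostSplitThresholdInKB is not present: this build predates service splitting, grouping applies.'
} elseif ($ramKB -ge $thresholdKB) {
    'RAM {0:N0} KB >= threshold {1:N0} KB: services run one per svchost.exe unless opted out.' -f $ramKB, $thresholdKB
} else {
    'RAM {0:N0} KB < threshold {1:N0} KB: services are still grouped.' -f $ramKB, $thresholdKB
}

# Services that explicitly opt out of splitting stay in their shared group process
# (value name SvcHostSplitDisable, assumed from the Microsoft documentation).
Get-ChildItem -Path $servicesKey |
    Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name SvcHostSplitDisable -ErrorAction SilentlyContinue).SvcHostSplitDisable -eq 1
    } |
    ForEach-Object { "opted out of splitting: $($_.PSChildName)" }

# Distribution of running svchost-hosted services: how many hosts carry one service, how many carry several.
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match '(?i)\\svchost\.exe' } |
    Group-Object -Property ProcessId |
    Group-Object -Property { if ($_.Count -eq 1) { 'single-service hosts' } else { 'multi-service hosts' } } |
    Select-Object Name, Count
```

On a machine above the threshold the last table is dominated by single-service hosts, and the remaining multi-service hosts are exactly the exceptions (opted-out services and the groups the documentation keeps together); on a VM with less memory the picture flips and the older, grouped layout described earlier is what you get.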

For more information you can follow me on Twitter — @boutnaru (https://twitter.com/boutnaru).

The screenshots above show the configuration of the DHCP service (with its ServiceDll value) and how to identify which services are hosted by a given “svchost.exe” using “tasklist.exe” (tasklist /svc).
