How to Isolate Services Running in an svchost.exe Process Instance

19.Sep.2009 | by Gusac | Filed in: Articles, Tutorials

Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services.
For more details, see the Microsoft KB Article: KB 314056 

There are times when svchost.exe causes problems such as a high CPU spike or a crash. Since one svchost.exe instance hosts multiple services, any single faulty service can make that svchost.exe spike or crash, and every other service running in the same svchost.exe instance is affected as well.

This makes it very difficult to find out which service is causing the issue. One way to find out is to note the Process ID of the svchost.exe instance and take a process dump. Alternatively, we can extract the service from the shared svchost.exe so that it runs individually in its own container, that is, in a new svchost.exe instance of its own.

There are two ways to achieve this. Let's have a look at them one by one:

First Method:

    • Start the Registry Editor (Start > Run > regedit).

    • Locate and then right-click the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

    • Point to New and click Multi-String Value.

    • Rename the new Multi-String Value to: TempGrp

    • Double-click it to modify the value data and type the name of the service we want to isolate. Let's say we want to isolate the DCOM Server Process Launcher service. The DCOM Server Process Launcher service has the key name DcomLaunch.

      Note: Make sure we are typing the service name, not the display name. You can check it in the Service Control Manager (services.msc) by opening the properties of the service. Also, we have to remove the service name from the existing Multi-String Value that already contains it.

    • Create a new subkey under SvcHost and give it the same name as the Multi-String Value created above, that is, TempGrp.

    • For Windows 2000, perform the following step:
      Create a new DWORD value named CoInitializeSecurityParam and set its data to 1.

      For Windows XP and later, perform the following steps:
      Create a new DWORD value named CoInitializeSecurityParam and set its data to 1.
      Create another DWORD value named AuthenticationCapabilities and set its data to 3020 (hexadecimal) or 12320 (decimal).

      [Screenshot: Service property]

    • Now go to the following key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      and locate the subkey for the service you want to extract. Let's say we want to isolate DHCP Client. The DHCP Client service has the key name DHCP, so let's locate the DHCP subkey.

    • In the right pane, double-click the value named ImagePath to modify it.

    • Change the value data to: %systemroot%\System32\svchost.exe -k TempGrp

    • Restart the service and it will run in a new instance: svchost.exe -k TempGrp

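The First Method, carried out from PowerShell instead of regedit, as an added example that is not code from the original article. It performs the same registry edits the steps above describe (new group value, removal from the old group value, group subkey with the two DWORDs, new ImagePath, restart) and adds the check a practitioner wants afterwards: which services share the service's process, the same information tasklist /svc shows per PID. Assumptions: an elevated Windows PowerShell 3.0 or later session on Windows XP or later, so both DWORDs apply; the service key name (never the display name) is passed in; the group name TempGrp is the article's own choice and only a default here; the function names are my own.

```powershell
# Added example, not code from the original article: the article's First Method
# done in PowerShell, plus a check that the service now runs alone in its own
# svchost.exe process. Assumptions: elevated Windows PowerShell 3.0+ session on
# Windows XP or later (so both DWORDs apply); $ServiceName is the service key
# name (e.g. DcomLaunch), never the display name; TempGrp is the article's own
# group name and only a default here.

$SvcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvcHostGroupOfService {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Every REG_MULTI_SZ value directly under the SvcHost key is a group whose
    # data lists its member services; return the group that lists this one.
    $key = Get-Item -Path $SvcHostKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -ne 'MultiString') { continue }
        if (@($key.GetValue($name)) -contains $ServiceName) { return $name }
    }
    return $null
}

function Move-ServiceToOwnSvcHostGroup {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$GroupName = 'TempGrp'
    )
    $svcKeyPath = Join-Path -Path $ServicesKey -ChildPath $ServiceName
    if (-not (Test-Path -Path $svcKeyPath)) {
        throw "No service key '$ServiceName' (use the key name, not the display name)"
    }
    $imagePath = (Get-ItemProperty -Path $svcKeyPath).ImagePath
    if ($imagePath -notmatch '(?i)svchost\.exe\s+-k\s+') {
        throw "'$ServiceName' is not hosted by svchost.exe (ImagePath: $imagePath)"
    }

    # 1. Take the service out of the group value that currently lists it
    #    (the article's note: the name must not stay in the old group value).
    $oldGroup = Get-SvcHostGroupOfService -ServiceName $ServiceName
    if ($oldGroup) {
        $remaining = @((Get-ItemProperty -Path $SvcHostKey).$oldGroup | Where-Object { $_ -ne $ServiceName })
        Set-ItemProperty -Path $SvcHostKey -Name $oldGroup -Value $remaining -Type MultiString
    }

    # 2. New group value (REG_MULTI_SZ) that lists only this service.
    New-ItemProperty -Path $SvcHostKey -Name $GroupName -Value @($ServiceName) `
        -PropertyType MultiString -Force | Out-Null

    # 3. Group subkey with the COM security parameters the article specifies.
    $groupKey = Join-Path -Path $SvcHostKey -ChildPath $GroupName
    New-Item -Path $groupKey -Force | Out-Null
    New-ItemProperty -Path $groupKey -Name 'CoInitializeSecurityParam' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $groupKey -Name 'AuthenticationCapabilities' -Value 0x3020 `
        -PropertyType DWord -Force | Out-Null   # 0x3020 = 12320 decimal

    # 4. Point the service at the new group and restart it.
    Set-ItemProperty -Path $svcKeyPath -Name ImagePath `
        -Value "%SystemRoot%\System32\svchost.exe -k $GroupName" -Type ExpandString
    Restart-Service -Name $ServiceName -Force

    [pscustomobject]@{ Service = $ServiceName; OldGroup = $oldGroup; NewGroup = $GroupName }
}

function Get-ServiceProcessMates {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Services sharing this service's process (what "tasklist /svc" shows per PID).
    # After isolation the list should contain only the service itself.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return @() }
    (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($svc.ProcessId)").Name
}

# Usage (hypothetical run, using the article's DHCP Client example):
# Move-ServiceToOwnSvcHostGroup -ServiceName Dhcp
# Get-ServiceProcessMates -ServiceName Dhcp   # expect only 'Dhcp' after the restart
```

Run Get-ServiceProcessMates once before the move, to record how many services shared the original instance, and once after, when the list should contain only the isolated service. The registry edits survive reboots, so keep the OldGroup value the function returns; reversing the change means putting the name back into that group value, restoring the ImagePath, and deleting the TempGrp value and subkey.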
Second Method:

    • Open the command prompt and enter the following command:
      copy %windir%\system32\svchost.exe %windir%\system32\svchostTemp.exe

    • Open the Registry Editor and navigate to the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    • Go to the subkey for the service we want to extract. For example, we would be extracting the Automatic Updates service. It has the key name wuauserv, so go to the subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

    • In the right pane, modify the value ImagePath and change its data to: %systemroot%\system32\svchostTemp.exe -k netsvcs

    • Restart the service from the command prompt: NET STOP wuauserv & NET START wuauserv
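An audit script for the state either method leaves behind, as an added example that is not code from the original article. It walks every service key, parses the "-k <group>" switch out of ImagePath, and reports whether the service is really listed in that group's REG_MULTI_SZ value under the SvcHost key and whether the host binary is the genuine %SystemRoot%\System32\svchost.exe. A service moved by the First Method shows up listed in a group of size 1; a service pointed at a copy such as svchostTemp.exe by the Second Method shows up with GenuineHost = False. Assumptions: Windows PowerShell 3.0 or later and read access to HKLM (no elevation needed); the function names and property names are my own.

```powershell
# Added example, not code from the original article: audit of svchost-hosted
# services after either method has been applied. Assumptions: Windows PowerShell
# 3.0+; read access to HKLM (no elevation needed); function names are my own.

$SvcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvcHostGroupTable {
    # Group name -> member service names, from the REG_MULTI_SZ values under SvcHost.
    $key = Get-Item -Path $SvcHostKey
    $table = @{}
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq 'MultiString') { $table[$name] = @($key.GetValue($name)) }
    }
    return $table
}

function Get-SvcHostAudit {
    $groups  = Get-SvcHostGroupTable
    $genuine = Join-Path -Path $env:SystemRoot -ChildPath 'System32\svchost.exe'
    foreach ($svcKey in Get-ChildItem -Path $ServicesKey) {
        # Read ImagePath unexpanded so the %systemroot% text is seen as written.
        $raw = $svcKey.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if (-not $raw) { continue }
        # Only services started through a "-k <group>" host switch are of interest.
        if ($raw -match '(?i)^\s*"?(?<exe>[^"]+?)"?\s+-k\s+"?(?<grp>[^"\s]+)') {
            $exe     = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
            $group   = $Matches['grp']
            $members = if ($groups.ContainsKey($group)) { $groups[$group] } else { @() }
            [pscustomobject]@{
                Service       = $svcKey.PSChildName
                Group         = $group
                HostBinary    = $exe
                GenuineHost   = ($exe -ieq $genuine)     # False for svchostTemp.exe
                ListedInGroup = ($members -contains $svcKey.PSChildName)
                GroupSize     = $members.Count            # 1 for a TempGrp-style group
            }
        }
    }
}

# Usage: show the services that deviate from the stock layout.
# Get-SvcHostAudit |
#     Where-Object { -not $_.GenuineHost -or -not $_.ListedInGroup } |
#     Format-Table -AutoSize
```

The two flags map directly onto the two methods: ListedInGroup catches a service whose ImagePath names a group that does not list it (a half-finished First Method edit, which leaves svchost.exe unable to find the service DLL), and GenuineHost catches any service pointed at a renamed copy of svchost.exe. Both conditions are also what endpoint monitoring typically keys on, since a service started from a non-standard host image is indistinguishable on paper from a tampered one, so treat the Second Method as a temporary diagnostic step: once the faulty service is identified, restore the original ImagePath and delete svchostTemp.exe, and re-run the audit to confirm the list is empty.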