Process
svchost.exe
Service Host (svchost.exe) is the generic host process for Windows services implemented as DLLs rather than standalone executables. A typical system runs many svchost instances simultaneously, each hosting one or more service groups. It is one of the most common processes on any Windows machine.
File identity
- File type
- PE32+ executable
- Magic
- PE32+ executable (GUI)
- Original name
- svchost.exe.mui
- Internal name
- svchost.exe
- Product
- Microsoft® Windows® Operating System
- Status
- Signed
- Publisher
- Microsoft Corporation
- Signer
- Microsoft Windows
- Issuer
- Microsoft Windows Production PCA 2011
- Signature rate
- 100%
- Version
- 10.0.26100.1 (WinBuild.160101.0800) (100%)
- Size
- 86.20 KB (100%)
Execution context
- Path
- C:\Windows\System32\svchost.exe (100%)
- User
- SYSTEM (66.7%), Interactive user (33.3%)
- Integrity
- System (66.7%), Medium (33.3%)
- 68 (33.3%), 66 (33.3%), 69 (33.3%)
- Session
- Session 0 (89.8%), Session 1 (10.2%)
- Privileges
- SeChangeNotifyPrivilege (100%), SeImpersonatePrivilege (78.3%), SeCreateGlobalPrivilege (45.3%), SeTcbPrivilege (32.5%), SeDebugPrivilege (28.1%)
Ancestry
- Parent
- services.exe (100%)
- Children
- runtimebroker.exe (33.3%), taskhostw.exe (16.7%), applicationframehost.exe (16.7%), backgroundtaskhost.exe (16.7%), calculatorapp.exe (16.7%)
Behavior
- Loaded modules
- msvcp_win.dll (42.9%), sechost.dll (42.9%), kernelbase.dll (42.9%), user32.dll (42.9%), win32u.dll (42.9%)
- \lsass (100%)
- svchost.exe (38.5%), startmenuexperiencehost.exe (26.9%), calculatorapp.exe (23.1%), searchhost.exe (19.2%), msedgewebview2.exe (15.4%)
- Command lines
- C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc (33.3%)
- C:\WINDOWS\system32\svchost.exe -k GPSvcGroup (33.3%)
- C:\WINDOWS\system32\svchost.exe -k LocalService -p -s NPSMSvc (33.3%)
Indicators
- 44fd6f9347ceed5798a25c47167f335ef085ae4648a81f775dd4bdc6240d8189 (100%)
- d87367d5078c476b109dc3312b62781513330055 (100%)
- b1c5636ec08026fd0f8ccbff49ed7e59 (100%)
- de43bd45cc98c143357416c7519eccfd (100%)
Analysis
Windows services can be implemented either as standalone executables or as service DLLs. Service DLLs do not run on their own. The Service Control Manager (services.exe) launches an instance of svchost.exe with a -k <group> argument that names a service group. svchost then loads the DLL of every service registered to that group.
The groups are defined in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. Common ones include netsvcs, DcomLaunch, RPCSS, and LocalServiceNoNetwork. Adding -s <service> narrows an instance to one service from that group, for example svchost.exe -k netsvcs -p -s Schedule.
Since Windows 10 1703, systems with more than 3.5 GB of RAM split most service groups and give each service its own svchost instance. This is why modern machines commonly show 70 or more concurrent instances. The -p flag opts the instance into stricter mitigation policies such as signed-DLL-only loading.
Most instances start close to boot. Services also start on demand or at logon, so new svchost instances long after boot are normal. Windows 10 introduced per-user services for features such as notifications and clipboard. Those instances run under the signed-in user's account at Medium integrity rather than a service account.
svchost.exe is a top masquerading target. Malware frequently names itself svchost.exe or a look-alike such as svch0st.exe and runs from a directory other than System32. Watch for an svchost process running from anywhere other than C:\Windows\System32 or C:\Windows\SysWOW64, for a parent other than services.exe, and for an instance started without the -k service-group argument.
Attackers also commonly persist inside legitimate svchost instances. One method registers a malicious service DLL (T1543.003). Another hijacks an existing service's ServiceDll registry value. Path and parent checks will pass in both cases because the process image is the genuine signed binary. In these scenarios, analysts should examine the loaded modules instead. An unsigned or unexpected DLL inside a legitimate svchost process points to this kind of abuse.
- Running without a -k <service group> argument (high)
- A -k group name that does not exist under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (high)
- Look-alike spelling (svch0st.exe, scvhost.exe, svchosts.exe) (high)
- Outbound connections to destinations outside Microsoft infrastructure shortly after start (medium)
- Hosting a service DLL that is unsigned while launched with -p (medium)
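As an added example (not part of this profile page), the following Python triage function applies the path, parent, -k, group-name, look-alike and -p/unsigned-DLL checks above to a few constructed process records; the KNOWN_GROUPS set is assumed from the page's examples rather than read from the registry, and the sample paths are invented.

```python
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed group list built from the page's examples; on a real host, enumerate the
# value names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost instead.
KNOWN_GROUPS = {"netsvcs", "dcomlaunch", "rpcss", "localservicenonetwork", "localservice", "gpsvcgroup"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike spellings of the image name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def svchost_findings(proc, known_groups=KNOWN_GROUPS):
    """Return (severity, reason) pairs for one record with keys image, parent, cmdline, unsigned_modules."""
    findings = []
    directory, _, name = proc["image"].lower().rpartition("\\")
    if name != "svchost.exe":
        if edit_distance(name, "svchost.exe") <= 2:
            findings.append(("high", f"look-alike image name {name}"))
        return findings  # any other image name is outside these checks
    if directory not in LEGIT_DIRS:
        findings.append(("high", f"image outside System32/SysWOW64: {directory}"))
    if proc["parent"].lower() != "services.exe":
        findings.append(("high", f"parent is {proc['parent']}, not services.exe"))
    args = proc["cmdline"].split()
    group = next((args[i + 1] for i, a in enumerate(args[:-1]) if a.lower() == "-k"), None)
    if group is None:
        findings.append(("high", "no -k <service group> argument"))
    elif group.lower() not in known_groups:
        findings.append(("high", f"unknown service group {group}"))
    if "-p" in args and proc.get("unsigned_modules"):
        # -p requests signed-DLL-only loading, so an unsigned module contradicts the policy
        findings.append(("medium", f"unsigned DLL despite -p: {proc['unsigned_modules']}"))
    return findings

# Constructed sample records, not real telemetry.
SAMPLES = {
    "legit": {"image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe",
              "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule"},
    "dropped": {"image": r"C:\Users\Public\svchost.exe", "parent": "explorer.exe",
                "cmdline": r"C:\Users\Public\svchost.exe"},
    "lookalike": {"image": r"C:\Windows\svch0st.exe", "parent": "services.exe",
                  "cmdline": r"C:\Windows\svch0st.exe -k netsvcs"},
    "hijacked": {"image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe",
                 "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc",
                 "unsigned_modules": [r"C:\ProgramData\update.dll"]},
}
```

Only the "hijacked" record survives the path and parent checks, which is the case where the text says loaded modules must be examined instead.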
Telemetry
- Operating system
- Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen
- 2026-06-08
- Last seen
- 2026-06-08
- Machines
- 1
- Executions
- 3