Six copies of svchost

Guest

Before I got rid of Norton Internet Security (what a performance pig!), the
Task Manager CPU monitor would peg out at 100% for many minutes every time I
connected to my dial-up ISP and often for no reason at all. Now things are
better (I have AVG/Grisoft), but still every time I connect, the Task Manager
CPU monitor will peg out for a short time with svchost being the big CPU
user. Also, I noticed that I have six copies of svchost running, three with
SYSTEM, two with NETWORK SERVICE, and one with LOCAL SERVICE usernames. I
looked at the Microsoft official page for svchost and learned nothing. Why
do I have six copies of svchost running with only a dial-up connection?
Thanks.
 
Mark Burnett

Pete said:
Why do I have six copies of svchost running with only a dial-up
connection?


svchost is a generic host process that runs a number of Windows built-in
services. You can see the specific services of each process from a command
prompt using tasklist with this command:

c:\>tasklist /svc /fi "imagename eq svchost.exe"

That will list all svchost processes and the associated services.


Mark Burnett
http://xato.net
 
Jim

Pete said:
Before I got rid of Norton Internet Security (what a performance pig!), the
Task Manager CPU monitor would peg out at 100% for many minutes every time I
connected to my dial-up ISP and often for no reason at all. Now things are
better (I have AVG/Grisoft), but still every time I connect, the Task Manager
CPU monitor will peg out for a short time with svchost being the big CPU
user. Also, I noticed that I have six copies of svchost running, three with
SYSTEM, two with NETWORK SERVICE, and one with LOCAL SERVICE usernames. I
looked at the Microsoft official page for svchost and learned nothing. Why
do I have six copies of svchost running with only a dial-up connection?
Thanks.

Six different processes are using svchost.exe for six different tasks.
Jim
 
Wesley Vogel

Pete said:
Why do I have six copies of svchost running with only a dial-up connection?

Because it takes more than one service to allow even one dial-up connection.
The Telephony service (Tapisrv) for one. And probably DHCP Client service
(DHCP) and DNS Client service (DnsCache) and others that I cannot think of
off the top of my head.

Pete said:
Also, I noticed that I have six copies of svchost running, three with
SYSTEM, two with NETWORK SERVICE, and one with LOCAL SERVICE usernames.

Because you have a *BOATLOAD* of services running it takes six copies of
svchost.exe to load all of them.

Services are loaded under svchost.exe, lsass.exe and services.exe.

Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.
It is also called the Local Security Administration Subsystem Service.
Lsass.exe seems to have a lot of names.

Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM
Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected
Storage (ProtectedStorage) and Security Accounts Manager (SamSs).

services.exe (Services and Controller app) loads the Event Log service and
the Plug and Play service.

svchost.exe (Generic Host Process for Win32 Services) loads the rest of the
services.

Depending on the switch used, svchost.exe loads them under imgsvc,
LocalService, netsvcs, NetworkService, rpcss or termsvcs.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\SvcHost
* imgsvc loads StiSvc.
* LocalService loads Alerter, WebClient, LmHosts, RemoteRegistry, upnphost
and SSDPSRV.
* netsvcs loads 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP,
ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip,
Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc,
NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule,
Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time,
WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS,
ShellHWDetection, helpsvc, uploadmgr, WmdmPmSN and Ip6FwHlp.
* NetworkService loads DnsCache.
* rpcss loads RpcSs.
* termsvcs loads TermService.

I am not going to translate all of those Service Names to their Display
Names.

The Local System account is a predefined local account that can start a
service and provide the security context for that service. The actual name
of the account is NT AUTHORITY\System.

The Local Service account is a special built-in account that has reduced
privileges similar to an authenticated local user account. The actual name
of the account is NT AUTHORITY\LocalService.

%SystemRoot%\System32\svchost.exe -k LocalService
or
C:\WINDOWS\System32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\SvcHost
Value Name: Among others LocalService should be listed here

C:\WINDOWS\System32\svchost.exe -k netsvcs
is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\SvcHost\netsvcs

netsvcs is part of the -k switch for svchost.exe and is the System User.

C:\WINDOWS\System32\svchost.exe -k NetworkService
NetworkService = (Network User)

C:\WINDOWS\System32\svchost.exe -k LocalService
LocalService = (Local User)

C:\WINDOWS\system32\svchost -k rpcss
rpcss = "RpcSs" (System User, Critical Service) the Remote Procedure Call
(RPC) service.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
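
Added example, not part of any post in this thread: a Python sketch that parses the output of the tasklist command from Mark Burnett's reply and labels each svchost.exe instance with the -k group from Wesley Vogel's list. The sample output and the service name ExampleSvc are constructed, and the netsvcs list is abridged.

```python
import re

# Group -> services, from the list in the post above (netsvcs abridged).
# Compared case-insensitively, since tasklist and the registry differ in case.
SVCHOST_GROUPS = {
    "imgsvc": ["StiSvc"],
    "LocalService": ["Alerter", "WebClient", "LmHosts", "RemoteRegistry",
                     "upnphost", "SSDPSRV"],
    "netsvcs": ["AudioSrv", "Browser", "CryptSvc", "DHCP", "Netman", "Rasman",
                "Schedule", "Tapisrv", "Themes", "winmgmt", "wuauserv", "BITS"],
    "NetworkService": ["DnsCache"],
    "rpcss": ["RpcSs"],
    "termsvcs": ["TermService"],
}
INDEX = {s.lower(): g for g, svcs in SVCHOST_GROUPS.items() for s in svcs}

# Constructed sample of `tasklist /svc` output; ExampleSvc is a made-up name.
SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    884 RpcSs
svchost.exe                    968 AudioSrv, Browser, CryptSvc, Dhcp, Netman,
                                   Rasman, Schedule, TapiSrv, Themes, winmgmt
svchost.exe                   1064 Dnscache
svchost.exe                   1120 LmHosts, SSDPSRV, WebClient
svchost.exe                   1300 ExampleSvc
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")

def parse_tasklist_svc(text):
    """Return {pid: [service, ...]}, joining wrapped service lists."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:                                   # first line of a process row
            pid, rest = int(m.group(2)), m.group(3)
            procs[pid] = []
        elif pid is not None and line[:1].isspace():
            rest = line                         # wrapped continuation line
        else:
            continue                            # header, ruler or blank line
        procs[pid] += [s.strip() for s in rest.split(",") if s.strip()]
    return procs

def groups_for(services):
    """Map hosted services to their -k group; unknown names -> 'unlisted'."""
    return sorted({INDEX.get(s.lower(), "unlisted") for s in services})

if __name__ == "__main__":
    for pid, svcs in parse_tasklist_svc(SAMPLE).items():
        print(pid, groups_for(svcs), ", ".join(svcs))
```

A service reported as "unlisted" is simply one that is not in the abridged table here; on a real machine the full group lists are the values under the SvcHost registry key quoted in the post.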
