Separating SvcHost Services

29 Sep

I’ve finally figured out how to tell windows which services to run together in one service host, and which I want in their own host, it’s tricky, but first, let me explain why I wanted to do this…

This last week or so, I’ve been having problems with a runaway svchost.exe process on several of my computers. I’ve theorized that it’s due to Windows™ Update, but I haven’t been able to prove it one way or another, because when I went to find out what was in that process, it went something like this:

I went to Windows Task Manager (by pressing Shift+Ctrl+Esc) and in the processes tab, I saw that the reason my PC was running slowly was that I had a svchost.exe process using more than 80% of my CPU, and over 200MB of RAM (that’s at home, at work I have susbtantially less RAM, so it was around 120MB when I noticed my PC slowing to a crawl).
I tried to detect what service was the problem by going to the command line (Start->Run: cmd.exe) and typing Tasklist /svc but what I discovered is that the runaway service host was actually hosting 25 different services … which one could it be?
I ran ProcessExplorer and found basically the same information, along with a listing of the “friendly” names of the services …
I ran my services manager console (Start->Run: services.msc), and using the friendly names from Process Explorer, I tried stopping the services one at a time, but the memory was never released (although the CPU usage did go down after I stopped the Automatic Updates service).
I killed the svchost.exe process (from the process tab of the Task Manager) and my memory was released, but now my internet didn’t work properly, my scheduled tasks were disabled and in general, I couldn’t really use the PC, because I’d just killed off 2/3 of my processes.

It was at this point that I suddenly started wondering why there’s not a way to just separate these services into their own processes so that I could narrow down the problematic service … and I did some searching, and some experimenting, and it turns out there is a way.

To separate a service into a new svchost

The automatic way:

Upon suggestion from Karanjit Sidhu below I checked out sc.exe … it’s a command-line app for communicating with the Windows Service Control Manager and individual services, and the config option that he mentioned basically lets you do this a completely different way that I didn’t know about

Setting the service’s type to “own” instead of “shared” causes it to run in it’s own process even while it remains in the same named group. That is, instead of creating a new subkey in the “svchost” key as I suggested below, it simply changes that service’s Type value in HKLM/SYSTEM/CurrentControlSet/Services/@name@ to 16 instead of 32, causing the service to run in it’s own host process. Not only is this a much simpler change, registry-wise, you don’t have to do it manually in the registry, you can just run: sc.exe config [servicename] <option1> .... in fact, you should run sc.exe config by itself to see the help, because it enumerates the options for type, and also lets you set services to start delayed, etc or change their group (which is what I did below).

After you make this change, you have to stop and start the service to get it to run in it’s own host process — you can do that from the command-line using sc.exe stop [servicename] and sc.exe start [servicename]

The (original) manual way:

I’m leaving this here for the record — it’s the process I originally suggested, and it does work, but the “automatic” way listed above is much easier

The first thing you should know is that I’ve only been running with these changes in place for about one day, so there may be problems hiding under the hood that I haven’t detected. As always, when editing the registry, please make backup copies, and be aware that my tech-support rates are $40 an hour if you mess something up and need my help You may refer to KB 314056 if you think it will help.

We’ll be working in two keys in the registry:

HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/SvcHost
HKLM/SYSTEM/CurrentControlSet/Services

I’ll be referring to the first as the “SvcHost” key, and the second as the “Services” key, so please follow carefully:

Go to the SvcHost key, and notice the list of REG_MULTI_SZ values. Each one is a seperate service host, and consists of a list of the services (one per line) that will be hosted by that host. As far as I know, the names are completely arbitrary.
Find the host you want to take something out of… in my case it was “netsvcs”
Check: is there a subkey with that name? If there is:
1. Make an exact duplicate of that subkey, but with a different name (why? because I don’t know what these are for, and when you don’t know what you’re doing, the best bet is to copy someone who does). I named mine “netsvcs2” so that I could easily tell where it came from.
2. Make sure you copy all the values inside it (there’s probably just two REG_DWORD values), make sure they are set the same as the originals.
Make a new REG_MULTI_SZ in the SvcHost key with the new name (the same name you used for the subkey, if you made one above).
Edit the original host’s value to remove the service name(s) a??in my case, just one: wuauserva?? without leaving any blank lines …
Edit the new host’s value to add the service name(s) a??Your best bet is to cut it from one and paste it in the other.
Now go to the Services key
For each service that you moved, you need to find their subkey
Edit the “ImagePath” value:
1. It probably starts with something like: svchost.exe -k netsvcs
2. You should only edit the part after the -k
3. You have to use the exact name you gave your new host in the steps above (mine says svchost.exe -k netsvc2

That’s it. You’re done. You may now reboot, or simply stop and restart that service (or those services, if you moved more than one) and it should run in it’s own host from now on. I’m still waiting for my runaway service to run away again, so I can verify that it’s the Windows™ update one, but if it is, I think I’m going to call Microsoft’s tech support for the first time in my life.

By Joel 'Jaykul' Bennett
Tagged as:
- Development
- Software

RSS feed for comments on this post

CommentsSeparating+SvcHost+Services2005-09-29+14%3A50%3A23Joel+%27Jaykul%27+Bennett for "Separating SvcHost Services"

paul May 18th, 2006 at 5:51 am 1

Hey man this is the only page if found on svchost thats actually been of some help Thanks alot
Alan November 29th, 2006 at 6:56 am 2

Well done for this but did you find the runaway service?? I have the same problem now! Thanks.
Joel 'Jaykul' Bennett December 6th, 2006 at 12:58 pm 3

Yeah, it was the windows update service. I separated it out so it runs in it’s own service host with BITS. That way, when things get too bad I can kill that svchost.exe process without worrying about killing other services.
Marcus January 21st, 2007 at 8:51 pm 4

I had this same problem just recently after updating my computer. i did several virus scans and found a few but deleting them didn’t fix the problem. one of them was named romman or something like that. so when i was looking at svchost through process explorer it showed one of the services was named romman so i killed it and the cpu usage dropped back to zero. it didn’t have the same name in tasklist though. I don’t know where the program came from but hopefully not from windows update. maybe it was just coincidence that the two happened at the same time.
Rich February 28th, 2007 at 12:25 pm 5

You sir, are a legend! Just ran this on my bosses computer. This fix basically saved my arse!
Thanks alot!
C Gomez April 8th, 2007 at 12:28 pm 6

Isn’t one way to tell which instance of svchost is causing your problem (when it’s in the ‘runaway state’) is to add the PID column to Task Manager (I admit, not using ProcessExplorer, but everyone has Task Manager so this keeps it simple). That way you can match up the Process ID with the listing given by Tasklist /FI “PID eq processID” (from the KB article you noted above… very useful article).

It can at least help narrow down which instance is the problem one.
Joel 'Jaykul' Bennett April 8th, 2007 at 11:34 pm 7

C Gomez:

That’s absolutely right. I think I omitted a step when I went from 1 to 2 … in step one I had noted the PID and matched it up in step 2 … I simply failed to mention it because I always have that information visible, and forgot it’s not obvious
Jim Burkhart April 24th, 2007 at 1:11 pm 8

Probably the easiest way, without using the fix in Microsofts Article # 931852 (which does fix this problem), is to just go to “Run” and type in “net stop wuauserv” and that will stop the Automatic Update service.
Joel 'Jaykul' Bennett April 24th, 2007 at 8:37 pm 9

Thanks for the pointer! Actually, I’m not sure that KB article would solve the problem — I think it’s due to using GeoShell, and some weird race condition with the systray icon notification which results from that (but I’m not sure). But I think you’re right that “net stop wuauserv” would probably fix it (once you figure out which service is causing the problem).

Thankfully, it doesn’t seem to be a problem in Vista so far.
Shahzad May 3rd, 2007 at 1:31 am 10

hey Guys i want to kill the SVCHOST.EXE with the help of any script or amything which can kill these services on reboot automatically bcz killing these services cause to restarting the win Nt autority system please help me
Joel 'Jaykul' Bennett May 3rd, 2007 at 9:26 pm 11

That didn’t make any sense. If you want to kill services on startup, you should just stop them from starting in the first place by disabling them in services.msc
Carlos U May 12th, 2007 at 9:04 am 12

Hey Joel! Thanks a lot for the information. You are the man mate! I did exactly what you suggested and found out that my “runaway” service was also the windows update service. What a hungry and egocentric bastard, it eats all the memory on its own! At least now I know what is taking all my memory and can stop it whenever I want without killing other useful processes. This has been the only place where I found something useful – in other sites they just recommend running antiviruses and antispyware, which in my case didn’t make any sense since I just reformatted the computer a couple of days ago. Greetings!
Mike June 28th, 2007 at 7:02 am 13

Hi All

Had the same sort of issue with one of the SVCHOST services taking 100% CPU usage every 15 seconds. Worked out that it wasn’t Windows Updating but the Network Location Awareness (NLA)service that was running in the svchost service. Unless you use Internet connection Sharing you can disable this service. It sorted out my issue. I also removed it from the list of services starting in the svchost service
Hope this helps someone.
Karanjit Sidhu April 8th, 2008 at 2:24 pm 14

This can be done in an easier “NON” Registry intrusive way by using the following command

sc config wuauserv type= own

the sapce between the “=” and “own” is crucial.
Similarly , you can revert this change by making wuauserv a shared process.

sc config wuauserv type= share

This way you are not messing with the registry and still achieving the results.

Cheers.

btw: good work on figuring out how to do it manually yourself.
Jeff E August 17th, 2008 at 3:22 am 15

Karanjit Sidhu,
What exactly does this command do? More details would be nice before we try to run it on a system. Thanks.
Joel 'Jaykul' Bennett August 17th, 2008 at 9:22 am 16

Jeff E: I’ve made edits to the original story above, but you can just run sc.exe config with no parameters to see the help for config, or sc.exe with no params to see the help for the whole command, or you can read the Knowledge Base article kb 251192 and you can find more information about using this method to debug services in kb 934650

Comments are closed.

Huddled Masses

You can do more than breathe for free…

Similar Posts

Recent Posts

In-Page Navigation [+]

Separating SvcHost Services

To separate a service into a new svchost

The automatic way:

The (original) manual way: