I’ve finally figured out how to tell Windows which services to run together in one service host, and which I want in their own host. It’s tricky, but first, let me explain why I wanted to do this…

This last week or so, I’ve been having problems with a runaway svchost.exe process on several of my computers. I’ve theorized that it’s due to Windows™ Update, but I haven’t been able to prove it one way or another, because when I went to find out what was in that process, it went something like this:

  1. I went to Windows Task Manager (by pressing Shift+Ctrl+Esc) and in the processes tab, I saw that the reason my PC was running slowly was that I had a svchost.exe process using more than 80% of my CPU, and over 200MB of RAM (that’s at home, at work I have substantially less RAM, so it was around 120MB when I noticed my PC slowing to a crawl).
  2. I tried to detect what service was the problem by going to the command line (Start->Run: cmd.exe) and typing Tasklist /svc but what I discovered is that the runaway service host was actually hosting 25 different services … which one could it be?
  3. I ran ProcessExplorer and found basically the same information, along with a listing of the “friendly” names of the services …
  4. I ran my services manager console (Start->Run: services.msc), and using the friendly names from Process Explorer, I tried stopping the services one at a time, but the memory was never released (although the CPU usage did go down after I stopped the Automatic Updates service).
  5. I killed the svchost.exe process (from the process tab of the Task Manager) and my memory was released, but now my internet didn’t work properly, my scheduled tasks were disabled and in general, I couldn’t really use the PC, because I’d just killed off 2/3 of my processes.

It was at this point that I suddenly started wondering why there’s not a way to just separate these services into their own processes so that I could narrow down the problematic service … and I did some searching, and some experimenting, and it turns out there is a way.

To separate a service into a new svchost

[new] The automatic way:

Upon suggestion from Karanjit Sidhu below I checked out sc.exe … it’s a command-line app for communicating with the Windows Service Control Manager and individual services, and the config option that he mentioned basically lets you do this a completely different way that I didn’t know about :)

Setting the service’s type to “own” instead of “shared” causes it to run in its own process even while it remains in the same named group. That is, instead of creating a new subkey in the “svchost” key as I suggested below, it simply changes that service’s Type value in HKLM/SYSTEM/CurrentControlSet/Services/@name@ to 16 instead of 32, causing the service to run in its own host process. Not only is this a much simpler change registry-wise, you don’t have to do it manually in the registry; you can just run: sc.exe config [servicename] <option1> .... In fact, you should run sc.exe config by itself to see the help, because it enumerates the options for type, and also lets you set services to start delayed, etc., or change their group (which is what I did below).

After you make this change, you have to stop and start the service to get it to run in its own host process — you can do that from the command-line using sc.exe stop [servicename] and sc.exe start [servicename] :)
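The check, change and restart sequence described above as one PowerShell script (an added example, not part of the original post). The function name Get-ServiceHosting and the -Isolate switch are made up for this example, and it assumes an elevated prompt with the CIM cmdlets available (PowerShell 3.0 or later).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# 'wuauserv' is the service the post isolates; substitute the one you suspect.
param([string]$Name = 'wuauserv', [switch]$Isolate)

function Get-ServiceHosting {
    param([Parameter(Mandatory)][string]$ServiceName)

    # Type is the DWORD the post describes: 0x10 (16) = own process, 0x20 (32) = shared.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $type = (Get-ItemProperty -Path $key -Name Type).Type
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"

    # Every other service living in the same host process (PID 0 means not running).
    $mates = @()
    if ($svc.ProcessId -ne 0) {
        $mates = @(Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
                   Where-Object Name -ne $ServiceName |
                   Select-Object -ExpandProperty Name)
    }

    [pscustomobject]@{
        Name      = $ServiceName
        TypeValue = $type
        Hosting   = if ($type -band 0x10) { 'own' } elseif ($type -band 0x20) { 'share' } else { 'other' }
        ImagePath = $svc.PathName
        HostPid   = $svc.ProcessId
        CoHosted  = $mates
    }
}

$before = Get-ServiceHosting -ServiceName $Name
$before | Format-List

if ($Isolate -and $before.Hosting -eq 'share') {
    # sc.exe takes "type=" and "own" as separate arguments, hence the space.
    # In Windows PowerShell a bare "sc" is an alias for Set-Content, so spell out sc.exe.
    sc.exe config $Name type= own
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

    # The new type only takes effect when the service is started again.
    Restart-Service -Name $Name -Force

    $after = Get-ServiceHosting -ServiceName $Name
    $after | Format-List
    if ($after.CoHosted.Count -gt 0) {
        Write-Warning "$Name still shares PID $($after.HostPid) with: $($after.CoHosted -join ', ')"
    }
}
```

Without -Isolate the script only reports, which makes it a quick way to see what else would be affected by killing a given svchost.exe.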

The (original) manual way:

I’m leaving this here for the record — it’s the process I originally suggested, and it does work, but the “automatic” way listed above is much easier ;)

The first thing you should know is that I’ve only been running with these changes in place for about one day, so there may be problems hiding under the hood that I haven’t detected. As always, when editing the registry, please make backup copies, and be aware that my tech-support rates are $40 an hour if you mess something up and need my help ;) You may refer to KB 314056 if you think it will help.

We’ll be working in two keys in the registry:

  • HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/SvcHost
  • HKLM/SYSTEM/CurrentControlSet/Services

I’ll be referring to the first as the “SvcHost” key, and the second as the “Services” key, so please follow carefully:

  1. Go to the SvcHost key, and notice the list of REG_MULTI_SZ values. Each one is a separate service host, and consists of a list of the services (one per line) that will be hosted by that host. As far as I know, the names are completely arbitrary.
  2. Find the host you want to take something out of… in my case it was “netsvcs”
  3. Check: is there a subkey with that name? If there is:
    1. Make an exact duplicate of that subkey, but with a different name (why? because I don’t know what these are for, and when you don’t know what you’re doing, the best bet is to copy someone who does). I named mine “netsvcs2” so that I could easily tell where it came from.
    2. Make sure you copy all the values inside it (there’s probably just two REG_DWORD values), and make sure they are set the same as the originals.
  4. Make a new REG_MULTI_SZ in the SvcHost key with the new name (the same name you used for the subkey, if you made one above).
  5. Edit the original host’s value to remove the service name(s) (in my case, just one: wuauserv) without leaving any blank lines …
  6. Edit the new host’s value to add the service name(s). Your best bet is to cut it from one and paste it in the other.
  7. Now go to the Services key
  8. For each service that you moved, you need to find their subkey
  9. Edit the “ImagePath” value:
    1. It probably starts with something like: svchost.exe -k netsvcs
    2. You should only edit the part after the -k
    3. You have to use the exact name you gave your new host in the steps above (mine says svchost.exe -k netsvcs2)

That’s it. You’re done. You may now reboot, or simply stop and restart that service (or those services, if you moved more than one) and it should run in its own host from now on. I’m still waiting for my runaway service to run away again, so I can verify that it’s the Windows™ update one, but if it is, I think I’m going to call Microsoft’s tech support for the first time in my life.
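A read-only consistency check for the manual edit (an added example, not part of the original post): it walks the two keys named above and reports any service whose ImagePath group does not match the SvcHost list it appears in, plus any blank lines left in a list. The function name Test-SvcHostGroups is made up for this example.

```powershell
# Added example, not from the original post: read-only check, changes nothing.
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-SvcHostGroups {
    $key = Get-Item -Path $svcHostKey
    foreach ($group in $key.GetValueNames()) {
        # Only the REG_MULTI_SZ values are host groups; skip anything else.
        if ($key.GetValueKind($group) -ne 'MultiString') { continue }

        foreach ($service in $key.GetValue($group)) {
            if ([string]::IsNullOrWhiteSpace($service)) {
                # Step 5 warns against leaving blank lines behind after an edit.
                [pscustomobject]@{ Group = $group; Service = '(blank line)'
                                   Problem = 'empty entry in group list' }
                continue
            }

            $path = Join-Path $servicesKey $service
            if (-not (Test-Path $path)) { continue }   # listed but not installed

            $imagePath = (Get-ItemProperty -Path $path).ImagePath
            # Step 9: the name after -k must be the group the service is listed in.
            # PowerShell's -ne compares case-insensitively, like the registry does.
            if ($imagePath -match '-k\s+"?([^\s"]+)' -and $Matches[1] -ne $group) {
                [pscustomobject]@{ Group = $group; Service = $service
                                   Problem = "ImagePath says -k $($Matches[1])" }
            }
        }
    }
}

# No output means every listed, installed service agrees with its ImagePath.
Test-SvcHostGroups | Format-Table -AutoSize
```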

16 Responses to “Separating SvcHost Services”

  • paul says:

    Hey man, this is the only page I’ve found on svchost that’s actually been of some help. Thanks a lot :)

  • Alan says:

    Well done for this but did you find the runaway service?? I have the same problem now! Thanks.

  • Yeah, it was the Windows Update service. I separated it out so it runs in its own service host with BITS. That way, when things get too bad I can kill that svchost.exe process without worrying about killing other services.

  • Marcus says:

    I had this same problem just recently after updating my computer. I did several virus scans and found a few but deleting them didn’t fix the problem. One of them was named romman or something like that. So when I was looking at svchost through Process Explorer it showed one of the services was named romman, so I killed it and the CPU usage dropped back to zero. It didn’t have the same name in tasklist though. I don’t know where the program came from but hopefully not from Windows Update. Maybe it was just coincidence that the two happened at the same time.

  • Rich says:

    You sir, are a legend! Just ran this on my boss’s computer. This fix basically saved my arse!
    Thanks a lot!

  • C Gomez says:

    Isn’t one way to tell which instance of svchost is causing your problem (when it’s in the ‘runaway state’) is to add the PID column to Task Manager (I admit, not using ProcessExplorer, but everyone has Task Manager so this keeps it simple). That way you can match up the Process ID with the listing given by Tasklist /FI “PID eq processID” (from the KB article you noted above… very useful article).

    It can at least help narrow down which instance is the problem one.

  • C Gomez:

    That’s absolutely right. I think I omitted a step when I went from 1 to 2 … in step one I had noted the PID and matched it up in step 2 … I simply failed to mention it because I always have that information visible, and forgot it’s not obvious :)

  • Jim Burkhart says:

    Probably the easiest way, without using the fix in Microsoft’s Article # 931852 (which does fix this problem), is to just go to “Run” and type in “net stop wuauserv” and that will stop the Automatic Update service.

  • Thanks for the pointer! Actually, I’m not sure that KB article would solve the problem — I think it’s due to using GeoShell, and some weird race condition with the systray icon notification which results from that (but I’m not sure). But I think you’re right that “net stop wuauserv” would probably fix it (once you figure out which service is causing the problem).

    Thankfully, it doesn’t seem to be a problem in Vista so far.

  • Shahzad says:

    Hey guys, I want to kill the SVCHOST.EXE with the help of any script or anything which can kill these services on reboot automatically, because killing these services cause to restarting the Win NT authority system. Please help me.

  • That didn’t make any sense. If you want to kill services on startup, you should just stop them from starting in the first place by disabling them in services.msc

  • Carlos U says:

    Hey Joel! Thanks a lot for the information. You are the man mate! I did exactly what you suggested and found out that my “runaway” service was also the windows update service. What a hungry and egocentric bastard, it eats all the memory on its own! At least now I know what is taking all my memory and can stop it whenever I want without killing other useful processes. This has been the only place where I found something useful – in other sites they just recommend running antiviruses and antispyware, which in my case didn’t make any sense since I just reformatted the computer a couple of days ago. Greetings!

  • Mike says:

    Hi All

    Had the same sort of issue with one of the SVCHOST services taking 100% CPU usage every 15 seconds. Worked out that it wasn’t Windows Updating but the Network Location Awareness (NLA) service that was running in the svchost service. Unless you use Internet Connection Sharing you can disable this service. It sorted out my issue. I also removed it from the list of services starting in the svchost service.
    Hope this helps someone.

  • Karanjit Sidhu says:

    This can be done in an easier “NON” Registry intrusive way by using the following command

    sc config wuauserv type= own

    The space between the “=” and “own” is crucial.
    Similarly, you can revert this change by making wuauserv a shared process.

    sc config wuauserv type= share

    This way you are not messing with the registry and still achieving the results.

    Cheers.

    btw: good work on figuring out how to do it manually yourself.

  • Jeff E says:

    Karanjit Sidhu,
    What exactly does this command do? More details would be nice before we try to run it on a system. Thanks.

  • Jeff E: I’ve made edits to the original story above, but you can just run sc.exe config with no parameters to see the help for config, or sc.exe with no params to see the help for the whole command, or you can read the Knowledge Base article kb 251192 and you can find more information about using this method to debug services in kb 934650