Audience: Fellow techs, power users
A couple weeks ago while performing computer repair service in Snohomish, the system I was troubleshooting was responding rather slowly. When I fired up process explorer from Sysinternals I found that a svchost.exe process was consuming up to 50% of the CPU’s resources. In Windows Svchost.exe is simply a host process for windows services. Should you bring up Task Manager (Ctrl+Shift+Esc) you will find many svchost.exes listed, but no detailed information as to which services is running within each process (please also note the description column):
|svchost.exe in Windows Task Manager|
With process explorer you can get much more detailed information about all processes running on your system. In this case, by simply mousing over a svchost.exe process you will see which services it is hosting:
|svchost.exe in Process Explorer|
This can be particularly helpful when trying to find a service that is hogging resources. On the particular system I was working on, however, something was amiss. Firstly the description said “winrscmde” instead of Host Process For Windows Services, and secondly mousing over the entry simply listed “svchost.exe.” Clearly, this process could not be hosting itself. At this point I suspected an imposter. By right clicking any process in Process Explorer you can launch a properties dialog to learn more about the process. The first Tab of this window is “Image.” In this tab you can find, among other items, the file path. Svchost.exe should look like this:
|Valid svchost.exe location|
The location for svchost.exe should be: C:\Windows\system32\svchost.exe. Again, the afflicted system had an inconsistency here, as the location was C:\Windows\svchost.exe. I navigated to this location and attempted to delete the file, but found that it was locked. Fortunately, Process Explorer has a way to deal with this as well. Two of the other right-click menu items are “Kill Process” or “Suspend.”
|Kill Process or Suspend|
The thing about Malware (which at this point it should be clear that is what I was dealing with) it that if you kill one part of it, another component might re-launch it. So, by clicking “Suspend” I was able to delete the fake svchost.exe file. I then followed up with an off-line virus scan to remove all traces of infection.
In conclusion, Process Explorer in a great tool for trouble shooting malware, and bugs. If you haven’t tried it yet, or the other Sysinteral tools, head on over to http://technet.microsoft.com/en-us/sysinternals/default and check them out.
be safe out there