Windows 7 suspicious svchost.exe

Audience: Fellow techs, power users


A couple weeks ago, while performing computer repair service in Snohomish, the system I was troubleshooting was responding rather slowly. When I fired up Process Explorer from Sysinternals, I found that a svchost.exe process was consuming up to 50% of the CPU’s resources. In Windows, svchost.exe is simply a host process for Windows services. Should you bring up Task Manager (Ctrl+Shift+Esc), you will find many svchost.exe entries listed, but no detailed information as to which services are running within each process (please also note the description column):

svchost.exe in Windows Task Manager

With Process Explorer you can get much more detailed information about all processes running on your system. In this case, by simply mousing over a svchost.exe process you will see which services it is hosting:

svchost.exe in Process Explorer


This can be particularly helpful when trying to find a service that is hogging resources. On the particular system I was working on, however, something was amiss. Firstly, the description said “winrscmde” instead of “Host Process For Windows Services,” and secondly, mousing over the entry simply listed “svchost.exe.” Clearly, this process could not be hosting itself. At this point I suspected an imposter. By right-clicking any process in Process Explorer you can launch a properties dialog to learn more about the process. The first tab of this window is “Image.” In this tab you can find, among other items, the file path. Svchost.exe should look like this:

Valid svchost.exe location

The location for svchost.exe should be: C:\Windows\system32\svchost.exe. Again, the afflicted system had an inconsistency here, as the location was C:\Windows\svchost.exe. I navigated to this location and attempted to delete the file, but found that it was locked. Fortunately, Process Explorer has a way to deal with this as well. Two of the other right-click menu items are “Kill Process” and “Suspend.”

Kill Process or Suspend

The thing about malware (which, at this point, it should be clear is what I was dealing with) is that if you kill one part of it, another component might re-launch it. So, by clicking “Suspend” I was able to delete the fake svchost.exe file. I then followed up with an off-line virus scan to remove all traces of infection.
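The three checks used above (image path, file description, hosted services) can be scripted across every running svchost.exe. This is an added example, not part of the original post; it assumes an English-language Windows install and an elevated PowerShell prompt, and a flagged entry is a candidate for closer inspection in Process Explorer rather than proof of infection.

```powershell
# Added example: apply the post's three checks to every running svchost.exe.
# Get-WmiObject is used so this also runs on the PowerShell 2.0 shipped with Windows 7.
# Run elevated; otherwise ExecutablePath can come back empty for system processes.

$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')  # 32-bit copy on 64-bit Windows
)
# Assumption: English-language Windows (the description string is localized).
$expectedDescription = 'Host Process for Windows Services'

# Map each process ID to the names of the services it hosts.
$servicesByPid = @{}
foreach ($svc in (Get-WmiObject Win32_Service)) {
    if ($svc.ProcessId -eq 0) { continue }   # service is not running
    $key = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $svc.Name
}

$report = foreach ($proc in (Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'")) {
    $findings = @()
    $path = $proc.ExecutablePath
    $description = $null

    if (-not $path) {
        $findings += 'path unreadable (not elevated?)'
    } else {
        if ($expectedPaths -notcontains $path) { $findings += 'unexpected path' }
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($file) { $description = $file.VersionInfo.FileDescription }
        if ($description -ne $expectedDescription) { $findings += 'unexpected description' }
    }

    $hosted = $servicesByPid[[int]$proc.ProcessId]
    if (-not $hosted) { $findings += 'hosts no services' }

    New-Object PSObject -Property @{
        ProcessId   = $proc.ProcessId
        Path        = $path
        Description = $description
        Services    = ($hosted -join ', ')
        Findings    = ($findings -join '; ')
    }
}

# Suspicious entries first; a clean svchost.exe has an empty Findings column.
$report | Sort-Object @{ Expression = { $_.Findings -eq '' } }, ProcessId |
    Format-Table ProcessId, Path, Services, Findings -AutoSize -Wrap
```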


In conclusion, Process Explorer is a great tool for troubleshooting malware and bugs. If you haven’t tried it yet, or the other Sysinternals tools, head on over to and check them out.



be safe out there


Windows Cannot Find HELPCTR.EXE

Audience: Fellow Techs, Power Users

Recently, I received a call for computer repair in Marysville. The client was getting an error in Windows XP that Windows cannot find HELPCTR.exe. Upon further discussion with the client, I found out that he had recently uninstalled a trial of AVG 2012 anti-virus. A little searching with Google showed that the problem was most likely caused by a missing registry key. Since I was providing tech support over the phone I didn’t want to have the client running regedit.exe himself, so I did a little more searching for easy solutions (yes, I could have started a remote session at this point). My diligence paid off when I found this:

This page contains a registry file to correct the observed error. After verifying the file I directed the client to the fix. He ran it, and upon seeing that the Help and Support link now worked, declared me a genius. (Truth be told I ride on the shoulders of giants.) Special thanks to the author of for his great resource.

Now, in regard to AVG 2012, I cannot say for certain that it caused the problem, but it would not be the first time I have seen an uninstalled program break registry links before.

Stay safe out there,

Snohomish Computer Repair – Fall Newsletter

These tips are brought to you by:

Home Computing Tip-of-the-Month:

“How to Make the Most of Internet Radio”

Understanding Internet Radio

Internet radio stations (or web radio) are defined as real-time or archived broadcasts of public radio stations, which an individual can listen to and enjoy on their own time. However, there are other web radio programs such as iHeartRadio, ChoiceRadio and SHOUTcast that are intended to be directly used in correspondence with the Internet.

Installing a Player onto Your Computer

In order to listen to the radio online, you need to install or download a player, such as Windows Media Player, RealPlayer, and QuickTime. Windows Media Player provides immediate access to a number of radio “stations”. Some of these stations include genres such as Latin, Christian Hits, Jazz, Americana and Roots, or Rap & Hip Hop.

Cost of Internet Radio

Internet radio, for the most part, provides free music to users. The stations available through Windows Media Player are free, and in addition to Windows Media Player, Pandora offers free music as well, after you sign up and provide your e-mail address. Some companies offer premium services for music through payments and fees, which provide users with better quality music, exclusive content, and commercial-free listening.

Internet Radio on the Web

The web provides many Internet radio websites such as the following:

  • (also available as a free Smartphone App)

Pandora is unique in that it allows the user to tell the site what their favorite musician, composer or song is, register for free, and then Pandora develops a radio station, similar to a playlist, specifically tailored to the individual.

Additionally, individuals can access most of their favorite “traditional” radio stations through the Internet. Currently, major music stations provide websites where users can listen to music and a broadcast in real time, no matter what the user’s location is. Bing provides individuals with the ability to type in their station’s call sign (Example: 100.7), open the station’s website, and then click on a link that says Listen Live or Streaming, which allows the user to hear the station in real time. iHeartRadio is owned by Clear Channel and allows users to access their favorite Clear Channel radio stations from anywhere in the world on their computer and smartphone.


How to replace missing Windows files

target audience: power users, technicians (If you don’t understand the following, don’t try it. You could do further damage to your installation.)

Replacing critical .dll files in Windows can be a bit tricky. Chances are you can’t boot Windows properly without the file intact. To fix this you’ll need the correct installation CD for your version of Windows. (I can’t recommend a TechNet subscription strongly enough if you are a technician.) Recently I replaced the file “SHLWAPI.DLL.” The following instructions are from Microsoft’s support site. Substitute whichever file(s) you need to replace for the ones listed here.

To resolve this problem, you must restart your computer in the Windows XP Recovery Console, and then replace the damaged DLL files. To do this, follow these steps:

  1. Use the Windows XP Setup start-up disks or the Windows XP CD-ROM to start your computer.
  2. At the “Welcome to Setup” screen, press R, and then press C to start the Recovery Console.
  3. Type the number for the appropriate Windows XP installation, and then type the Administrator account password.
  4. Type the following commands, and then press ENTER after each command:

    cd \
    cd windows\system32
    ren winlogon.exe winlogon.old
    ren msgina.dll msgina.old
    ren shell32.dll shell32.old
    ren shlwapi.dll shlwapi.old
    cd servicepackfiles\i386
    copy MSGINA.DLL c:\windows\system32
    copy SHELL32.DLL c:\windows\system32
    copy WINLOGON.EXE c:\windows\system32
    copy SHLWAPI.DLL c:\windows\system32

    Note: If the DLL files are NOT in the Servicepackfiles folder, you must expand these files from the Windows XP installation CD-ROM and copy them to the System32 folder. To expand these files from the Windows XP installation CD, follow these steps:

    1. Put the Windows XP installation CD in your CD-ROM or DVD drive.
    2. Type the following commands, and then press ENTER after each command:

      expand CD_Drive_Letter:\i386\MSGINA.DL_ C:\windows\system32
      expand CD_Drive_Letter:\i386\SHELL32.DL_ C:\windows\system32
      expand CD_Drive_Letter:\i386\WINLOGON.EX_ C:\windows\system32
      expand CD_Drive_Letter:\i386\SHLWAPI.DL_ C:\windows\system32

  5. Type exit, and then press ENTER.



  • Follow these instructions to get to the Recovery Console
  • There may very well not be a “servicepackfiles” folder so the second half of the above directions apply.
  • You should REALLY do a DIR to look for the file on the CD before starting the replacement procedure. Just remember, the extension is appended with an underscore (e.g. .ex_ or .dl_) because the files are packed.