Ask the Expert

How do I find out which programs are instigating which svchost instance?

I can use task list /svc to find out what each instance of svchost is running, as well as the PID for that instance. But how do I find out which programs are instigating which svchost instance? And if more than one program is using the same instance of svchost to do different things, how do I find out which things exactly each program is asking that svchost instance to do? "Process explorer" and "perfect process" can't do it. Is there any software that will do this for me?

Svchost is essential a process that can be used to run multiple services. You can find out the current arrangement for all svchost processes by viewing the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

You can also, as you note, use the task list /svc command. This command provides the PID. (You can also find the PID if you add the PID column (from the View menu) to the task manager applet)

(For Windows 2000 the command is tlist /s, the tlist tool is available from the Windows installation CD-ROM support folder.)

More information on the processes within svchost can be found by setting process tracking auditing in the auditing section of group policy. Be aware, however, that many events may be generated. It typically is not a good idea to enable this type of auditing unless you are seeking specific information.

This was first published in July 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: