Using Process Explorer to tame svchost.exe - Advanced topics

Stop svchost.exe from stealing CPU cycles - Advanced topics

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.



On February 5th, Peter Butler of CNET wrote a blog posting about using the free Process Explorer program to prevent an instance of the svchost.exe process from hogging the CPU on his CNET-provided* computer. This is a follow-up, a more advanced look at Process Explorer.

To people unfamiliar with Process Explorer, I usually call it Task Manager on steroids. But comparing Process Explorer to Task Manager is like comparing humans to amoebas. It's that far up the evolutionary scale.

Let me say up front that I am prejudiced. I think Process Explorer is an excellent program. I'd go so far as to say that it might be my favorite Windows software of all time. It's free, portable and comes from a trusted source. Although the program is technically from Microsoft, the author, Mark Russinovich, developed Process Explorer while working at Sysinternals, a software company with an outstanding reputation. Microsoft eventually bought Sysinternals. Highly recommended (this coming from the curmudgeon behind computergripes.com).

Dissecting an Svchost.exe Process

Svchost.exe is a most annoying process as it "hosts" multiple underlying components of Windows called services. Thus narrowing down a performance problem to a particular svchost process is far from the end of the detective work.

As Peter pointed out in his posting, Process Explorer can dissect an svchost process, something that Task Manager cannot. You can see an example of this below, which shows the yellow pop-up window that Process Explorer displays when the mouse is hovered over an svchost.exe process. In Windows XP there are multiple instances of the svchost process and each hosts a different group of services. The example below is a worst-case scenario: there are 18 different services sharing a single process. Must get crowded in there.

Process Explorer showing the services in an svchost process

Peter is not correct, however, when he says, referring to this list of services, that we "... can then use that list to determine which, if any, of the Windows services is killing their productivity." Process Explorer** does not break down CPU usage, or anything else for that matter, by service. The closest it comes is displaying information about the individual threads in the process (see below). The problem is that there isn't a one-to-one correspondence between a thread and a service. A service is a logical thing and a thread is a physical thing.

Process Explorer showing the threads in an svchost process
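
The same service-to-process mapping can be pulled from the command line. The script below is an added example, not part of the original posting; it assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt so that CPU time is readable for system processes. Note that CPU time and thread count are reported per svchost process, not per hosted service, which is the limitation described above.

```powershell
# Added example: list each svchost.exe host process with the services inside it.
# Assumes PowerShell 3.0+; run elevated to read CPU time of system processes.

# Win32_Service.ProcessId is the PID of the hosting process (0 = not running).
# PathName is the service's command line, which names svchost.exe for shared hosts.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' }

$report = foreach ($group in ($services | Group-Object -Property ProcessId)) {
    $proc = Get-Process -Id ([int]$group.Name) -ErrorAction SilentlyContinue
    if (-not $proc) { continue }   # host process exited between the two queries

    # CPU is null when the caller lacks rights to query the process.
    $cpu = if ($null -ne $proc.CPU) { [math]::Round($proc.CPU, 1) } else { $null }

    [pscustomobject]@{
        HostPid      = $proc.Id
        CpuSeconds   = $cpu                    # total for the whole process
        ThreadCount  = $proc.Threads.Count     # threads are not labelled by service
        ServiceCount = $group.Count
        Services     = ($group.Group.Name | Sort-Object) -join ', '
    }
}

# Busiest host process first; a high CpuSeconds value narrows the search to
# one group of services, not to a single service.
$report | Sort-Object -Property CpuSeconds -Descending | Format-Table -AutoSize -Wrap
```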

Task Scheduler and Automatic Updates

Somehow Peter tracked down the excessive CPU usage on his computer to two services, Task Scheduler and Automatic Updates. He says "Both of these services are critical to the health of my PC ...". This is not true.

The Automatic Updates service is Windows Update, that is, it's the part of Windows that applies bug fixes. Even when you use the GUI in Windows XP to turn off Automatic Updates, the underlying Automatic Updates service remains running at all times. Think of it like a car with the engine running, but in Park rather than Drive. Microsoft has abused the running engine to silently install updates, even on a computer where the owner told them not to. (See my Windows is Spyware posting from September 13, 2007).

Thus, I previously argued (Defending yourself against Microsoft) that the Automatic Updates service is best turned off (disabled) all the time. That's what I've done personally for quite a while with no regrets. Once a month I turn it on, run Windows Update manually and then off it goes.

The Task Scheduler does nothing more than run programs on a schedule. In and of itself, it is not critical to the health of a Windows machine. Peter was referring to anti-malware software that is scheduled using the Task Scheduler on his machine. This is not always the case. Much anti-malware software is capable of scheduling its own activities without assistance from the Windows scheduler.

Next up...

Next, more about using Process Explorer: Process Explorer Part 2.

*From the posting it sounds like Peter Butler is a CNET employee. Members of the CNET Blog Network, such as myself, are paid by CNET but we are not employees of CNET. I don't know Peter Butler.
**This discussion is based on version 11.04 of Process Explorer, which was the latest as of this writing.

See a summary of all my Defensive Computing postings.