*** Welcome to piglix ***

Svchost.exe


svchost.exe (Service Host, or SvcHost) is a system process that hosts multiple Windows services in the Windows NT family of operating systems. Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family. However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. Problems with various hosted services, particularly with Windows Update, get reported by users (and headlined by the press) as involving svchost.

The svchost process was introduced in Windows 2000, although the underlying support for shared service processes has existed since Windows NT 3.1.

Its executable image, %SystemRoot%\System32\Svchost.exe or %SystemRoot%\SysWOW64\Svchost.exe (for 32-bit services running on 64-bit systems) runs in multiple instances, each hosting one or more services.

Services running in SvcHost are implemented as dynamically-linked libraries (DLLs). Such service's registry key must have a value named ServiceDll under the Parameters subkey, pointing to the respective service's DLL file. Their ImagePath definition is of the form %SystemRoot%\System32\svchost.exe -k (service group; i.e. netsvcs). Services sharing the same SvcHost process specify the same parameter, having a single entry in the SCM's database. The first time that a SvcHost process is launched with a specific parameter, it looks for a value of the same name under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key, which it interprets as a list of service names. Then, it notifies the SCM of all the services that it hosts. SCM doesn't launch a second SvcHost process for any of those received services: instead, it simply sends a "start" command to the respective SvcHost process containing the name of the service that should be launched within its context, and whose respective DLL SvcHost loads.


...
Wikipedia

...