Share this question

Welcome to Teachnovice Q&A, where you can ask questions and receive answers from other members of the community.

This is a collaboratively edited question and answer site for computer enthusiasts and power users. It's 100% free, no registration required.

Finegrained performance reporting on svchost.exe?

0 like 0 dislike

This is something that's always bothered me, so I'll ask the Server Fault community.

I love Process Explorer for keeping track of more than just the high-level tasks you get in the Task Manager. But I constantly want to know which of those dozen services hosted in a single process under svchost is making my processor spike.

So... is there any non-intrusive way to find this information out?

asked Feb 20, 2015 by Randolpho  

4 Answers

0 like 0 dislike
Best answer

Yes, there is an (almost) non-intrusive and easy way:

Split each service to run in its own SVCHOST.EXE process and the service consuming the CPU cycles will be easily visible in Process Explorer (the space after "=" is required):

SC Config Servicename Type= own

Do this in a command line window or put it into a BAT script. Administrative privileges are required and a restart of the computer is required before it takes effect.

The original state can be restored by:

SC Config Servicename Type= share

Example: to make Windows Management Instrumentation run in a separate SVCHOST.EXE:

SC Config winmgmt Type= own

This technique has no ill effects, except perhaps increasing memory consumption slightly. And apart from observing CPU usage for each service it also makes it easy to observe page faults delta, disk I/O read rate and disk I/O write rate for each service. For Process Explorer, menu View/Select Columns: tab Process Memory/Page Fault Delta, tab Process Performance/IO Delta Write Bytes, tab Process Performance/IO Delta Read Bytes, respectively.

On most systems there is only one SVCHOST.EXE process that has a lot of services. I have used this sequence (it can be pasted directly into a command line window):

rem  1. "Automatic Updates"
SC Config wuauserv Type= own

rem  2. "COM+ Event System"
SC Config EventSystem Type= own

rem  3. "Computer Browser"
SC Config Browser Type= own

rem  4. "Cryptographic Services"
SC Config CryptSvc Type= own

rem  5. "Distributed Link Tracking"
SC Config TrkWks Type= own

rem  6. "Help and Support"
SC Config helpsvc Type= own

rem  7. "Logical Disk Manager"
SC Config dmserver Type= own

rem  8. "Network Connections"
SC Config Netman Type= own

rem  9. "Network Location Awareness"
SC Config NLA Type= own

rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own

rem 11. "Secondary Logon"
SC Config seclogon Type= own

rem 12. "Server"
SC Config lanmanserver Type= own
answered Feb 20, 2015 by Peter Mortensen  
For the PowerShell users out there: Get-Service | ForEach-Object {C:\Windows\System32\SC.EXE config $_.Name type= own}
To the poster that recommended the PowerShell script: I tried it and it succesfully changed all my services. However, upon reboot an error box popped up and a restart was triggered. I had to restore with 'last good configuration'. Be careful.
0 like 0 dislike
While I don't know of easy way to do it directly, you can often infer it from the Process Explorer properties page for the svchost process. The Services tab on the process properties will tell you which services are hosted in that process. And the Threads tab will show you the threads and thread stacks running as well as their CPU usage. Often the Start Address on the thread will give an indication of the entry point DLL, and by extension the service, that's running on that thread. Other times you can look at the thread callstack and will see the module name in the call stack that tells you which piece of code is running.
answered Feb 20, 2015 by Kevin Dente  
0 like 0 dislike
I don't know if this is still a question you want answers, but while troubleshooting a customer's svchost error, I learned that there is a command line for exactly this: "tasklist /svc" It gives a complete list of the processes running, with the process ID and the services each process is running. It doesn't give a processor usage, but you can close them one process at a time by process ID, and learn at least which group of services is clogging up your CPU.
answered Feb 20, 2015 by Rev Danger  
0 like 0 dislike

Please try Service Disclosure tool. It

  1. Stores services which share svchost.exe process.
  2. Configures services to run in separate process. After reboot you will see each service in separate process.
  3. Returns all stored at step #1 services back to one process.

Your comments and suggestions are welcome.

@Peter Mortensen: Thanks for idea.

answered Feb 20, 2015 by Dmytro Ovdiienko  
Dmytro, where can I learn how to use your Service Disclosure tool? I downloaded and ran service_disclosure.exe on Windows 7. Briefly I saw a black command window open and close, but nothing more seemed to happen. This was disconcerting! I'd like to know what it did to my computer and how to properly use the tool.
Hi Dan. Please consider this step-by-step guide (