Analyzing svchost Processes

by Sep 15, 2015

Occasionally, you may see a bunch of processes named “svchost” in your task monitor or Get-Process output. These processes are hosts for Windows services. So each “svchost” process hosts one or more Windows services.

To better understand which services hide behind these processes, you could use code like this:

#requires -Version 2
# Hash table defines two keys: 
# Name and Expression
# they can be used with Select-Object
# to produce "calculated" properties
$Service = @{
  Name = 'Service'
  Expression = {
    # if the process is "svchost"...
    if ($_.Name -eq 'svchost')
    {
      # ...find out the current process ID...
      $processID = $_.ID
      # ...and look up the services attached to it
      ($serviceList.$processID).Name -join ', '
    }
  }
}

# create a service lookup table with ProcessID as a key
$serviceList = Get-WmiObject -Class Win32_Service |
Group-Object -Property ProcessID -AsString -AsHashTable

# get all running processes...
Get-Process |
# add the new calculated column defined in $Service...
Select-Object -Property Name, ID, CPU, $Service |
# and output results to a grid view Window
Out-GridView

When you run this code, you see the process list of all currently running processes. Whenever the process is “svchost”, you find the service names in the new column “Service”.
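
The same lookup as an added example (not part of the original tip), using Get-CimInstance because Get-WmiObject is not available in PowerShell 6 and later. It returns objects instead of a grid view and adds each svchost instance's command line and image path so an instance that hosts no service, or runs from an unusual location, stands out. The function name Get-SvchostServiceMap and the list of expected paths are assumptions of this example.

```powershell
#requires -Version 3
# Added example: Get-SvchostServiceMap and $expectedPaths are hypothetical names.

function Get-SvchostServiceMap
{
  # locations where svchost.exe normally lives (assumption of this example)
  $expectedPaths = @(
    (Join-Path -Path $env:SystemRoot -ChildPath 'System32\svchost.exe'),
    (Join-Path -Path $env:SystemRoot -ChildPath 'SysWOW64\svchost.exe')
  )

  # service lookup table: process ID (as string) -> services running in that process
  $serviceList = Get-CimInstance -ClassName Win32_Service -Filter 'ProcessId != 0' |
    Group-Object -Property ProcessId -AsString -AsHashTable

  # one output object per svchost.exe instance
  Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
      $hosted = $serviceList[[string]$_.ProcessId]
      $names  = if ($hosted) { @($hosted.Name) } else { @() }

      # ExecutablePath is empty when the caller may not query the process
      $pathCheck = if (-not $_.ExecutablePath) { 'Unknown (try elevated)' }
                   elseif ($expectedPaths -contains $_.ExecutablePath) { 'Expected' }
                   else { 'Unexpected' }

      [pscustomobject]@{
        ProcessId      = $_.ProcessId
        ServiceCount   = $names.Count
        Services       = $names -join ', '
        PathCheck      = $pathCheck
        ExecutablePath = $_.ExecutablePath
        CommandLine    = $_.CommandLine
      }
    }
}

# instances with no hosted service sort to the top
Get-SvchostServiceMap |
  Sort-Object -Property ServiceCount, ProcessId |
  Format-Table -Property ProcessId, ServiceCount, PathCheck, Services -AutoSize
```

Run it from an elevated prompt; without elevation, ExecutablePath and CommandLine can come back empty for some instances.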
