Source : http://www.langa.com/blog/2006/10/unlocking-mysteries-of-svchostexe.htm Svchost.exe, which you'll find in the WINDOWS\System32 folder, launches at startup and loads any services from dynamic-link libraries (DLLs) that the Registry tells it to run. Svchost.exe can, and usually does, run several instances of itself at any given time, each instance running several associated services. When you use some common tools, such as the Task Manager, you can see Svchost.exe running, but you can't see the specific services. Svchost.exe also shows up when you use Windows' DOS-like utility Task List (Start/Run/cmd, then type TASKLIST at the command prompt). When you use the SVC switch with Task List (type TASKLIST /SVC at the command prompt), you can see the names of the processes within each service. These common methods show you some, but often not enough, information about Svchost.exe services. You can use an unlikely utility to get the details you're looking for: Microsoft's own Windows Defender (a free, beta anti-spyware tool) actually has a little-known feature that provides detailed information about each instance of Svchost.exe running, and all the services therein. In Windows Defender, click Tools, then choose Software Explorer. In the Category drop-down menu, choose "Currently Running Programs" or "Network Connected Programs." In either or both of those categories, you'll probably find items called "Microsoft Generic Host Process for Win32 Services"--- these are the Svchost.exe instances. By clicking on one instance in the left pane, you'll see details in the right. You can match these individual "Microsoft Generic Host Process for Win32 Services" instances with Svchost.exe instances in the TASKLIST /SVC list most easily by matching Process IDs. In the command prompt version, the services are abbreviated--- for example, you might see AudioSrv and BITS. But when you look in the associated "Services" item in Windows Defender, those are spelled out--- Windows Audio and Background Intelligent Transfer Service." Best of all, each "Host Process" in Defender is Classified as "Allowed" or "Not Yet Classified." Any process that's "not allowed" will be blocked or terminated (one hopes) by Windows Defender. You can also download the excellent and free Process Explorer from Sysinternals.