Quickly Identify Malicious Svchost Processes in Windows

If you have ever checked the process details in Task Manager in Windows (you can launch Task Manager with the hotkey Ctrl+Shift+Esc), you will find dozens of svchost.exe processes running in the background. svchost.exe (Service Host) is the generic host process Windows uses to run system services that are implemented as DLLs; each instance hosts one service or a group of services, which is why there are so many. Because so many svchost.exe processes are normally present, some malicious programs take advantage of the confusion and masquerade as a legitimate svchost.exe process, typically by using the same name from a different folder or a look-alike name. You do not need to be a security expert to tell a malicious svchost.exe from a legitimate one: check where the file is located, verify its digital signature, and look at how it was started. File size is a weaker indicator, since it varies between Windows versions.

One way to verify whether an svchost.exe process is legitimate is to use Process Explorer, a very useful free tool from Sysinternals/Microsoft. Here is how:

  1. Download Process Explorer from https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx.
  2. Launch Process Explorer with administrator privileges (right-click on procexp.exe and choose Run as administrator).
  3. From the menu bar choose View → Select Columns. On the Process Image tab tick the Verified Signer and Command Line columns so that they appear in the Process Explorer view, then click OK.
  4. Now select Options → Verify Image Signatures from the menu bar. Without this option the Verified Signer column stays empty, because Process Explorer only checks signatures on demand.
  5. If the svchost.exe process is not legitimate, you will usually find that its image is not located in C:\Windows\System32 (on 64-bit Windows the 32-bit copy in C:\Windows\SysWOW64 is also legitimate). Check this in the Command Line column or in the Image tab of the process's properties. A genuine svchost.exe is also started by services.exe with a -k <service group> argument, for example svchost.exe -k netsvcs; an svchost.exe with no -k argument, or whose parent is something other than services.exe, deserves a closer look.
  6. If the svchost.exe process is not legitimate, the Verified Signer column will show something other than a verified Microsoft Windows signature; a legitimate one shows (Verified) Microsoft Windows. An unsigned, unverifiable or non-Microsoft signer is a red flag. Note the converse does not hold: malware that injects into a genuine svchost.exe, or that is loaded as a service DLL inside one, passes this check, so a good signature alone is not proof that the process is clean.
  7. Process Explorer's highlighting is another hint. By default it shows services in light red (pink), processes running under your own account in light blue, and packed images (compressed or encrypted executables, a common trait of malware) in purple. All legitimate svchost.exe instances are services and are therefore highlighted light red; an svchost.exe shown in light blue or purple is worth investigating. The legend is under Options → Configure Colors.
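The same checks can be scripted so that every svchost.exe on a machine is reviewed at once. The following PowerShell script is an added example written for this article; it is not part of the original page and not a Sysinternals tool. It reimplements the location and signature checks from the steps above with Get-CimInstance and Get-AuthenticodeSignature, and goes slightly beyond them by also checking the parent process (which should be services.exe) and the presence of a -k <service group> argument. The list of expected directories and the regular expressions are assumptions made for this example.

```powershell
# Added example (not from the original article): review every running svchost.exe
# for the signs of masquerading discussed above. Run from an elevated PowerShell
# prompt, otherwise the image path and command line of SYSTEM-owned services
# are not readable and will show up as "unreadable" findings.

# Assumption: only these two folders hold a legitimate svchost.exe.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')   # 32-bit svchost.exe on 64-bit Windows
)

function Test-SvchostProcesses {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc   = $_
        $path   = $proc.ExecutablePath
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited or unknown>' }
        # Caveat: svchost.exe is catalog-signed, not embedded-signed. Windows 8+
        # resolves catalog signatures here; on older Windows this reports NotSigned
        # for genuine system files, and sigcheck/Process Explorer should be used instead.
        $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        $findings = @()

        # Check 1: image location (steps 5 above).
        if (-not $path) {
            $findings += 'image path unreadable (run elevated)'
        } elseif ($expectedDirs -notcontains (Split-Path $path -Parent)) {
            $findings += "unexpected location: $path"
        }

        # Check 2: digital signature (step 6 above). Subject match is an assumption
        # about how the Microsoft Windows signing certificate is named.
        if ($sig -and $sig.Status -ne 'Valid') {
            $findings += "signature status: $($sig.Status)"
        } elseif ($sig -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        # Check 3: how it was started. Service hosts are launched by services.exe
        # with a -k <group> argument (and, on recent Windows 10/11, also -p).
        if ($parentName -ne 'services.exe') {
            $findings += "parent is $parentName (PID $($proc.ParentProcessId)), not services.exe"
        }
        if ($proc.CommandLine -and $proc.CommandLine -notmatch '\s-k\s') {
            $findings += 'no -k <service group> argument'
        }

        [pscustomobject]@{
            PID        = $proc.ProcessId
            Parent     = $parentName
            Path       = $path
            Signer     = if ($sig) { $sig.SignerCertificate.Subject } else { '' }
            Status     = if ($sig) { $sig.Status } else { '' }
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

$results = Test-SvchostProcesses
$results | Format-Table PID, Parent, Status, Suspicious, Findings -AutoSize
$results | Where-Object Suspicious |
    ForEach-Object { Write-Warning "svchost PID $($_.PID): $($_.Findings)" }
```

A row flagged Suspicious is a lead, not a verdict: a relocated or unsigned svchost.exe is almost certainly not Microsoft's, but a clean row can still host injected code or a malicious service DLL, which is why the VirusTotal lookup and the offline scan described next remain worthwhile.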

Of course, you can always right-click on any process in Process Explorer and check it on VirusTotal, where its hash (or, if you choose to upload it, the file itself) is checked against more than 50 antivirus engines. But the checks above let you quickly spot malicious or illegitimate programs masquerading as Microsoft Windows' svchost.exe process without leaving the machine.

And if you do find an illegitimate and perhaps malicious svchost.exe running on your PC, you should scan the PC with Bitdefender Rescue Disk, Trend Micro Rescue Disk or a similar bootable disk offered free by other vendors. The benefit of these bootable rescue disks is that your PC is scanned without booting into Windows, which removes the malware's chance to hide from or interfere with the scan while it is running.