Whenever there is a consistent high utilization of CPU or MEMORY, we check Task Manager to verify which process is consuming high resources. And if we find the culprit as SVCHOST.EXE we simply say its SVCHOST process and try to kill the process without thinking much on it.

Killing the process may sometime resolve the issue or may crash the system. However one should know SVCHOST is not a process, it’s a container in which various window’s services run. So if you kill svchost.exe, there is a chance that you are killing more than one window’s services. 

So in order to understand what are those services which is running in this SVCHOST container, please follow the steps mentioned below :-

1.      Open command prompt with administrative privilege. [CMD -> run as administrator]

2.      Run without quote “tasklist /svc” ,below is the fragment of the output.
 tasklist command to check all the running process , with its process id i.e PID

You can view one or more services running in a single container of SVCHOST.

3.      Since you are already aware of the SVCHOST consuming high resource, note the PID i.e process identity number of the SVCHOST. 

4.      Now you are aware of the PID of SVCHOST which is consuming high resource. Note how many services are running in the SVCHOST container.

Next steps are to separate the services:-

1.      In order to separate a service from a container which is running along with multiple services in the same container we will be using SC command.

2.      Command should be used without quote “ sc config <Service_Name> type= own”

3.      For example you can see CryptSvc ,Dnscache, LanmanWorkstation, NlaSvc, TapiSrv ,these all services are running in a single container. We will be using above mentioned command on one of the services “CryptSvc” . So the command will be “ sc config CryptSvc type= own ” .

4.      Now restart the CryptSvc .

 Command  used to separate CryptSvc from its shared SVChost.exe container

5.       Now we can see that the process ID 1120 doesn’t have CryptSvc service in SVCHOST container.

 verifying that the container does not run CryptSvc service in itself

6.      However we can view that a new PID 440 is running with the service CryptSvc under SVCHOST container.

 Process running in a seperate container

7.      You may experience different PID in your machine . If you have to separate multiple services, you can run “ sc config <Service_Name> type= own” with all service name first and in place of restarting the service restart the machine.

8.      Once all services are running in an individual SVCHOST container , it is easy for the user to understand which service is consuming high resource .

And based on the service consuming high resources, next part of troubleshooting starts.