Detecting Service Host (svchost.exe) Abuse

What is Service Host?

Service Host, also known as Svchost, runs as the Windows executable svchost.exe. Because it can be abused by malicious actors, security teams must understand how to detect Service Host abuse.

It runs from the path “C:\Windows\System32\svchost.exe” or “C:\Windows\SysWOW64\svchost.exe” (for 32-bit services on 64-bit systems).

What does Service Host do?

Service Host is a Windows system process that hosts multiple services in a single process, which reduces resource consumption on a computer. Service Host loads DLLs (dynamic-link libraries) and runs them as services.

Why is Understanding the Detection of Service Host Abuse Important?

All computers run background processes continuously; in Windows these are known as Services. Threat actors abuse services to run malicious processes, because:

  1. Background processes cannot generate user interface screens that would tip off a computer user.
  2. They run with high levels of privilege.
  3. Services can run automatically when a computer starts and keep running continuously.

Two Windows utilities run Services:

  1. Services (Services.exe) – runs an executable as a child process.
  2. Service Host (Svchost.exe) – loads a DLL directly into the process to run a service.

Detecting Abuse of Service Host

Detection is easier when malware runs under Services.exe, because a separate executable will be running on the system with Services as its parent process. If a security team observes suspicious activity, it can easily investigate the child process executable and determine whether the process is malicious.

[Figure: A malicious executable being started as a service using Services.exe]

Security teams need a good understanding of Service Host abuse because it is the more effective technique for evading detection: a malicious DLL loaded into Service Host runs inside svchost.exe, a legitimate Windows process, so there is no separate executable for the team to investigate. This makes detection difficult.

[Figure: An example of Service Host abuse, a malicious DLL file being loaded into a service hosted by Svchost.exe]

The command “tasklist /svc” lists the services hosted by each instance of svchost.exe. There will be multiple instances of svchost.exe running on a system; the output below shows what one instance looks like in the output of “tasklist /svc”.

[Figure: Output of the command “tasklist /svc”, showing the services running under svchost.exe]
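A small parser for the “tasklist /svc” layout, added here as an example and not code from the original article: it maps each svchost.exe PID to the services that instance hosts, flags instances that report no service at all (a genuine Service Host exists only to host services), and compares the hosted services against a known-good baseline. The sample output, the baseline set and the service name UpdaterSvc are constructed for this example.

```python
import re

# Constructed sample of `tasklist /svc` output. The column layout mirrors the
# real command; PIDs and the service "UpdaterSvc" are made up for this example.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
smss.exe                       348 N/A
services.exe                   656 N/A
svchost.exe                    912 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
svchost.exe                   1008 RpcEptMapper, RpcSs
svchost.exe                   1460 Dhcp, EventLog, lmhosts, UpdaterSvc
svchost.exe                   4316 N/A
"""

# Assumed baseline of services expected under svchost.exe on this host; in
# practice it comes from a known-good inventory of the same Windows build.
BASELINE = {
    "BrokerInfrastructure", "DcomLaunch", "PlugPlay", "Power",
    "SystemEventsBroker", "RpcEptMapper", "RpcSs", "Dhcp", "EventLog", "lmhosts",
}

ROW_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")   # image name, PID, services
CONT_RE = re.compile(r"^\s+(\S.*)$")               # wrapped service list


def _split_services(field):
    """Turn 'A, B, C,' (or 'N/A') into a list of service names."""
    field = field.strip()
    if field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into (image, pid, [services]) rows.

    tasklist wraps long service lists onto indented continuation lines, so a
    line that starts with whitespace belongs to the previous row.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue                      # blank line, header, or separator
        m = ROW_RE.match(line)
        if m:
            image, pid, services = m.group(1), int(m.group(2)), m.group(3)
            rows.append((image, pid, _split_services(services)))
        elif rows and (m := CONT_RE.match(line)):
            rows[-1][2].extend(_split_services(m.group(1)))
    return rows


def svchost_services(rows):
    """Map each svchost.exe PID to the services that instance hosts."""
    return {pid: svcs for image, pid, svcs in rows if image.lower() == "svchost.exe"}


def svchost_hosting_nothing(rows):
    """PIDs of svchost.exe instances that host no service at all.

    A genuine Service Host exists only to host services, so an instance that
    reports N/A deserves a closer look (what started it, and from where?).
    """
    return [pid for pid, svcs in svchost_services(rows).items() if not svcs]


def unexpected_services(rows, baseline):
    """Map svchost.exe PIDs to the hosted services that are not in the baseline."""
    result = {}
    for pid, svcs in svchost_services(rows).items():
        unknown = [s for s in svcs if s not in baseline]
        if unknown:
            result[pid] = unknown
    return result


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, svcs in svchost_services(parsed).items():
        print(pid, svcs or "N/A")
    print("hosting nothing:", svchost_hosting_nothing(parsed))
    print("outside baseline:", unexpected_services(parsed, BASELINE))
```

On a live host the same functions take the captured text of “tasklist /svc” instead of the sample; the baseline should be built from a clean machine of the same build, since the set of services hosted by svchost.exe differs between Windows versions.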

The command line of each instance shows which services Svchost is running: Svchost uses the “-k” flag to specify the service group it should load.

[Figure: Process Explorer output showing the command line of Service Host, starting the netsvcs service group with the "-k" flag]

Malware also uses the name svchost.exe to blend in with Windows processes. These programs are not abusing Service Host itself, because they do not load DLL files into it; they simply borrow the name to evade detection.

How to Detect Service Host Abuse

Key indicators that a malicious file has been loaded into Service Host:

  • Unusual DLL loads into svchost.exe.
  • Unusual services started by Service Host.
  • Abnormal patterns of network activity from svchost.exe.
  • Creation of new services that utilise Service Host.

To detect malware masquerading as Service Host, look for:

  • Programs with similar names to svchost.exe, e.g. svch0st.exe.
  • svchost.exe running from an unexpected location.
  • Unsigned versions of svchost.exe.
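The masquerading checks above, and the “-k” service-group point from earlier, written out as detection logic over process records; this is an added example, not code from the original article. It goes one step beyond the list by also checking the parent process, since legitimate Service Host instances are started by services.exe. The records, their field names and the value of the "signed" field are constructed for this example and are not an EDR or Sysmon schema.

```python
import re

LEGIT_NAME = "svchost.exe"

# Locations of the genuine Service Host binary (64-bit and 32-bit copies),
# compared case-insensitively.
EXPECTED_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}

# Constructed process records. The field names are this example's own, not an
# EDR or Sysmon schema; "signed" stands for a valid Microsoft Authenticode
# signature on the image file.
RECORDS = [
    {"pid": 912, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "signed": True,
     "cmdline": r"C:\Windows\System32\svchost.exe -k DcomLaunch -p"},
    {"pid": 1008, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "signed": True,
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Roaming\svch0st.exe",
     "parent": r"C:\Windows\explorer.exe", "signed": False,
     "cmdline": r"C:\Users\alice\AppData\Roaming\svch0st.exe"},
    {"pid": 4316, "image": r"C:\Users\Public\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "signed": False,
     "cmdline": r"C:\Users\Public\svchost.exe"},
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def basename(path):
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(rec):
    """Indicators tripped by one process record.

    An empty list means the record either looks like a genuine Service Host or
    has nothing to do with svchost.exe at all.
    """
    findings = []
    name = basename(rec["image"])
    if name == LEGIT_NAME:
        if rec["image"].lower() not in EXPECTED_PATHS:
            findings.append("unexpected location: " + rec["image"])
        if not rec["signed"]:
            findings.append("image is not signed")
        if basename(rec["parent"]) != "services.exe":
            findings.append("parent is not services.exe: " + basename(rec["parent"]))
        # A real Service Host is always told which group to load with -k.
        if not re.search(r"(^|\s)-k\s+\S+", rec["cmdline"]):
            findings.append("no -k service group on the command line")
    elif edit_distance(name, LEGIT_NAME) == 1:
        findings.append("lookalike image name: " + name)
    return findings


def scan(records):
    """Map each PID with at least one indicator to the indicators found."""
    report = {}
    for rec in records:
        hits = assess(rec)
        if hits:
            report[rec["pid"]] = hits
    return report


if __name__ == "__main__":
    for pid, hits in scan(RECORDS).items():
        print(pid, "->", "; ".join(hits))
```

An edit distance of one catches single-character substitutions such as svch0st.exe; names that differ by more than one character need a wider threshold, at the cost of more false positives on unrelated binaries with short names.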