.. / svchost.exe

Generic host process for Windows services. It is used for running service DLLs. Windows will run multiple instances of svchost.exe, each using a unique “-k” parameter for grouping similar services. Typical “-k” parameters include DcomLaunch, RPCSS, LocalServiceNetworkRestricted, LocalServiceNoNetwork, LocalServiceAndNoImpersonation, netsvcs, NetworkService, and more. Malware authors often take advantage of the ubiquitous nature of svchost.exe and use it either to host a malicious DLL as a service, or run a malicious process named svchost.exe or similar spelling. Beginning in Windows 10 version 1703, Microsoft changed the default grouping of similar services if the system has more than 3.5 GB of RAM. In such cases, most services will run under their own instance of svchost.exe. On systems with more than 3.5 GB RAM, expect to see more than 50 instances of svchost.exe

Image Path

Executable’s image path.

Parent Process

A process which spawned the analyzed process.

Number of Instances

Expected number of processes running which may normally run on Windows.

User Account

Windows account with which the process was launched. This defines what privileges given process has.

Start Time

Expected time of process to be launched.