Tip of the Day: SvcHost Service Refactoring in Windows 10 v1703
The Service Host (svchost.exe) is a system process capable of hosting multiple Windows services. Using this shared-service process, numerous Windows services can share a single process, reducing overall resource consumption. Service-host groups are formed by combining services with matching security requirements. For the services critical to network and internet connectivity, this translates to at least 16 services across 11 different service groups. On the plus side, this helps reduce the security vulnerability footprint, but it also increases the likelihood that a user-mode crash in a non-critical service will affect network connectivity.
Separating SvcHost Services
Beginning with the Windows 10 Creators Update (v1703), previously grouped services will be separated such that each will run in its own SvcHost process. This change is automatic for systems with greater than 3.5 GB of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, services will continue to be grouped into a shared SvcHost process.
Benefits of this design change include:
- Increased Reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash.
- Reduced Support Costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host.
- Increased Security by providing additional inter-service isolation.
- Increased Scalability by allowing per-service settings and privileges.
- Improved Resource Management through per-service CPU, I/O and memory management, and clearer telemetry (CPU, I/O and network usage reported per service).
To see Service Host Refactoring behavior for yourself, create a Windows 10 v1703 virtual machine and configure its memory settings as follows:
- RAM: 3484 MB or less. Reboot to see the VM's SvcHost processes grouped.
- RAM: 3486 MB or greater. Reboot to see the VM's SvcHost processes separated.
Some services will continue to be grouped on machines with 3.5 GB of RAM or more. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services.
Aside from this being visible in the Task Manager and command line tools, these exceptions can be distinguished by the presence of the SvcHostSplitDisable value in their respective service keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\. The default value of '1' prevents the service from being split.
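To check the grouping and the registry exceptions on a given machine, the following PowerShell audit can be run from a local prompt. It is an added example, not part of the original tip; it uses only the standard Get-ChildItem and Get-CimInstance cmdlets, and the variable and column names are its own.

```powershell
# Added example: audit svchost grouping on a Windows 10 v1703 or later host.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Services whose key carries SvcHostSplitDisable = 1 (kept in a shared host).
$splitDisabled = @(
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.GetValue('SvcHostSplitDisable', $null) -eq 1) { $_.PSChildName }
        }
)

# Running services hosted by svchost.exe, grouped by the hosting process ID.
$hosts = @(
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' } |
        Group-Object -Property ProcessId
)
$shared = @($hosts | Where-Object { $_.Count -gt 1 })

# Installed RAM, for comparison with the 3.5 GB threshold described above.
$ramMB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

"Physical memory          : $ramMB MB"
"svchost.exe processes    : $($hosts.Count)"
"Hosts with >1 service    : $($shared.Count)"
"SvcHostSplitDisable = 1  : $($splitDisabled.Count) service keys"

# For each shared host, list its services and which of them carry the opt-out value.
$shared | ForEach-Object {
    $names = @($_.Group | ForEach-Object { $_.Name } | Sort-Object)
    [pscustomobject]@{
        HostPid       = [int]$_.Name
        Services      = $names -join ', '
        SplitDisabled = @($names | Where-Object { $splitDisabled -contains $_ }) -join ', '
    }
} | Sort-Object HostPid | Format-Table -AutoSize -Wrap
```

On a machine above the memory threshold, a shared host whose SplitDisabled column is empty is worth a closer look, since the article's stated exceptions are marked by that registry value.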