Sign of infected/Compromised/false svchost.exe

NIS 19.9.0.14

Vista Home Premium 32 bit

Vista SP 2

 

"High Disk Write Usage by : Host Process for Windows Services"

 

Shows that svchost.exe had disk write activity of 682 MB

 

When I check the location of this file, it shows

C:\Windows\winsxs\x 86-Microsoft_windows-services-svchost_ ( a whole long list of letters and numbers)\svchost.exe

 

I thought if svchost.exe is anywhere outside system32 folder, it is illegitimate?

 

Thanks-

 

So svchost.exe is legitimately located in other areas besides windows/system 32?

From a post by Jeff Hughes on the Technet blog:

 


All of the components in the operating system are found in the WinSxS folder – in fact we call this location the component store.  Each component has a unique name that includes the version, language, and processor architecture that it was built for.  The WinSxS folder is the only location that the component is found on the system, all other instances of the files that you see on the system are “projected” by hard linking from the component store.  Let me repeat that last point – there is only one instance (or full data copy) of each version of each file in the OS, and that instance is located in the WinSxS folder.   So looked at from that perspective, the WinSxS folder is really the entirety of the whole OS, referred to as a "flat" in down-level operating systems.  This also accounts for why you will no longer be prompted for media when running operations such as System File Checker (SFC), or when installing additional features and roles.


 

What is the WINSXS directory in Windows 2008 and Windows Vista and why is it so large?

 

Yes, each svchost.exe you have running is made up of one or more Microsoft services. If you open Task Manager, click "Show processes for all users", you should see a number of svchost.exe. The more services you have running, the more svchost.exe. Right click on one of them and select "Go to service(s)" and you will see which services make up that particular svchost.exe. So a svchost.exe is not a particular program, but a process made up of services, and their executables do not have to be located in one particular folder.

 

Your particular "warning" issued from the "main" storage unit of Windows, where everything originates from. It is legitimate.
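
Added example (not from any poster in this thread): a PowerShell check that the WinSxS path and the System32 path are hard links to the same svchost.exe, as the quoted TechNet post describes, and that each running svchost.exe resolves to that file with a valid signature. It assumes an elevated prompt, Windows 7 or later for `fsutil hardlink list` (so not the Vista system in the question), and Windows PowerShell 5.1; the property names `SameAsSys32`, `Signature`, `Signer` and `Services` are chosen here for illustration.

```powershell
# Added example. Assumptions: elevated prompt, Windows 7+ (fsutil hardlink list),
# Windows PowerShell 5.1 (Get-CimInstance, catalog-aware signature checks).
$sys32 = Join-Path $env:SystemRoot 'System32\svchost.exe'
$drive = Split-Path $sys32 -Qualifier            # e.g. "C:"

# Every name the System32 file is hard-linked under. fsutil prints the paths
# without a drive letter, so prepend it. One entry should sit under WinSxS.
$links = @(& fsutil.exe hardlink list $sys32 |
    Where-Object { $_ -like '\*' } |
    ForEach-Object { $drive + $_ })

'Hard links to {0}:' -f $sys32
$links | ForEach-Object { '  ' + $_ }

# For each running svchost.exe: image path, whether that path is one of the
# hard links above, Authenticode status, and the services it hosts.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath                    # empty when not elevated
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path }
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.ProcessId)"

    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        Path        = $path
        SameAsSys32 = $links -contains $path     # string match is case-insensitive
        Signature   = $sig.Status                # expect Valid
        Signer      = $sig.SignerCertificate.Subject
        Services    = ($svcs.Name -join ',')
    }
} | Sort-Object SameAsSys32, ProcessId | Format-Table -AutoSize -Wrap
```

Rows where `SameAsSys32` is False, `Signature` is not Valid, or `Services` is empty sort to the top or stand out in the table and are the ones to inspect further; a False value is a prompt to look closer, not a verdict.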