Windows – Did svchost.exe behaviour change in Windows 10 Creators Update (Build 1703)

windows 10windows-10-v1703

Today I upgraded to the Creators Update by running setup from the ISO mounted locally. When I got back to my computer I opened Task Manager and saw my memory usage was a lot higher than it was previously (it's now almost 6GB memory usage at idle after logging in instead of 2-3GB with the previous Windows build) – the processes tab revealed that there were upwards of 60 different instances of svchost.exe running. This 6GB figure is just for process memory – not including memory used for caching or "standby".

I ran tasklist /svc to get a listing of which services were in which processes and it lists almost every svchost.exe instance as only having one running service contained within (with the exception of a handful of instances that are running a few system services).

Here's my output:

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       440 N/A
csrss.exe                      612 N/A
wininit.exe                    700 N/A
csrss.exe                      708 N/A
services.exe                   776 N/A
lsass.exe                      784 KeyIso, Netlogon, SamSs, VaultSvc
svchost.exe                    888 PlugPlay
svchost.exe                    908 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
fontdrvhost.exe                936 N/A
svchost.exe                   1000 RpcEptMapper, RpcSs
svchost.exe                    104 LSM
winlogon.exe                   544 N/A
fontdrvhost.exe                420 N/A
svchost.exe                   1072 DeviceInstall
dwm.exe                       1136 N/A
svchost.exe                   1164 BFE, CoreMessagingRegistrar, MpsSvc
svchost.exe                   1424 lmhosts
svchost.exe                   1432 W32Time
svchost.exe                   1440 nsi
svchost.exe                   1448 wudfsvc
svchost.exe                   1528 hidserv
svchost.exe                   1628 Dhcp
svchost.exe                   1716 Dnscache
svchost.exe                   1748 EventLog
WUDFHost.exe                  1792 N/A
svchost.exe                   1908 TimeBrokerSvc
svchost.exe                   1952 NlaSvc
NVDisplay.Container.exe       1968 NVDisplay.ContainerLocalSystem
svchost.exe                   1324 Themes
svchost.exe                   1596 ProfSvc
svchost.exe                   1944 EventSystem
svchost.exe                   1052 netprofm
svchost.exe                   2116 StateRepository
svchost.exe                   2256 SENS
svchost.exe                   2296 AudioEndpointBuilder
svchost.exe                   2304 FontCache
(etc)...

I know you can configure individual services to run in their own instance of svc with the sc config <serviceName> type= own command, but to my knowledge I've never run this command.

I took a quick look at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and it looks like the Type key values for most of these services is missing the flag bit at 0x10 which controls if a service runs in its own svchost.exe instance or not. I wonder what could have effected this change.

Has anyone else observed this behaviour before or after installing Windows 10 Creators Update? If it is a default configuration change, will it have any implications on system performance or stability?

I suspect it will increase system stability because if a service crashes it won't bring down other services – but this comes at a massive cost of RAM – but I've never experienced a service crashing on me – or at least ever noticed it (instead the worst problem I've had is with wuauserv consuming 100% CPU for hours on end – and that's not a problem process isolation will solve).

(I just noticed: they finally added an address bar to the Registry Editor!)

Best Answer

Yes, this is a change in the Creators Update if you use a PC with more than 3.5GB of RAM. Here all services run in their own svchost.exe to better see which service causes issue or prevent crash of other services if a service crashes a svchost.exe.

If your PC has 3.5+ GB of memory, you may notice an increased number of processes in Task Manager. While this change may look concerning at first glance, many will be excited to find out the motivation behind this change. As the number of preinstalled services grew, they began to get grouped into processes known as service hosts (svchost.exe’s) with Windows 2000. Note that the recommended RAM for PC’s for this release was 256 MB, while the minimum RAM was 64MB. Because of the dramatic increase in available memory over the years, the memory-saving advantage of service hosts has diminished. Accordingly, ungrouping services on memory-rich (3.5+ GB of RAM) PCs running Windows now offers us the opportunity to do the following:

  • Increase reliability: When one service in a service host fails, all services in the service host fail. In other words, the service host
    process is terminated resulting in termination of all running
    services within that process.

  • Increase transparency: Task Manager will now give you a better view into what is going on behind the scenes. You can now see how much CPU, Memory, Disk & Network individual services are consuming.

    enter image description here

  • Increase security: Process isolation and individual permission sets for services will increase security.

So, don't worry, this is a good change in v1703 and everything is fine.

But there is a way to revert it. This was discovered by an user of a website that deals with Windows tweaking.

So, run regedit.exe, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control and create a 32Bit DWORD SvcHostSplitThresholdInKB and set it to a large number (larger compared to your install RAM).

Related Question