0

I found the process “Service Host: Secondary Logon” running under windows processes in task manager, with command line file in system32 svchost.exe, which I‘ve found running under my username at least ten times as well (not just SYSTEM and LOCAL SERVICE). I also have Service Host: Remote Procedure Call, and about 80 other service hosts running, but with low CPU.

My question is, is this a clear sign of malware, and how do I disable it? Windows security has found no threats and I‘ve kept my computer offline since noticing this in case it helps.

Improve this question

1 Answer 1

Reset to default
2

There is nothing to panic about.

Service Host: Secondary Logon is a service that runs to allow Run as different user to work.

Secondary Logon The Secondary Logon (seclogon) service enables processes to be started under alternate credentials. This allows a user to create processes in the context of different security principals. A common use of this service is by administrators who may log on as restricted users but must have administrative privileges to run a specific application. They can use a secondary logon to temporarily run such applications. If the service is disabled, this type of logon access is unavailable and calls to the CreateProcessWithLogonW API fail.

This service starts when a program or application is started by using the Run as different user option in the extended context menu (which can be opened by holding down the shift key when you right-click an item).

From Windows security encyclopedia

Multiple sessions of svchost are always present on modern Windows. I have 14 running on my system.

The Service Host (svchost.exe) is a shared-service process that serves as a shell for loading services from DLL files.

You, therefore, see multiple such svchost.exe running at the same time. This grouping of services also assists in better control and debugging should the need arise. Services run in svchost are implemented as dynamically linked libraries or dll files.

From Windows Club

Regardless, you should have a decent virus scanner and/or malware detector running on your system.

Improve this answer
3
  • Thank you very much! Looks fine. I am wondering if 80 svchost files is normal and can‘t find info about this online. Them running under my username is also concerning according to windows help.. if you have any idea how to figure out if this is normal behaviour I would appreciate it - and thank you for your answer!
    – user3709
    Commented Feb 2, 2023 at 3:06
  • 1
    Please remember that you can also contribute to this community that helps you. As per site guidelines when an answer addresses your question, accept it and even upvote it so others can benefit as well.
    – Rohit Gupta
    Commented Feb 2, 2023 at 3:08
  • Update: a few other windows systems I’ve now checked have the same behaviour, with the user’s username running a few svchost.exe files. Miso most likely this is fine (not sure of course).
    – user3709
    Commented Feb 2, 2023 at 17:35

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .