Separating Svchost-Hosted Services

Today I had an issue with one of our file servers. One instance of svchost, which was hosting LanmanServer and couple more, was crashing. Windows uses svchost.exe for hosting DLL-based services. There are couple instances running and each instance hosts more than one service. Therefore neither event log entries or dump logs were helpful to me.

I have decided to separate the important services from failing instance. The way to do this is changing couple registry keys. Unfortunately I cannot guarantee that you will not get into much more trouble than you are already in, even Microsoft warns modifications to registry can cause serious issues.

First of all take a backup of each entry mentioned below. Grouping of services are handled in two locations:

1. HKLM\Software\Microsoft\Windows NT\Current Version\svchost\[parameter]
2. HKLM\System\CurrentControlSet\Services\[ServiceName]\ImagePath

My problem was with the "netsvcs" group.

• I have created a duplicate key with same values and called it as "important". 
• I have created a reg_multi_sz value, named "important", at HKLM\Software\Microsoft\Windows NT\Current Version\svchost and moved important services from "netsvcs" to "important" value. (One service each line)
• Checked services for dependencies and moved dependencies as well. 
• Restarted the services

I still cannot find the cause of the issue but it at least does not effect the operation anymore. That gives me a change to further and more carefully investigate it.