The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.
http://support.microsoft.com/kb/314056
Through the solitary file svchost.exe, the DLLs efficiently contain and dispense Win32 services as well as neatly facilitate the execution of svchost.exe’s own operations. Acting as a host, the file svchost.exe creates multiple instances of itself. The multiple executions of the file svchost.exe contribute to the stability and security of the operating system by reducing the possibility of a crashing process that causes a domino effect on its neighbor processes, thereby creating a system-wide crash in the machine.
If you run Tasklist /SVC at the command prompt, it shows all the services that run under each svchost.exe.
This also shows the PID of each svchost.
Then what you need to do is take the PID from the alert and see which service is doing so.
Once you have the service, find the service name and the path.
Create a new svchost for that service and see.
For example, say the Workstation service is the one that is causing the issue.
The steps needed to separate the Workstation service from Svchost.exe are as follows:
1. Take a Backup of the Registry
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\
3. Modify the value for ImagePath from %SystemRoot%\system32\svchost.exe -k netsvcs to %SystemRoot%\system32\svchost1.exe -k netsvcs
4. Go to C:\Windows\system32\, copy svchost.exe, paste it, and rename the copy to svchost1.exe.
5. Restart the workstation
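
The PID-to-service lookup described above (Tasklist /SVC, then the service name and path) can also be done in one pass from PowerShell. This is an added example, not part of the original text; the script parameter `ProcessId` is the PID taken from the alert, and it assumes each hosted service stores its DLL in the usual `Parameters\ServiceDll` registry value.

```powershell
# Added example: list every service hosted in one process, given its PID,
# with the ImagePath and (for svchost-hosted services) the backing DLL.
param(
    [Parameter(Mandatory = $true)]
    [int]$ProcessId    # PID from the alert, supplied by the operator
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Win32_Service.ProcessId is the PID of the process that hosts the service,
# the same mapping that "Tasklist /SVC" prints.
$hosted = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId"

if (-not $hosted) {
    Write-Warning "No services are hosted in PID $ProcessId."
    return
}

$hosted | ForEach-Object {
    # Assumption: the service DLL is recorded under <service>\Parameters\ServiceDll.
    # Services that are plain executables have no such value and show an empty field.
    $paramKey = Join-Path $servicesKey (Join-Path $_.Name 'Parameters')
    $dll = $null
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll `
                    -ErrorAction SilentlyContinue).ServiceDll
    }

    [pscustomobject]@{
        HostPid     = $_.ProcessId
        ServiceName = $_.Name          # registry key name, e.g. LanmanWorkstation
        DisplayName = $_.DisplayName
        State       = $_.State
        ImagePath   = $_.PathName      # e.g. ...\svchost.exe -k <group>
        ServiceDll  = $dll
    }
} | Format-List
```

`ServiceName` is the key name to look for under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\` in step 2, and `ImagePath` is the value edited in step 3.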