
SVCHOST.EXE what does this service actually do?

Discussion in 'Windows Operating Systems' started by Dutch Woman, Aug 28, 2003.

  1. Dutch Woman

    Dutch Woman Member

    Joined:
    Jun 27, 2001
    Messages:
    658
    Location:
    Melbourne, 3032
    as above^

    I'm asking because my brother has recently gotten a virus, and after being on the internet for about 15 mins this service fails and you are then unable to double click, right click, cut & paste and all sorts of things
     
  2. D_Web

    D_Web Member

    Joined:
    Jul 9, 2001
    Messages:
    1,538
    Location:
    Gold Coast, Sunny Qld
    svchost.exe is a host process for services that run from DLLs. You'll find that a lot of Windows functionality is executed by methods found within DLLs, and svchost is the 'gateway' that allows these methods to be executed.
     
  3. zetter

    zetter Member

    Joined:
    Sep 5, 2001
    Messages:
    274
    Location:
    Woodcroft, SA
  4. Whisper

    Whisper Member

    Joined:
    Jun 27, 2001
    Messages:
    8,297
    Location:
    Sydney
    svchost is just a new way Microsoft have found to fuck things up, by making things as obscure as possible.
     
  5. HumbleBum

    HumbleBum Member

    Joined:
    Feb 3, 2002
    Messages:
    16,770
    Location:
    United States
    :rolleyes:

    -----------------------

    http://support.microsoft.com/?kbid=314056

    A Description of Svchost.exe in Windows XP
    The information in this article applies to:
    Microsoft Windows XP Professional

    This article was previously published under Q314056
    For a Microsoft Windows 2000 version of this article, see 250320.

    SUMMARY
    This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
    MORE INFORMATION
    The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

    Svchost.exe groups are identified in the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

    To view the list of services that are running in Svchost:
    1. Click Start on the Windows taskbar, and then click Run.
    2. In the Open box, type CMD, and then press ENTER.
    3. Type Tasklist /SVC, and then press ENTER.
    Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
    Tasklist /FI "PID eq processID" (with the quotation marks)

    The following example of Tasklist output shows two instances of Svchost.exe that are running.

    Image Name        PID Services
    ========================================================================
    System Process      0 N/A
    System              8 N/A
    Smss.exe          132 N/A
    Csrss.exe         160 N/A
    Winlogon.exe      180 N/A
    Services.exe      208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                          Eventlog,LanmanServer,LanmanWorkstation,
                          LmHosts,Messenger,PlugPlay,ProtectedStorage,
                          Seclogon,TrkWks,W32Time,Wmi
    Lsass.exe         220 Netlogon,PolicyAgent,SamSs
    Svchost.exe       404 RpcSs
    Spoolsv.exe       452 Spooler
    Cisvc.exe         544 Cisvc
    Svchost.exe       556 EventSystem,Netman,NtmsSvc,RasMan,
                          SENS,TapiSrv
    Regsvc.exe        580 RemoteRegistry
    Mstask.exe        596 Schedule
    Snmp.exe          660 SNMP
    Winmgmt.exe       728 WinMgmt
    Explorer.exe      812 N/A
    Cmd.exe          1300 N/A
    Tasklist.exe     1144 N/A

    The registry settings for the two groupings for this example are as follows:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
    Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
    Rpcss: Reg_Multi_SZ: RpcSs


    Last Reviewed: 8/6/2002
    Keywords: kbinfo KB314056
     
  6. Whisper

    Whisper Member

    Joined:
    Jun 27, 2001
    Messages:
    8,297
    Location:
    Sydney
    That's exactly the sort of crap I am talking about.

    What Microsoft choose and choose not to put in plain sight is a complete mystery to me.

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator>tasklist /svc

    Image Name                   PID Services
    ========================= ====== =============================================
    System Idle Process            0 N/A
    System                         4 N/A
    smss.exe                     376 N/A
    csrss.exe                    424 N/A
    winlogon.exe                 448 N/A
    services.exe                 492 Eventlog, PlugPlay
    lsass.exe                    504 PolicyAgent, ProtectedStorage, SamSs
    svchost.exe                  684 RpcSs
    svchost.exe                  736 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                     EventSystem, lanmanworkstation, Netman,
                                     RasAuto, RasMan, SENS, ShellHWDetection,
                                     srservice, TapiSrv, Themes, TrkWks, winmgmt
    svchost.exe                  904 Dnscache
    explorer.exe                1048 N/A
    spoolsv.exe                 1056 Spooler
    point32.exe                 1140 N/A
    nvsvc32.exe                 1212 NVSvc
    svchost.exe                 1236 stisvc
    LVComS.exe                  1320 N/A
    CookiePatrol.exe            1380 N/A
    PPControl.exe               1420 N/A
    AU30TRAY.EXE                1464 N/A
    PPMemCheck.exe              1504 N/A
    BPA Usage.exe               1712 N/A
    AsusProb.exe                1728 N/A
    rundll32.exe                1736 N/A
    Icq.exe                     1764 N/A
    BPALogin.exe                1776 N/A
    cogs.exe                     712 N/A
    iexplore.exe                1856 N/A
    cmd.exe                     2020 N/A
    tasklist.exe                1976 N/A
    wmiprvse.exe                1024 N/A

    Typing in Tasklist /FI "PID eq 736" does fuck all.

    Why on earth they just don't stick them in taskmanager as a branch under each instance of svchost is beyond me. It's a bloody perfect way for people to hide a process from plain sight, if they wanted to.
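
Added example, not part of the thread or the KB article: a Python sketch that parses `tasklist /svc` output (joining the wrapped service lines) and lists services hosted by svchost.exe that appear in none of the Svchost group values. The sample output, including the `ExampleSvc` row, is constructed; the group lists are the two quoted from the KB example, and the function names are this example's own.

```python
import re

# Constructed sample in the `tasklist /svc` layout; the last svchost.exe row
# (PID 1500, ExampleSvc) is invented so the check has something to report.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
services.exe                 492 Eventlog, PlugPlay
svchost.exe                  684 RpcSs
svchost.exe                  736 EventSystem, Netman, RasMan, SENS,
                                 TapiSrv
explorer.exe                1048 N/A
svchost.exe                 1500 ExampleSvc
"""

# Svchost group values from the KB example (on a live system, read every value
# under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost).
GROUPS = {
    "netsvcs": ("EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman "
                "Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc").split(),
    "rpcss": ["RpcSs"],
}

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])], joining wrapped service lines."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("==="))
    # The first run of '=' marks the Image Name column; names may contain spaces.
    name_end = re.match(r"=+", lines[ruler]).end()
    rows = []
    for line in lines[ruler + 1:]:
        image, rest = line[:name_end].strip(), line[name_end:].strip()
        pid, _, svc = rest.partition(" ") if image else ("", "", rest)
        names = [s.strip() for s in svc.split(",") if s.strip() not in ("", "N/A")]
        if image:
            rows.append((image, int(pid), names))
        elif rows and names:
            rows[-1][2].extend(names)  # wrapped continuation of the previous row
    return rows

def unregistered_svchost_services(rows, groups):
    """Services hosted by svchost.exe that are listed in no Svchost group."""
    known = {s.lower() for members in groups.values() for s in members}
    return [(pid, s) for image, pid, svcs in rows
            if image.lower() == "svchost.exe"
            for s in svcs if s.lower() not in known]
```

With only two groups loaded, anything outside Netsvcs and Rpcss is reported, so feed it every group value from the registry key before treating a hit as suspicious.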
     
