SVCHOST.EXE what does this service actually do?

as above^

Im asking becuase my brother has recently gotten a virus that after about being on the internet for about 15mins this service fails and you are then unable to double click, right click, cut & paste and all sorts of things

 

svchost.exe is a host process for services that run from DLL's. You'll find that a lot of Windows functionality is executed by methods found within DLL's, and svchost is the 'gateway' that allows these methods to be executed.

 

Google is your friend.

 

svchost is just a new way Microsoft have found to fuck things up, by making things as obscure as possible.

 

-----------------------

http://support.microsoft.com/?kbid=314056

A Description of Svchost.exe in Windows XP
The information in this article applies to:
Microsoft Windows XP Professional

This article was previously published under Q314056
For a Microsoft Windows 2000 version of this article, see 250320.

SUMMARY
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running. Image Name PID Services
========================================================================
System Process 0 N/A
System 8 N/A
Smss.exe 132 N/A
Csrss.exe 160 N/A
Winlogon.exe 180 N/A
Services.exe 208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
Eventlog,LanmanServer,LanmanWorkstation,
LmHosts,Messenger,PlugPlay,ProtectedStorage,
Seclogon,TrkWks,W32Time,Wmi
Lsass.exe 220 Netlogon,PolicyAgent,SamSs
Svchost.exe 404 RpcSs
Spoolsv.exe 452 Spooler
Cisvc.exe 544 Cisvc
Svchost.exe 556 EventSystem,Netman,NtmsSvc,RasMan,
SENS,TapiSrv
Regsvc.exe 580 RemoteRegistry
Mstask.exe 596 Schedule
Snmp.exe 660 SNMP
Winmgmt.exe 728 WinMgmt
Explorer.exe 812 N/A
Cmd.exe 1300 N/A
Tasklist.exe 1144 N/A

The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
RApcss :Reg_Multi_SZ: RpcSs


Last Reviewed: 8/6/2002
Keywords: kbinfo KB314056

 

Thats exactly the sort of crap I am talking about.

What Microsoft choose and not to choose to put in plain sight is a complete mystery to me.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>tasklist /svc

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 376 N/A
csrss.exe 424 N/A
winlogon.exe 448 N/A
services.exe 492 Eventlog, PlugPlay
lsass.exe 504 PolicyAgent, ProtectedStorage, SamSs
svchost.exe 684 RpcSs
svchost.exe 736 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, lanmanworkstation, Netman,
RasAuto, RasMan, SENS, ShellHWDetection,
srservice, TapiSrv, Themes, TrkWks, winmgmt
svchost.exe 904 Dnscache
explorer.exe 1048 N/A
spoolsv.exe 1056 Spooler
point32.exe 1140 N/A
nvsvc32.exe 1212 NVSvc
svchost.exe 1236 stisvc
LVComS.exe 1320 N/A
CookiePatrol.exe 1380 N/A
PPControl.exe 1420 N/A
AU30TRAY.EXE 1464 N/A
PPMemCheck.exe 1504 N/A
BPA Usage.exe 1712 N/A
AsusProb.exe 1728 N/A
rundll32.exe 1736 N/A
Icq.exe 1764 N/A
BPALogin.exe 1776 N/A
cogs.exe 712 N/A
iexplore.exe 1856 N/A
cmd.exe 2020 N/A
tasklist.exe 1976 N/A
wmiprvse.exe 1024 N/A

Typing in Tasklist /FI "PID eq 736" does fuck all.

Why on earth they just dont stick them in taskmanager as a branch under each instance of svchost is beyond me. Its a bloody perfect way for people to hide a process from plain sight, if they wanted to.