Wednesday, August 10

Info - svchost.exe

HORRIBLE  MICROSOFT  DEFINITON
 “svchost.exe is a generic host process name for services that run from dynamic-link libraries”


WHY svchost.exe IS FORMED ?
  • Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for re-usability. 
  • But the problem is that you can’t launch a .dll file directly from Windows, it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.
  • Svchost.exe is a generic process name for Windows services that run from Microsoft DLLs (dynamically linked libraries). Each of those instances of svchost.exe in the process lists actually represents a group of services that each process is managing.

WHY SO MANY svchost.exe's RUNNING ?
  • If you’ve ever taken a look at the Services section in control panel you might notice that there are a Lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.
  • Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. 

  • Another svchost.exe instance might run all the services related to the user interface, and so on. 
  • This grouping of services allows for better control and easier debugging.



WHERE svchost.exe IS LOCATED ?
  • The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. 
  • Svchost.exe groups are identified in the following registry key : 
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group.




SOME MORE INFO...
  • A problem tends to arise when one .dll can’t complete its task, which in turn bogs down the rest of the svchost programs. Unfortunately, the svchost.exe is used as a favourite access point for viruses and other malicious programs.
  • Additionally, if you are noticing very heavy CPU usage on a single svchost.exe instance you can restart the services running under that instance. 
    The biggest problem is identifying what services are being run on a particular svchost.exe instance.



EXAMINE svchost.exe's IN TASK MANAGER & SERVICES RUNNING UNDER PARTICULAR svchost.exe INSTANCE

  • Press "Ctrl+alt+del" or Open RUN & Type "TASKMGR", to Open TASK MANAGER.
  • Click "Show processes from all users". Here you can see lots of "svchost.exe" Processes running.

  • Now to see What Services are running under any Instance of svchost.exe. Right Click on any "svchost.exe", Click "Go to Service(s)".

 

  • You can see this selected svchost.exe, is holding 3 services, Those are Highlighted.



CHECKING FROM COMMAND LINE
  • If you want to see what services are being hosted by a particular svchost.exe instance, you can use the tasklist command from the command prompt in order to see the list of services.
  • TYPE : tasklist /SVC
  • The problem with using the command line method is that you don’t necessarily know what these cryptic names refer to.

********************************************************************************************************************************************************************************************************************************


No comments:

Post a Comment