An analysis of Svchost.exe and Explorer.exe, two major Windows system processes

This article looks at two important Windows system processes, Svchost.exe and Explorer.exe: their characteristics and how they behave in each version of the operating system.

Explorer

Every operating system in the Windows family starts a process called Explorer.exe at run time. This process is mainly responsible for displaying the icons on the system desktop and the taskbar, and it behaves differently in different versions of Windows.

Explorer in Windows 9x

In Windows 9x, this process is required for the system to run. If you end the Explorer.exe process with the "End Task" method, the system refreshes the desktop and updates the registry, so this method can also be used to update the registry quickly. Here's how:

Press Ctrl+Alt+Del to bring up the End Task dialog. Select the "Explorer" option in the dialog and click the "End Task" button; the "Close Windows" dialog box appears. Click the "No" button. After a while the system shows another dialog box telling you that the program is not responding and asking whether you want to end the task. Click the "End Task" button to update the registry and return to the Windows 9x environment. Isn't this much more convenient than the cumbersome restart process?

Explorer in Windows 2000/XP

In Windows 2000/XP and other systems based on the Windows NT kernel, the Explorer.exe process is not required for the system to run, so ending it with the Task Manager does not affect normal operation. Open a program you need, such as Notepad. Then right-click the taskbar, select "Task Manager", select the "Processes" tab, select the Explorer.exe process in the window, and click the "End Process" button. Everything on the desktop except the wallpaper (Active Desktop wallpaper excepted) disappears, including all icons and the taskbar. You can still use all running software as usual.

What if you want to run other software, but there is nothing on the desktop? Don't worry, there are two ways to start other software:

The first method: press Ctrl+Alt+Del, and when the "Windows Security" dialog box appears, click the "Task Manager" button (or press Ctrl+Shift+Esc directly). Select the "Applications" tab in the Task Manager window and click "New Task". In the "Create New Task" dialog box that pops up, enter the path and name of the software you want to open.

The second method: select "File → Open" in a program that is already running. In the "Open" dialog box, click the "File Type" drop-down list, select "All Files", and then browse to the software you want to open. Right-click it and select the "Open" command in the shortcut menu to start it. Note that clicking the "Open" button will not start the software at this point. This method works with most software, except for the Office series.

Ending the Explorer.exe process also reduces the memory used by the system by around 4520KB, which will undoubtedly speed up the system and free up valuable space for users with tight resources.

Svchost.exe

Svchost.exe is a very important process in systems based on the NT kernel, and it is indispensable on Windows 2000 and XP. Many viruses and Trojans also make use of it, so a thorough understanding of this program is essential for anyone who works with computers.

Everyone is familiar with the Windows operating system, but have you noticed the "Svchost.exe" file in the system? Attentive readers will find multiple "Svchost" processes in Windows (open the Task Manager with Ctrl+Alt+Del and look at the "Processes" tab). Why is this? Let's take a closer look.

In the Windows operating systems based on the NT kernel, different versions of Windows have different numbers of "Svchost" processes, and users can check the number in the Task Manager. In general, Windows 2000 has two Svchost processes, Windows XP has four or more, and Windows Server 2003 has more still. If you see several such processes on a system, do not immediately conclude that it has a virus. These Svchost processes provide many system services, such as the rpcss service (Remote Procedure Call), the dmserver service (Logical Disk Manager), and the dhcp service (DHCP Client).

If you want to know how many system services each Svchost process provides, you can enter the "tlist -s" command in the Win 2000 command prompt window, which is provided by Win 2000 support tools. In Win XP, the "tasklist /svc" command is used.

Svchost can contain multiple services

Windows system processes are divided into independent processes and shared processes. The "Svchost.exe" file is located in the "%systemroot%\system32" directory and is a shared process. As the number of Windows system services grew, Microsoft moved many services to a shared mode, started by the Svchost.exe process, in order to save system resources. However, the Svchost process only acts as a service host and does not implement any service functions itself. That is, it only provides the conditions for other services to be started in it and cannot provide any service to users on its own. So how are these services implemented?

It turns out that these system services are implemented as dynamic link libraries (DLLs). Each service points its executable program to Svchost, and Svchost loads the dynamic link library of the corresponding service to start it. How does Svchost know which dynamic link library a system service uses? This is determined by the parameters the service sets in the registry.

It can be seen from the startup parameters that the service is started by Svchost.
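The lookup described above can be reproduced from the registry. The following PowerShell is an added example, not part of the original article; the registry locations it reads (the ImagePath value and the Parameters\ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services) are standard Windows locations that the article itself does not name.

```powershell
# Added example: list every service that is hosted by svchost.exe, together
# with the svchost group it belongs to and the DLL that implements it.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

    # Only services whose executable is svchost.exe are shared-process services.
    if ($svc.ImagePath -notmatch '\\svchost\.exe') { return }

    # "-k <group>" on the command line names the svchost group for the service.
    $group = if ($svc.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { '' }

    # The implementing DLL is normally stored in <service>\Parameters\ServiceDll;
    # fall back to a ServiceDll value on the service key itself.
    $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    $dll = if ($params.ServiceDll) { $params.ServiceDll } else { $svc.ServiceDll }

    [pscustomobject]@{
        Service    = $_.PSChildName
        Group      = $group
        ImagePath  = $svc.ImagePath
        ServiceDll = $dll
    }
} | Sort-Object Group, Service | Format-Table -AutoSize -Wrap
```

When reviewing the output, a ServiceDll that resolves to an unfamiliar directory is the entry to look at first, since the DLL is the code that actually runs inside the Svchost process.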

Because the Svchost process starts various services, viruses and Trojans also try their best to exploit it, using its characteristics to confuse users and achieve infection, intrusion, and destruction (for example, the Shockwave variant virus "w32.welchia.worm"). But it is normal for a Windows system to have multiple Svchost processes, so which Svchost process on an infected machine belongs to the virus? Here is an example to illustrate.

Suppose a Windows XP system is infected with "w32.welchia.worm". The normal Svchost file is located in the "c:\Windows\system32" directory. If you find the file in any other directory, be careful. The "w32.welchia.worm" virus resides in the "c:\Windows\system32\wins" directory, so it is easy to find out whether the system is infected by using a process manager to view the executable file path of each Svchost process. The Task Manager that comes with Windows cannot show the path of a process, so use third-party process management software, such as the Windows Optimizer process manager. These tools can easily show the executable file of every Svchost process. As soon as an unusual execution path is found, the file should be checked and dealt with.
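The path check described above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes PowerShell 3.0 or later (for Get-CimInstance), and it also treats the SysWOW64 copy of svchost.exe found on 64-bit Windows as expected, which the article does not mention.

```powershell
# Added example: list each svchost.exe process with its executable path and
# the services it hosts, and flag any path outside the expected directories.

# System32 is the location the article names; SysWOW64 holds the 32-bit copy
# on 64-bit Windows (an addition here, not from the article).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Map process ID -> service names, the same data "tasklist /svc" prints.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object { $servicesByPid[[int]$_.ProcessId] += @($_.Name) }

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath
        # -contains compares strings case-insensitively, as Windows paths require.
        $verdict = if (-not $path) {
            'PATH UNAVAILABLE (run elevated)'
        } elseif ($expected -contains $path) {
            'ok'
        } else {
            'UNEXPECTED PATH'
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $path
            Verdict   = $verdict
            Services  = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        }
    } | Sort-Object Verdict, ProcessId | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; without elevation the path of some system-owned processes is not returned and those rows are reported as unavailable rather than as clean.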
