The role of the Svchost.exe process in Windows systems

  

Svchost.exe and Explorer.exe are two very important Windows processes. Last time we introduced practical tips for the Explorer.exe process; today we introduce the characteristics of the Svchost.exe process and its use in various versions of the operating system.

Svchost.exe is a very important process on NT-kernel systems and is indispensable to Windows 2000 and XP. Many viruses and Trojans also make use of it, so an in-depth understanding of this program is essential for anyone who works with computers.

Everyone is familiar with the Windows operating system, but have you noticed the "Svchost.exe" file in the system? Attentive readers will find multiple "Svchost" processes in Windows (press "ctrl+alt+del" to open the Task Manager and look in the "Processes" tab). Why is this? Let's lift the veil.

In the Windows operating system family based on the NT kernel, different versions of Windows have different numbers of "Svchost" processes, and users can use the "Task Manager" to view the number of processes. In general, Win 2000 has two Svchost processes, Win XP has four or more (so when you see several such processes in the system, do not immediately conclude that the system has a virus), and Win 2003 Server has even more. These Svchost processes provide many system services, such as the rpcss service (remote procedure call), the dmserver service (logical disk manager) and the dhcp service (DHCP client).

Viewing Multiple Services in Svchost

If you want to know how many system services each Svchost process provides, run "tlist -s" in a Command Prompt window on Win 2000; this command is provided by the Win 2000 Support Tools. On Win XP, use the "tasklist /svc" command instead.

Windows system processes are divided into independent processes and shared processes. The "Svchost.exe" file is located in the "%systemroot%\system32" directory and is a shared process. As the number of Windows system services grew, Microsoft made many services run in a shared mode to save system resources, and these services are started by the Svchost.exe process.

But the Svchost process is only a service host and does not implement any service function itself. It only provides the conditions for other services to be started within it; it cannot provide any service to users on its own. So how are these services implemented?

In fact, these system services are implemented as dynamic link libraries (DLLs). Each service points its executable program to Svchost, and Svchost loads the dynamic link library of the corresponding service to start it. How, then, does Svchost know which dynamic link library a given system service uses? This is determined by the parameters that the system service sets in the registry.

It can be seen from the startup parameters that the service is started by Svchost.

Checking whether a Svchost process is a virus

Because the Svchost process starts various services, viruses and Trojans also do their best to take advantage of it, using its characteristics to confuse users and achieve their goals of infection, intrusion and destruction. But it is normal for a Windows system to have multiple Svchost processes, so which one on an infected machine is the virus process? Here is an example to illustrate.

Suppose a Windows XP system is infected with a virus. The normal Svchost file is located in the "c:\Windows\system32" directory. If you find the file in any other directory, be careful. In this example the virus is located in the "c:\Windows\system32\Wins" directory, so viewing the executable file path of each Svchost process with a process manager makes it easy to see whether the system is infected.

The Task Manager that comes with Windows cannot show the path of a process, but third-party process management software can. With such tools you can easily view the executable file path of every Svchost process. If an executable path is in an unusual location, it should be investigated and dealt with immediately.
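
The path check described above, as an added PowerShell example that is not part of the original article. It assumes PowerShell 3.0 or later; `Get-SvchostReport` is a hypothetical helper name, the SysWOW64 entry is an addition beyond the article, and the sample records are constructed.

```powershell
# Added example, not from the original article. Requires PowerShell 3.0 or later.
# Get-SvchostReport is a hypothetical helper name.
function Get-SvchostReport {
    param(
        # Records with ProcessId and ExecutablePath; defaults to the live system.
        [object[]]$Process = (Get-CimInstance Win32_Process -Filter "Name='svchost.exe'"),
        # Records with ProcessId and Name, used to list the services each process hosts.
        [object[]]$Service = (Get-CimInstance Win32_Service -Filter "State='Running'"),
        [string]$SystemRoot = $env:SystemRoot
    )
    # The article's normal location, plus SysWOW64, where 64-bit Windows keeps the
    # 32-bit copy (an addition beyond the article, to avoid false alarms).
    $expected = @(
        (Join-Path $SystemRoot 'System32\svchost.exe'),
        (Join-Path $SystemRoot 'SysWOW64\svchost.exe')
    )
    foreach ($p in $Process) {
        $hosted = @($Service | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    ForEach-Object { $_.Name }) -join ','
        if (-not $p.ExecutablePath) {
            $status = 'PathUnavailable'   # path not readable, e.g. session not elevated
        } elseif ($expected -contains $p.ExecutablePath) {
            $status = 'Expected'          # -contains compares case-insensitively
        } else {
            $status = 'Unexpected'
        }
        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Path      = $p.ExecutablePath
            Services  = $hosted
            Status    = $status
        }
    }
}

# Constructed sample records; the second path is the article's infected example.
$sample = @(
    [pscustomobject]@{ ProcessId = 812;  ExecutablePath = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ ProcessId = 2044; ExecutablePath = 'c:\Windows\system32\Wins\svchost.exe' }
    [pscustomobject]@{ ProcessId = 1388; ExecutablePath = $null }
)
Get-SvchostReport -Process $sample -Service @() -SystemRoot 'C:\Windows' | Format-Table -AutoSize

# Live system (run elevated so every path is readable):
Get-SvchostReport | Where-Object { $_.Status -ne 'Expected' }
```

On the sample records the first is reported as Expected, the second as Unexpected and the third as PathUnavailable.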

