Svchost.exe is a very important process in the Windows operating system family based on the NT kernel. Many viruses and Trojans are closely related to this process, so it is necessary to have a deep understanding of the process. This article focuses on the capabilities of the Svchost process and the knowledge associated with it.
Svchost Process Overview
Microsoft's definition of the "Svchost process" is: Svchost.exe is the generic host process name for services that run from dynamic link libraries (DLLs). The Svchost.exe file is located in the "%SystemRoot%\System32" folder. When the system boots, Svchost checks the services section of the registry to build a list of services that need to be loaded. Multiple instances of Svchost can run simultaneously. Each Svchost instance hosts a group of services, so different services run depending on how Svchost is launched and which group it is given, which allows for better control and easier debugging.
Svchost groups are defined in the registry under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]. Each value under this key represents a separate Svchost group and appears as a separate Svchost instance when we view the active processes. All of the values here are of type REG_MULTI_SZ and contain the names of the services running in that Svchost group (see Figure 1).
Figure 1 Svchost in the registry
In fact, Svchost is only a host for services and implements no functionality itself. If a service implemented as a DLL is to be started through Svchost, the service's loader is pointed at Svchost; when the service starts, Svchost loads the service's DLL, which is how the service is started. Which DLL file Svchost loads for a service is determined by a registry parameter: under the registry key of the service to be started there is a "Parameters" subkey, and its "ServiceDll" value names the DLL file responsible for the service. That DLL must export a ServiceMain() function to handle the service's tasks.
Tip: Different versions of Windows have different numbers of Svchost processes. In general, Windows 2000 has two Svchost processes, while Windows XP has four or more Svchost processes.
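The group and ServiceDll layout described above can be read programmatically. The following PowerShell is an added example, not code from the original article; it assumes PowerShell 5.1 or later on a modern Windows system, where the registry layout is the same as the one described here. It walks every group value under the Svchost key, lists each member service, resolves its ServiceDll (expanding %SystemRoot%), and notes whether the service is installed at all, since a group can list names that have no service key on the system.

```powershell
# Added example (not from the article): enumerate Svchost service groups and
# resolve each member service's ServiceDll. Assumes PowerShell 5.1+.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDll {
    param([string]$ServiceName)
    # ServiceDll normally lives under <service>\Parameters; a few services put it
    # directly on the service key, so check both places.
    foreach ($sub in @('Parameters', '')) {
        $path = "$servicesKey\$ServiceName\$sub".TrimEnd('\')
        $dll = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $null
}

function Get-SvchostGroups {
    $key = Get-Item -Path $svchostKey
    # Each REG_MULTI_SZ value under the Svchost key is one group; its entries are
    # service names. Skip the (default) value if it is present.
    foreach ($group in ($key.GetValueNames() | Where-Object { $_ -ne '' })) {
        foreach ($member in @($key.GetValue($group))) {
            [pscustomobject]@{
                Group      = $group
                Service    = $member
                Installed  = Test-Path -Path "$servicesKey\$member"
                ServiceDll = Get-ServiceDll -ServiceName $member
            }
        }
    }
}

# Usage: list every group, its members, and where each member's DLL lives.
Get-SvchostGroups | Sort-Object Group, Service | Format-Table -AutoSize
```

Entries with Installed set to False are names a group carries without a matching service key; they are harmless by themselves, but they are exactly the slots a later section of this article shows a backdoor filling.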
Svchost Process Instances
To view the list of services running in each Svchost instance, enter the "Tasklist /svc" command in the Windows XP Command Prompt window and press Enter (if you are using Windows 2000, you can use the Tlist tool from the Support Tools instead, with the command "Tlist -s"). The Tasklist command displays the list of active processes, and the /svc switch lists the active services in each process. As the figure shows, the Svchost processes start many system services, such as RpcSs (Remote Procedure Call), Dhcp (DHCP Client) and Netman (Network Connections) (Figure 2).
Figure 2 Svchost service list
Here we take the RpcSs service as an example to learn more about the relationship between the Svchost process and a service. Run Regedit, open the Registry Editor, expand the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs] branch, and look at the key named "ServiceDll" in the "Parameters" subkey. Its value is "%SystemRoot%\system32\rpcss.dll". This means that when the system starts the RpcSs service, it calls the Rpcss.dll dynamic link library file in the directory "%SystemRoot%\system32".
Next, open the Services console from the Control Panel via "Administrative Tools → Services". In the right pane, double-click the "Remote Procedure Call (RPC)" service item to open its properties dialog box. You can see that the path of the executable file for the RpcSs service is "C:\Windows\system32\svchost -k Rpcss", which means that the RpcSs service is started by Svchost, and "-k rpcss" indicates that this service belongs to the Rpcss service group of Svchost.
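The three facts the article checks by hand for RpcSs (the ServiceDll value, the "-k" group in the executable path, and which Svchost process is hosting the service, as shown by "Tasklist /svc") can be pulled together for any service. The following PowerShell is an added example, not code from the original article; it assumes PowerShell 5.1 or later and the registry layout described above. It also cross-checks that the group named by "-k" really lists the service under the Svchost key.

```powershell
# Added example (not from the article): inspect how one service is hosted by
# Svchost, the way the article does by hand for RpcSs. Assumes PowerShell 5.1+.
function Get-SvchostHostedService {
    param([Parameter(Mandatory)][string]$Name)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $props  = Get-ItemProperty -Path $svcKey -ErrorAction Stop

    # ImagePath looks like "%SystemRoot%\system32\svchost.exe -k rpcss";
    # the -k argument names the Svchost group the service belongs to.
    $group = $null
    if ($props.ImagePath -match '-k\s+"?([^\s"]+)') { $group = $Matches[1] }

    # ServiceDll is the DLL Svchost will load for this service.
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    # Cross-check: the group value under the Svchost key should list this service.
    $groupMembers = @()
    if ($group) {
        $svchost = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
        $groupMembers = @($svchost.GetValue($group))
    }

    # Which svchost.exe instance hosts it right now (what "tasklist /svc" shows).
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"

    [pscustomobject]@{
        Service       = $Name
        ImagePath     = $props.ImagePath
        Group         = $group
        ListedInGroup = ($groupMembers -contains $Name)   # -contains is case-insensitive
        ServiceDll    = $dll
        State         = $wmi.State
        HostPid       = $wmi.ProcessId
    }
}

# Usage: the article's RpcSs example.
Get-SvchostHostedService -Name RpcSs

# The "Tasklist /svc" view for every Svchost instance: services grouped by host PID.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*svchost.exe*' -and $_.State -eq 'Running' } |
    Group-Object -Property ProcessId |
    ForEach-Object { '{0,6}  {1}' -f $_.Name, (($_.Group.Name | Sort-Object) -join ', ') }
```

On Windows 10 and later, many services run in their own Svchost instance even though they still belong to a registry group, so one group can appear under several PIDs; the ListedInGroup check is the part that carries over unchanged.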
Figure 3 Module information in the Svchost process
Svchost process Trojan analysis
From the previous introduction we already know that the registry branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] stores the groups started by Svchost and the services in each group. Many Trojans and viruses use this to get themselves loaded automatically. The usual methods are:
· Add a new group and add the service name to that group;
· Add the service name to an existing group, or reuse a service name that an existing group already lists but that is not installed on the system;
· Modify a service in an existing group and point its ServiceDll to its own DLL file.
For example, PortLess BackDoor is a typical backdoor tool that is loaded through the Svchost process. So how do you detect and remove Trojans and viruses like PortLess BackDoor? Take Windows XP as an example. First, we can use a process tool such as "Process Spy" to view the module information in the Svchost process (see Figure 3). Compared with the module information seen earlier, we find a suspicious DLL file, "SvchostDLL.dll", in the Svchost process. At the same time, in the "Administrative Tools → Services" list, you will see a new service with the display name "Intranet Services". Its service name is Iprip, it is started by Svchost, and "-k netsvcs" shows that it is included in the Netsvcs service group.
Tip: In Windows 2000, the system's Iprip service listens for routing update information sent by routers using Routing Information Protocol version 1 (RIPv1). The name displayed in the service list is "RIP Listener".
Run Regedit, open the Registry Editor, expand the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP] branch, and view its "Parameters" subkey, where the "ServiceDll" value points to the path and full name of the DLL file being called, which is the backdoor DLL file. Knowing this, you can remove it as follows: in the Services list, right-click the "Intranet Services" service and select "Stop" from the menu, then delete the "Iprip" item in the registry branch above. Restart the computer, and then delete the backdoor's main file at the location given by the "ServiceDll" value. Finally, the reader should be reminded to back up the registry before modifying it, so that it can be restored promptly if an error occurs.