The function of the Svchost.exe process and related knowledge explained

Svchost Process Overview
Microsoft describes Svchost.exe as the generic host process name for services that run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the "%SystemRoot%\System32" folder. When the system boots, Svchost checks the services part of the registry to build the list of services it needs to load.

Multiple instances of Svchost can run at the same time. Each Svchost instance hosts one group of services, and which services it hosts depends on how and from where Svchost was launched. Splitting services across instances gives better control and makes debugging easier.

Svchost groups are defined under the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]. Each value under this key represents a separate Svchost group and appears as a separate Svchost instance when we view the active processes. The values here are all of type REG_MULTI_SZ, and each one contains the names of the services that run in that Svchost group (see Figure 1).

Figure 1 Svchost in the registry

In fact, Svchost is only a host for services and does not implement any functionality of its own. For a service implemented as a DLL to be started through Svchost, the DLL's host (its loader) must be Svchost: when the service is started, Svchost loads the service's DLL and calls into it. Which DLL file Svchost loads for a service is determined by registry parameters. The service's registry key has a "Parameters" subkey, and the "ServiceDll" value under it names the DLL file that implements the service. That DLL must export a ServiceMain() function, which handles the service's work.

Tip: Different versions of Windows run different numbers of Svchost processes. In general, Windows 2000 has two Svchost processes, while Windows XP has four or more.


Svchost Process Instances
To view the list of services running in Svchost, type Tasklist /svc at the Windows XP command prompt and press Enter (on Windows 2000, use the Tlist tool from the Support Tools instead; the command is "Tlist -s"). The Tasklist command displays the list of active processes, and the /svc switch lists the active services inside each process. As Figure 2 shows, the Svchost processes start many system services, for example RpcSs (Remote Procedure Call), Dhcp (DHCP Client) and Netman (Network Connections).

Figure 2 Svchost service list

Here we take the RpcSs service as an example to look more closely at the relationship between the Svchost process and a service. Run Regedit to open the Registry Editor, expand the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs] branch, and under its "Parameters" subkey you will find a value named "ServiceDll" set to "%SystemRoot%\system32\rpcss.dll". This means that when the system starts the RpcSs service, it loads the rpcss.dll dynamic-link library from the "%SystemRoot%\system32" directory.

Next, open the Control Panel and double-click "Administrative Tools → Services" to open the services console. Double-click the "Remote Procedure Call (RPC)" service in the right pane to open its properties dialog. You can see that the path to the executable for the RpcSs service is "C:\Windows\system32\svchost -k rpcss". This shows that the RpcSs service is started by Svchost, and "-k rpcss" means that the service belongs to the rpcss service group of Svchost.

Svchost Process Trojan Analysis
From the introduction above we already know that the registry branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] stores the Svchost startup groups and the services within each group. Many Trojans and viruses use this to get themselves loaded automatically. The usual methods are:

· Add a new group and add the service name to that group;

· Add a service name to an existing group, or install a service under a name that an existing group already lists but that is not actually installed;

· Modify the service in the existing group and point its ServiceDll to its own DLL file.

For example, PortLess BackDoor is a typical backdoor tool that loads through the Svchost process. So how do you detect and remove Trojans and viruses like PortLess BackDoor? Take Windows XP as an example. First, use a process tool such as "process spy" to view the module information of the Svchost processes (as shown in Figure 3). Compared with the module information seen earlier, a suspicious DLL file, "SvchostDLL.dll", appears in one Svchost process. At the same time, a new service with the display name "Intranet Services" appears in the "Administrative Tools → Services" list; its service name is Iprip, it is started by Svchost, and "-k netsvcs" indicates that it belongs to the netsvcs service group.

Figure 3 Module information in the Svchost process

Tip: In Windows 2000, the system's own Iprip service listens for routing update information sent by routers using Routing Information Protocol version 1 (RIPv1); it appears in the service list as "RIP Listener".

Run Regedit to open the Registry Editor, expand the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP] branch, and look at its "Parameters" subkey. The "ServiceDll" value there gives the full path and name of the DLL file that is loaded; this is the backdoor's DLL. Knowing this, you can clean it up: right-click the "Intranet Services" service in the services list, choose "Stop" from the menu, and then delete the "Iprip" key from the registry branch above. Restart the computer, then delete the backdoor's main file at the location given by the "ServiceDll" value. Finally, a reminder for the reader: back up the registry before modifying it, so that it can be restored promptly if something goes wrong.
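As an added example (not code from the original article), the PowerShell script below walks the registry structure described in the first section and checks every service started as "svchost -k <group>" for the three loading methods listed above: a group that does not exist under the Svchost key, a service that is not listed in the group it claims, and a ServiceDll that lies outside System32, is missing, or does not carry a valid signature. It assumes an elevated PowerShell prompt on a Windows host; the function name Get-SvchostAudit is my own.

```powershell
# Added example, not from the original article. Read-only audit of the
# Svchost groups and of every service started as "svchost -k <group>".
# Assumes an elevated PowerShell prompt on a Windows host.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32') + '\'

function Get-SvchostAudit {
    # Group name -> service names, exactly as each REG_MULTI_SZ value lists them
    $groups = @{}
    $key = Get-Item -Path $svchostKey
    foreach ($name in $key.GetValueNames()) { $groups[$name] = @($key.GetValue($name)) }

    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $image = [string](Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        # Only services hosted by svchost carry "-k <group>" in their ImagePath
        if ($image -match 'svchost(\.exe)?\s+-k\s+(?<group>\S+)') { $group = $Matches['group'] } else { continue }
        $findings = @()

        # Methods 1 and 2 above: a new group, or a service smuggled into an existing group
        if (-not $groups.ContainsKey($group)) {
            $findings += "group '$group' does not exist under the Svchost key"
        } elseif ($groups[$group] -notcontains $svc.PSChildName) {
            $findings += "not listed in group '$group'"
        }

        # Method 3 above: ServiceDll repointed to a foreign DLL
        $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) {
            $findings += 'no Parameters\ServiceDll value'
        } else {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += "ServiceDll outside System32: $dll"
            }
            if (-not (Test-Path -LiteralPath $dll)) {
                $findings += "ServiceDll file not found: $dll"
            } else {
                # Catalog-signed system DLLs report NotSigned on older Windows, so treat
                # a non-Valid status as a prompt to look closer, not as proof of compromise.
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
                if ($status -ne 'Valid') { $findings += "signature status ${status}: $dll" }
            }
        }

        if ($findings.Count -gt 0) {
            [PSCustomObject]@{ Service = $svc.PSChildName; Group = $group; Findings = ($findings -join '; ') }
        }
    }
}

Get-SvchostAudit | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good machine of the same Windows version, since a service such as Iprip that a group legitimately lists can still be the one a backdoor has installed.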
