Interpretation of Svchost.exe process to protect system security

svchost.exe is a core process of NT-kernel Windows systems; on Windows 2000 and XP it is indispensable. Many viruses and Trojans also invoke it, so an in-depth understanding of this program is essential for anyone who uses a computer. Everyone is familiar with the Windows operating system, but have you noticed the file "svchost.exe" in the system? Attentive users will find multiple "svchost" processes in Windows (open the Task Manager with “ctrl+alt+del” and look at the "Processes" tab). Why is this? Let's lift the veil.



In the Windows operating system family based on the NT kernel, different versions of Windows show a different number of "svchost" processes, which users can view in the "Task Manager". In general, Windows 2000 has two svchost processes, Windows XP has four or more (so when you later see several such processes in the system, don't immediately conclude that it is infected with a virus), and Windows Server 2003 has even more. These svchost processes provide many system services, for example: the rpcss service (Remote Procedure Call), the dmserver service (Logical Disk Manager) and the dhcp service (DHCP Client).
If you want to know which system services each svchost process provides, enter the “tlist -s” command in a Windows 2000 command prompt window; this command is provided by the Windows 2000 Support Tools. In Windows XP, use the “tasklist /svc” command.
Svchost can contain multiple services
In depth
Windows system processes are divided into independent processes and shared processes. The "svchost.exe" file is located in the "%systemroot%\system32" directory and belongs to the shared processes. As the number of Windows system services grew, Microsoft, in order to save system resources, implemented many services in a shared mode in which they are started by the svchost.exe process. However, the svchost process only acts as a service host and does not implement any service functions itself: it provides the conditions under which other services can be started, but it cannot provide any service to users on its own. So how are these services implemented?
The system services are implemented as dynamic link libraries (DLLs); their executable program is set to svchost, and svchost loads the DLL of the corresponding service to start it. How, then, does svchost know which DLL to load for a given system service? That is determined by parameters the system service sets in the registry. The rpcss (Remote Procedure Call) service is used as an example below.
The startup parameters show that the service is started by svchost.
Take Windows XP as an example. Click “Start”/“Run”, enter the “services.msc” command to open the Services window, then open the properties dialog of the “Remote Procedure Call” service. You can see that the path of the rpcss service's executable file is "c:\windows\system32\svchost -k rpcss", which means that the rpcss service is started by svchost with the “rpcss” parameter; the content of that parameter is stored in the system registry.
Enter "regedit.exe" in the Run dialog box and press Enter to open the Registry Editor, then find the [hkey_local_machine\system\currentcontrolset\services\rpcss] key. There you will find a value of type "reg_expand_sz" whose data is “%systemroot%\system32\svchost -k rpcss” (this is the service startup command seen in the Services window). In addition, under the "parameters" subkey there is a value named "servicedll" whose data is “%systemroot%\system32\rpcss.dll”; “rpcss.dll” is the dynamic link library file used by the rpcss service. In this way the svchost process can start the service by reading the “rpcss” service's registry information.
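The registry lookup described above can be scripted so that you do not have to click through regedit for every service. The following PowerShell function is an added example, not part of the original article: it reads a service's startup command and its servicedll from the registry, extracts the svchost group name from the "-k" parameter, and lists the other services that share that group. It assumes a modern Windows with PowerShell 3 or later; the registry key "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost", which maps each svchost group name to its member services, is real but is not mentioned on the page.

```powershell
# Added example (not from the original article): resolve how a service is
# hosted by svchost, purely from the registry, the way the article describes
# for rpcss. Requires PowerShell 3+; run elevated to read every service key.
function Get-SvchostServiceInfo {
    param([Parameter(Mandatory)][string]$ServiceName)

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $svcKey)) {
        throw "Service '$ServiceName' has no key under CurrentControlSet\Services"
    }

    # The startup command the Services window shows (REG_EXPAND_SZ; the
    # registry provider expands %systemroot% for us).
    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

    # The DLL svchost loads for this service. Most services keep it under
    # the Parameters subkey; a few keep it directly on the service key.
    $serviceDll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $serviceDll) {
        $serviceDll = (Get-ItemProperty -Path $svcKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    }
    if ($serviceDll) {
        $serviceDll = [Environment]::ExpandEnvironmentVariables($serviceDll)
    }

    # "-k <group>" in the image path names the svchost group; the Svchost key
    # holds one REG_MULTI_SZ value per group listing its member services.
    $group = $null
    $members = @()
    if ($imagePath -match '-k\s+(\S+)') {
        $group = $Matches[1]
        $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
        $members = @((Get-ItemProperty -Path $groupKey -ErrorAction SilentlyContinue).$group)
    }

    [PSCustomObject]@{
        Service    = $ServiceName
        ImagePath  = $imagePath
        HostGroup  = $group
        GroupPeers = ($members -join ', ')
        ServiceDll = $serviceDll
        # A servicedll that does not exist on disk, or that points outside
        # %systemroot%, deserves a closer look.
        DllExists  = if ($serviceDll) { Test-Path -LiteralPath $serviceDll } else { $false }
        DllInSystemRoot = if ($serviceDll) { $serviceDll -like "$env:SystemRoot\*" } else { $false }
    }
}

# Usage: the article's example service.
Get-SvchostServiceInfo -ServiceName RpcSs | Format-List
```

Note that a hostile DLL does not need to move svchost.exe at all: registering a service whose servicedll points at an attacker-controlled file would make a perfectly normal-looking svchost.exe load it, which is why the DllInSystemRoot and DllExists fields are worth checking alongside the process path check discussed later in the article.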
Clearing up the confusion
Because the svchost process starts so many services, viruses and Trojans also try hard to use it, hoping to exploit its features to confuse users and achieve infection, intrusion and destruction (for example the Blaster worm variant “w32.welchia.worm”). But it is normal for a Windows system to have multiple svchost processes, so which one is the virus process on an infected machine? Here is an example to illustrate.
Assume that a Windows XP system is infected with “w32.welchia.worm”. The normal svchost file is in the “c:\windows\system32” directory; be careful if you find the file in any other directory. The “w32.welchia.worm” virus lives in the "c:\windows\system32\wins" directory, so viewing the executable file path of each svchost process with a process manager makes it easy to find out whether the system is infected. The Task Manager that comes with Windows cannot show the path of a process, so you can use third-party process management software such as the process manager in "Windows Optimization Master"; with these tools you can easily see the executable path of every svchost process and, as soon as one has an unusual execution path, detect and deal with it.
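The path check the article recommends no longer needs a third-party process manager: on a modern Windows, PowerShell can read each process's image path and, through WMI, the services it hosts. The following function is an added example, not from the original article; it assumes PowerShell 3 or later and an elevated prompt (without elevation the path of some SYSTEM-owned processes may read as empty rather than as a real path, which the code reports as "unknown" rather than as a finding).

```powershell
# Added example (not from the original article): list every running
# svchost.exe, its image path and the services it hosts, and flag the ones
# whose path is not the genuine %SystemRoot%\System32\svchost.exe.
function Find-SuspiciousSvchost {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_

        # Path can be unreadable (access denied) for protected or SYSTEM
        # processes when not elevated; treat that as unknown, not malicious.
        $path = $null
        try { $path = $proc.Path } catch { $path = $null }

        # Services hosted by this process (the same mapping "tasklist /svc"
        # prints); a real svchost normally hosts at least one.
        $services = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($proc.Id)" |
                      Select-Object -ExpandProperty Name)

        $verdict = if ($null -eq $path -or $path -eq '') {
            'unknown (path not readable; re-run elevated)'
        } elseif ($path -ne $expected) {          # -ne is case-insensitive in PowerShell
            "SUSPICIOUS: unexpected image path"
        } elseif ($services.Count -eq 0) {
            'check: genuine path but hosts no service'
        } else {
            'ok'
        }

        [PSCustomObject]@{
            PID      = $proc.Id
            Path     = $path
            Services = ($services -join ', ')
            Verdict  = $verdict
        }
    }
}

# Usage: show every svchost instance, suspicious ones first.
Find-SuspiciousSvchost | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. A genuine svchost.exe that momentarily hosts no service (a service just stopped, or a process mid-exit) is not evidence of infection on its own, so the code only marks it for a second look. And on 64-bit Windows a copy of svchost.exe also exists legitimately in %SystemRoot%\SysWOW64; if you see one running from there, compare the file's signature and hash with the System32 copy before treating it as the article's "unusual execution path".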
