Svchost, as the name implies, stands for "Service Host". Many components of the Windows operating system are implemented as what are called "services", a fancy name for programs that run in the background and aren't necessarily associated with whoever is logged into the machine. A fair number of those services are implemented in DLLs rather than in stand-alone executables. Since a DLL can't run on its own, svchost is the one that loads the DLL.
The problem with svchost.exe nowadays is that it is a common disguise used by malware to hide its presence from the user. As you can see from the image below, svchost.exe doesn't show much information in Windows Task Manager. You wouldn't even know if it is loading a legitimate DLL or not...

Here's how to identify what's really running as svchost.exe on Windows XP Professional. In a command prompt, type the command below and hit Enter.
tasklist /svc /fi "imagename eq svchost.exe"
The service name is displayed on the right side of the tasklist result.

To do a final match up of the somewhat cryptic service name to something more meaningful, you'll need to go to the service browser in Windows. An easy way to get there when running XP is to right click on "My Computer", and select "Manage". This opens the "Computer Management" application. On the left side you'll see a variety of locations, but in this case, you'll need the last one, "Services and Applications". Expand that (use the +), and click on the first item, "Services".

Now comes the tricky part. You'll need to guess in order to match the human-readable name of the service with the Windows name of the service. For example, one of the named services in the list on my computer was PID 1404, Dnscache. I looked through the list of names and the most likely service was "DNS Client". I double-clicked on the entry, which shows the properties for that service:

The "Service Name" exactly matches what I was looking for: Dnscache. Now I know that PID 1404 is the Dnscache service.
What you want to see there is that the executable being run is "svchost.exe". In this case, PID 1404 is the DNS Client service. If you're not using Windows XP Professional, you might not have "tasklist.exe" to display the task list. You can download tasklist.exe from here.
If you find that too troublesome, there is of course an easier way. Use Process Explorer by Sysinternals. Just hover your mouse over svchost.exe and a balloon message will tell you the service name.
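The manual matching described above can be scripted. The following is an added example, not part of the original post: it lists every svchost.exe process with the services it hosts, their display names and the DLL each one loads. It assumes PowerShell 3.0 or later (not present on a stock XP install), that the service DLL is recorded in the `ServiceDll` value under the service's `Parameters` registry key, and that a genuine svchost.exe runs from System32 or SysWOW64.

```powershell
# Added example (not from the original post). Run from an elevated prompt
# so that ExecutablePath is readable for every process.

# Assumption: the only expected locations for a genuine svchost.exe.
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

# Index running services by the PID of the process hosting them.
$byPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString
if (-not $byPid) { $byPid = @{} }

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $path = $proc.ExecutablePath
    $pathCheck = if (-not $path) {
        'unknown (run elevated)'
    } elseif ($expected -contains $path) {
        'ok'
    } else {
        'UNEXPECTED PATH'
    }

    $hosted = $byPid[[string]$proc.ProcessId]
    if (-not $hosted) {
        # An svchost.exe that hosts no service at all deserves a closer look.
        [pscustomobject]@{
            PID = $proc.ProcessId; PathCheck = $pathCheck; Service = '(none hosted)'
            DisplayName = ''; ServiceDll = ''; Path = $path
        }
    } else {
        foreach ($svc in $hosted) {
            # The DLL that svchost loads for this service, if one is registered.
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            [pscustomobject]@{
                PID = $proc.ProcessId; PathCheck = $pathCheck; Service = $svc.Name
                DisplayName = $svc.DisplayName; ServiceDll = $dll; Path = $path
            }
        }
    }
}

$report | Sort-Object PID, Service | Format-Table -AutoSize
```

Rows marked `UNEXPECTED PATH` or `(none hosted)`, and any `ServiceDll` outside the Windows directory, are the ones to examine first.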



4 comments:
Informative 1.
You always post good topics, thanx ralvy
Thanx Bayo