Analyze the role and principle of the SVCHOST Process

Source: Internet
Author: User

Enter SVCHOST

The SVCHOST process is notorious now. It was originally used by Windows to start various services, but virus and Trojan horses also tried their best to use it and attempt to confuse users by using its features, to infect, intrude, and damage (for example, the shock wave variant virus W32.Welchia. worm "). When we look at SVCHOST, we suspect that we have won the trick. In fact, it is normal that there are multiple SVCHOST processes in the Windows system, in the infected machine, which is the virus process? Here is only an example.

Suppose Windows XP is infected with W32.Welchia. Worm. The normal SVCHOST file exists in the "C: Windowssystem32" directory. Be careful if the file appears in other directories. The "W32.Welchia. Worm" virus exists in the "C: Windowssystem32wins" directory. Therefore, you can use the Process Manager to check the execution file path of the SVCHOST process to easily find whether the system is infected with the virus. The Job Manager in Windows cannot view the process path. You can use a third-party process management software, such as the "Windows optimization master" Process Manager, using these tools, you can easily view the execution file paths of all the SVCHOST processes. Once the execution path is found to be unusual, you should immediately detect and process it.

In the NT kernel-based Windows operating system family, different versions of Windows systems have different numbers of "SVCHOST" processes. You can use the "Task Manager" to view the number of processes. In general, Win2000 has two SVCHOST processes, and WinXP has four or more SVCHOST processes (we can see that there are multiple such processes in the system, so do not immediately determine that the system has a virus ), there are more Win2003 servers. These SVCHOST processes provide many system services, such as Remote Procedure Call, dmserver Logical Disk Manager, and Dhcp Client.

To learn how many system services each SVCHOST process provides, enter the "Tlist-S" command in the Win2000 Command Prompt window. This command is provided by Win2000 Support Tools. In WinXP, run the "tasklist/svc" command.

In-depth analysis of SVCHOST

Windows system processes are divided into two types: independent processes and shared processes. The "SVCHOST. EXE" file is stored in the "% SystemRoot % system32" directory and is a shared process. With the increasing number of Windows system services, Microsoft has made many services shared to the svchost. EXE process to save system resources. But the SVCHOST process only acts as a service host and cannot implement any service functions. That is, it can only provide conditions for other services to be started here, but it cannot provide any services to users. How are these services implemented?

Originally, these system services were implemented in the form of Dynamic Link Libraries (DLL). They direct executable programs to SVCHOST, and SVCHOST calls the dynamic link libraries of the corresponding services to start the service. So how does SVCHOST know which dynamic link library should be called by a system service? This is achieved through the parameters set by the System Service in the registry. The following describes the RpcSs (Remote Procedure Call) service as an example. Example: Taking Windows XP as an example, click "start"/"run" and enter "services. run the msc command to bring up the service dialog box. Then open the "Remote Procedure Call" attribute dialog box. You can see that the path of the executable file of the RpcSs Service is "C: WINDOWSsystem32svchost-k rpcss ", this indicates that the RpcSs Service relies on SVCHOST to call the "rpcss" parameter, and the parameter content is stored in the system registry.

Enter regedit.exe in the running dialog box and press Enter. Open the Registry Editor, find the [HKEY_LOCAL_MACHINE SYSTEMCurrentControlSetServicesRpcSs] item, and find the magePath key of the type "REG_EXPAND_SZ ", its key value is "% SystemRoot % system32svchost-k rpcss" (this is the Service Startup Command seen in the service window ), in addition, there is a key named "ServiceDll" in the "Parameters" subitem, and its value is "% SystemRoot % system32pcss. dll, where "rpcss. dll is the dynamic link library file to be used by the rpcss. In this way, the SVCHOST process can start the service by reading the registry information of the "RpcSs" service.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.