Completely clear the svchost.exe file in the system

Completely clear the svchost.exe file in the system

Reprinted: http://blog.csdn.net/kencharles/

Many people do not know much about the svchost process in the system. Many svchost processes think they are infected with viruses.

Svchost.exe is an important file in the NT core system and is indispensable for Win2000/XP. These svchost processes provide many system services, such as RPCSS (remoteprocedure call), dmserver (Logical Disk Manager), and DHCP client.

To learn how many system services each svchost process provides, enter the "tasklist/svc" command in the WINXP Command Prompt window.

Working Principle

Generally, Windows processes are divided into two types: independent processes and shared processes. The svchost.exe file exists in the % SystemRoot %/system32 directory and belongs to the shared process.

With the increasing number of windows system services, Microsoft has made many services shared to the svchost process to save system resources. But the svchost process only acts as a service host and cannot implement any service functions. That is, it can only provide conditions for other services to be started here, but it cannot provide any services to users.

How are these services implemented? Originally, these system services were implemented in the form of Dynamic Link Libraries (DLL). They direct executable programs to svchost, and SVCHOST calls the dynamic link libraries of the corresponding services to start the service.

So how does svchost know which dynamic link library should be called by a system service? This is achieved through the parameters set by the System Service in the registry.

Specific instance

The following uses the remote registry service as an example to see how the svchost process calls the DLL file. In WINXP, click Start> Run and enter services. the MSC command will pop up the service dialog box, and then open the "Remote Registry" attribute dialog box, you can see that the path of the Remote Registry Service Executable File is "C: /Windows/system32/svchost-K LocalService ", which indicates that the Remote Registry Service relies on svchost to call the" LocalService "parameter, and the parameter content is stored in the system registry.

Enter regedit.exe in the running dialog box and press Enter. Open the Registry Editor, find the "HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/Remote Registry" item, and find the "ImagePath" item of the type "reg_expand_sz, the key value is "% SystemRoot %/system32/svchost-K LocalService" (this is the Service Startup Command seen in the service window ), in addition, there is a key named "servicedll" in the "Parameters" subitem, and its value is "% SystemRoot %/system32/regsvc. DLL, where "regsvc. DLL is the dynamic link library file to be used by the RemoteRegistry Service. In this way, the svchost process can start the service by reading the registry information of the Remote Registry Service.

Because of the importance of svchost, viruses and Trojans try their best to use it and try to confuse users with its characteristics to infect, intrude, and destroy users. How can we determine which virus process is used? The normal svchost.exe file should exist in the "C:/Windows/system32" directory. Be careful if the file appears in other directories.

Tip: You can view the call path of the svchost.exe file through "system information> software environment> running task ".