How to fully understand the svchost process of the Operating System

Many workers do not know much about the svchost.exe process. Sometimes, once you see multiple processes in the Task Manager (six in Figure 1), you will think that your computer is infected with viruses or Trojans, this is not the case! Normally, multiple svchost.exe processes can run simultaneously in windows. For example, Windows 2000 has at least two svchost processes, Windows XP has more than four, and Windows 2003 has more. So when you see multiple svchost processes, not necessarily a virus!

What is the svchost.exe process?

The svchost.exe file exists in the "% system root % \ System32" Directory (for example, c: \ windows \ system32). It is an important process of Windows NT core (Windows 9x does not have this process ), it is dedicated to starting various services for the system. For example, if svchost.exe calls the RPCSS. dll file, the RPCSS Service (Remote Procedure Call) is started ).

Svchost.exe is actually a service host. It does not provide users with any services, but it can be used to run dynamic link library DLL files to start the corresponding services. The svchost.exe process can start multiple services at the same time.

How does svchost start system services?

Because system services are implemented in the form of dynamic link library (DLL), they can executeProgramPoint to svchost, so svchost only needs to call a dynamic link library to start the corresponding service. How does svchost know which dynamic link library should be called when starting a service? Because system services have set relevant parameters in the registry, svchost can know which dynamic link library should be called by reading the information of a service in the Registry to start the service.

The following describes how svchost starts the helpsvc (Help and Support) service. In Windows XP, click Start and run, and enter services. run the "MSC" command to bring up the service dialog box. Double-click to open the "Help and Support" service attribute dialog box. You can see that the path of the executable file of the helpsvc service is "C: \ windows \ system32 \ svchost.exe-K netsvcs "(2) indicates that the helpsvc service is implemented by svchost calling the" netsvcs "parameter, the parameter content is stored in the system registry.

Enter regedit.exe in the running dialog box and press Enter. Open the Registry Editor, find the [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ helpsvc] item, and find the key "magepath" of the type "reg_expand_sz ", the key value is "% SystemRoot % \ system32 \ svchost.exe-K netsvcs" (this is the Service Startup Command seen in the service window ), in addition, there is a key named "servicedll" in the "Parameters" subitem, and its value is "% WinDir % \ pchealth \ helpctr \ binaries \ pchsvc. DLL, where "pchsvc. DLL is the dynamic link library file to be used by the helpsvc service. In this way, the svchost process can start the service by reading the "helpsvc" service registry information.

What services does svchost start?

If you want to know which system services are currently provided by each svchost process, you can enter a command at the command prompt to view them. For example, in Windows XP, open a "command prompt" and type the tasklist/svc command to view the information. in Windows 2000, enter the "tlist-s" command to view the information.

If you want to obtain detailed information about all processes in Windows XP, open a "command prompt" and type tasklist/svc> abc.txt command. In the current directory, an abc.txt file will be generated, the content is the status of all processes currently running, such as the process name, PID Number, and services started by the process.

How can I find a problem with the svchost process?

Because the svchost process can start various services, viruses and Trojans are often disguised as system DLL files so that svchost can call them to run, infect, and control the computer in the memory.

We recommend that you use the "Windows optimization master" Process Manager (you can go to the personal computer download ChannelHttp://download.pcpro.com.cnTo view the path of the execution file of all svchost processes (3). The normal svchost file should exist in the "C: \ WINDOWS \ System32" directory, if you find that the execution path is in another directory, it may be infected with viruses or Trojans. You should immediately detect and process them.

What should I do if the svchost process cannot be killed?

If some svchost processes cannot be closed in the task manager, you can use the ntsd command to kill them as follows:

First, you need to know the svchost process to be killed. What is its PID? In Windows XP, press CTRL + ALT + DEL to open the task manager, click "process tab", "View", and "Select column". In the displayed window (figure 4 ), select "PID (process identifier)" and return to the task manager to view the PID. For example, the pid of the svchost process to be killed is 844 ).

Next, close the process. Click Start, program, attachment, and command prompt. at the command prompt, enter the ntsd-C q-P 844 command to kill the svchost process (PID is 844 ).

TIPS: apart from the system, SMSs. EXE, and CSRSS. EXE processes, the ntsd command can kill any system process. Microsoft has provided ntsd since Windows 2000. After executing this command, you can obtain the debug permission of the system. Therefore, it can be used to close most system processes, if you encounter a process that cannot be closed, you can use this command. The command format for killing a process is ntsd-C q p XXX.

The above XXX is the PID of the process to be killed;

Ntsd p xxx indicates opening a process in the debugger (PID is XXX );

The-C q parameter indicates that the debugger is exited. After the debugger is closed, the opened process exits with the debugger, so the ntsd command can close the process.