How does svchost start system services?
Because system services are implemented as dynamic link libraries (DLLs), they cannot run as programs on their own; their executable entry points to svchost, so svchost only needs to load the corresponding DLL to start the service. How does svchost know which DLL to load when starting a service? The service records the relevant parameters in the registry. svchost reads a service's registry entries to find out which DLL to load, and then starts the service.
The following describes how svchost starts the helpsvc (Help and Support) service. In Windows XP, click Start, then Run, and enter services.msc to bring up the Services dialog box. Double-click "Help and Support" to open its Properties dialog box. You can see that the path to the executable for the helpsvc service is "C:\WINDOWS\System32\svchost.exe -k netsvcs" (Figure 2). This indicates that helpsvc is implemented by svchost started with the "netsvcs" parameter; the content of that parameter is stored in the system registry.
Enter regedit.exe in the Run dialog box and press Enter to open the Registry Editor. Find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc] and, under it, the value "ImagePath" of type REG_EXPAND_SZ; its data is "%SystemRoot%\System32\svchost.exe -k netsvcs" (this is the service startup command seen in the Services window). In addition, the "Parameters" subkey contains a value named "ServiceDll" whose data is "%WinDir%\pchealth\helpctr\binaries\pchsvc.dll"; pchsvc.dll is the DLL used by the helpsvc service. In this way the svchost process can start the service by reading the registry information for the "helpsvc" service.
What services does svchost start?
To find out which system services each svchost process currently hosts, enter a command at the command prompt. For example, in Windows XP open a Command Prompt and type tasklist /svc; in Windows 2000 enter the tlist -s command.
To obtain detailed information about all processes in Windows XP, open a Command Prompt and type tasklist /svc > abc.txt. A file named abc.txt is generated in the current directory containing the status of all running processes: the process name, the PID, and the services started by each process.
How can I find a problem with the svchost process?
Because svchost can start a variety of services, viruses and Trojans often disguise themselves as system DLL files so that svchost loads them, allowing them to run in memory, infect the system, and control the computer.
We recommend using the Process Manager in "Windows Optimization Master" (available under "System Tools" on the Personal Computer download channel at http://download.pcpro.com.cn) to view the executable path of every svchost process (Figure 3). The legitimate svchost file resides in the "C:\WINDOWS\System32" directory; if you find an svchost whose executable path is in another directory, it may be a virus or Trojan, and you should scan for and remove it immediately.
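As an added example (not from the original article, and not a feature of Windows Optimization Master), the following PowerShell script automates both checks described above on a current Windows system: it walks every running svchost.exe, verifies that its executable lives in System32, and for each service it hosts reads ImagePath and Parameters\ServiceDll from the registry so you can see which DLL svchost loaded and whether it is where it should be. The script is read-only; its output format and helper name are its own, and it assumes an elevated prompt so that every process path is readable.

```powershell
# Added example, not part of the original article. Lists every running svchost.exe,
# checks that its image lives in System32, and for each hosted service reads the
# ImagePath and Parameters\ServiceDll values from the registry, flagging any DLL
# outside the Windows directory. Read-only; run from an elevated prompt so that
# every process path is readable.

$system32 = Join-Path $env:SystemRoot 'System32'

# PID -> hosted services, from the Service Control Manager (the data tasklist /svc shows)
$byPid = Get-CimInstance Win32_Service |
         Where-Object { $_.ProcessId -ne 0 } |
         Group-Object ProcessId -AsHashTable -AsString

function Read-RegValue($Key, $Name) {
    # Returns $null instead of throwing when the key or value is absent
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $path = try { $proc.Path } catch { $null }      # $null when access is denied
    $pathOk = $path -and ($path -ieq (Join-Path $system32 'svchost.exe'))
    '{0,6}  {1}  {2}' -f $proc.Id, $(if ($pathOk) { 'OK  ' } else { 'WARN' }),
                         $(if ($path) { $path } else { '<access denied>' })

    foreach ($svc in @($byPid["$($proc.Id)"])) {
        if (-not $svc) { continue }
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $imagePath  = Read-RegValue $key 'ImagePath'
        # ServiceDll normally sits under Parameters; a few services keep it on the service key itself
        $serviceDll = Read-RegValue "$key\Parameters" 'ServiceDll'
        if (-not $serviceDll) { $serviceDll = Read-RegValue $key 'ServiceDll' }
        $dll = [Environment]::ExpandEnvironmentVariables("$serviceDll")

        $hostOk = $imagePath -match '\\svchost\.exe'            # ImagePath should point at svchost
        $dllOk  = $dll -and ($dll -like "$env:SystemRoot\*") -and (Test-Path -LiteralPath $dll)
        '        {0,-5} {1,-28} {2}' -f $(if ($hostOk -and $dllOk) { 'ok' } else { 'CHECK' }), $svc.Name, $dll
    }
}
```

A WARN on the process line means the svchost image is not the one in System32; a CHECK on a service line means its ServiceDll is missing, outside the Windows directory, or the service's ImagePath does not name svchost, each of which deserves a closer look.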
What should I do if the svchost process cannot be killed?
If an svchost process cannot be closed from Task Manager, you can use the ntsd command to kill it, as follows:
First, find the PID of the svchost process to be killed. In Windows XP, press Ctrl+Alt+Del to open Task Manager, click the "Processes" tab, then "View" and "Select Columns". In the window that appears (Figure 4), check "PID (Process Identifier)" and return to Task Manager to read the PID. In this example, the PID of the svchost process to be killed is 844.
Next, close the process. Click Start, Programs, Accessories, Command Prompt, and at the prompt enter ntsd -c q -p 844 to kill the svchost process whose PID is 844.
TIPS: apart from the System, SMSS.EXE and CSRSS.EXE processes, the ntsd command can kill any system process. Microsoft has shipped ntsd since Windows 2000. Running this command gives you debug privileges on the system, so it can be used to close most system processes; if you encounter a process that cannot be closed, use this command. The command format for killing a process is ntsd -c q -p xxx.
Here xxx is the PID of the process to be killed;
ntsd -p xxx opens the process with PID xxx in the debugger;
the -c q parameter passes the q (quit) command to the debugger, which exits. Because the debugged process is terminated when the debugger that opened it closes, the ntsd command ends the process.