The Svchost.exe Process Explained

Source: Internet
Author: User

Many people are not familiar with the Svchost.exe process. When they see several copies of it in Task Manager (Figure 1 shows six), they assume their computer has a virus or trojan. That is not necessarily so. Windows normally runs several Svchost.exe processes at the same time: Windows 2000 has at least 2, Windows XP more than 4, and Windows 2003 more still. Seeing multiple svchost processes is therefore not by itself a sign of infection.

What is the Svchost.exe process?

The Svchost.exe file lives in the %SystemRoot%\system32 directory (for example C:\Windows\system32). It is a core process of the Windows NT family (Windows 9x does not have it) whose job is to start the various system services. For example, Svchost.exe loads rpcss.dll and starts the RPCSS service (Remote Procedure Call).

Svchost.exe is a generic service host: it provides no service of its own to the user, but it loads the dynamic-link library (DLL) files that implement the corresponding services. A single Svchost.exe process can host several services at once.

How does Svchost start the system service?

Because these system services are implemented as DLLs rather than as standalone executables, their service entries point the executable at Svchost, and Svchost starts a service simply by loading the right DLL. How does Svchost know which DLL to load for a given service? Each service records that information in the registry; when Svchost starts a service it reads the service's registry entries and learns which DLL to load.

Take the Helpsvc (Help and Support) service as an example. In Windows XP, click Start, Run, enter services.msc to open the Services console, then double-click Help and Support to open its Properties dialog. The "Path to executable" field reads C:\Windows\system32\svchost.exe -k netsvcs (Figure 2): the Helpsvc service is started through Svchost with the parameter netsvcs, and what that parameter means is stored in the system registry.

In the Run dialog box, enter regedit.exe and press Enter to open Registry Editor. Locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc. It holds a REG_EXPAND_SZ value named ImagePath whose data is %SystemRoot%\system32\svchost.exe -k netsvcs (the startup command seen in the Services console), and its Parameters subkey holds a value named ServiceDll whose data is %windir%\pchealth\helpctr\binaries\pchsvc.dll. That pchsvc.dll is the DLL in which the Helpsvc service runs. By reading the helpsvc service's registry information, the Svchost process knows which DLL to load to start the service. The group name after -k, here netsvcs, is itself defined under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, where each value lists the services that share one Svchost process.

What services did Svchost start?

To see which system services each svchost process currently provides, use the command prompt. In Windows XP, open a command prompt and run tasklist /svc; in Windows 2000, run tlist -s (tlist comes from the Windows 2000 Support Tools rather than the base installation).

To keep a record of every process in Windows XP, run tasklist /svc > abc.txt at the command prompt. A file named abc.txt is created in the current directory listing all running processes with their image name, PID, and the services each process hosts.

How do I find a problem with the svchost process?

Because the Svchost process loads whatever service DLLs the registry tells it to, viruses and trojans often disguise themselves as system DLLs so that svchost loads them into memory, where they infect and control the computer.

It is recommended to use the process manager in Windows Optimizer Master (downloadable from the System Tools section of PC Pro's download channel, http://download.pcpro.com.cn) to view the executable path of every Svchost process (Figure 3). A genuine svchost.exe lives in C:\Windows\system32; if one runs from any other directory, it may be a virus or trojan and should be checked and dealt with immediately. Note that this check only covers the host executable: a malicious DLL loaded by the genuine svchost.exe shows a perfectly normal path, so the ServiceDll value of each service a process hosts should be checked as well.
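The following PowerShell script is an added example, not code from the original article or from Windows Optimizer Master. It automates the three checks the article walks through by hand: the service, group and ServiceDll resolution shown for helpsvc, the PID-to-service listing that tasklist /svc prints, and the executable-path check above, extended to the hosted DLLs. It assumes Windows 8 or later with PowerShell 5.1 or newer, run from an elevated prompt so that process paths and every registry key are readable, and it treats a Microsoft-signed file under %SystemRoot% as the expected case. The function names and the output fields are the example's own.

```powershell
# Added example (not from the original article): audit running svchost.exe processes
# and the DLLs they host. Assumes an elevated PowerShell 5.1+ prompt on Windows 8+.

$ServicesKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SvchostGroupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# The DLL a service tells svchost to load (Parameters\ServiceDll), as the article
# shows for helpsvc -> pchsvc.dll. $null means the service is a normal .exe service.
function Get-ServiceDll {
    param([Parameter(Mandatory)][string]$ServiceName)
    $p = Get-ItemProperty -Path "$ServicesKey\$ServiceName\Parameters" -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.ServiceDll) { return $null }
    # ServiceDll is REG_EXPAND_SZ: make sure %SystemRoot% / %windir% are expanded
    return [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
}

# The services behind one "-k <group>" argument, read from the Svchost key that
# defines the groups, each paired with its DLL: the full service -> group -> DLL chain.
function Get-SvchostGroup {
    param([Parameter(Mandatory)][string]$Group)
    $members = (Get-ItemProperty -Path $SvchostGroupKey -ErrorAction Stop).$Group
    if (-not $members) { return @() }
    @($members) | ForEach-Object {
        [pscustomobject]@{ Group = $Group; Service = $_; ServiceDll = (Get-ServiceDll -ServiceName $_) }
    }
}

# For every live svchost.exe: is the host binary the one in System32 and validly
# signed, and is each DLL it hosts present, signed, and located under %SystemRoot%?
# A trojan DLL loaded by the genuine svchost.exe passes the host-path check, which
# is why the DLL half matters.
function Test-SvchostProcesses {
    $expectedExe = Join-Path $env:SystemRoot 'System32\svchost.exe'
    # Win32_Service carries the hosting PID: the same join that "tasklist /svc" prints
    $byPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $exe = $proc.Path   # $null when not elevated; reported as a failure, not guessed
        $exeOk = $exe -and ($exe -ieq $expectedExe) -and
                 ((Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid')

        $hosted = @()
        if ($byPid -and $byPid.ContainsKey("$($proc.Id)")) { $hosted = $byPid["$($proc.Id)"] }
        if (-not $hosted) {
            # A svchost hosting no registered service is the "disguised process" case
            [pscustomobject]@{ PID = $proc.Id; Exe = $exe; ExeOk = $exeOk; Service = $null
                               Dll = $null; DllOk = $false; Note = 'no service registered for this PID' }
            continue
        }
        foreach ($svc in $hosted) {
            $dll = Get-ServiceDll -ServiceName $svc.Name
            $dllOk = $false; $note = ''
            if (-not $dll) { $note = 'no ServiceDll value under Parameters' }
            elseif (-not (Test-Path -LiteralPath $dll)) { $note = 'ServiceDll missing on disk' }
            else {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $inWindows = $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
                $dllOk = ($sig.Status -eq 'Valid') -and $inWindows
                if (-not $dllOk) { $note = "signature=$($sig.Status); underSystemRoot=$inWindows" }
            }
            [pscustomobject]@{ PID = $proc.Id; Exe = $exe; ExeOk = $exeOk; Service = $svc.Name
                               Dll = $dll; DllOk = $dllOk; Note = $note }
        }
    }
}

# Usage: list every hosted service that fails a check, one line each ...
Test-SvchostProcesses | Where-Object { -not ($_.ExeOk -and $_.DllOk) } | Format-Table -AutoSize
# ... and the static resolution the article performs by hand, for the netsvcs group.
Get-SvchostGroup -Group netsvcs | Format-Table -AutoSize
```

Treat every line the first command prints as a lead to investigate rather than a verdict: a legitimate third-party service can register a ServiceDll outside %SystemRoot%, a service that is starting or stopping can briefly leave a svchost with no registered service, and a missing exe path usually means the prompt was not elevated. A svchost whose host binary is not the System32 copy, or whose DLL is unsigned and sits in a user-writable directory, is the case the article warns about.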

What if the svchost process can't kill?

If Task Manager cannot end a particular svchost process, you can kill it with the NTSD command as follows:

First find the PID of the svchost process you want to kill. In Windows XP, press Ctrl+Alt+Del to open Task Manager, open the Processes tab, choose View, Select Columns, and tick "PID (Process Identifier)" in the dialog that appears (Figure 4). Back in Task Manager the PID column is now visible (in this example the svchost process to kill has PID 844).

Next, end the process. Click Start, Programs, Accessories, Command Prompt, and at the prompt run ntsd -c q -p 844 to kill the Svchost process with PID 844.

Tips: apart from System, smss.exe and csrss.exe, the NTSD command can kill any system process. Microsoft has shipped the NTSD debugger with Windows since Windows 2000; it attaches to a process with debugger rights, so it can close most system processes, and it is the tool to use when a process cannot be shut down any other way. The command format for killing a process is: ntsd -c q -p xxx

Here xxx is the PID of the process to kill.

ntsd -p xxx opens the process with PID xxx in the debugger.

The -c q parameter runs the debugger command q (quit), which exits the debugger. Because the process being debugged is terminated when the debugger quits, the NTSD command closes the process.

Two caveats: a svchost process that is forced to exit takes every service it hosts down with it, so list those services first with tasklist /svc and expect to lose them; and ntsd.exe is no longer included in Windows Vista and later (it is part of the separately installed Debugging Tools for Windows), where the built-in equivalent is taskkill /F /PID xxx.
