Svchost Process Introduction

Source: Internet
Author: User
I opened the task manager today and found that 11 svchost.exe processes have network services, local services, and system services. My system is "Windows tomato garden 2003" and I think it is not a problem. I immediately checked the information, and now I will share my knowledge about the svchost process with my friends who support it.

Svchost.exe is a very important process of NT-core systems and is indispensable on Windows 2000 and XP. Many viruses and Trojans also make use of it. Therefore, learning more about this program is one of the required courses for anyone who plays with computers.

Everyone is familiar with the Windows operating system, but what about the svchost.exe file in it? Careful users will find that there are multiple "svchost" processes in Windows (press CTRL + ALT + DEL to open Task Manager and look at the "Processes" tab). Why? Let's unveil its secret.

In the NT kernel-based Windows operating system family, different versions of Windows have different numbers of "svchost" processes. You can use Task Manager to view the number of processes. In general, Win2000 has two svchost processes, WinXP has four or more, and Win2003 Server has more still, so seeing several such processes in the system is no reason to conclude immediately that the system has a virus. These svchost processes provide many system services, such as Remote Procedure Call, Logical Disk Manager (dmserver), and DHCP Client.

To learn how many system services each svchost process provides, enter the "tlist -s" command in the Win2000 Command Prompt window. This command is provided by the Win2000 Support Tools. In WinXP, run the "tasklist /svc" command.

A single svchost process can host multiple services. Windows system services run in one of two modes: independent process and shared process. The svchost.exe file is stored in the "%SystemRoot%\System32" directory and belongs to the shared-process mode.
As the number of Windows system services grew, Microsoft made many services share the svchost.exe process to save system resources. But the svchost process only acts as a service host and does not implement any service function itself. That is, it only provides the conditions for other services to be started inside it, and it cannot provide any service to users on its own.

How are these services implemented? These system services are implemented as dynamic link libraries (DLLs). Each service points its executable path at svchost, and svchost calls the dynamic link library of the corresponding service to start it. So how does svchost know which dynamic link library a given system service needs? This is determined by the parameters that the system service sets in the registry. The following uses the Remote Procedure Call (RPCSS) service as an example to explain how svchost starts a service from its startup parameters.

Take Windows XP as an example. Click Start > Run and enter the "services.msc" command to bring up the Services window, then open the properties dialog box of "Remote Procedure Call". You can see that the path of the executable file of the RPCSS service is "C:\windows\system32\svchost -k rpcss", which indicates that the RPCSS service relies on svchost, called with the "rpcss" parameter, while the content of that parameter is stored in the system registry.

Enter "regedit.exe" in the Run dialog box and press Enter to open the Registry Editor. Find the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs] key and locate the "ImagePath" value of type "REG_EXPAND_SZ". Its data is "%SystemRoot%\system32\svchost -k rpcss" (this is the service startup command seen in the Services window). In addition, the "Parameters" subkey holds a value named "ServiceDll" whose data is "%SystemRoot%\system32\rpcss.dll", where "rpcss.dll" is the dynamic link library file used by the RPCSS service.
In this way, the svchost process can start the service by reading the registry information of the "RPCSS" service.

Because the svchost process starts so many services, viruses and Trojans do their best to exploit it, using its characteristics to confuse users in order to infect, intrude, and cause damage (for example, the "shock wave" variant virus W32.Welchia.Worm). However, it is normal for Windows to have multiple svchost processes. So on an infected machine, which one is the virus process? Here is only one example.

Suppose Windows XP is infected with W32.Welchia.Worm. The normal svchost file exists in the "C:\WINDOWS\System32" directory. Be careful if the file appears in any other directory. The W32.Welchia.Worm virus resides in the "C:\WINDOWS\system32\wins" directory. Therefore, checking the executable file path of each svchost process with a process manager makes it easy to detect whether the system is infected. The Task Manager in Windows cannot show the process path, but third-party process management software, such as the process manager of "Windows optimization master", lets you easily view the executable file paths of all the svchost processes. Once an execution path is found to be unusual, you should investigate and deal with it immediately.
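The path check and the registry lookup described above can be combined into one audit. The following PowerShell script is an added example, not part of the original article: it lists every svchost.exe process, compares its executable path with %SystemRoot%\System32\svchost.exe, and shows each hosted service with the ServiceDll read from its "Parameters" subkey. It assumes PowerShell 3.0 or later and an elevated prompt; the function name Get-ServiceDll and the verdict strings are chosen for this example.

```powershell
# Added example (not from the original article): audit every svchost.exe process.
# Assumes PowerShell 3.0+ (Get-CimInstance); run elevated so ExecutablePath is readable.
$expected    = Join-Path $env:SystemRoot 'System32\svchost.exe'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services    = Get-CimInstance -ClassName Win32_Service

function Get-ServiceDll([string]$ServiceName) {
    # ServiceDll is read from the service's "Parameters" subkey, as shown for RPCSS.
    $key = Join-Path (Join-Path $servicesKey $ServiceName) 'Parameters'
    $p = Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue
    if ($p) { $p.ServiceDll } else { '(no ServiceDll value)' }
}

$report = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $proc = $_
        $path = $proc.ExecutablePath      # $null when the caller lacks access
        if (-not $path) {
            $verdict = 'UNKNOWN (run elevated)'
        } elseif ($path -ieq $expected) {
            $verdict = 'OK'
        } else {
            $verdict = 'REVIEW: not the System32 copy'
        }
        # Services hosted by this process, each with the DLL svchost loads for it.
        $hosted = $services | Where-Object { $_.ProcessId -eq $proc.ProcessId } |
            ForEach-Object { '{0} -> {1}' -f $_.Name, (Get-ServiceDll $_.Name) }
        [pscustomobject]@{
            PID         = $proc.ProcessId
            Verdict     = $verdict
            Path        = $path
            CommandLine = $proc.CommandLine    # shows the "-k <group>" argument
            Services    = $hosted -join '; '
        }
    }

$report | Sort-Object Verdict, PID | Format-List
```

A REVIEW verdict is a lead to investigate rather than proof of infection; on 64-bit Windows a 32-bit copy of svchost.exe also ships in %SystemRoot%\SysWOW64. The Services column is worth reading even when the path is OK, because a service DLL in an unexpected location is loaded by the genuine svchost.exe.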
