Svchost.exe is a very important process in the Windows operating system based on ntversions. Many viruses and Trojans reside in the system and are closely related to this process. Therefore, it is necessary to have a deep understanding of this process. This article describes the functions of the svchost process and its knowledge.
Svchost Process Overview
Microsoft defines "svchost process" as: svchost.exe is the name of the common host process of the Service running from the dynamic link library (DLL. The svchost.exe file is located in the "% SystemRoot %/system32" folder. When the system starts, svchost checks the service section in the Registry to build a list of services to be loaded. Multiple instances of svchost can run simultaneously. Each svchost session can contain a set of services to run different services based on the svchost Startup Mode and location. This allows for better control and debugging.
The svchost group is identified by the registry [HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/svchost. Each value under this registry key represents a separate svchost group and is displayed as a separate instance when we view the active process. The key values here are of the reg_multi_sz type and contain the name of the Service running in the svchost group (1 ).
In fact, svchost serves only as the service host and does not implement any functions. If you need to use svchost to start a service implemented in the form of a DLL, the loader of the DLL points to SVCHOST. when starting the service, svchost calls the DLL of the Service to start the service. The DLL file that uses svchost to start a service is determined by the parameters in the registry. Each registry key that needs to start the service has a "Parameters" subitem, the "servicedll" key value indicates which DLL file is responsible for the service, and this DLL file must export a servicemain () function to support processing service tasks.
Tip: different versions of Windows have different numbers of svchost processes. In general, Windows 2000 has two svchost processes, while Windows XP has four or more svchost processes.
Svchost process example
To view the list of services running in svchost, enter the "tasklist/svc" command in the Windows XP Command Prompt window and press enter to run the command (If Windows 2000 is used, you can use the tlist tool provided by support tools. The command is "tlist-s "). The tasklist command displays the list of active processes, and the/svc command switch specifies to display the list of active services in each process. As you can see, the svchost process starts many system services, such as Remote Procedure Call, DHCP client, and netman.
Connections) services and so on (2 ).
Here we take the RPCSS Service as an example to learn more about the relationship between the svchost process and the service. Run regedit, open registry editor, and expand [HKEY_LOCAL_MACHINE/System
CurrentControlSet/services/RPCSS] branch. In the parameters subitem, there is a key named "servicedll" with the value "% SystemRoot %/system32/RPCSS. dll ". This indicates that when the system starts the RPCSS Service, it calls the RPCSS. dll dynamic link library file under the "% SystemRoot %/system32" directory.
Next, double-click "Administrative Tools> Services" from the Control Panel to open the service console. In the right pane, double-click the Remote Procedure Call (RPC) service item to open its properties dialog box. You can see that the path of the RPCSS executable file is "C: /Windows/system32/svchost-k rpcss ", which indicates that the RPCSS is started by SVCHOST."-k rpcss "indicates that this service is included in the RPCSS Service Group of SVCHOST.
Svchost process Trojan Analysis
We have learned from the previous introduction that, in the branch of the registry [HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/current-version/svchost, stores the groups started by svchost and various services in the group. Many Trojans and viruses use this to automatically load the data. Their common methods include:
• Add a new group and a service name to the group;
• Add a service name to an existing group or use an uninstalled service from the existing group;
• Modify the service in an existing group and point its servicedll to its own DLL file.
For example, portless backdoor is a typical backdoor tool loaded using the svchost process. How can we detect and clear Trojans and viruses like portless backdoor? Take Windows XP as an example. First, we can use a process tool such as "process spyware" to view the module information in the svchost process (3) and compare it with the previous module information, the svchost process contains a suspicious DLL file "svchostdll. DLL ". In the "Administrative Tools> Services" list, a new service "Intranet services" (display name) is displayed. The service name is iprip, started by svchost, and "-K
Netsvcs indicates that this service is included in the netsvcs Service Group.
Tip: in Windows 2000, the system's iprip service listens for route update information sent by a router that uses the routing information Protocol Version 1 (r00001, the name displayed in the service list is "Rip listener ".
Run regedit, open registry editor, and expand [HKEY_LOCAL_MACHINE/system/CurrentControlSet
Services/iprip] branch, view its "Parameters" subitem, where the "servicedll" key value points to the called DLL file path and full name, which is the backdoor DLL file. After knowing this, you can clear it by right-clicking the "Intranet services" service in the service list and selecting "stop" from the menu ", then, delete the "iprip" entry in the Registry branch. Restart the computer and delete the main file of the backdoor program according to the location indicated by the "servicedll" key value. The reader should be reminded that the registry should be backed up before modification so that the registry can be restored in time when an error occurs.