Comprehensive understanding of Svchost.exe documents

The following article mainly tells you about a comprehensive understanding of the system Svchost.exe files, inadvertently in some anti-virus forum browsing, found that some friends of the system in the Svchost process is not very understanding, see there are many svchost process to think of their own virus, is not. The author often in some anti-virus forum browsing, found that some friends of the system in the Svchost process is not very understanding, see there are many svchost process to think of their own virus, is not. Svchost.exe is an important document of NT core system, which is indispensable for win2000/xp. These svchost processes provide many system services, such as the RPCSS Service (remote Procedure Call), the Dmserver service (Logical Disk Manager), the DHCP service (DHCP client), and so on. If you want to know how many system services are provided by each svchost process, you can view them by entering the "tasklist/svc" command in the WinXP Command Prompt window. Working principle in general, Windows system processes are divided into two separate processes and shared processes. The Svchost.exe file exists in the%SystemRoot%\System32 directory and belongs to the shared process. As Windows system services continue to increase, in order to save system resources, Microsoft has a lot of services are shared way, to the svchost process to start. But the Svchost process serves only as a service host and does not implement any service function, that is, it can only provide the conditions for other services to be started here, and it cannot provide any service to the user. How are these services implemented? Originally, these system services are implemented as dynamic-link libraries (DLLs), which point the executable program to Svchost, and Svchost invoke the corresponding service's dynamic link library to start the service. How does svchost know which dynamic link library A system service should call? This is done through the parameters set by the system service in the registry. Example of a remote Registry service is given below to see how the Svchost process invokes the DLL file. In WinXP, click "Start → run", enter "services.msc" Command, Pop-up Service dialog box, then open the Remote Registry Properties dialog box, you can see the remote Registry Service executable path is "C:\ Windows\system32\svchost-k LocalService "(Figure 1), which shows that the Remote Registry service relies on Svchost to invoke the" LocalService "parameter, The contents of the parameters are stored in the system registry. Enter "Regedit.exe" in the Run dialog box, and open Registry Editor to find the "Hkey_local_machine\system\currentcontrolset\services\remote Registry" item, The "ImagePath" Item of type "REG_EXPAND_SZ" is then found with the key value "%systemroot%\system32\svchost-k LocalService" (which is the service startup command seen in the service window), and the The parameters "subkey" has a key named "ServiceDll" with the value "% systemroot%\system32\regsvc.dll" where "regsvc.dll" is remote Registry The dynamic link library file to be used by the service. This allows the Svchost process to start the service by reading the Remote Registry Service registry information. It is precisely because of the importance of svchost, so viruses, Trojans also try to use it, trying to use its characteristics to confuse users, to achieve infection, invasion, destruction purposes. So how do you know which is the virus process? A normal Svchost.exe file should exist in the "C:\Windows\system32" directory, and be careful if you find that the file appears in a different directory. Hint: The call path to the Svchost.exe file can be viewed through the system information → software environment → running tasks. "Responsible Editor: Sun Chaohua TEL: (010) 68476606" Original: A comprehensive understanding of Svchost.exe files return to network security home