SVChost Tutorial
by Aeon
Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). The
Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to
construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time.
Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is
started. This allows for better control and debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group, and represents one instance of Svchost.exe. Each value is a REG_MULTI_SZ value
and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names, which are extracted from the
following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<service>
If you go to Start --> Run and type command (XP) or cmd (Win2k), you can find out what the svchost.exe files correspond to.
(Windows XP) Once you have the command line up, type Tasklist /SVC.
(Windows 2K) Tasklist does NOT work in Windows 2K!
Use Tlist.exe from the Windows 2000 Diagnostics Tools CD-ROM: the syntax is tlist -s at the command prompt.
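The following is an added example, not part of the original tutorial: it parses saved Tasklist /SVC output (including service lists that wrap onto a second line), maps each svchost.exe PID to the Svchost group its services belong to, and reports any hosted service that appears in no group so its ServiceDLL value can be checked. The sample output, the group table (a stand-in for the REG_MULTI_SZ values under the Svchost key) and the function names are all constructed for illustration.

```python
import re

# Constructed sample of `tasklist /SVC` output (not captured from a real host).
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    856 DcomLaunch, TermService
svchost.exe                   1024 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                   lanmanserver, Schedule
svchost.exe                   1310 ExampleSvc
spoolsv.exe                   1500 Spooler
"""

# Constructed stand-in for the REG_MULTI_SZ values under the Svchost key.
SAMPLE_GROUPS = {
    "DcomLaunch": ["DcomLaunch", "TermService"],
    "netsvcs": ["AudioSrv", "CryptSvc", "Dhcp", "EventSystem",
                "lanmanserver", "Schedule", "Themes"],
}

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, services

def split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}, joining wrapped service lines."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("="))
    procs, current = {}, None
    for line in lines[ruler + 1:]:
        m = ROW.match(line)
        if m:                                       # a new process row
            current = int(m.group(2))
            procs[current] = (m.group(1), split_services(m.group(3)))
        elif line.strip() and current is not None:  # wrapped service list
            procs[current][1].extend(split_services(line))
    return procs

def svchost_report(procs, groups):
    """Map each svchost.exe PID to (groups matched, services in no group)."""
    owner = {s.lower(): g for g, svcs in groups.items() for s in svcs}
    report = {}
    for pid, (image, services) in procs.items():
        if image.lower() == "svchost.exe":
            matched = sorted({owner[s.lower()] for s in services if s.lower() in owner})
            report[pid] = (matched, [s for s in services if s.lower() not in owner])
    return report

if __name__ == "__main__":
    for pid, row in svchost_report(parse_tasklist_svc(SAMPLE_TASKLIST), SAMPLE_GROUPS).items():
        print(pid, row)
```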