Uncovering the mystery of the SVCHOST.EXE process

xiaoxiao, 2021-03-06

Observation

In the NT-based Windows family, different versions show different numbers of "svchost.exe" processes when you look in Task Manager. Windows 2000 normally has two; Windows XP has four or more (later systems have many more still, so a high count by itself is not evidence of a virus); Windows Server 2003 has more again. These svchost processes host a large share of the system's services, for example the RPCSS service (Remote Procedure Call), the dmserver service (Logical Disk Manager) and the DHCP Client service.

To see which services each svchost process hosts, run "tlist -s" at a Windows 2000 command prompt (tlist ships with the Windows 2000 Support Tools), or "tasklist /svc" on Windows XP and later.

A single svchost process can host multiple services.

Going deeper

Windows services run either in a process of their own or in a shared process. The file "svchost.exe" lives in the "%SystemRoot%\System32" directory and is the generic shared-process host. As the number of Windows services grew, Microsoft moved many of them into DLLs that are loaded and run by svchost.exe, to save system resources. svchost.exe itself is only a service host: it implements no service logic of its own, but provides the process in which other services are started, so on its own it offers the user nothing. How, then, are these services implemented?

The services are implemented in dynamic link libraries (DLLs). Each such service's executable path points at svchost.exe, and svchost.exe loads the service's DLL and calls into it to start the service. How does svchost know which DLL a given service lives in? Through parameters the service sets in the registry. The RPCSS (Remote Procedure Call) service serves as the example below.

The start-up parameters show that the service is started by svchost.

Example

On Windows XP, click Start, then Run, type "services.msc" and press Enter to open the Services console. Open the properties of the Remote Procedure Call (RPC) service: the path to the executable reads "C:\Windows\System32\svchost -k rpcss". This means the RPCSS service is provided by svchost.exe started with the parameter "rpcss", and what that parameter refers to is stored in the registry.

Type "regedit.exe" in the Run dialog and press Enter to open Registry Editor, then go to the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS]. Its value "ImagePath" (type REG_EXPAND_SZ) holds "%SystemRoot%\system32\svchost -k rpcss", the same start command shown in the Services console. In the "Parameters" subkey there is a value named "ServiceDll" whose data is "%SystemRoot%\system32\rpcss.dll"; rpcss.dll is the dynamic link library that implements the RPCSS service. The group name given after "-k" is resolved under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost], where each value is a group name whose REG_MULTI_SZ data lists the services belonging to that group. So a svchost process started with "-k rpcss" reads the group's service list, then each listed service's own registry information, and loads the named ServiceDll to start the service.

Confusion

Because svchost.exe hosts so many services, viruses and trojans try to exploit it as well, using its characteristics to confuse users and so achieve infection, intrusion and damage; the Blaster variant W32.Welchia.Worm is one example. Multiple svchost processes on a Windows system are entirely normal, so on an infected machine, which one is the virus process? Here is one example.

Suppose a Windows XP system is infected with W32.Welchia.Worm. The genuine svchost.exe lives in the "C:\Windows\System32" directory; a file of that name found in any other directory deserves scrutiny. W32.Welchia.Worm drops its copy in the "C:\Windows\System32\wins" directory, so the infected process is easily found by looking at the executable path of each svchost process. The Task Manager that ships with Windows XP cannot show a process's path, so use a third-party process viewer, for example the process manager in "Windows Optimization Master" or Sysinternals Process Explorer, which lists the path of every svchost process; any svchost whose path is not "C:\Windows\System32" should be examined immediately. On Windows XP Professional and later, the command "wmic process where name='svchost.exe' get ProcessId,ExecutablePath" lists the same information without extra tools.
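The checks described in the Example section (the "-k" group, the Svchost registry key, ImagePath and Parameters\ServiceDll) and in this section (the path of each svchost process) can be scripted. The following PowerShell script is an added example written for this page, not code from the original article or from any tool it mentions. It assumes a Windows 7 SP1 or later host with PowerShell 5.1, an elevated session (otherwise the path of SYSTEM processes is not readable), and that "%SystemRoot%\System32\svchost.exe" (plus the SysWOW64 copy on 64-bit Windows) are the only legitimate host binaries; the function names and the issue strings are this example's own choices.

```powershell
# Added example, not code from the original article: triage every svchost.exe on
# the local host. For each process it checks the image path, extracts the -k
# group from the command line, lists the services actually running inside it
# (Win32_Service.ProcessId, the same mapping "tasklist /svc" shows), confirms each
# is a registered member of that group in the Svchost registry key, and reads the
# service's Parameters\ServiceDll, flagging DLLs that are not under System32.
# Assumes Windows 7 SP1 or later, PowerShell 5.1 or later, run elevated.

$SystemRoot  = $env:SystemRoot
$System32    = Join-Path $SystemRoot 'System32'
$KnownHosts  = @((Join-Path $System32 'svchost.exe'), (Join-Path $SystemRoot 'SysWOW64\svchost.exe'))
$GroupKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostGroup([string]$CommandLine) {
    # services.exe always starts svchost as "...\svchost.exe -k <group> [...]".
    if ($CommandLine -match '(?i)\s-k\s+"?([^\s"]+)') { return $Matches[1] }
    return $null
}

function Get-GroupMembers([string]$Group) {
    # Each value under the Svchost key is a group name; its REG_MULTI_SZ data
    # lists the service names that "svchost -k <group>" is allowed to host.
    if ([string]::IsNullOrEmpty($Group)) { return @() }
    $key = Get-Item -Path $GroupKey -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    $data = $key.GetValue($Group)
    if ($null -eq $data) { return @() }
    return @($data)
}

function Get-ServiceDll([string]$ServiceName) {
    # Parameters\ServiceDll is REG_EXPAND_SZ, e.g. %SystemRoot%\system32\rpcss.dll
    $params = Join-Path (Join-Path $ServicesKey $ServiceName) 'Parameters'
    $raw = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

# Running services, keyed later by the PID they live in.
$allServices = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $group   = Get-SvchostGroup $proc.CommandLine
    $members = Get-GroupMembers $group
    $hosted  = @($allServices | Where-Object { $_.ProcessId -eq $proc.ProcessId })

    $issues = New-Object System.Collections.Generic.List[string]
    # 1. The image must be the real host binary, not e.g. System32\wins\svchost.exe.
    if ([string]::IsNullOrEmpty($proc.ExecutablePath)) {
        $issues.Add('path not readable (run elevated)')
    } elseif ($KnownHosts -notcontains $proc.ExecutablePath) {
        $issues.Add("unexpected path: $($proc.ExecutablePath)")
    }
    # 2. A svchost without -k has no group to host; services.exe never starts it that way.
    if ($null -eq $group) { $issues.Add('no -k group on command line') }
    # 3. Every hosted service should be a registered member of the declared group
    #    and its ServiceDll should live under System32.
    foreach ($svc in $hosted) {
        if ($members -notcontains $svc.Name) { $issues.Add("$($svc.Name) not in group $group") }
        $dll = Get-ServiceDll $svc.Name
        if ($null -eq $dll -or -not $dll.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)) {
            $issues.Add("$($svc.Name) ServiceDll: $dll")
        }
    }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Path     = $proc.ExecutablePath
        Group    = $group
        Services = ($hosted.Name -join ',')
        Issues   = ($issues -join '; ')
    }
}

$report | Sort-Object PID | Format-Table -AutoSize -Wrap
```

A row with an empty Issues column is a svchost that looks the way the registry says it should; anything else is a starting point for a closer look, not a verdict, since a third-party product may legitimately register a service DLL outside System32. On Windows 10 version 1703 and later with more than 3.5 GB of RAM, services are split into separate svchost processes by default, so the process count is far higher than on XP; the checks above are per process and do not depend on the count.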

Please credit the original URL when reposting: https://www.9cbs.com/read-120859.html
