Uncover the mystery of SVCHOST.EXE process

zhaozj 2021-02-16

Time: 2004-7-2 | Document type: Reprinted from: NEW YORK

Svchost.exe is a very important process in the NT-kernel family of Windows systems; Windows 2000 and XP cannot run without it. Many viruses and Trojans also call it, so understanding this program in depth is one of the compulsory courses for anyone studying the system. Everyone is familiar with the Windows operating system, but have you noticed the "svchost.exe" file in the system? Careful readers will find several "svchost" processes in Windows (press "Ctrl+Alt+Del" to open the Task Manager and look in the "Processes" tab). Why is that? Let's lift its mysterious veil.

In the Windows family built on the NT kernel, different versions of Windows show different numbers of "svchost" processes, and users can count them in the Task Manager. In general, Win2000 has two svchost processes and WinXP has four or more (if a later system shows many such processes, do not immediately conclude that there is a virus in the system); Win2003 Server has even more. These svchost processes host a large number of system services, such as the RPCSS service, the DMSERVER service and the DHCP service (DHCP Client). If you want to know how many system services each svchost process provides, enter the "tlist -s" command in a Win2000 command prompt window (tlist is provided by the Win2000 Support Tools), or use the "tasklist /svc" command in WinXP.

To understand why one svchost can contain several services, we have to go a level deeper: Windows system processes are divided into independent processes and shared processes. The "svchost.exe" file lives in the "%systemroot%\system32" directory and is a shared process. As the number of Windows system services kept growing, Microsoft, in order to save system resources, packaged many services as shared services and had them started by the svchost.exe process.

However, the svchost process is only a service host: it does not implement any service function itself. It merely provides the conditions for other services to be started inside it and cannot provide any service to users on its own. How, then, are these services implemented? It turns out that the system services are implemented in dynamic link libraries (DLLs). Each such service points its executable at svchost, and svchost then loads the service's DLL to start the service. How does svchost know which DLL a given system service needs? This is achieved through parameters that the service sets in the registry. Take the RPCSS (Remote Procedure Call) service as an example. Its startup parameters show that the service is started by svchost. Using Windows XP as the instance: click "Start" / "Run", enter the "services.msc" command to open the Services dialog, then open the Properties dialog of Remote Procedure Call; there you can see the executable path of the RPCSS service, "C:\Windows\System32\svchost -k rpcss". This means that the RPCSS service is implemented by svchost invoked with the "rpcss" parameter, and the content of that parameter is stored in the system registry.
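The "-k" group parameter and the per-service DLL registration described above can be walked from the registry directly. The PowerShell script below is an added example, not code from the original article: it lists every svchost group with the services it hosts and the DLL each service loads, and flags any service DLL that is outside %SystemRoot% or missing on disk, which is the check a defender wants before trusting a svchost instance seen in "tasklist /svc". It assumes the standard registry locations (the Svchost key holding group-to-service lists, and each service's Parameters\ServiceDll value), which the article does not name.

```powershell
# Added example (not from the original article): enumerate the svchost service
# groups from the registry, resolve the DLL each hosted service loads, and flag
# any service DLL that does not live under %SystemRoot% or does not exist.
# Assumes the standard registry locations (group -> service names, and each
# service's Parameters\ServiceDll value) rather than anything from the article.
$groupKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot = [Environment]::ExpandEnvironmentVariables('%SystemRoot%')

function Get-SvchostGroupServices {
    # Each REG_MULTI_SZ value under the Svchost key is one "-k" group name and
    # lists the services that share that svchost.exe instance.
    $item = Get-Item -Path $groupKey
    foreach ($group in $item.GetValueNames()) {
        $services = $item.GetValue($group)
        if ($services -isnot [string[]]) { continue }   # not a group list
        foreach ($svc in $services) {
            $svcPath = Join-Path $serviceKey $svc
            $image = (Get-ItemProperty -Path $svcPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            $dll = (Get-ItemProperty -Path "$svcPath\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            $dllExpanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            [pscustomobject]@{
                Group      = $group
                Service    = $svc
                ImagePath  = $image
                ServiceDll = $dllExpanded
            }
        }
    }
}

function Test-ServiceDllLocation {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        # A hosted service DLL is expected under %SystemRoot%; a DLL elsewhere,
        # or one that is registered but missing on disk, deserves a closer look.
        $flag = $false
        if ($Entry.ServiceDll) {
            if (-not $Entry.ServiceDll.StartsWith($systemRoot, 'OrdinalIgnoreCase')) { $flag = $true }
            elseif (-not (Test-Path -LiteralPath $Entry.ServiceDll)) { $flag = $true }
        }
        $Entry | Add-Member -NotePropertyName Flagged -NotePropertyValue $flag -PassThru
    }
}

Get-SvchostGroupServices | Test-ServiceDllLocation |
    Sort-Object Group, Service |
    Format-Table Group, Service, Flagged, ServiceDll -AutoSize
```

Run it from an elevated prompt so every service key is readable; a row with Flagged set to True is a starting point for investigation, not proof of infection by itself.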

Please credit the original URL when reposting: https://www.9cbs.com/read-14793.html
