Comprehensive understanding of the SVCHOST.EXE file in the system

xiaoxiao2021-03-06  41

While browsing anti-virus forums, the author has often noticed that some people do not know much about the svchost process shown in Task Manager, and assume they have a virus when they see many svchost processes running.

Svchost.exe is a very important file on NT-kernel systems and is indispensable on Windows 2000/XP. These svchost processes host many system services, such as the RPCSS service, the dmserver service (Logical Disk Manager), the DHCP service (DHCP Client), and more.

If you want to know which system services are hosted in each svchost process, run the "tasklist /svc" command in a Windows XP command prompt window.

Working principle

In general, Windows system processes are divided into standalone processes and shared processes. The svchost.exe file is located in the %SystemRoot%\System32 directory and belongs to the shared-process category.

As the number of Windows system services has grown, Microsoft has implemented many of them as libraries that are launched inside a svchost process in order to save system resources. However, svchost only acts as a service host and implements no service function itself: it provides the conditions for other services to start inside it, but on its own it cannot provide any service to users.

How are these services implemented, then? Each system service is implemented in a dynamic link library (DLL); the service's executable path points to svchost, and svchost loads and calls that DLL to start the service.

How does svchost know which DLL to call for a given system service? This is determined by the parameters the system service registers in the registry.

Specific example

Let's take a look at how the svchost process calls a DLL file, using a concrete example. In Windows XP, click "Start → Run", enter the "services.msc" command, and the Services dialog box appears. Open the properties dialog of the Remote Registry service, and you can see that the path to the executable of the Remote Registry service is "C:\Windows\System32\svchost -k LocalService" (Figure 1). This shows that the Remote Registry service is implemented by svchost with the "LocalService" parameter, and the content of that parameter is stored in the system registry.

Enter "regedit.exe" in the Run dialog to open the Registry Editor, and find the "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteRegistry" key. There you will find the "ImagePath" value, of type "REG_EXPAND_SZ", whose data is "%SystemRoot%\System32\svchost -k LocalService" (this is the service launch command you see in the Services window), and in the "Parameters" subkey a value named "ServiceDll" whose data is "%SystemRoot%\System32\regsvc.dll". "regsvc.dll" is the dynamic link library file used by the Remote Registry service. In this way the svchost process can start the service by reading the "RemoteRegistry" service's registry information.
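The registry look-up described above can be automated. The following PowerShell function is an added example, not code from the original article; it assumes PowerShell 5.1 or later on a current Windows, and uses the standard value names the text describes (ImagePath, Parameters\ServiceDll) plus the service-group list that svchost itself consults under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. It also reports whether the DLL exists, lives under System32 and carries a valid signature, which is what a defender wants to know when a svchost-hosted service looks unfamiliar.

```powershell
# Added example, not code from the original article. Assumes PowerShell 5.1+
# on a current Windows; value names (ImagePath, ServiceDll) and the Svchost
# group key are the standard ones the article describes.

function Get-SvchostServiceInfo {
    [CmdletBinding()]
    param(
        # Registry key name of the service, e.g. RemoteRegistry (not the display name)
        [Parameter(Mandatory)][string]$ServiceName
    )

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $svcKey)) {
        throw "Service key not found: $svcKey"
    }

    # ImagePath is REG_EXPAND_SZ; expand %SystemRoot% etc. explicitly so the
    # result does not depend on how the value was read.
    $imagePath = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty -LiteralPath $svcKey -Name ImagePath -ErrorAction Stop).ImagePath)

    # A svchost-hosted service has "svchost.exe -k <group>" as its image path.
    $group = $null
    if ($imagePath -match '(?i)svchost(\.exe)?\s+-k\s+(\S+)') { $group = $Matches[2] }

    # The code implementing the service is the DLL named in Parameters\ServiceDll.
    $serviceDll = $null
    $paramKey = Join-Path $svcKey 'Parameters'
    if (Test-Path -LiteralPath $paramKey) {
        $raw = (Get-ItemProperty -LiteralPath $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($raw) { $serviceDll = [Environment]::ExpandEnvironmentVariables($raw) }
    }

    # svchost only loads services listed in its group (REG_MULTI_SZ value named
    # after the group under the Svchost key).
    $inGroup = $false
    if ($group) {
        $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
        $members  = (Get-ItemProperty -LiteralPath $groupKey -Name $group -ErrorAction SilentlyContinue).$group
        if ($members -and ($members -contains $ServiceName)) { $inGroup = $true }
    }

    # Defender's sanity checks: the DLL should exist, sit under System32 and be signed.
    $dllExists = $false; $dllInSystem32 = $false; $signature = 'n/a'
    if ($serviceDll) {
        $dllExists     = Test-Path -LiteralPath $serviceDll
        $dllInSystem32 = $serviceDll.StartsWith((Join-Path $env:SystemRoot 'System32'), 'OrdinalIgnoreCase')
        if ($dllExists) { $signature = (Get-AuthenticodeSignature -FilePath $serviceDll).Status }
    }

    [pscustomobject]@{
        Service       = $ServiceName
        ImagePath     = $imagePath
        HostGroup     = $group
        ListedInGroup = $inGroup
        ServiceDll    = $serviceDll
        DllExists     = $dllExists
        DllInSystem32 = $dllInSystem32
        DllSignature  = $signature
    }
}

# Usage: the Remote Registry service from the article.
Get-SvchostServiceInfo -ServiceName RemoteRegistry | Format-List
```

For the Remote Registry service this reports the svchost image path with its -k group, the ServiceDll under System32 and a valid Authenticode status; a service whose DLL is outside System32, unsigned, or missing from its group list deserves a closer look.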

It is precisely because svchost is so important that viruses and Trojans also try to take advantage of it, using its characteristics to confuse users in order to infect, invade and damage systems. So how can one tell which svchost is a virus process? The legitimate svchost.exe file should be in the "C:\Windows\System32" directory; be careful if the file is found in any other directory. Tip: the path from which svchost.exe is running can be viewed via "System Information → Software Environment → Running Tasks".
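The manual check in the tip above (look up each svchost's path) can be turned into a small audit. The following PowerShell function is an added example, not from the original article; it assumes PowerShell 5.1 or later on a current 64-bit Windows and an elevated prompt (needed to read every process's command line). It applies the article's own criterion, the file's directory, and adds the related checks a defender would make: a real svchost is started by services.exe with a "-k" group argument and therefore hosts at least one service.

```powershell
# Added example, not from the original article. Assumes PowerShell 5.1+ on a
# current 64-bit Windows and an elevated prompt.

function Get-SvchostAudit {
    # Only these two locations are legitimate for svchost.exe.
    $legit = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    # Map PID -> names of the services currently running inside that process
    # (the same information "tasklist /svc" shows).
    $servicesByPid = @{}
    foreach ($s in Get-CimInstance Win32_Service -Filter "ProcessId <> 0") {
        if (-not $servicesByPid.ContainsKey($s.ProcessId)) { $servicesByPid[$s.ProcessId] = @() }
        $servicesByPid[$s.ProcessId] += $s.Name
    }

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $path     = $p.ExecutablePath
        $hosted   = $servicesByPid[$p.ProcessId]
        $findings = @()

        # Wrong directory is the article's main warning sign.
        if (-not $path) {
            $findings += 'path unreadable (run elevated)'
        } elseif ($legit -notcontains $path) {
            $findings += "unexpected location: $path"
        }

        # A real svchost is always started with a -k service group...
        if ($p.CommandLine -notmatch '(?i)\s-k\s+\S+') { $findings += 'no -k service group on command line' }

        # ...and therefore hosts at least one service.
        if (-not $hosted) { $findings += 'hosts no services' }

        # ...and its parent is the Service Control Manager, services.exe.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parentName -ne 'services.exe') { $findings += "parent is '$parentName', not services.exe" }

        [pscustomobject]@{
            PID         = $p.ProcessId
            Path        = $path
            CommandLine = $p.CommandLine
            Services    = ($hosted -join ', ')
            Suspicious  = ($findings.Count -gt 0)
            Findings    = ($findings -join '; ')
        }
    }
}

# Usage: list every svchost, suspicious ones first.
Get-SvchostAudit | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize PID, Suspicious, Services, Findings
```

A process named svchost.exe that runs from a user-writable directory, has no "-k" argument, hosts no service, or was not started by services.exe fails the checks above and should be examined (and its file hashed and scanned) rather than ignored because of its familiar name.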

Please credit the original source when reprinting: https://www.9cbs.com/read-75654.html
