When you look at the task manager you’ll see several svchost processes. If you want to know what a specific svchost process does, keep on reading…

Use the CLI command “tasklist /svc” to see its corresponding PID:

c:> tasklist /SVC

svchost.exe                    744 DcomLaunch, PlugPlay
svchost.exe                    804 RpcSs
svchost.exe                    836 Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                    964 AeLookupSvc, Appinfo, CertPropSvc, gpsvc,
                                   LanmanServer, MMCSS, ProfSvc, Schedule,
                                   seclogon, SENS, SessionEnv, Winmgmt,
                                   wuauserv

PID 744, for example, started the services DcomLaunch and PlugPlay.

Now we need cmdline, a nice little tool by DiamondCS. It displays the start parameters for each running process:

C:> cmdline

744 — C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch

The process with PID 744 was started with the “-k DcomLaunch” parameter. When you check the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
you will see a string value called DcomLaunch. Its data contains all services this specific svchost instance loads. You can now modify which services are loaded and which aren’t.
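The three manual steps above (PID to services, PID to its "-k" group, group to its registry value) can be done in one pass. The following PowerShell script is an added example, not part of the original post or the cmdline tool; it assumes the built-in CIM classes Win32_Process and Win32_Service and the Svchost registry key named above, and it flags any service running inside a svchost process that the group's registry value does not declare, which is the check a defender wants when an svchost instance looks unusual.

```powershell
# Added example (not from the original post): map every running svchost.exe
# to its "-k" group and compare the services it hosts with the registry.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups = Get-ItemProperty -Path $svchostKey   # one property per group name

# Services currently attached to each PID (the same data "tasklist /svc" shows).
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $servicesByPid[$_.ProcessId] += @($_.Name)
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_

    # Pull the group name out of "... svchost.exe -k GroupName [-p] [-s Svc]".
    $group = $null
    if ($proc.CommandLine -match '(?i)\s-k\s+("?)([^\s"]+)\1') { $group = $Matches[2] }

    $running  = @($servicesByPid[$proc.ProcessId])
    $declared = @()
    if ($group -and ($groups.PSObject.Properties.Name -contains $group)) {
        $declared = @($groups.$group)   # REG_MULTI_SZ is returned as string[]
    }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Group    = $group
        Path     = $proc.ExecutablePath          # expect %SystemRoot%\system32
        Running  = ($running -join ', ')
        Declared = ($declared -join ', ')
        # Services hosted by this PID that the registry does not list for the group.
        Unlisted = (($running | Where-Object { $declared -notcontains $_ }) -join ', ')
    }
} | Format-Table -AutoSize
```

On current Windows releases a single group is often split across several svchost processes, so "Running" being a subset of "Declared" is normal; a non-empty "Unlisted" column, a missing group, or a path outside system32 is what merits a closer look.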