
What is really running under Svchost.exe?


TroyMcClure

Technical User
Oct 13, 2003
137
US
In XP Pro, I see the svchost.exe in task manager. I know that this is generally a benign process--I know it's a Windows thing, etc. etc....

But...isn't it true that spyware can use this or be run through this? I ask because I have a machine that runs very slowly and at bootup--with nothing in the registry key Run, or Run Services (except for the plain vanilla stuff that I know is safe), and nothing in Start folder, etc, etc., I see Svchost.exe in task manager with over 20 meg!!!

Again, I have nothing that I know of running other than the plain vanilla stuff, and in other machines I may see one or two instances of svchost, but only with a few hundred K each.

I've used ProcessExplorer, which does show what .dlls each process may be using, but all I could see were ones in the Windows\system32 directory, so it's hard to tell if it's a 'bad' process or a benign one.

Is there a way to find out what's really being hosted by this .exe, or how it was started? Thanks,
T
 
Hmm, tasklist must be a command native to XP only. I tried this on a W2K box, doesn't exist.
 
SVCHOST has been used by several viruses. It's in another folder but since all you see on the task manager is just the svchost process it's not all that obvious it's not the real thing.

Also, using the tasklist command supplied by amen1973 (Thanks BTW - I hadn't run across that one yet) I see that one of my svchost processes is running a large number of things that could account for a lot of memory usage.

 
I believe the commands tlist and pulist (adds info about the owner of the process) are the Win2k equivalent. If it is not found in cmd you might have to install it from the Windows 2k Server Resource Kit.

In WinXP you can call up the tasklist with its command. TSKILL is a command with which you can kill a process. tskill pid (process ID number) will kill a task using its PID.
Works in both XP and Win2k and I believe NT as well.
 
TroyMcClure

A virus can run svchost.exe to create an exploitation such as a Delay of Services Attack or Distributed Denial Of Service Attack in your registry.
 
Best way to know what is running under svchost.exe is to run ProcessExplorer (excellent freebie from Sysinternals.com). When it first comes up, it will show processes in the upper pane. Go to View - Lower Pane View and set it to show dlls.

Highlight each instance of svchost (or any other process) in the top pane to show the dlls it is using. The lower pane will show the name, description, vendor and version. Be suspicious of any dll that omits any of this info.
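
The checks discussed in this thread (which services each svchost.exe hosts, whether the image sits in the real system folder, and whether each hosted DLL carries vendor, description and version info), as an added example that is not part of any post above. It assumes a current Windows system with PowerShell 3.0 or later rather than the XP/W2K machines in the thread, and that each service's DLL is recorded in the `ServiceDll` value under its `Parameters` registry key.

```powershell
# Added example (not from the thread): show what each svchost.exe instance hosts.
# Assumes PowerShell 3.0+; run elevated so that ExecutablePath is populated.

# Legitimate image locations (SysWOW64 holds the 32-bit copy on 64-bit Windows).
$expectedImages = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Running services, keyed by the PID of the process that hosts them.
$byPid = Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_
    # ExecutablePath is empty for protected processes when not elevated.
    if (-not $proc.ExecutablePath) { $image = 'unknown (run elevated)' }
    elseif ($expectedImages -contains $proc.ExecutablePath) { $image = 'ok' }
    else { $image = "UNEXPECTED: $($proc.ExecutablePath)" }

    $hosted = $byPid["$($proc.ProcessId)"]
    if (-not $hosted) {
        # An svchost.exe with no registered service deserves a closer look.
        $hosted = [pscustomobject]@{ Name = '(no registered service)' }
    }

    foreach ($svc in $hosted) {
        # The DLL that actually implements the service (assumed location).
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        $ver = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $ver = (Get-Item -LiteralPath $dll).VersionInfo
        }
        [pscustomobject]@{
            PID         = $proc.ProcessId
            MemoryMB    = [math]::Round($proc.WorkingSetSize / 1MB, 1)
            Image       = $image
            Service     = $svc.Name
            ServiceDll  = $dll
            Vendor      = $ver.CompanyName      # blank vendor, description or
            Description = $ver.FileDescription  # version is the warning sign
            Version     = $ver.FileVersion      # named in the last post
        }
    }
} | Sort-Object PID | Format-Table -AutoSize -Wrap
```

Rows with an `UNEXPECTED` image path, a `ServiceDll` outside the Windows directory, or blank vendor and version fields are the ones to investigate first.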

 