Introduction: "svchost.exe" file in Windows.

14 views
Skip to first unread message

chaman pandey

unread,
Dec 2, 2008, 1:44:05 AM12/2/08
to icomputer-te...@googlegroups.com
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).

Note Tasklist is not included in Windows XP Home Edition. This article is intended for advanced users in commercial environments. If you are not comfortable with advanced information, you might want to ask someone for help or contact support. For information about how to contact support, visit the following Microsoft Web site:

MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup...

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
To view the list of services that are running in Svchost:
  1. Click Start on the Windows taskbar, and then click Run.
  2. In the Open box, type CMD, and then press ENTER.
  3. Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)
The following example of Tasklist output shows two instances of Svchost.exe that are running. 
   Image Name         PID      Services
   ======================================================================== 
   System Process        0     N/A
   System                8     N/A    
   Smss.exe            132     N/A
   Csrss.exe           160     N/A
   Winlogon.exe        180     N/A
   Services.exe        208     AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                               Eventlog,LanmanServer,LanmanWorkstation,
                               LmHosts,Messenger,PlugPlay,ProtectedStorage,
                               Seclogon,TrkWks,W32Time,Wmi
   Lsass.exe            220    Netlogon,PolicyAgent,SamSs 
   Svchost.exe          404    RpcSs 
   Spoolsv.exe          452    Spooler 
   Cisvc.exe            544    Cisvc 
   Svchost.exe          556    EventSystem,Netman,NtmsSvc,RasMan,
                           
    SENS,TapiSrv 
   Regsvc.exe           580    RemoteRegistry 
   Mstask.exe           596    Schedule 
   Snmp.exe             660    SNMP 
   Winmgmt.exe          728    WinMgmt 
   Explorer.exe         812    N/A
   Cmd.exe             1300    N/A
   Tasklist.exe        1144    N/A
The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
RApcss :Reg_Multi_SZ: RpcSs



Add more friends to your messenger and enjoy! Invite them now.
Reply all
Reply to author
Forward
0 new messages