Generic Host For Services
Last Updated: 11 Jul 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In Windows 2000 and XP, there is a new service that is
responsible for spawning other Win32 processes: SVCHOST.
This is very similar to the role that MTX and DLLHOST
have in IIS4 & 5, respectively, as it pertains to hosting
multiple instances of out-of-process web applications.

To find out what processes are being hosted by SVCHOST
and to determine what these processes/services are doing,
you will need to make use of a couple of built-in tools,
such as TLIST (Support Tools) and FIND (Native Util).
Once you have the names of the processes, you can search
http://msdn.microsoft.com/ for more information about
those processes/services.
SCRIPTING SAMPLES
The following batch file will parse your task list for
every instance of SVCHOST and determine what processes
it has spawned.
*** Requires Win2K (plus ResKit) ***
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
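@ECHO OFF
REM Command line of each SVCHOST instance (the -k switch names its group)
TLIST SVCHOST | FIND /I "-k"
REM Services active in each SVCHOST process
TLIST -S | FIND /I "svchost"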
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** Requires WinXP or higher ***
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@TASKLIST /SVC /FI "IMAGENAME eq SVCHOST.EXE"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
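*** Added example, WinXP or higher ***
The following batch file is an added example, not part of the
original samples. It takes the TASKLIST output one step further:
for each SVCHOST instance it prints the PID, the hosted services,
and the DLL registered for each service. It assumes the standard
ServiceDll value under each service's Parameters registry key;
the SVCKEY variable and SHOWDLL label are names chosen here.

```batch
@ECHO OFF
REM Added example: map each SVCHOST PID to its services and their DLLs.
SETLOCAL
SET "SVCKEY=HKLM\SYSTEM\CurrentControlSet\Services"

REM /FO CSV /NH yields lines like: "svchost.exe","1234","Svc1,Svc2"
REM Token 2 is the PID and the remainder is the quoted service list.
REM The ~ modifier strips the quotes and the inner FOR splits on commas.
FOR /F "tokens=2,* delims=," %%A IN ('TASKLIST /SVC /FO CSV /NH /FI "IMAGENAME eq SVCHOST.EXE"') DO (
    ECHO.
    ECHO PID %%~A
    FOR %%S IN (%%~B) DO CALL :SHOWDLL %%S
)
ENDLOCAL
GOTO :EOF

:SHOWDLL
REM Print the service name, then its ServiceDll value if one is registered.
REM Services without a Parameters\ServiceDll value print the name only.
ECHO   %1
FOR /F "tokens=2,*" %%X IN ('REG QUERY "%SVCKEY%\%1\Parameters" /v ServiceDll 2^>NUL ^| FIND /I "ServiceDll"') DO ECHO     %%Y
GOTO :EOF
```

A DLL path that does not sit under the system directory, or a
service name you cannot account for, is the entry to look up first.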
TOOLS
• ActivePorts ............ http://www.snapfiles.com/get/activeports.html
• Active Net Monitor ..... http://www.ntutility.com/anm/
DEFAULT/NATIVE SERVICES
• https://brainwavecc.com/TechDocs/Tweaking.html
• http://www.3dspotlight.com/tweaks/win2k_services/
• http://www.3dspotlight.com/tweaks/winxp_services/
• http://www.systemsbysteve.com/winguides/w2kservices.htm
• http://www.blkviper.com/WinXP/servicecfg.htm
• http://snakefoot.fateback.com/tweak/winnt/services.html
• http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp
• http://www.microsoft.com/TechNet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.asp
• http://www.microsoft.com/technet/security/topics/hardsys/tcg/tcgch07.asp
• http://www.greatis.com/regrun3useless.htm
WHITEPAPERS & TECH DOCUMENTS
• http://www.jsifaq.com/SUBJ/tip4600/rh4660.htm
• http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/20609/windowsnt20002003faq_20609.html
• http://support.microsoft.com/?KBID=250320
• http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp
• http://www.microsoft.com/TechNet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.asp
PERSONAL NOTES
• TLIST can be found in the NT Resource Kit, and as
part of the Support Tools with Windows 2000
(under the SUPPORT folder).
• TASKLIST, a more powerful version of TLIST, comes
native with Windows XP and Windows.NET.
• You can also determine what remote connections the
various SVCHOST processes are attempting to make
by using Active Network Monitor or ActivePorts.