svchost.exe debugging
Results 1 to 8 of 8

Thread: svchost.exe debugging

  1. #1
    Member
    Join Date
    Jun 2004
    Posts
    77

    svchost.exe debugging

    hi
    anyone knows how to debug/trace what exactly svchost.exe is doing in Windows XP?
    this is becos i have some suspicious traffic going out to the internet from a PC and the traffic seems to be initiated by svchost.exe.
    thanks.

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Under XP (may require SP2, not sure):
    tasklist /svc


    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Member
    Join Date
    Jun 2004
    Posts
    77
    hi

    hmm maybe i am not too clear in my last post, but anyway, i manage to find strace for NT and am now fiddling with it..becos the command have an option that can "tag" onto the process id svchost.exe is using and can see low level calls going on in svchost.exe.

    By the way, the suspicious traffic is started by svchost.exe and is going to download.windowsupdate.com. Even if i turn off the automatic update services in control panel->administration tools->services, the same traffic still goes to the site.
    Anyone knows what's going on ?thanks

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Haveing not used strace for NT I am unable to fully comment..

    The comment was to use a program Process explorer (procexp.exe) this shows a mine of information..I also recommend to have a look at. TCPView.. this tells you what port is being used by a process..

    realise that svchost is just a slave to other processes in your pc..it on its own is not the perpetrator..

    also .. svchosd, scvhost, svvhost, svcbost, snchost..etc are not legit windows progs..bit like Isass and lsass.. be aware of the spelling of the process your looking at..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    To just add a little to what Undies has said..............

    svchost may have several instances running at once, that can be quite legitimate, but there should only be one copy of the program on your system.

    Cheers

  7. #7
    Member
    Join Date
    Jun 2004
    Posts
    77
    thanks guys.

    i manage to find out a little on the problem..seems like my internal LAN pcs are trying to access download.windowsupdate.com directly w/o going thru my internet proxy server.
    thanks again.

  8. #8
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    sec_ware's tutorial might help you

    http://www.antionline.com/showthread...hreadid=264811

    Cheers
    \"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
    Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •