hi
Does anyone know how to debug/trace what exactly svchost.exe is doing in Windows XP?
This is because I have some suspicious traffic going out to the internet from a PC, and the traffic seems to be initiated by svchost.exe.
thanks.
Process Explorer.
http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
-Maestr0
Under XP (may require SP2, not sure):
tasklist /svc
Ammo
hi
Hmm, maybe I was not too clear in my last post, but anyway, I managed to find strace for NT and am now fiddling with it, because the command has an option that can "tag" onto the process ID svchost.exe is using and can see the low-level calls going on in svchost.exe.
By the way, the suspicious traffic is started by svchost.exe and is going to download.windowsupdate.com. Even if I turn off the Automatic Updates service in Control Panel -> Administrative Tools -> Services, the same traffic still goes to the site.
Does anyone know what's going on? Thanks.
Having not used strace for NT, I am unable to fully comment.
The comment was to use a program, Process Explorer (procexp.exe); this shows a mine of information. I also recommend having a look at TCPView; this tells you what port is being used by a process.
Realise that svchost is just a slave to other processes in your PC; it on its own is not the perpetrator.
Also, svchosd, scvhost, svvhost, svcbost, snchost, etc. are not legit Windows progs, a bit like Isass and lsass. Be aware of the spelling of the process you're looking at.
To just add a little to what Undies has said...
svchost may have several instances running at once; that can be quite legitimate, but there should only be one copy of the program on your system.
Cheers
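The replies above describe three separate checks: mapping each svchost instance to the services it hosts (tasklist /svc), seeing which remote ports a process is talking to (TCPView), and watching for misspelled lookalikes or extra copies of the binary. As an added example that is not from this thread, the following PowerShell script combines those checks into one report. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on XP) and an elevated prompt.

```powershell
# Added example: one report per svchost-looking process showing its image path,
# whether that path is the genuine system binary, the services it hosts, and
# its established outbound TCP connections. Requires Windows 8 / Server 2012+.

# Genuine locations of svchost.exe (a 32-bit copy may exist under SysWOW64 on x64).
$realPaths = @('System32\svchost.exe', 'SysWOW64\svchost.exe') |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

# Services grouped by hosting process ID (the tasklist /svc view).
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Established TCP connections grouped by owning process ID (the TCPView view).
$connByPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

# Match the real name and the lookalikes named in the thread
# (scvhost, svvhost, snchost, svcbost, svchosd), i.e. one-character variations.
$lookalike = '^s..host\.exe$|^svc.ost\.exe$|^svchos.\.exe$'

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $lookalike } |
    ForEach-Object {
        $p   = $_
        $pid = "$($p.ProcessId)"
        # ExecutablePath is null for protected processes; treat that as "unverified".
        $genuine = ($null -ne $p.ExecutablePath) -and ($realPaths -icontains $p.ExecutablePath)
        $hosted  = @($svcByPid[$pid]  | ForEach-Object { $_.Name })
        $remotes = @($connByPid[$pid] | ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort })
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            ImagePath   = $p.ExecutablePath
            GenuinePath = $genuine
            Services    = ($hosted -join ', ')
            RemoteEnds  = ($remotes -join ', ')
        }
    } | Format-Table -AutoSize -Wrap
```

A row whose GenuinePath is False, whose Services column is empty, or whose name is a near-miss spelling is the one to look into; a genuine instance with a service such as wuauserv talking to a Microsoft update host is the expected case.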
thanks guys.
I managed to find out a little on the problem. Seems like my internal LAN PCs are trying to access download.windowsupdate.com directly without going through my internet proxy server.
Thanks again. :)
sec_ware's tutorial might help you:
http://www.antionline.com/showthread...hreadid=264811
Cheers