-
March 2nd, 2005, 01:32 AM
#1
svchost.exe
OK, stupid question time. When I run my IB Process Manager it lists svchost.exe as running 3 different times in the same directory: C:\WINNT\System32\svchost.exe
Is this normal? And if it isn't, does anyone know the cause and/or resolution to making it just show up once in the proc manager?
I am using windows 2000 pro and have latest windows security updates
-
March 2nd, 2005, 01:46 AM
#2
Senior Member
lol, yeah mate, it's normal... In task manager you'll see it also runs under different user control...
Go to Control Panel -> Admin Tools -> Services
then look at each service (disable if you don't need it) and you'll see many services execute SVCHost with different parameters...
It is normal, HOWEVER, rootkits etc. do use that file name, so make sure you don't let a C:\Program Files\Inet\svchost.exe run instead of C:\windows\system32\svchost
-
March 2nd, 2005, 01:47 AM
#3
from http://www.computerhope.com/issues/ch000517.htm
Why do I have multiple svchost.exe files listed in Windows Task Managers processes?
Multiple svchost.exe files are loaded when a program needs to be grouped from other Windows services. This is a normal operation of Windows and it is common to see three or four svchost.exe in the Task Manager processes.
Google is your friend! That was the first search result.
-
March 2nd, 2005, 01:49 AM
#4
In google, this is the second thing that came up under "svchost.exe" search:
(From Microsoft)
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
Link:
http://support.microsoft.com/kb/250320/EN-US/
http://www.google.com
Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
-- Homer S.
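The registry layout quoted in post #4 and the path check suggested in post #2 can be walked with a short script. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later on a current Windows system, and the variable names and verdict strings are illustrative.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ on a current Windows.
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1) Each REG_MULTI_SZ value under the Svchost key is one group of service names.
$key = Get-Item -Path $groupKey
$services = foreach ($group in $key.GetValueNames()) {
    if ($key.GetValueKind($group) -ne 'MultiString') { continue }
    foreach ($svc in $key.GetValue($group)) {
        # ServiceDll is read from <service>\Parameters; the column stays blank
        # when that key or value is absent on this machine.
        $p = Get-ItemProperty -Path "$svcRoot\$svc\Parameters" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Group = $group; Service = $svc; ServiceDll = $p.ServiceDll }
    }
}
$services | Sort-Object Group, Service | Format-Table -AutoSize

# 2) Each running svchost.exe: its image path and the group passed with -k.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'"
$instances = foreach ($proc in $procs) {
    $group = if ($proc.CommandLine -match '-k\s+"?([^\s"]+)') { $Matches[1] } else { '?' }
    $verdict = if (-not $proc.ExecutablePath) {
        # Non-elevated sessions cannot read the path of some system processes.
        'unknown (path hidden; rerun elevated)'
    } elseif ($proc.ExecutablePath -ieq $expected) {
        'ok'
    } else {
        'REVIEW: not the System32 image'
    }
    [pscustomobject]@{
        ProcessId = $proc.ProcessId
        Group     = $group
        Path      = $proc.ExecutablePath
        Verdict   = $verdict
    }
}
$instances | Sort-Object Verdict, Group | Format-Table -AutoSize
```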
-
March 2nd, 2005, 01:52 AM
#5
thanks
thanks they are all C:\windows\system32\svchost as far as I can see.
now as far as going into specific services I can see that some are manual and some are disabled and some are automatic. how would I know which ones I need to be running and which ones should be disabled etc etc ??
ok iron curtain I am reading what you're saying, but I comprehend only 85% of it lol
are you saying I need to go into the registry and alter values or merely pointing out why this occurs ??
-
March 2nd, 2005, 01:56 AM
#6
For example, you can www.google.com every service that you're doubtful about, learn about it, then decide if you don't need it. If you're still having problems deciding which ones to turn off and on, post the specific services you're having doubts about.
Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
-- Homer S.
-
March 2nd, 2005, 02:04 AM
#7
Perhaps I could do one better and post a screen shot gif for you to see ?? also thanks for that webpage it was very helpful in letting me understand further about svchost.
I uploaded an animation of services and my proc manager here:
http://infamous4ever.0catch.com/Animation.gif
-
March 2nd, 2005, 02:56 AM
#8
Hi
If you want to know a bit more about svchost.exe and how it is
related to services and listening ports on your box, you find that
information here on AO. A search for "svchost.exe" on this site
gives you several hits, among them:
second hit: a tutorial[1]. If you follow that one, you would end up with
a running box without any listening TCP/UDP port. It also explains the
svchost.exe in more words than the microsoft article. It refers to
another thread[2], where svchost.exe is explained in detail (sixth hit or so).
Just another way to secure your box a little bit more.
Cheers
P.s. I feel a bit idiotic to "advertise" articles of mine
[1] http://www.antionline.com/showthread...hlight=svchost
[2] http://www.antionline.com/showthread...hlight=svchost
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
March 2nd, 2005, 03:12 AM
#9
sec_ware not idiotic at all. I am always up for some good reading material... thanks
-
March 2nd, 2005, 05:53 AM
#10
Something of interest. I disabled Telnet in my service because I never use it, and then I deleted TlntSvr.exe and tlntsvrp.dll but those 2 files keep coming back, and I believe telnet is dependent on Remote Procedure Call (RPC) however even after disabling RPC the 2 files still reappear. any suggestions ?