Although usually benign svchost actually is somewhat of a 'wrapper' really for something executing as a service and it is possible for malware to run under this context. If you would like to examine just exactly what IS running inside of svchost there is a program with the Windows Resource Kit called "tlist.exe" (For Win2k) which shows all the currently running threads and can be used to peek inside svchost.
Here is a link to some of the common services and their process names http://www.ss64.com/ntsyntax/services.htmlSample "tlist -s" output:
312 LSASS.EXE Svcs: Netlogon,PolicyAgent,SamSs
496 svchost.exe Svcs: RpcSs
572 CDANTSRV.EXE Svcs: C-DillaSrv
628 DefWatch.exe Svcs: DefWatch
120 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
716 Rtvscan.exe Svcs: Norton AntiVirus Server
796 PGPsdkServ.exe Svcs: PGPsdkServ
856 mstask.exe Svcs: Schedule
772 WinMgmt.exe Svcs: WinMgmt
952 svchost.exe Svcs: wuauserv
724 svchost.exe Svcs: BITS
104 explorer.exe Title: Program Manager
-Maestr0
I believe Windows XP comes with a version called tasklist which can be used with the /SVC switch, but I'm not sure if its on Home and Pro.
Reply With Quote