Pilli
July 7th, 2004, 05:54 AM
SVCHosts usually has multiple entries in Port Explorer and in Task Manager using the Tasklist command allows one to list all the programs associated with each instance of svchost and many other details.
Below is my current list and below that the parameters that are available to the Tasklist Command.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Start - Run - CMD at the prompt type 'tasklist /svc' without the quotes
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 468 N/A
csrss.exe 524 N/A
winlogon.exe 548 N/A
services.exe 596 Eventlog, PlugPlay
lsass.exe 608 NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
svchost.exe 776 RpcSs
svchost.exe 796 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
dmserver, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
HidServ, lanmanserver, lanmanworkstation,
Netman, Nla, NtmsSvc, RasMan, seclogon,
SENS, ShellHWDetection, srservice, TapiSrv,
TermService, Themes, TrkWks, uploadmgr,
W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe 940 Dnscache
svchost.exe 968 LmHosts, WebClient
spoolsv.exe 1144 Spooler
explorer.exe 1308 N/A
schedul2.exe 1568 AcrSch2Svc
DCSUserProt.exe 1592 DCSUserProt
GhostStartService.exe 1620 GhostStartService
kavsvc.exe 1656 kavsvc
MDM.EXE 1728 MDM
nvsvc32.exe 1756 NVSvc
PERSFW.exe 1784 PersFw
GhostStartTrayApp.exe 1904 N/A
TrueImageMonitor.exe 1912 N/A
schedhlp.exe 1920 N/A
kav.exe 1932 N/A
Ad-watch.exe 1952 N/A
mmtask.exe 1972 N/A
svchost.exe 1996 stisvc
jusched.exe 2012 N/A
tlntsvr.exe 2020 TlntSvr
upsd.exe 312 UPSentry_Smart
B9.exe 384 N/A
TeaTimer.exe 496 N/A
AcroTray.exe 764 N/A
SNXUACP.exe 920 N/A
MUPS.exe 984 N/A
procguard.exe 656 N/A
CNMSM5m.EXE 980 N/A
sgmain.exe 1208 N/A
sgbhp.exe 168 N/A
MailWasher.exe 2592 N/A
OUTLOOK.EXE 3876 N/A
WINWORD.EXE 3236 N/A
iexplore.exe 3344 N/A
wmiprvse.exe 964 N/A
cmd.exe 932 N/A
tasklist.exe 2664 N/A
Also try tasklist /? - This gives a list of the available parameters
TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
Description:
This command line tool displays a list of application(s) and
associated task(s)/process(es) currently running on either a local or
remote system.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/M [module] Lists all tasks that have DLL modules loaded
in them that match the given pattern name.
If the module name is not specified,
displays all modules loaded by each task.
/SVC Displays services in each process.
/V Specifies that the verbose information
is to be displayed.
/FI filter Displays a set of tasks that match a
given criteria specified by the filter.
/FO format Specifies the output format.
Valid values: "TABLE", "LIST", "CSV".
/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/? Displays this help/usage.
Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING | NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name
Examples:
TASKLIST
TASKLIST /M
TASKLIST /V
TASKLIST /SVC
TASKLIST /M wbem*
TASKLIST /S system /FO LIST
TASKLIST /S system /U domain\username /FO CSV /NH
TASKLIST /S system /U username /P password /FO TABLE /NH
TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
Below is my current list and below that the parameters that are available to the Tasklist Command.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Start - Run - CMD at the prompt type 'tasklist /svc' without the quotes
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 468 N/A
csrss.exe 524 N/A
winlogon.exe 548 N/A
services.exe 596 Eventlog, PlugPlay
lsass.exe 608 NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
svchost.exe 776 RpcSs
svchost.exe 796 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
dmserver, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
HidServ, lanmanserver, lanmanworkstation,
Netman, Nla, NtmsSvc, RasMan, seclogon,
SENS, ShellHWDetection, srservice, TapiSrv,
TermService, Themes, TrkWks, uploadmgr,
W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe 940 Dnscache
svchost.exe 968 LmHosts, WebClient
spoolsv.exe 1144 Spooler
explorer.exe 1308 N/A
schedul2.exe 1568 AcrSch2Svc
DCSUserProt.exe 1592 DCSUserProt
GhostStartService.exe 1620 GhostStartService
kavsvc.exe 1656 kavsvc
MDM.EXE 1728 MDM
nvsvc32.exe 1756 NVSvc
PERSFW.exe 1784 PersFw
GhostStartTrayApp.exe 1904 N/A
TrueImageMonitor.exe 1912 N/A
schedhlp.exe 1920 N/A
kav.exe 1932 N/A
Ad-watch.exe 1952 N/A
mmtask.exe 1972 N/A
svchost.exe 1996 stisvc
jusched.exe 2012 N/A
tlntsvr.exe 2020 TlntSvr
upsd.exe 312 UPSentry_Smart
B9.exe 384 N/A
TeaTimer.exe 496 N/A
AcroTray.exe 764 N/A
SNXUACP.exe 920 N/A
MUPS.exe 984 N/A
procguard.exe 656 N/A
CNMSM5m.EXE 980 N/A
sgmain.exe 1208 N/A
sgbhp.exe 168 N/A
MailWasher.exe 2592 N/A
OUTLOOK.EXE 3876 N/A
WINWORD.EXE 3236 N/A
iexplore.exe 3344 N/A
wmiprvse.exe 964 N/A
cmd.exe 932 N/A
tasklist.exe 2664 N/A
Also try tasklist /? - This gives a list of the available parameters
TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
Description:
This command line tool displays a list of application(s) and
associated task(s)/process(es) currently running on either a local or
remote system.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/M [module] Lists all tasks that have DLL modules loaded
in them that match the given pattern name.
If the module name is not specified,
displays all modules loaded by each task.
/SVC Displays services in each process.
/V Specifies that the verbose information
is to be displayed.
/FI filter Displays a set of tasks that match a
given criteria specified by the filter.
/FO format Specifies the output format.
Valid values: "TABLE", "LIST", "CSV".
/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/? Displays this help/usage.
Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING | NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name
Examples:
TASKLIST
TASKLIST /M
TASKLIST /V
TASKLIST /SVC
TASKLIST /M wbem*
TASKLIST /S system /FO LIST
TASKLIST /S system /U domain\username /FO CSV /NH
TASKLIST /S system /U username /P password /FO TABLE /NH
TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"