How do I track down what initiated a process?

I recently started the following post:

https://www.wilderssecurity.com/showthread.php?t=28875

One problem that I had was that SVCHost was running several times. One of those SVCHost processes was momentarily freezing my system. I used MSConfig to find the offending service that initiated the offending process after countless reboots. It turned out that the "IPv6 Helper Service" was initiating the freezing SVCHost process. Is there a simpler way to track down what initiates individual SVCHost processes?

Close Hauled

 

Hi Close_Hauled,

SCVhosts does have a lot of entries, to see what these are in more detail you could try Faber Toys http://www.faberbox.com/fabertoys.asp or Sys internal Process Explorer http://www.sysinternals.com/

HTH Pilli

 

Thanks. I try them both.

Close Hauled

 

Does rightclicking on the process not tell which application is connected to that specific service ("what is .....")

 

Jooske;

First, thanks for your time.

To answer your question. Not from Port EXplorer or Task Manager. There is nothing that associates the SVCHost process with the service that initiated it. In this case I am looking for something that associates the SVCHost process with the IPv6 Helper Service.

Close Hauled

 

Pilli;

Thanks! Process Explorer does the trick. Makes it real easy to find the service that initiated the process! Just right click on the process. Then click on the "Services" tab, and BINGO! Thank you, thank you, thank you!


Close Hauled

 

You are most welcome Close_Hauled.

 

CH, glad you found it, but can you tell me what was wrong when i asked you in PortExplorer to rightclick on the process to see the connected application?
I even typed the "what is..." to use eventually.
Maybe because i'm not running XP and thus have no "services" nor a tab with that name -- was not aware of extra tabs for NT/2000/XP users.

 

Jooske;

Maybe I am a little confused. Using Port Explorer, when I right click on the SVCHost process, I get the following items in the popup menu;

Process
Socket
What is Local Port 123?
What is Remote Port 0?
What is svchost.exe (696)?
Resolve 0.0.0.0
Ping 0.0.0.0
Trace 0.0.0.0
Whois 0.0.0.0
Whois Resolved Host
Clipboard

"What is svchost.exe (696)?" only tells me about SVCHost, not what service initiated it.

Process Explorer, which Pilli recommended, and can be downloaded at;

http://www.sysinternals.com

It's what showed me which service initiated the SVCHost process. With Process Explorer, I right click on the SVCHost process and select "Properties...", it displays a dialog box with several tabs. Click on the "Services" tab, and there it is! The service that initiated the SVCHost process.

I hope this clears things up.

Close Hauled

 

Ah thank you for clarification, that shows the important differences of not using XP; so i was not aware of this important difference between the programs which' names look very much alike!
Hoped that the full pathname displayed when pressing that "what is ..." would give the clue you needed!
Suppose they will lead to other programs on the various svchosts instances?

 

Jooske;

Yes it does. That's what makes Process Explorer so great!

 

Nice to hear Close_Hauled, I have it instead of Task Manager using the Process Explorer's "Replace Task Manager option"

Enjoy your weekend - Pilli