why so many svchost.exe

Discussion in 'other anti-virus software' started by synapse, Dec 3, 2004.

Thread Status:
Not open for further replies.
  1. synapse

    synapse Registered Member

    Joined:
    Oct 31, 2004
    Posts:
    50
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Generic Host Process for Win 32 (svchost.exe) supports a number of different services, for example one instance of svchost.exe hosts Terminal Services and DCOM, while another supports Remote Procedure Call etc. You can find quite a few services bundled up under the svchost banner and I suppose it is more convenient to split them up rather than have them all in just one running process.

    Indeed the inter-relationship between some of the services can be mighty inconvenient at times - the rather annoying and unnecessary epmap is always trying to get through your FW port 135 and it would be nice to disable the parent service but since this is RPC which is vital to other tasks you cannot do so. If all services were in one process it would be even worse, so it is a good thing to have them split up.

    I realise this is not a very good explanation, but it's certainly the best you're going to get out of me!!!

    Maybe someone with a bit of knowledge will come along and enlighten us both!
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    It's just a service that's part of the operating system's internals.
    svchost.exe is important for windows XP to function properly. It should not be terminated in any way.
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    One instance of SVCHOST.EXE loads for every DWI received by any member of "Destiny's Child", for every pirated copy of a song of theirs that you download.
     
  5. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  6. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    How do you know he didn't burn those and then break the CDs? :p
     
  7. Avatar

    Avatar Guest

    If you'd like to see what's running in those svchost.exe you can get from www.sysinternals.com 'Process Explorer'. Run it, and select properties of any svchost.exe process.....
    Then select the tab 'services' and here you go.... you can see exactly what's hiding under this service....
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I think I read somewhere that Microsoft decided to make several svchost.exe for stability reasons. I think the reasoning was that if the svchost crashed it would bring down the whole system in a BSOD if the hosting process contained everything under one umbrella. All you would need is just one minor function in svchost to fail and it would crash the whole system if it was contained all under one umbrella.

    I think they decided to make a few separate umbrellas for svchost for stability reasons. With a few different svchosts, if a function under one of the umbrellas failed it would be less likely to crash the whole system. If I am not mistaken this was one of the many reasons WIN 98 crashes more than XP but I am unsure about this because it has been a while since I read the article.

    So, I am not completely sure about this...I just remember reading this as an answer somewhere at some point in time.


    Starrob


     
    Last edited: Dec 4, 2004
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Task Manager is showing a list of running processes, some of which will be auto-starts and some of which may not be. I'm not sure what baddies are being referred to since I cannot see any obvious candidates!

    To know whether Generic Host Process has been hijacked by a bad service you would need to look into each instance of svchost.exe (eg by using Process Explorer, as explained above) and then do some detective work!

    Ugh! Edit the above, trillian.exe, is one possible candidate for a start!!!
     
  10. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    From; www.answersthatwork
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanks Buck, that comprehensively answers the question!

    Just to add though, that file paths can be obtained via Process Explorer (and similar tools). It is possible for malware to insinuate its DLL into a genuine instance of svchost.exe, so you cannot rely on file path alone.

    As to whether trillian.exe is a baddy, it is just something to look into as it has been associated with nasties (see http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.astef.html); but that does not mean this case is certainly bad!!
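
The check described in the posts above (look inside each svchost.exe instance, and do not rely on the file path alone) can also be scripted. The following is an added example, not part of the original thread; it assumes a Windows system with PowerShell 3.0 or later, and the output column names are made up for illustration.

```powershell
# Added example: list every svchost.exe instance, the services it hosts,
# and the DLL each hosted service is registered to load (ServiceDll).
# Run elevated; without admin rights ExecutablePath may come back empty,
# which makes ImagePathOk read False for genuine instances.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Services that currently live in some process (ProcessId 0 = not running)
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

$report = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc   = $_
    $pathOk = $proc.ExecutablePath -ieq $expected
    $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.ProcessId })

    if ($hosted.Count -eq 0) {
        # An svchost.exe that hosts no service at all deserves a closer look
        [pscustomobject]@{
            PID = $proc.ProcessId; ImagePath = $proc.ExecutablePath
            ImagePathOk = $pathOk; Service = '(none)'
            ServiceDll = $null; DllOutsideSystemRoot = $null
        }
        return
    }

    foreach ($svc in $hosted) {
        # The DLL that svchost loads for this service is recorded here
        $key = "$svcRoot\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

        # Triage flag only: third-party services can legitimately live elsewhere
        $outside = if ($dll) {
            -not $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        } else { $null }

        [pscustomobject]@{
            PID = $proc.ProcessId; ImagePath = $proc.ExecutablePath
            ImagePathOk = $pathOk; Service = $svc.Name
            ServiceDll = $dll; DllOutsideSystemRoot = $outside
        }
    }
}

$report | Sort-Object PID, Service | Format-Table -AutoSize
```

Rows where `ImagePathOk` is False, `Service` is `(none)`, or `DllOutsideSystemRoot` is True are starting points for the detective work, not verdicts.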
     
  12. synapse

    synapse Registered Member

    Joined:
    Oct 31, 2004
    Posts:
    50
    thanks for your support guys, and naw, that trillian.exe that i have was trillian that i was running at the time for my instant messenger, and about those nasties, what did you see in my process list exactly?
     
  13. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I don't know about anyone else's opinion - but your process list is clean as far as I can see.

    Blue
     