*3* instances of svchost.exe


Fred Ma

Hello,

I just went through the procedure of
http://vil.nai.com/vil/content/v_100559.htm
to get rid of Nachi worm. I did the service
removal, file removal, stinger, SP2 upgrade,
the MS03-026 patch, etc. etc. (gasp!).
I didn't get much work done on my thesis tonight. :( :( :(

I still have *3* instances of svchost.exe in my
task manager. Is this normal??

Thanks.

Fred

P.S. Posted to:
alt.comp.anti-virus
alt.comp.virus
grc.security.software
 

David

Yes. Three is actually probably better than "normal". It probably means you
have already shut off some of your unnecessary services. If you look through
the services you have running in the service manager, you should have three
services currently running that show something similar to this as the path
to the executable:
C:\WINNT\System32\svchost.exe -k parameter

The name and description of each service tells you what they are.
 

GSV Three Minds in a Can

David said:
Yes. Three is actually probably better than "normal". It probably means you
have already shut off some of your unnecessary services. If you look through
the services you have running in the service manager, you should have three
services currently running that show something similar to this as the path
to the executable:
C:\WINNT\System32\svchost.exe -k parameter

The name and description of each service tells you what they are.

And if you want to find out what's going on in each one, use 'tasklist'
with the /svc switch (start, help, tasklist for more info). I've got 4.
8>.
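The `tasklist /svc` mapping suggested above, as an added example that is not from the thread, done in PowerShell so that it also reports the `-k` group each instance was started with. It assumes Windows PowerShell 5.1 or later on a current Windows (the Windows 2000 machines in this thread predate it) and an elevated prompt, because Win32_Process only shows the command line of SYSTEM processes to administrators.

```powershell
# Added example (not from the thread): map each running svchost.exe to the
# services it hosts and the -k group named on its command line.
# Assumes Windows PowerShell 5.1+ on a current Windows, run elevated.

function Get-SvchostMap {
    # Every svchost.exe process currently running.
    $hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

    # Every service whose image is svchost.exe; the SCM records the PID it runs in.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe' }

    foreach ($h in $hosts) {
        # The group name follows "-k" on the command line, e.g. "-k netsvcs".
        $group = if ($h.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '?' }

        $hosted = @($services | Where-Object { [int]$_.ProcessId -eq [int]$h.ProcessId })

        [pscustomobject]@{
            PID      = $h.ProcessId
            Group    = $group
            Path     = $h.ExecutablePath
            Count    = $hosted.Count
            Services = ($hosted | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

Get-SvchostMap | Sort-Object Group, PID | Format-Table PID, Group, Count, Services -AutoSize
```

A row with `Count` 0 means an svchost.exe that the Service Control Manager does not associate with any service; that can be a process whose last service just stopped, but it is also exactly what a stray executable named svchost.exe looks like, so check its `Path`.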
 

John Coutts

Hello,

I just went through the procedure of
http://vil.nai.com/vil/content/v_100559.htm
to get rid of Nachi worm. I did the service
removal, file removal, stinger, SP2 upgrade,
the MS03-026 patch, etc. etc. (gasp!).
I didn't get much work done on my thesis tonight. :( :( :(
I still have *3* instances of svchost.exe in my
task manager. Is this normal??

Thanks.
Fred
P.S. Posted to:
************** REPLY SEPARATOR *****************
SvcHost.exe is what Microsoft uses to load and manage DLL based services. For
most of them, that is not much of a problem and others have outlined how to
find out what is in them. The exception is the "NetSvc" group which handles
everything from soup to nuts, and this will be the largest memory user in the
Task List. Good luck trying to separate things in that group.

Also note that it is very easy to add another SvcHost.exe to the list of
services without conflict. Virus makers have already caught onto that one.
 

Eep²

Why not just run all the services under a SINGLE svchost.exe instead of cluttering up Task Manager with multiple instances (which progressively increased with each new service pack)? Sheesh...Microslop inefficiency strikes again.
 

Eep²

So how are such rogue svchost.exe services detected? Sheesh...can Windows 2000 BE any more insecure?
 

GSV Three Minds in a Can

from the wonderful person Eep² said:
What is "tasklist"? It's not in Windows 2000's help or a
path-accessible program.


Sorry, I was assuming you were on XP. I don't know if Win2k has anything
comparable .. although doubtless there is some freeware out there on the
www that does the same thing.
 

Johnny B

Fred,

Ignore the troll... There are plenty here who actually KNOW what they're
talking about....

Three instances of svchost.exe is absolutely normal, nothing to worry about
there... You still having a problem ?

JB

--

*** All outgoing mail scanned by Ontrack System Suite Anti-virus ***

Eep² said:
Why not just run all the services under a SINGLE svchost.exe instead of
cluttering up Task Manager with multiple instances (which progressively
increased with each new service pack)? Sheesh...Microslop inefficiency
strikes again.
 

Duane Arnold

Eep² said:
Why not just run all the services under a SINGLE svchost.exe instead
of cluttering up Task Manager with multiple instances (which
progressively increased with each new service pack)?
Sheesh...Microslop inefficiency strikes again.

As some of the other posters have indicated, three are the norm, but I
have really never noticed three of them active at one time at start-up.
But there can be more than 3 active. That's because not only does the O/S
use SVChost.exe but other non O/S program dll's like third party
application program may request the services of SVChost.exe to perform a
task and the other svchost.exe may be busy performing other duties. So if
that is the case, the O/S is going to start another svchost.exe to honor
the request.

Why is there not just one svchost.exe doing everything? Well not all
services on a NT based O/S need be loaded at one time and if one
svchost.exe was honoring all the requested tasks, I would think that
would slow the O/S down, because something would have to wait until
SVChost was free to honor the request. Using multiple occurrences of
svchost.exe along with the multi tasking, dual processors/cpu(s) usage
that can be accomplished with the NT based O/S makes for better
performance. This is also due to the fact that the workstation and server
versions of a NT based O/S such as NT 4, Win 2K, XP, and 2K3 do not have
that much of a difference in the core components and the functionality of
the two versions. Think about it, you have 100 users or so using one
server, so the O/S needs to honor the requests and not be bottle necked,
because there is only one svchost.exe performing the tasks for
everything. So, your workstation version has a lot of the functionality of
the server version.

HTH

Duane :)
 

David

So how are such rogue svchost.exe services detected? Sheesh...can Windows
2000 BE any more insecure?

It depends on how slick the malware writer is. Do a search on some of the AV
sites and they will show you how the known exploits have done it. Something
can put malware on the machine in a different directory named svchost.exe,
it could try to install a malware dll that runs off of the valid copy of
svchost, or it could try to overwrite the valid copy of svchost with a
modified executable. The windows file protection mechanism and file
integrity software should catch a modified exe unless the malware writer is
good enough to defeat that also. A good AV definition will catch rogue
registry entries from known malware and some heuristic engines, particularly
ones associated with trojan detection, will notice that specific registry
keys are being added or modified. Desktop firewalls with file integrity
protection (as well as standalone file integrity software) can detect new or
modified executables or dll's.

In general when a machine is configured take note of the number of instances
running before it is attached to a network. Look at the task manager now and
then, after installing new software, after installing service packs, etc.
and research any cases when the number of instances changes.

Be sure to check after installing service packs and maybe even some updates.
MS has added new functionality along the way that they enable by default
which you may or may not want to disable. I will often disable new
"features" because they are unneeded, but also because their new features
tend to be lightly tested and more often than not exploitable.
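The three tricks David lists (a look-alike binary in another directory, a malicious DLL registered as a service inside a genuine svchost, and a tampered svchost.exe) can each be checked from a script. The following is an added example, not code from the thread: it assumes Windows PowerShell 5.1 or later on a current Windows, an elevated prompt, and that a normal installation runs svchost.exe from System32 under services.exe; those "expected" values are this example's assumptions.

```powershell
# Added example (not from the thread): per-instance sanity checks for svchost.exe.
# (1) image path and parent process, (2) Authenticode signature of the binary,
# (3) the ServiceDll registered for each service the instance hosts.
# Assumes Windows PowerShell 5.1+ on a current Windows, run elevated.

function Test-SvchostInstances {
    $expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'   # assumption: normal install
    $procs        = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
    $services     = Get-CimInstance Win32_Service

    # PID -> process name, to resolve the parent of each svchost.
    $nameByPid = @{}
    foreach ($x in Get-CimInstance Win32_Process) { $nameByPid[[int]$x.ProcessId] = $x.Name }

    foreach ($p in $procs) {
        $findings = New-Object System.Collections.Generic.List[string]

        # (1) A genuine svchost.exe lives in System32 and is launched by services.exe.
        if ($p.ExecutablePath -ne $expectedHost) {
            $findings.Add("image path is '$($p.ExecutablePath)', expected '$expectedHost'")
        }
        $parentName = $nameByPid[[int]$p.ParentProcessId]
        if ($parentName -ne 'services.exe') {
            $findings.Add("parent PID $($p.ParentProcessId) is '$parentName', not services.exe")
        }

        # (2) A modified or replaced binary fails signature validation.
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -ne 'Valid') { $findings.Add("binary signature status: $($sig.Status)") }
        }

        # (3) Each hosted service names its DLL in ServiceDll (usually under
        #     Parameters, occasionally directly under the service key).
        $hosted = @($services | Where-Object { [int]$_.ProcessId -eq [int]$p.ProcessId })
        if ($hosted.Count -eq 0) { $findings.Add('hosts no registered service') }

        foreach ($svc in $hosted) {
            $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
            $dll  = $null
            foreach ($key in @("$base\Parameters", $base)) {
                $dll = (Get-ItemProperty -LiteralPath $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
                if ($dll) { break }
            }
            if (-not $dll) { $findings.Add("$($svc.Name): no ServiceDll value"); continue }

            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path -LiteralPath $dll)) { $findings.Add("$($svc.Name): ServiceDll not found: $dll"); continue }
            if ($dll -notlike "$env:SystemRoot\*") { $findings.Add("$($svc.Name): ServiceDll outside the Windows directory: $dll") }

            $dsig = Get-AuthenticodeSignature -FilePath $dll
            if ($dsig.Status -ne 'Valid') { $findings.Add("$($svc.Name): ServiceDll $dll signature status $($dsig.Status)") }
        }

        [pscustomobject]@{
            PID      = $p.ProcessId
            Group    = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '?' }
            Services = $hosted.Count
            Findings = $findings
        }
    }
}

# Print only the instances with something to look at.
Test-SvchostInstances | Where-Object { $_.Findings.Count -gt 0 } | ForEach-Object {
    "PID $($_.PID) [$($_.Group)], $($_.Services) service(s):"
    $_.Findings | ForEach-Object { "  - $_" }
}
```

Two caveats. Most Windows components are catalog-signed rather than carrying an embedded signature; current versions of `Get-AuthenticodeSignature` consult the catalogs, but on an older system a `NotSigned` result for a file in System32 is a prompt to compare hashes against a known-good copy, not proof of tampering. And a service with no `ServiceDll` can be legitimate when its binary is not svchost.exe at all, which is why the check is limited to services the SCM reports inside an svchost process.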
 

Duane Arnold

(e-mail address removed) wrote:
I just checked two W2K-SP4 systems, three instances of SVCHOST running
on each of them, seems normal to me.
You can easily see the components/modules that a svchost.exe (or any other
program) is servicing by using PRCview and selecting the svchost.exe, right-clicking
and selecting *Module*. This can be done for any program that is running to
see what it is using. That PRCview utility has a lot of nice features and
it is informative as to what is happening when things are running on any MS
O/S(s), and it's (free).

Duane :)
 

Torgeir Bakken (MVP)

Eep² said:
It wasn't normal for Win2K without any service packs. Only ONE (1) svchost.exe ran. SP2 added another, and SP3 still another. Dunno about SP4 since I haven't bothered with it but I wouldn't be surprised if it added yet another instance.

3 svchost.exe runs under SP4.
 

David

The number of instances of svchost.exe you have running depends on how many
services you have enabled that run under this executable, and how the
specific services are grouped together by functionality. I suspect MS has
further separated the grouping of services over time for stability and
security reasons. You don't want problems in a single service crashing
unrelated services, and you don't want vulnerabilities in one service
exposing the interfaces of other unrelated services.
If you look in the services control panel you will probably find more than a
dozen services which run under svchost.exe. If you look at the command line
for each of these services you will see that they are run using various
groupings: netsvcs, rpcss, wugroup, tapisrv, BITSgroup, iptelsvcs, etc. So for
example all that use the netsvcs command line option will be running under
the same instance of svchost. Many home users these days will have services
running using at least the rpcss and netsvcs groupings so they will have
at least two instances running. If you use windows autoupdate that adds a
third, and the BITS service which runs intermittently will add a fourth
while it is active. And so on.....So the number of instances may vary
somewhat from machine to machine, will vary on the same machine at times if
it uses manually activated services that run with a different group setting,
and is not a good indication "by itself" of whether something that uses this
executable maliciously has been installed on the machine.
It wasn't normal for Win2K without any service packs. Only ONE (1)
svchost.exe ran. SP2 added another, and SP3 still another. Dunno about SP4
since I haven't bothered with it but I wouldn't be surprised if it added yet
another instance.
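The grouping David describes is defined in the registry: each value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost` is a group name (the `-k` argument) whose data lists the member services. The following added example, not code from the thread, reads that key and shows which groups have at least one running member, which is roughly the number of instances to expect. It assumes Windows PowerShell 5.1 or later on a current Windows; note that Windows 10 and later split most groups into one svchost.exe per service on machines with more than about 3.5 GB of RAM, so there the instance count is far higher than the group count.

```powershell
# Added example (not from the thread): list svchost groups from the registry and
# how many of each group's member services are currently running.
# Assumes Windows PowerShell 5.1+ on a current Windows.

function Get-SvchostGroups {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

    # Each REG_MULTI_SZ value is "group name -> member service names".
    # Get-ItemProperty adds PSPath/PSDrive/... properties, which are not groups.
    $groups = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string[]] }

    # Running service short names, for a quick membership test.
    $running = @{}
    Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $running[$_.Name] = $true }

    foreach ($g in $groups) {
        $members = @($g.Value)
        $active  = @($members | Where-Object { $running.ContainsKey($_) })
        [pscustomobject]@{
            Group   = $g.Name
            Members = $members.Count
            Running = $active.Count
            Active  = ($active -join ', ')
        }
    }
}

# Groups that currently have a live member, i.e. the ones that justify an instance.
Get-SvchostGroups | Where-Object { $_.Running -gt 0 } |
    Sort-Object Group | Format-Table Group, Members, Running, Active -AutoSize

# Everything, including empty or idle groups:
#   Get-SvchostGroups | Sort-Object Group | Format-Table -AutoSize
```

Because svchost.exe only registers the services listed for its group, anything that wants to ride inside a genuine svchost has to appear in this key as well. A group name you do not recognise, or an unfamiliar service name added to the end of an existing group's list, is worth tracing to that service's `ServiceDll`.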
 

jason bean

Eep² said:
It wasn't normal for Win2K without any service packs. Only ONE (1) svchost.exe ran. SP2 added another, and SP3 still another. Dunno about SP4 since I haven't bothered with it but I wouldn't be surprised if it added yet another instance.
I don't have any service packs and I have two running right now.

jason
Johnny B wrote:


--
((¯`'·.¸(¯`'·.((¯`'·.¸ * jason bean* ¸.·'´¯))¸.·'´¯)¸.·'´¯))

View my WeBpaGes
http://home.cogeco.ca/~jbean3
http://www.electrichaos.azn.nu/
 

David T. Croft

Does anyone know how to find out the name of the dll/dlls loaded by a
svchost.exe?
 

kurt wismer

David said:
Does anyone know how to find out the name of the dll/dlls loaded by a
svchost.exe?

folks are probably going to get tired of me saying this but, process
explorer from http://www.sysinternals.com can give you this
information... in fact it has a toolbar button dedicated to this very
task...
 

Ant

David T. Croft said:
Does anyone know how to find out the name of the dll/dlls loaded by a
svchost.exe?

Microsoft have a utility called tlist. It's part of Windows 2000
support tools, and can be downloaded from some MS web site. It
may also be on the XP CD.
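The DLL listing that Process Explorer and tlist give can also be produced from PowerShell, and it answers a question the registry does not: a DLL injected into a genuine svchost is loaded but registered nowhere. This is an added example, not from the thread; it assumes Windows PowerShell 5.1 or later on a current Windows, an elevated prompt, and a shell of the same bitness as the OS (a 32-bit shell cannot read the module list of 64-bit processes).

```powershell
# Added example (not from the thread): enumerate the DLLs loaded in each
# svchost.exe and flag modules outside the Windows directory or without a
# valid signature. Assumes Windows PowerShell 5.1+, elevated, OS-native bitness.

function Get-SvchostModules {
    param([int[]]$ProcessId)   # optional: restrict to specific PIDs

    $targets  = if ($ProcessId) { Get-Process -Id $ProcessId } else { Get-Process -Name svchost }
    $sigCache = @{}            # path -> signature result, so shared DLLs are checked once

    foreach ($proc in $targets) {
        # Module enumeration throws for protected processes; report and move on.
        try { $modules = $proc.Modules }
        catch { Write-Warning "PID $($proc.Id): $($_.Exception.Message)"; continue }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = Get-AuthenticodeSignature -FilePath $path
            }
            $sig = $sigCache[$path]

            [pscustomobject]@{
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $path
                InWindows = $path -like "$env:SystemRoot\*"
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Full inventory of one instance:
#   Get-SvchostModules -ProcessId 1234 | Format-Table Module, Path, Signature -AutoSize

# Across all instances, only the modules that deserve a second look.
Get-SvchostModules |
    Where-Object { -not $_.InWindows -or $_.Signature -ne 'Valid' } |
    Sort-Object PID, Module |
    Format-Table PID, Module, Path, Signature, Signer -AutoSize
```

Third-party shell extensions, printer drivers and security products legitimately load DLLs from Program Files into some service hosts, so the filtered view is a list of things to identify rather than a verdict; the signer name usually settles it quickly.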
 

Judy

Duane Arnold said:
As some of the other posters have indicated, three are the norm, but I
have really never noticed three of them active at one time at start-up.
But there can be more than 3 active. That's because not only does the O/S
use SVChost.exe but other non O/S program dll's like third party
application program may request the services of SVChost.exe to perform a
task and the other svchost.exe may be busy performing other duties. So if
that is the case, the O/S is going to start another svchost.exe to honor
the request.

Why is there not just one svchost.exe doing everything? Well not all
services on a NT based O/S need be loaded at one time and if one
svchost.exe was honoring all the requested tasks, I would think that
would slow the O/S down, because something would have to wait until
SVChost was free to honor the request. Using multiple occurrences of
svchost.exe along with the multi tasking, dual processors/cpu(s) usage
that can be accomplished with the NT based O/S makes for better
performance. This is also due to the fact that the workstation and server
versions of a NT based O/S such as NT 4, Win 2K, XP, and 2K3 do not have
that much of a difference in the core components and the functionality of
the two versions. Think about it, you have 100 users or so using one
server, so the O/S needs to honor the requests and not be bottle necked,
because there is only one svchost.exe performing the tasks for
everything. So, your workstation version has a lot of the functionality of
the server version.

HTH

Duane :)
I have 4 instances of svchost.exe - 1 for local service, 1 for network
service, and 2 for system services. My question is actually tied to
an ActiveX that becomes "active" when I access the internet and it has
the capacity to change its name. The following are some of the names
it has used:

□□þ□x□М□

□□€□x□М□

□□q□x□М□

□□~□x□М□

□□□□x□М□

□□

□□□□x□K□

□□€□x□L□

What gives here? Is this a rogue program? How do I find out more
about it? Any help will be greatly appreciated!!

Thanks!
 

Duane Arnold

(e-mail address removed) (Judy) wrote:
I have 4 instances of svchost.exe - 1 for local service, 1 for network
service, and 2 for system services. My question is actually tied to
an ActiveX that becomes "active" when I access the internet and it has
the capacity to change its name. The following are some of the names
it has used:

□□þ□x□М□

□□€□x□М□

□□q□x□М□

□□~□x□М□

□□□□x□М□

□□

□□□□x□K□

□□€□x□L□

What gives here? Is this a rogue program? How do I find out more
about it? Any help will be greatly appreciated!!

Thanks!


Yes, on my Win 2k Pro machine, 2 svchost.exe(s) are active. While on my
Win 2K Adv Server machine, there are 8 svchost.exe(s) with 2 hanging on
the loop back IP 127.0.0.1.

Are you sure that it's an ActiveX component? If it is an ActiveX
component, then it's going to need a hosting program so that it can run.

If it is an ActiveX component that is renaming itself, then the renamed
component is registering itself too, most likely using regsvr32. You
could use something like the 30 day full trial version of the Cleaner
which will alert to the Registry being changed, then you can get rid of
the Cleaner, if it's any help. There are other Registry utilities that
have the alert on registry change.

Another thing you could do is use PRCview and when you know this program
is trying to access the Internet, start PRCview and view each running
program. You can highlight the program and right-click and select
Modules. The Modules will show you all program elements that are being
used by the running program, including ActiveX components (OCX). PRCview
is free.

Another one is Active Ports that is free too.

You may also want to *harden* the NT based O/S from attack.

http://www.uksecurityonline.com/husdg/windows2000.php

This may help a little bit too.

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html


HTH

Duane :)
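The port-to-process view that Active Ports was recommended for, taken one step further to the service inside the svchost, as an added example that is not from the thread. A worm that installs itself as a service and listens for connections shows up as a listener whose owning service you cannot name. The example assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (`Get-NetTCPConnection` comes with the NetTCPIP module) and an elevated prompt.

```powershell
# Added example (not from the thread): for every listening TCP port, show the
# owning process, its image path, and the service(s) hosted in that process.
# Assumes Windows PowerShell 5.1+ on Windows 8 / Server 2012 or later, run elevated.

function Get-ListeningServicePorts {
    # PID -> service names (only services that are actually running have a PID).
    $svcByPid = @{}
    foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        $id = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
        $svcByPid[$id] += $s.Name
    }

    # PID -> process object, for the name and image path.
    $procByPid = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $procByPid[[int]$p.ProcessId] = $p }

    foreach ($c in Get-NetTCPConnection -State Listen) {
        $id    = [int]$c.OwningProcess
        $owner = $procByPid[$id]
        [pscustomobject]@{
            LocalAddress = $c.LocalAddress
            Port         = $c.LocalPort
            PID          = $id
            Process      = if ($owner) { $owner.Name } else { '?' }
            Path         = if ($owner) { $owner.ExecutablePath } else { '' }
            Services     = ($svcByPid[$id] -join ', ')
        }
    }
}

# Everything, sorted by port.
Get-ListeningServicePorts | Sort-Object Port | Format-Table Port, LocalAddress, PID, Process, Services -AutoSize

# The rows to chase: an svchost.exe listener with no service behind it, or one
# whose image is not the System32 copy.
Get-ListeningServicePorts |
    Where-Object { $_.Process -eq 'svchost.exe' -and (-not $_.Services -or $_.Path -notlike "$env:SystemRoot\*") } |
    Format-Table Port, LocalAddress, PID, Path -AutoSize
```

`Get-NetUDPEndpoint` gives the same `OwningProcess` field for UDP sockets and can be joined the same way; the PID-keyed tables are cast to `[int]` on both sides because the CIM and NetTCPIP cmdlets return the PID as different integer types, and a hashtable lookup with a mismatched boxed type silently finds nothing.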
 
