Interesting observation when killing svchost


Steve N.

While troubleshooting a system that wouldn't install a/v and a/sw from a
CD this morning I was in Taskman / processes and was killing some off.
When I killed one svchost process the NT Authority 60 second shutdown
box popped up. As it turns out the machine is clean, just has a problem
with the CDROM drive. However, I was under the impression that the
svchost attacking worms were what produced the shutdown countdown box,
obviously it is a "feature" of Windows when svchost dies.

Steve
 
Svchost is a container service that has a number of Sub Services
running inside it. To view the internal code, do the following.
Start, Run, (Type) Cmd [Enter]
Enlarge the CMD window to full screen & (type)
Tasklist /SVC
In the Right side of the display you can see the internal code
that Svchost is running
(To end CMD Type ) Exit
 
BTDTGTTS. But thank you anyway. ;-)

--
Hope this helps. Let us know.
Wes

In
R. McCarty said:
Svchost is a container service that has a number of Sub Services
running inside it. To view the internal code, do the following.
Start, Run, (Type) Cmd [Enter]
Enlarge the CMD window to full screen & (type)
Tasklist /SVC
In the Right side of the display you can see the internal code
that Svchost is running
(To end CMD Type ) Exit

Wesley Vogel said:
I found that out myself a while back. :-)
Sure made me wonder for a couple of minutes.

--
Hope this helps. Let us know.
Wes

In
 
R. McCarty said:
Svchost is a container service that has a number of Sub Services
running inside it. To view the internal code, do the following.
Start, Run, (Type) Cmd [Enter]
Enlarge the CMD window to full screen & (type)
Tasklist /SVC
In the Right side of the display you can see the internal code
that Svchost is running
(To end CMD Type ) Exit

Interesting. It seems to show what processes it hosts but not what I'd
think of as "internal code".

Thanks
Steve
 
Steve said:
However, I was under the impression that the
svchost attacking worms were what produced the shutdown countdown box,
obviously it is a "feature" of Windows when svchost dies.

SVChost.exe is a vital windows component - it runs a whole slew of
essential (and inessential) services on behalf of the system. They get
loaded in groups which is why you see several versions of it running.
There is a malware around that introduces itself under the same name,
putting itself in a different folder. The correct one should be in
windows\system32 and should be about 12 or 14 k in size (depending on
what Service Pack level you are at). If you rename that with a
different extension, eg svchost.ex it should be replaced quickly by
File Protection (you may be asked for your CD). If that does not happen,
name it back before going on (if it says it can't because the file
exists then the backup *has* been retrieved but you did not see it). If
there are any others around, delete them (or if they will not delete,
again rename, then reboot so they do not load next time around)
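
Added example, not part of any poster's message: a PowerShell sketch that combines the two checks discussed in this thread, listing the services hosted by each svchost.exe instance (as `Tasklist /SVC` does) and comparing each instance's image path with the windows\system32 location given above. It assumes a Windows version with PowerShell and the CIM cmdlets, and the verdict labels are this example's own.

```powershell
# Added example: map every svchost.exe instance to its image path and hosted
# services, and mark any instance that is not running from %SystemRoot%\System32.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index running services by the PID of the process that hosts them.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" | ForEach-Object {
    $hostPid = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($hostPid)) { $servicesByPid[$hostPid] = @() }
    $servicesByPid[$hostPid] += $_.Name
}

$report = Get-CimInstance -ClassName Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) {
        # The path is not readable for some system processes without elevation.
        $verdict = 'UNKNOWN: path not readable, run elevated'
    } elseif ($path -ieq $expected) {
        $verdict = 'OK: expected location'
    } else {
        # Includes the 32-bit copy under SysWOW64 on 64-bit Windows, so this
        # is a prompt to look closer rather than proof of malware.
        $verdict = 'REVIEW: outside System32'
    }
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Path      = $path
        Services  = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        Verdict   = $verdict
    }
}

# An instance with no hosted services and an unexpected path deserves the
# closest look; show those rows first.
$report | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```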
 
Perhaps the description isn't right. SvcHost is the actual
service and the components in it are more like DLL's than
actual .Exe's.

Maybe somebody would volunteer to create us a Dictionary,
so we can all use the same terms or have Microsoft create a
Semantics checker to adjust names.

Steve N. said:
R. McCarty said:
Svchost is a container service that has a number of Sub Services
running inside it. To view the internal code, do the following.
Start, Run, (Type) Cmd [Enter]
Enlarge the CMD window to full screen & (type)
Tasklist /SVC
In the Right side of the display you can see the internal code
that Svchost is running
(To end CMD Type ) Exit

Interesting. It seems to show what processes it hosts but not what I'd
think of as "internal code".

Thanks
Steve
 
Alex said:
Steve N. wrote:




SVChost.exe is a vital windows component - it runs a whole slew of
essential (and inessential) services on behalf of the system. They get
loaded in groups which is why you see several versions of it running.
There is a malware around that introduces itself under the same name,
putting itself in a different folder. The correct one should be in
windows\system32 and should be about 12 or 14 k in size (depending on
what Service Pack level you are at). If you rename that with a
different extension, eg svchost.ex it should be replaced quickly by
File Protection (you may be asked for your CD). If that does not happen,
name it back before going on (if it says it can't because the file
exists then the backup *has* been retrieved but you did not see it). If
there are any others around, delete them (or if they will not delete,
again rename, then reboot so they do not load next time around)

Thanks Alex. I know what SVCHOST is, I was under the impression that the
shutdown timer box was part of the worm, not part of SVCHOST.

Steve
 
