01-02-2010, 10:59 PM
Determining the services running under a SVCHOST.EXE process using Process Explorer
Process Explorer, from Sysinternals, is a process management program that allows you to see the running processes on your computer and a great deal of information about each process. One of the nice features of Process Explorer is that it also gives you the ability to see what services a particular SVCHOST.EXE process is controlling.
First you need to download Process Explorer from the following site:
Process Explorer
Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer as shown in the figure below. Remember that the processes you see in this image will not be the same as what is running on your computer.
![[Image: procexp.jpg]](http://img.bleepingcomputer.com/tutorials/svchost/procexp.jpg)
Scroll through the list of processes until you see the SVCHOST.EXE process(es). To find out which services are running within a particular SVCHOST.EXE process we need to examine the properties for the process. To do this double-click SVCHOST.EXE entry in Process Explorer and you will see the properties screen for the process like in the image below.
![[Image: SVCHOST-prop.jpg]](http://img.bleepingcomputer.com/tutorials/svchost/SVCHOST-prop.jpg)
Finally, to view the services running in this process, click on the Services tab. You will now see a screen similar to the one below.
![[Image: services.jpg]](http://img.bleepingcomputer.com/tutorials/svchost/services.jpg)
Determining the services running under a SVCHOST.EXE process using Task List
For those who like to tinker around in a Windows command prompt/console window, and have Windows XP Pro or Windows 2003, there is a Windows program called tasklist.exe that can be used to list the running processes, and services, on your computer. To use task list to see the services that a particular SVCHOST.EXE process is loading, just follow these steps:
1. Click on the Start button and then click on the Run menu command.
2. In the Open: field type cmd and press enter.
3. You will now be presented with a console window. At the command prompt type tasklist /svc /fi "imagename eq svchost.exe" and press the enter key. You will see a list of the processes on your computer as well as the services that a SVCHOST.EXE process is managing. This can be seen in the image below.
![[Image: tasklist.jpg]](http://img.bleepingcomputer.com/tutorials/svchost/tasklist.jpg)
When you are done examining the output, you can type exit and press the enter key to close the console window.
Determining the services running under a SVCHOST.EXE process in Windows Vista
Windows vista has enhanced their Windows Task Manager and one of its features allows us to easily see what services are being controlled by a particular SVCHOST.EXE process. To start, simply start the task manager by right clicking on the task bar and then selecting Task Manager. When Task Manager opens click on the Processes tab. You will now be presented with a list of processes that your Vista user account has started as shown in the image below.
![[Image: processes.jpg]](http://img.bleepingcomputer.com/tutorials/svchost/processes.jpg)
We, though, need to see all of the processes running on the computer. To do this click on the button labeled Show All Processes. When you do this Windows Vista will prompt you to allow authorization to see all the processes as shown below.
![[Image: confirmation.jpg]](http://img.bleepingcomputer.com/tutorials/svchost/confirmation.jpg)
Press the Continue button and the Vista task manager will reload, but this time showing all the processes running in the operating system. Scroll down through the list of processes until you see the SVCHOST processes as shown in the image below.
![[Image: all-processes.jpg]](http://img.bleepingcomputer.com/tutorials/svchost/all-processes.jpg)
Right-click on a SVCHOST process and select the Go to Service(s) menu option. You will now see a list of services on your computer with the services that are running under this particular SVCHOST process highlighted. Now you can easily determine what services a particular SVCHOST process is running in Windows Vista.
Process Explorer, from Sysinternals, is a process management program that allows you to see the running processes on your computer and a great deal of information about each process. One of the nice features of Process Explorer is that it also gives you the ability to see what services a particular SVCHOST.EXE process is controlling.
First you need to download Process Explorer from the following site:
Process Explorer
Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer as shown in the figure below. Remember that the processes you see in this image will not be the same as what is running on your computer.
Scroll through the list of processes until you see the SVCHOST.EXE process(es). To find out which services are running within a particular SVCHOST.EXE process we need to examine the properties for the process. To do this double-click SVCHOST.EXE entry in Process Explorer and you will see the properties screen for the process like in the image below.
Finally, to view the services running in this process, click on the Services tab. You will now see a screen similar to the one below.
Determining the services running under a SVCHOST.EXE process using Task List
For those who like to tinker around in a Windows command prompt/console window, and have Windows XP Pro or Windows 2003, there is a Windows program called tasklist.exe that can be used to list the running processes, and services, on your computer. To use task list to see the services that a particular SVCHOST.EXE process is loading, just follow these steps:
1. Click on the Start button and then click on the Run menu command.
2. In the Open: field type cmd and press enter.
3. You will now be presented with a console window. At the command prompt type tasklist /svc /fi "imagename eq svchost.exe" and press the enter key. You will see a list of the processes on your computer as well as the services that a SVCHOST.EXE process is managing. This can be seen in the image below.
When you are done examining the output, you can type exit and press the enter key to close the console window.
Determining the services running under a SVCHOST.EXE process in Windows Vista
Windows vista has enhanced their Windows Task Manager and one of its features allows us to easily see what services are being controlled by a particular SVCHOST.EXE process. To start, simply start the task manager by right clicking on the task bar and then selecting Task Manager. When Task Manager opens click on the Processes tab. You will now be presented with a list of processes that your Vista user account has started as shown in the image below.
We, though, need to see all of the processes running on the computer. To do this click on the button labeled Show All Processes. When you do this Windows Vista will prompt you to allow authorization to see all the processes as shown below.
Press the Continue button and the Vista task manager will reload, but this time showing all the processes running in the operating system. Scroll down through the list of processes until you see the SVCHOST processes as shown in the image below.
Right-click on a SVCHOST process and select the Go to Service(s) menu option. You will now see a list of services on your computer with the services that are running under this particular SVCHOST process highlighted. Now you can easily determine what services a particular SVCHOST process is running in Windows Vista.
