If you've ever taken a look at the Services section in Control Panel you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.
Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.
Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost) to build the list of services it needs to load. This results in multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a group of services, so that separate services can run depending on how and where Svchost.exe is started. This makes services easier to control and debug.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and appears as a separate instance when you view the active processes. Each value is of type REG_MULTI_SZ and lists the services that run under that Svchost group. Each Svchost group can contain one or more service names taken from the following registry key, where each service's Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Without the RPC service, the machine can barely use the network at all. Many applications depend on the RPC interface, and if you find that this process is taking too much CPU and respond by disabling the RPC service outright, the result is a disaster for the system: the service settings interface itself can no longer be used, so the service cannot be re-enabled from there. Recovery requires Registry Editor: locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs, find the Start value in the right-hand pane, change it to 2, and then restart.
When svchost drives total system CPU to 100%, the cause is not the svchost process itself. The situation above is caused by the Windows Update service retrying over and over after a failed update download or installation. Windows Automatic Updates is a background application that also depends on svchost, so the failure shows up as a very high load on svchost.exe. The problem usually occurs on machines with unstable network access (in particular, access to overseas sites), such as a parents' machine at home. It tends to appear from time to time a few months after the machine was installed, and the second week of every month is the peak period, since in recent years Microsoft has regularly issued patches in the second week of each month. The solution above does not guarantee that the problem will not recur, but reinstalling the operating system every few months because of svchost is a waste of time.
More information
To see the list of services that are running in Svchost:
Click Start, click Run, and type cmd.
Then type tlist -s (tlist should be one of the tools in the Win2k toolbox).
Tlist displays a list of active processes. The -s switch shows the list of active services in each process. If you want more information about a process, type tlist pid.
The following sample Tlist output shows two instances of Svchost.exe running.
0 System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs: AppMgmt, Browser, Dhcp, dmserver, Dnscache, Eventlog, lanmanserver, LanmanWorkstation, LmHosts, Messenger, PlugPlay, ProtectedStorage, seclogon, TrkWks, W32Time, Wmi
220 lsass.exe Svcs: Netlogon, PolicyAgent, SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem, Netman, NtmsSvc, RasMan, SENS, TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe
In this example, the registry settings for the two groups are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
rpcss: Reg_Multi_SZ: RpcSs
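The cross-check between the tlist -s listing and the Svchost registry groups can be scripted. The following is an added example, not part of the original post: it parses a few lines of the listing above, maps each svchost.exe instance to its registry group, and reports hosted services that no group declares. The function names are assumptions made for this sketch, and matching is case-insensitive because the two sources spell names differently (RasMan vs. Rasman).

```python
import re

# Sample data copied from the tlist -s listing and the Svchost registry
# values shown on this page (line wrapping repaired).
TLIST_OUTPUT = """\
 220 lsass.exe       Svcs:  Netlogon, PolicyAgent, SamSs
 404 svchost.exe     Svcs:  RpcSs
 452 spoolsv.exe     Svcs:  Spooler
 556 svchost.exe     Svcs:  EventSystem, Netman, NtmsSvc, RasMan, SENS, TapiSrv
1264 rundll32.exe    Title:
"""

SVCHOST_GROUPS = {
    "netsvcs": "EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman "
               "Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc".split(),
    "rpcss": ["RpcSs"],
}

# PID, image name, and an optional "Svcs:" list; "Title:" lines carry no services.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+Svcs:\s*(.*))?")


def parse_tlist(text):
    """Return {pid: (image, [services])} for every process line."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            svcs = [s.strip() for s in (m.group(3) or "").split(",") if s.strip()]
            procs[int(m.group(1))] = (m.group(2), svcs)
    return procs


def audit_svchost(procs, groups):
    """Map each svchost.exe PID to (matching groups, services in no group)."""
    owner = {svc.lower(): grp for grp, svcs in groups.items() for svc in svcs}
    report = {}
    for pid, (image, svcs) in procs.items():
        if image.lower() != "svchost.exe":
            continue
        matched = sorted({owner[s.lower()] for s in svcs if s.lower() in owner})
        unknown = [s for s in svcs if s.lower() not in owner]
        report[pid] = (matched, unknown)
    return report


if __name__ == "__main__":
    result = audit_svchost(parse_tlist(TLIST_OUTPUT), SVCHOST_GROUPS)
    for pid, (grps, unknown) in result.items():
        print(pid, "groups:", grps, "not in any group:", unknown)
```

An svchost.exe instance that matches more than one group, or that hosts a service listed in no group, does not fit the registry configuration and is worth a closer look.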
smss.exe
csrss.exe
This is the user-mode part of the Win32 subsystem. csrss stands for client/server run-time subsystem; it is an essential subsystem that must always be running. csrss is responsible for console windows, creating or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.