From TCC/LE, or TCC 16.x, if I run;
Code:
tasklist.exe /svc /fi "imagename eq svchost.exe"
it tells me that FontCache is running under svchost.exe with PID 1672.
Next, take a look at the following Windows Registry Key;
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
These are the group names for services that are started with SVHOST.EXE. Each group name has several service names that belong to each group.
Look at the Data value for each group. It shows the services that are part of each respective group.
On my Microsoft Vista system, I have a group named LocalServiceAndNoImpersonation. In the Data value is FontCache. I now take a look at the following Windows Registry Key;
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
I expand services, and look for the FontCache entry. Clicking on FontCache, under the ImagePath name, it shows;
Code:
%SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
If you look at the DisplayName, it shows;
Code:
@%systemroot%\system32\FntCache.dll,-100
Thus, this SVCHOST is running the FntCache.dll on my system under PID 1672.
Not sure if this is what you are looking for, but it may help.
Joe