v:\> help pstat
Display process data
PSTAT [ pid | string | * ] [ /F format ]
string: case-insensitive unqualified module name substring match criterion
Format elements (lowercase suppresses description; default: QIBRUKTWVP)
I - PID Q - File (qualified) F - File
B - Begin R[s|m|h|d] - Running U - User CPU
K - Kernel CPU T - Total CPU P - Priority class
W - Working Set V - Virtual Memory N - Newline
CPU times in seconds; R defaults to Rs; memory in KB
v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=700"]
C:\Windows\system32\svchost.exe -k RPCSS
v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId = 852"]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId = 624"]
C:\Windows\system32\svchost.exe -k DcomLaunch
tasklist.exe /svc /fi "imagename eq svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
%SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
@%systemroot%\system32\FntCache.dll,-100
%SystemRoot%\system32\FntCache.dll
echo %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\ServiceDLL]
%SystemRoot%\System32\bthserv.dll
echo %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters\ServiceDLL]
%SystemRoot%\system32\FntCache.dll
::----------------------------------------------
:: Get-ServiceDetails.btm
:: Determine the process that SvcHost is running
::
:: Requires TaskList.exe
::
:: Tested on TCC/LE 13.06.77 and
:: TCC 16.02.48
::----------------------------------------------
@setlocal
@echo off
iff %# eq 0 then
echo USAGE: %_batchname pid
echo.
tasklist.exe /nh /svc /fi "imagename eq svchost.exe"
quit
endiff
set services=%@execstr[tasklist.exe /nh /svc /fi "imagename eq svchost.exe" /fi "pid eq %1" /fo csv]
set services=%@word[2,%services]
set services=%@unquote[%services]
do kount=0 to %@dec[%@words[%services]]
echo %@word[%kount,%services] - %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%@word[%kount,%services]\Parameters\ServiceDLL]
enddo
endlocal
Run the program with no arguments to get a list of svchost.exe instances with their PIDs.
Next, run the program with the PID of the svchost.exe instance that you want.
Joe
Some of the @regquery calls are failing - I will include / attach the results....
echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=%1"]
I only looked at "lmhosts". It fails here also. But it works when TCC is elevated. If you look deeper you'll see that the "lmhosts\Parameters" key does not have the normal inherited permissions that many/most "Parameters" keys have, and it has no permissions at all for "users". I'll bet something similar is true of the other ones for which @regquery fails.
::----------------------------------------------
:: Get-ServiceDetails.btm
:: Determine the process that SvcHost is running
::
:: Requires TaskList.exe
::
:: Tested on TCC/LE 13.06.77 and
:: TCC 16.02.48
::----------------------------------------------
@setlocal
@echo off
NET FILE 1>NUL 2>NUL
iff %? ne 0 then
echo %_batchname needs to be run in an elevated TCC session.
quit
endiff
iff %# eq 0 then
echo USAGE: %_batchname pid
echo.
tasklist.exe /nh /svc /fi "imagename eq svchost.exe"
quit
endiff
echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=%1"]
echo.
set services=%@execstr[tasklist.exe /nh /svc /fi "imagename eq svchost.exe" /fi "pid eq %1" /fo csv]
set services=%@word[2,%services]
set services=%@unquote[%services]
do kount=0 to %@dec[%@words[%services]]
echo %@word[%kount,%services] - %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%@word[%kount,%services]\Parameters\ServiceDLL]
enddo
endlocal
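The same three inputs the script above pulls from a live host (the tasklist /svc CSV, the per-service Parameters\ServiceDLL value, and the svchost command line from @wmi) are enough to do the check a defender actually wants: for each svchost PID, does every hosted service belong to the -k group named on the command line, and does its ServiceDLL live under System32? The following Python is an added example, not code from the thread or from JP Software; it works over constructed sample data embedded inline (the tasklist lines, the ServiceDLL snapshot, the command lines and the SVCHOST group table are all made up for the demonstration, and "lmhosts" is left out of the snapshot to model the access-denied case reported above). On a real Windows host the same strings would come from tasklist.exe, winreg and WMI.

```python
"""Service-to-DLL report for svchost.exe instances (added example; constructed data)."""
import csv
import io
import re

# Constructed sample of `tasklist.exe /nh /svc /fi "imagename eq svchost.exe" /fo csv`.
# The third column is itself a comma-separated list inside ONE quoted field, which is
# why the .btm has to @unquote it before splitting on commas.
SAMPLE_TASKLIST_CSV = (
    '"svchost.exe","700","RpcEptMapper,RpcSs"\n'
    '"svchost.exe","852","FontCache,bthserv,oddsvc"\n'
    '"svchost.exe","4242","lmhosts,fakesvc"\n'
)

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDLL.
# "lmhosts" is deliberately absent (models @regquery failing without elevation);
# "oddsvc", "fakesvc" and their paths are invented for the demonstration.
SAMPLE_SERVICEDLL = {
    "RpcEptMapper": r"%SystemRoot%\System32\RpcEpMap.dll",
    "RpcSs": r"%SystemRoot%\system32\rpcss.dll",
    "FontCache": r"%SystemRoot%\system32\FntCache.dll",
    "bthserv": r"%SystemRoot%\System32\bthserv.dll",
    "oddsvc": r"%SystemRoot%\system32\oddsvc.dll",
    "fakesvc": r"C:\Users\Public\Libraries\update.dll",
}

# Constructed command lines, as the @wmi Win32_Process query above returns them.
SAMPLE_CMDLINE = {
    700: r"C:\Windows\system32\svchost.exe -k RPCSS",
    852: r"C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation",
    4242: r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Constructed snapshot of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
# (group name -> services the group is allowed to host). Keys are lower-cased.
SAMPLE_SVCHOST_GROUPS = {
    "rpcss": ["RpcEptMapper", "RpcSs"],
    "localserviceandnoimpersonation": ["FontCache", "bthserv"],
    "netsvcs": ["lmhosts", "fakesvc"],
}


def parse_tasklist_svc_csv(text):
    """PID -> hosted service names. tasklist prints "N/A" for a process hosting nothing."""
    hosted = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue
        pid, field = int(row[1]), row[2].strip()
        hosted[pid] = [] if field.upper() == "N/A" else [
            s.strip() for s in field.split(",") if s.strip()]
    return hosted


def svchost_group(cmdline):
    """Lower-cased -k group from an svchost.exe command line, or None if absent."""
    m = re.search(r"-k\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1).lower() if m else None


def expand_systemroot(path, systemroot=r"C:\Windows"):
    """Expand %SystemRoot% case-insensitively (a lambda avoids backslash escapes)."""
    return re.sub(r"%systemroot%", lambda _: systemroot, path, flags=re.IGNORECASE)


def classify(name, dll, group, groups):
    """Verdict for one service: ok / unreadable / not-in-group / dll-outside-system32."""
    if dll is None:                       # no ServiceDLL value could be read
        return "unreadable"
    allowed = [s.lower() for s in groups.get(group or "", [])]
    if name.lower() not in allowed:       # service not listed for the -k group
        return "not-in-group"
    if not expand_systemroot(dll).lower().startswith("c:\\windows\\system32\\"):
        return "dll-outside-system32"
    return "ok"


def service_details(pid, tasklist_csv=SAMPLE_TASKLIST_CSV, servicedll=SAMPLE_SERVICEDLL,
                    cmdlines=SAMPLE_CMDLINE, groups=SAMPLE_SVCHOST_GROUPS):
    """The Get-ServiceDetails.btm report for one PID, plus a verdict per service."""
    hosted = parse_tasklist_svc_csv(tasklist_csv)
    if pid not in hosted:
        raise KeyError(f"PID {pid} is not an svchost.exe instance in the tasklist output")
    group = svchost_group(cmdlines.get(pid, ""))
    return [(name, servicedll.get(name), classify(name, servicedll.get(name), group, groups))
            for name in hosted[pid]]


def findings(**kw):
    """Every (pid, service, verdict) that is not 'ok', across all svchost PIDs."""
    out = []
    for pid in parse_tasklist_svc_csv(kw.get("tasklist_csv", SAMPLE_TASKLIST_CSV)):
        out.extend((pid, n, v) for n, _, v in service_details(pid, **kw) if v != "ok")
    return out


if __name__ == "__main__":
    for pid in sorted(SAMPLE_CMDLINE):
        print(pid, SAMPLE_CMDLINE[pid])
        for name, dll, verdict in service_details(pid):
            print(f"  {name:14} {dll or '<no ServiceDLL readable>':45} {verdict}")
```

An "unreadable" verdict is not by itself a finding: as the lmhosts case shows, it is often just a Parameters key without read access for non-elevated users, so the script should be re-run elevated (the NET FILE check in the .btm above) before treating it as anything more than missing data.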