Determine process svchost is running

I don't think so. I think the best possible would be to get the process's command line from its PID. The command lines for svchost.exe can be seen with the Windows Task Manager and are a little cryptic. I also suspect the command lines can only be retrieved by an elevated process. I'll experiment with adding it to SYSUTILS's PSTAT. PSTAT's help is broken (I'll fix that tomorrow). Now, it does this.
Code:
v:\> help pstat
Display process data

PSTAT [ pid | string | * ]  [ /F format ]

  string: case-insensitive unqualified module name substring match criterion

  Format elements (lowercase suppresses description; default: QIBRUKTWVP)

  I - PID  Q - File (qualified)  F - File
  B - Begin  R[s|m|h|d] - Running  U - User CPU
  K - Kernel CPU  T - Total CPU  P - Priority class
  W - Working Set  V - Virtual Memory  N - Newline

  CPU times in seconds; R defaults to Rs; memory in KB
 
I still think the command line is the best you can do. And you can do it with an elevated TCC. Here are a few examples. It seems a good candidate for a user defined function.
Code:
v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=700"]
C:\Windows\system32\svchost.exe -k RPCSS

v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId = 852"]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId = 624"]
C:\Windows\system32\svchost.exe -k DcomLaunch
 
From TCC/LE, or TCC 16.x, if I run;
Code:
tasklist.exe /svc /fi "imagename eq svchost.exe"

it tells me that FontCache is running under svchost.exe with PID 1672.

Next, take a look at the following Windows Registry Key;
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST

These are the group names for services that are started with SVCHOST.EXE. Each group name has several service names that belong to each group.

Look at the Data value for each group. It shows the services that are part of each respective group.

On my Microsoft Vista system, I have a group named LocalServiceAndNoImpersonation. In the Data value is FontCache. I now take a look at the following Windows Registry Key;
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

I expand services, and look for the FontCache entry. Clicking on FontCache, under the ImagePath name, it shows;
Code:
%SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation

If you look at the DisplayName, it shows;
Code:
@%systemroot%\system32\FntCache.dll,-100

Thus, this SVCHOST is running the FntCache.dll on my system under PID 1672.

Not sure if this is what you are looking for, but it may help.

Joe
 
I have made an error in my above explanation.

For the FontCache entry, you need to expand it, and take a look at the Parameters key. There you will see the ServiceDLL name, with a data value of;
Code:
%SystemRoot%\system32\FntCache.dll

I was looking at my notes when I wrote this, instead of the original MSKB article. Thus, for each service, you need to expand the entry, look at the Parameters key, and the data for the ServiceDLL is the DLL that is being run via SVCHOST.EXE.

Apologies for the confusion.

Joe
 
Further, once you know the name of the service, you can use the @regquery function from TCC/LE and TCC 16.x instead of regedit;
Code:
echo %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\ServiceDLL]

%SystemRoot%\System32\bthserv.dll

echo %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters\ServiceDLL]

%SystemRoot%\system32\FntCache.dll

I have to start organizing my notes better. I write so much stuff down, but need to add more details when I do.

Joe
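The walk Joe describes above (PID to command line, PID to hosted services, service to Parameters\ServiceDLL), together with the @wmi Win32_Process query Vince posted earlier, done in one PowerShell function. This is an added example, not code from the thread or from JP Software; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the PID 1672 in the usage line is only the value Joe quotes from his own machine.

```powershell
function Get-SvcHostServiceDll {
    # Added example: map one svchost.exe PID to the services it hosts and to each
    # service's ServiceDll, the same three lookups the thread does with @wmi,
    # tasklist /svc and @regquery. Assumes PowerShell on Windows.
    param([Parameter(Mandatory = $true)][int]$TargetPid)

    # Step 1: command line (same data as @wmi[root\CIMV2,"SELECT CommandLine ..."]).
    # The "-k <group>" argument names the group from the SVCHOST registry key.
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $TargetPid"
    if (-not $proc) { throw "No process with PID $TargetPid." }
    if ($proc.Name -ne 'svchost.exe') {
        Write-Warning "PID $TargetPid is $($proc.Name), not svchost.exe."
    }
    Write-Host "$($proc.ProcessId)  $($proc.CommandLine)"

    # Step 2: services running inside that PID (what tasklist /svc /fi "pid eq N" lists).
    $services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $TargetPid"

    foreach ($svc in $services) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $rawDll = $null
        $note   = ''
        try {
            # Step 3: Parameters\ServiceDll is the DLL svchost.exe loads for this service.
            $rawDll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction Stop).ServiceDll
        } catch {
            # A Parameters key that grants Users nothing throws a SecurityException
            # from a non-elevated session; a missing key or value is a different case.
            if ($_.Exception -is [System.Security.SecurityException]) {
                $note = 'access denied; run elevated'
            } else {
                $note = 'no Parameters\ServiceDll value'
            }
        }

        $expanded   = $null
        $inSystem32 = $null
        $sigStatus  = $null
        if ($rawDll) {
            # Expand %SystemRoot% so the path can be checked on disk.
            $expanded   = [Environment]::ExpandEnvironmentVariables($rawDll)
            $inSystem32 = $expanded.StartsWith("$env:SystemRoot\System32\",
                              [System.StringComparison]::OrdinalIgnoreCase)
            if (Test-Path -LiteralPath $expanded) {
                # Microsoft's service DLLs are catalog-signed; Get-AuthenticodeSignature
                # reports catalog signatures as Valid on supported Windows versions.
                $sigStatus = (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else {
                $note = 'ServiceDll path does not exist on disk'
            }
        }

        [pscustomobject]@{
            Service    = $svc.Name
            State      = $svc.State
            ServiceDll = $rawDll
            Expanded   = $expanded
            InSystem32 = $inSystem32
            Signature  = $sigStatus
            Note       = $note
        }
    }
}

# Usage (1672 is the PID from Joe's post; substitute one from tasklist /svc):
Get-SvcHostServiceDll -TargetPid 1672 | Format-Table -AutoSize
```

A service whose Expanded path is outside System32, whose Signature is anything but Valid, or whose DLL is missing on disk is the row worth a second look; the Note column separates a genuine anomaly from a key the session simply is not allowed to read.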
 
Code:
::----------------------------------------------
:: Get-ServiceDetails.btm
:: Determine the process that SvcHost is running
::
:: Requires TaskList.exe
::
:: Tested on TCC/LE 13.06.77 and
::  TCC  16.02.48
::----------------------------------------------
@setlocal
@echo off
iff %# eq 0 then
  echo USAGE: %_batchname pid
  echo.
  tasklist.exe /nh /svc /fi "imagename eq svchost.exe"
  quit
endiff
set services=%@execstr[tasklist.exe /nh /svc /fi "imagename eq svchost.exe" /fi "pid eq %1" /fo csv]
set services=%@word[2,%services]
set services=%@unquote[%services]
do kount=0 to %@dec[%@words[%services]]
  echo %@word[%kount,%services] - %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%@word[%kount,%services]\Parameters\ServiceDLL]
enddo
endlocal

Run the program with no arguments to get a list of svchost.exe processes with their PIDs.

Next, run the program with the PID from the svchost that you want.

Joe
 
I recommend one change in all your distributed batch code, using %_batchname to report its usage. This allows each user to choose their own filename, including retaining your own choice for yourself.
 
some of the regquerys are failing - I will include / attach the results....

Attachments

  • svchost.txt
some of the regquerys are failing - I will include / attach the results....
I only looked at "lmhosts". It fails here also. But it works when TCC is elevated. If you look deeper you'll see that the "lmhosts\Parameters" key does not have the normal inherited permissions that many/most "Parameters" keys have, and it has no permissions at all for "users". I'll bet something similar is true of the other ones for which @regquery fails.
 
some of the regquerys are failing - I will include / attach the results....

Interesting.

Looking at just two of the @regquery calls that are failing (NlaSvc and nsi), can you use regedit to browse to those registry entries, and see if they exist?

On my Windows Vista system, those two do not fail, and the registry entries exist.

NlaSvc is part of C:\Windows\system32\svchost.exe -k NetworkService

while nsi is part of C:\Windows\system32\svchost.exe -k LocalService.

I have added
Code:
echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=%1"]

to just after the endiff in the batch file so as to better identify the command line for the PID.

Joe
 
I only looked at "lmhosts". It fails here also. But it works when TCC is elevated. If you look deeper you'll see that the "lmhosts\Parameters" key does not have the normal inherited permissions that many/most "Parameters" keys have, and it has no permissions at all for "users". I'll bet something similar is true of the other ones for which @regquery fails.

Vince, that may be it. I run TCC in elevated mode all the time.

Also, Charles, are you running on a 64-bit TCC?

Joe
 
Here's an update to my .BTM;
Code:
::----------------------------------------------
:: Get-ServiceDetails.btm
:: Determine the process that SvcHost is running
::
:: Requires TaskList.exe
::
:: Tested on TCC/LE 13.06.77 and
::  TCC  16.02.48
::----------------------------------------------
@setlocal
@echo off
NET FILE 1>NUL 2>NUL
iff %? ne 0 then
  echo %_batchname needs to be run in an elevated TCC session.
  quit
endiff
iff %# eq 0 then
  echo USAGE: %_batchname pid
  echo.
  tasklist.exe /nh /svc /fi "imagename eq svchost.exe"
  quit
endiff
echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=%1"]
echo.
set services=%@execstr[tasklist.exe /nh /svc /fi "imagename eq svchost.exe" /fi "pid eq %1" /fo csv]
set services=%@word[2,%services]
set services=%@unquote[%services]
do kount=0 to %@dec[%@words[%services]]
  echo %@word[%kount,%services] - %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%@word[%kount,%services]\Parameters\ServiceDLL]
enddo
endlocal

The .BTM will now check to see if it is being run in elevated mode.

While I could have used the _ELEVATED variable of TCC 16.x, it is not available in TCC/LE, which is why I chose another method to determine if the TCC process is elevated.

Joe
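Two checks that back up Vince's diagnosis and Joe's elevation test above, as an added example rather than code from the thread or from JP Software: an elevation probe that asks the process token directly (the question Joe's `NET FILE` redirection answers indirectly), and a look at the DACL on a Services\<name>\Parameters key to see whether inheritance is switched off and whether BUILTIN\Users has any allow entry at all. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; `lmhosts` is the service Vince names and is used here only as the sample key.

```powershell
function Test-IsElevated {
    # Is the current process running with the Administrators group enabled in its
    # token? Equivalent to the thread's NET FILE probe or TCC's _ELEVATED variable.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ParametersKeyAccess {
    # Inspect the DACL on Services\<ServiceName>\Parameters and report the two
    # conditions Vince describes: inheritance disabled, and no ACE for Users.
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
    } catch {
        # Reading a DACL needs READ_CONTROL; a key that grants Users nothing cannot
        # even be inspected from a non-elevated session, which is itself the answer.
        return [pscustomobject]@{
            Key            = $key
            Readable       = $false
            InheritanceOff = $null
            UsersHasAllow  = $null
            Rules          = @()
            Error          = $_.Exception.Message
        }
    }

    $usersAllow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and $_.AccessControlType -eq 'Allow'
    })

    # One line per ACE, e.g. "BUILTIN\Administrators: FullControl Allow (inherited)".
    $rules = foreach ($ace in $acl.Access) {
        $inh = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        '{0}: {1} {2} ({3})' -f $ace.IdentityReference.Value, $ace.RegistryRights,
                                $ace.AccessControlType, $inh
    }

    [pscustomobject]@{
        Key            = $key
        Readable       = $true
        InheritanceOff = $acl.AreAccessRulesProtected   # $true: no inherited ACEs
        UsersHasAllow  = ($usersAllow.Count -gt 0)
        Rules          = @($rules)
        Error          = $null
    }
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: Parameters keys without a Users ACE will not be readable.'
}
# Usage: the sample key from the thread; compare it with a service whose key is readable.
Get-ParametersKeyAccess -ServiceName 'lmhosts'   | Format-List
Get-ParametersKeyAccess -ServiceName 'FontCache' | Format-List
```

Run from a normal session and then from an elevated one: the same key goes from Readable = False to a full rule list, which is exactly the behaviour the thread saw with @regquery, and InheritanceOff = True with UsersHasAllow = False is the ACL shape Vince describes.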
 