Determine process svchost is running

#2
I don't think so. I think the best possible would be to get the process's command line from its PID. The command lines for svchost.exe can be seen with the Windows Task Manager and are a little cryptic. I also suspect the command lines can only be retrieved by an elevated process. I'll experiment with adding it to SYSUTILS's PSTAT. PSTAT's help is broken (I'll fix that tomorrow). Now, it does this.
Code:
v:\> help pstat
Display process data

PSTAT [ pid | string | * ]  [ /F format ]

  string: case-insensitive unqualified module name substring match criterion

  Format elements (lowercase suppresses description; default: QIBRUKTWVP)

  I - PID  Q - File (qualified)  F - File
  B - Begin  R[s|m|h|d] - Running  U - User CPU
  K - Kernel CPU  T - Total CPU  P - Priority class
  W - Working Set  V - Virtual Memory  N - Newline

  CPU times in seconds; R defaults to Rs; memory in KB
 
#3
I still think the command line is the best you can do. And you can do it with an elevated TCC. Here are a few examples. It seems a good candidate for a user defined function.
Code:
v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=700"]
C:\Windows\system32\svchost.exe -k RPCSS

v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId = 852"]
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

v:\> echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId = 624"]
C:\Windows\system32\svchost.exe -k DcomLaunch
 
#4
From TCC/LE, or TCC 16.x, if I run;
Code:
tasklist.exe /svc /fi "imagename eq svchost.exe"
it tells me that FontCache is running under svchost.exe with PID 1672.

Next, take a look at the following Windows Registry Key;
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
These are the group names for services that are started with SVCHOST.EXE. Each group name has several service names that belong to it.

Look at the Data value for each group. It shows the services that are part of each respective group.

On my Microsoft Vista system, I have a group named LocalServiceAndNoImpersonation. In the Data value is FontCache. I now take a look at the following Windows Registry Key;
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
I expand services, and look for the FontCache entry. Clicking on FontCache, under the ImagePath name, it shows;
Code:
%SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
If you look at the DisplayName, it shows;
Code:
@%systemroot%\system32\FntCache.dll,-100
Thus, this SVCHOST is running the FntCache.dll on my system under PID 1672.

Not sure if this is what you are looking for, but it may help.

Joe
 
#5
I have made an error in my above explanation.

For the FontCache entry, you need to expand it, and take a look at the Parameters key. There you will see the ServiceDLL name, with a data value of;
Code:
%SystemRoot%\system32\FntCache.dll
I was looking at my notes when I wrote this, instead of the original MSKB article. Thus, for each service, you need to expand the entry, look at the Parameters key, and the data for the ServiceDLL is the DLL that is being run via SVCHOST.EXE.

Apologies for the confusion.

Joe
 
#6
Further, once you know the name of the service, you can use the @regquery function from TCC/LE and TCC 16.x instead of regedit;
Code:
echo %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\ServiceDLL]

%SystemRoot%\System32\bthserv.dll

echo %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters\ServiceDLL]

%SystemRoot%\system32\FntCache.dll
I have to start organizing my notes better. I write so much stuff down, but need to add more details when I do.

Joe
 
#7
Code:
::----------------------------------------------
:: Get-ServiceDetails.btm
:: Determine the process that SvcHost is running
::
:: Requires TaskList.exe
::
:: Tested on TCC/LE 13.06.77 and
::  TCC  16.02.48
::----------------------------------------------
@setlocal
@echo off
iff %# eq 0 then
  echo USAGE: %_batchname pid
  echo.
  tasklist.exe /nh /svc /fi "imagename eq svchost.exe"
  quit
endiff
set services=%@execstr[tasklist.exe /nh /svc /fi "imagename eq svchost.exe" /fi "pid eq %1" /fo csv]
set services=%@word[2,%services]
set services=%@unquote[%services]
do kount=0 to %@dec[%@words[%services]]
  echo %@word[%kount,%services] - %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%@word[%kount,%services]\Parameters\ServiceDLL]
enddo
endlocal
Run the program with no arguments to get a list of svchost's with their PIDs.

Next, run the program with the PID from the svchost that you want.

Joe
 
#9
some of the regquerys are failing - I will include / attach the results....

#10
some of the regquerys are failing - I will include / attach the results....
I only looked at "lmhosts". It fails here also. But it works when TCC is elevated. If you look deeper you'll see that the "lmhosts\Parameters" key does not have the normal inherited permissions that many/most "Parameters" keys have, and it has no permissions at all for "users". I'll bet something similar is true of the other ones for which @regquery fails.
 
#11
some of the regquerys are failing - I will include / attach the results....
Interesting.

Looking at just two of the regquery's that are failing (NlaSvc and nsi), can you use regedit to browse to those registry entries, and see if they exist?

On my Windows Vista system, those two do not fail, and the registry entries exist.

NlaSvc is part of C:\Windows\system32\svchost.exe -k NetworkService

while nsi is part of C:\Windows\system32\svchost.exe -k LocalService.

I have added
Code:
echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=%1"]
to just after the endiff in the batch file so as to better identify the command line for the PID.

Joe
 
#12
I only looked at "lmhosts". It fails here also. But it works when TCC is elevated. If you look deeper you'll see that the "lmhosts\Parameters" key does not have the normal inherited permissions that many/most "Parameters" keys have, and it has no permissions at all for "users". I'll bet something similar is true of the other ones for which @regquery fails.
Vince, that may be it. I run TCC in elevated mode all the time.

Also, Charles, are you running on a 64-bit TCC?

Joe
 
#13
Here's an update to my .BTM;
Code:
::----------------------------------------------
:: Get-ServiceDetails.btm
:: Determine the process that SvcHost is running
::
:: Requires TaskList.exe
::
:: Tested on TCC/LE 13.06.77 and
::  TCC  16.02.48
::----------------------------------------------
@setlocal
@echo off
NET FILE 1>NUL 2>NUL
iff %? ne 0 then
  echo %_batchname needs to be run in an elevated TCC session.
  quit
endiff
iff %# eq 0 then
  echo USAGE: %_batchname pid
  echo.
  tasklist.exe /nh /svc /fi "imagename eq svchost.exe"
  quit
endiff
echo %@wmi[root\CIMV2,"SELECT CommandLine FROM Win32_Process WHERE ProcessId=%1"]
echo.
set services=%@execstr[tasklist.exe /nh /svc /fi "imagename eq svchost.exe" /fi "pid eq %1" /fo csv]
set services=%@word[2,%services]
set services=%@unquote[%services]
do kount=0 to %@dec[%@words[%services]]
  echo %@word[%kount,%services] - %@regquery[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%@word[%kount,%services]\Parameters\ServiceDLL]
enddo
endlocal
The .BTM will now check to see if it is being run in elevated mode.

While I could have used the _ELEVATED variable of TCC 16.x, it is not available in TCC/LE, which is why I chose another method to determine if the TCC process is elevated.

Joe
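The same procedure (tasklist /svc, the Svchost group key from #4, and Services\<name>\Parameters\ServiceDll from #5 and the .BTM in #13) done in PowerShell, as an added example that is not from this thread. It assumes Windows PowerShell 3 or later for Get-CimInstance and an elevated session, since #10 shows some Parameters keys deny read access to non-admin users; the script reports those as access denied instead of failing.

```powershell
# Added example, not code from the thread: map one svchost.exe PID to the
# services it hosts, each service's ServiceDll and its -k group membership.
# Assumes Windows PowerShell 3+ (Get-CimInstance); run elevated, since some
# Parameters keys (e.g. lmhosts) deny read access to ordinary users.
param([Parameter(Mandatory = $true)][int]$ProcessId)

$proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
if (-not $proc) { throw "No process with PID $ProcessId" }
if ($proc.Name -ne 'svchost.exe') { Write-Warning "PID $ProcessId is $($proc.Name), not svchost.exe" }
Write-Output "CommandLine: $($proc.CommandLine)"

# The -k argument names a group under ...\CurrentVersion\Svchost; that value is
# a REG_MULTI_SZ listing the services allowed to run in the group.
$group = if ($proc.CommandLine -match '-k\s+"?([^\s"]+)') { $Matches[1] } else { $null }
$groupMembers = @()
if ($group) {
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groupMembers = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).$group
}

# Win32_Service carries the hosting PID, so no tasklist /svc parsing is needed.
foreach ($svc in Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId") {
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    try {
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction Stop).ServiceDll
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        # Signature status of the hosted DLL: an unsigned or missing DLL in a
        # svchost process is worth a closer look during triage.
        $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
    } catch {
        $denied = $_.Exception -is [System.Security.SecurityException]
        $dll = if ($denied) { '<access denied: run elevated>' } else { '<no ServiceDll value>' }
        $sig = 'Unknown'
    }
    [pscustomobject]@{
        Service    = $svc.Name
        InGroup    = [bool]($groupMembers -contains $svc.Name)   # listed in the -k group?
        StartName  = $svc.StartName                               # account the service runs as
        ServiceDll = $dll
        Signature  = $sig
    }
}
```

Save it as a .ps1 and pass the PID from tasklist /svc; a service whose InGroup is False, or whose ServiceDll is unsigned or outside %SystemRoot%, is the case this mapping is meant to surface.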