Solved

Discovering what is running on the svchost.exe stack

Posted on 2007-04-05
17
575 Views
Last Modified: 2013-11-22
How does one find out what services or applications are running under svchost.exe?  I have a situation where svchost.exe is peaking out the processor and the battery of av/am applications that I've run have not discovered anything (including three rootkit detection tools).  There is something going on here as it is causing terrible pauses in the system and it should be much more responsive with 768 MB of memory.

Again, I believe that the root is digging out what is going on exactly with svchost.exe.  I'm assuming that this process is some sort of a container process for services of some sort.
0
Comment
Question by:gpsocs
  • 5
  • 4
  • 3
  • +3
17 Comments
 
LVL 59

Assisted Solution

by:LeeTutor
LeeTutor earned 50 total points
ID: 18861906
This MSKB article gives you some info on SVCHOST.EXE:

http://support.microsoft.com/default.aspx?scid=kb;en-us;314056
A Description of Svchost.exe in Windows XP

In order to see what services are connected with each instance of Svchost.exe that is running under Task Manager, you should:  go to Start -> Run -> type CMD and hit Enter key -> type tasklist /svc in the DOS-like dialog box and hit the Enter key.
0
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 100 total points
ID: 18861918
You can also use ProcessExplorer to see more details on usage. - Formerly a sysinternals tool, it's currently available from Microsoft.

http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx
0
 

Author Comment

by:gpsocs
ID: 18861936
Oddly enough `Tasklist` is not available on this system it appears.  As you, and Microsoft, describe the command it cannot be run on this system.  Am I missing something, has this been deleted by an infection per chance?  I'll keep digging...
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 18861945
The article says it applies to XP Pro.  Are you running Home?
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 25 total points
ID: 18861961
Sometimes svchost problems are caused by the windows auto-update software.
If you have it on, try turning auto-update off and reboot, at least that's one cause that can be ruled out at least.

Svchost of course, usually malware/viruses are most common causes for this but not always.

Please show us your hijackthis log, most malware show up in the scan.
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

0
 

Author Comment

by:gpsocs
ID: 18861992
Yes, it is Home.  I'll grab a copy off of a Pro box.  

With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections and invalid entries as normal, but I can certainly check it again and post my result.

Give me a few minutes and I'll be back.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 18861998
Is there a reason you are not going to try Process Explorer?
0
 
LVL 2

Expert Comment

by:hvymtl0u812
ID: 18862006
I would agree with leew.  ProcessExplorer will give you a detailed description of all the images (files) being used by each instance of svchost.exe.  I have ProcessExplorer as a part of my standard "toolbox."  It can also be used to monitor network connections in a far more user-friendly manner than netstat.  VERY useful tool.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18862020
>>With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections<<

Can you also please show us those entries that you already removed? it will help us. You can get it from the backup that hijackthis keeps, thanks.

A clean hijackthis log won't be helpful to us.
Bad entries once removed will no longer show up in the scan unless it's one of those persistent and stubborn malware.
0
 

Author Comment

by:gpsocs
ID: 18862029
Alright, I pulled the results of that unit on over and I'll paste it below.  First will be the `tasklist /svc` result.  Next will be the HJT result.

`tasklist /svc` output:
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       624 N/A
csrss.exe                      672 N/A
winlogon.exe                   696 N/A
services.exe                   740 Eventlog, PlugPlay
lsass.exe                      752 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    900 DcomLaunch, TermService
svchost.exe                    964 RpcSs
MsMpEng.exe                   1052 WinDefend
svchost.exe                   1096 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
                                   EventSystem,
                                   FastUserSwitchingCompatibility, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   SharedAccess, ShellHWDetection, srservice,
                                   TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                   wscsvc, wuauserv
svchost.exe                   1208 Dnscache
svchost.exe                   1260 LmHosts, SSDPSRV, WebClient
explorer.exe                  1428 N/A
LEXBCES.EXE                   1464 LexBceS
spoolsv.exe                   1504 Spooler
LEXPPS.EXE                    1540 N/A
Nhksrv.exe                    1648 Nhksrv
guard.exe                     1664 AVG Anti-Spyware Guard
avgamsvr.exe                  1676 Avg7Alrt
avgupsvc.exe                  1748 Avg7UpdSvc
FrameworkService.exe          1820 McAfeeFramework
MDM.EXE                       1892 MDM
svchost.exe                    184 stisvc
naPrdMgr.exe                   508 N/A
DellMMKb.exe                   584 N/A
LXSUPMON.EXE                   320 N/A
iTunesHelper.exe               604 N/A
MSASCui.exe                    612 N/A
avgcc.exe                      588 N/A
avgas.exe                      644 N/A
PicasaMediaDetector.exe        648 N/A
ctfmon.exe                     652 N/A
OSD.exe                        856 N/A
AIRPLUS.EXE                   2508 N/A
iPodService.exe               2520 iPod Service
alg.exe                       2580 ALG
wuauclt.exe                    440 N/A
taskmgr.exe                   2892 N/A
UpdaterUI.exe                 3648 N/A
cmd.exe                       3720 N/A
tasklist.exe                  3964 N/A
wmiprvse.exe                  2928 N/A


HijackThis Output:
Logfile of HijackThis v1.99.1
Scan saved at 9:21:38 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\cmd.exe
\192.168.0.3\gplymale\Repair\Repair USB\Repair CD\HijackThis\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174342726421
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18862066
Thanks for the log, sorry nothing stood out there, is it possible for us to see those bad entries that you removed? thanks.
0
 

Author Comment

by:gpsocs
ID: 18862114
No, sorry, those were removed some time ago and this unit is one that returned for a modem repair but I noticed those pauses were still existent and driving me nuts so I'm trying to figure out what might be going on.  I've only seen an issue like this once before of the last several years and it took a reinstallation (ie, not repair installation) to resolve the issue...  So I'm worried as to what could be causing this pause.

I really wish Windows had better diagnostic tools that could isolate pauses like this.  Are there any other deeper tools that pick up unresponsive apps and services as such that I'm overlooking?
0
 
LVL 32

Accepted Solution

by:
r-k earned 325 total points
ID: 18862384
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 18862411
Oh look - that article says to use process explorer - mentioned much earlier in your question... again... is there ANY reason you are ignoring my posts?
0
 

Author Comment

by:gpsocs
ID: 18863335
I apologize leew, I had already used that long ago.  I did check it again at your behest and did find another item, however this was not the issue, but useful nonetheless so thanks.  

It appears that the article referred to by r-k was the key in terms of a resolution even though the proc hanging was hard to isolate (read, I did not find it with process explorer again as it is acting very erratic, however after applying the hotfix things seem to have reached normalcy).
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18868086
So I was right in my very first post all along, that this was caused by windows auto-update software.
If you'd turned off autoupdates you would have found out that that was the one causing it.
0
 
LVL 32

Expert Comment

by:r-k
ID: 18869517
"So I was right in my very first post all along"

Yes, rpggamergirl, you are correct once again. We may only ignore your comments at our own peril :)
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel utilizes a 3 tier structure that provides functionality for administrators, rese…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This video discusses moving either the default database or any database to a new volume.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now