Due to the comments on my blog entry about the RemoteRegistry process, I figured I would try to educate myself about it and share that learning with all of you. In my attempt to educate myself on the RemoteRegistry process, I am having fun with a variety of command-line tools, such as SC and TaskList. These tools are useful for digging into any process, but my examples are focused on RemoteRegistry. Here is what I have dug into so far, complete with a description and the outcome of each command-line task that I have found interesting:
Display services in each process. I deleted everything except the svchost.exe instance that is running RemoteRegistry:
C:\>tasklist /SVC
Image Name PID Services
========================= ====== ============================================
svchost.exe 256 LmHosts, RemoteRegistry, SSDPSRV, WebClient
Display a set of tasks that match the given criteria specified by the filter. The filter is for PIDs that equal “ 256”. Notice the extra space before the three-digit 256:
C:\>tasklist /FI "PID eq 256"
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
svchost.exe 256 Console 0 1,812 K
Display the extended status of the service:
C:\>sc queryex RemoteRegistry
SERVICE_NAME: RemoteRegistry
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 256
FLAGS :
Query the configuration information for the service:
C:\>sc qc RemoteRegistry
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: RemoteRegistry
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Registry
DEPENDENCIES : RPCSS
SERVICE_START_NAME : NT AUTHORITY\LocalService
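The same four lookups, pulled together in one script so you can run them against any service name. This is an added example and not code from the original post: it uses Win32_Service (whose ProcessId, StartMode, PathName and StartName fields carry the PID, START_TYPE, BINARY_PATH_NAME and SERVICE_START_NAME values shown above), lists every service sharing that svchost.exe PID the way tasklist /SVC does, and cross-checks the -k group from the binary path against the Svchost group definition in the registry. The script name, the $ServiceName parameter and the "warn if not Disabled" rule at the end are assumptions of this example, not something the original post states.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, run with rights to query services and read HKLM.
param([string]$ServiceName = 'RemoteRegistry')   # short name, as used with sc.exe

# Win32_Service exposes the same facts as `sc queryex` and `sc qc`:
# ProcessId (PID), StartMode (START_TYPE), PathName (BINARY_PATH_NAME), StartName (SERVICE_START_NAME).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }

[pscustomobject]@{
    Name      = $svc.Name
    State     = $svc.State        # Running / Stopped
    StartMode = $svc.StartMode    # Auto / Manual / Disabled
    ProcessId = $svc.ProcessId    # 0 when the service is not running
    PathName  = $svc.PathName
    RunsAs    = $svc.StartName
}

# Equivalent of `tasklist /SVC` filtered to that PID: every service sharing the same
# svchost.exe instance (TYPE 20 WIN32_SHARE_PROCESS means one process hosts several services).
if ($svc.ProcessId -gt 0) {
    $siblings = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Select-Object -ExpandProperty Name
    "Services hosted in PID $($svc.ProcessId): $($siblings -join ', ')"
}

# The `-k LocalService` argument in the binary path names an svchost group. Group
# membership is defined in the registry; comparing it with the live list above shows
# whether the process is hosting exactly what the group definition says it should.
$group = if ($svc.PathName -match '-k\s+(\S+)') { $Matches[1] }
if ($group) {
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members = (Get-ItemProperty -Path $key).$group
    "Registry members of svchost group '$group': $($members -join ', ')"
}

# Defender's check (an assumption of this example, not a rule from the post): on hosts
# that do not need remote registry access, the service is expected to be Disabled.
if ($ServiceName -eq 'RemoteRegistry' -and $svc.StartMode -ne 'Disabled') {
    Write-Warning ("RemoteRegistry start mode is '$($svc.StartMode)'. " +
        "To disable it: Set-Service -Name RemoteRegistry -StartupType Disabled")
}
```

Save it as, say, Get-ServiceHost.ps1 and run `.\Get-ServiceHost.ps1` for RemoteRegistry or `.\Get-ServiceHost.ps1 -ServiceName WebClient` for any other service. The group cross-check is the part worth keeping: a service appearing in the PID listing but not in the registry group, or the reverse, is the kind of mismatch you would want to look at more closely.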
So what do I do with this information now that I have it? Well, I haven’t gotten that far yet. If I do, I’ll update my blog.