Tricks with SVCHOST.EXE
Well, if you read what I wrote yesterday, you read that I put a service all
by itself in a separate SVCHOST.EXE proces.
Windows XP SP1
Service of interest: WebClnt
Binary of interest: WEBCLNT.DLL
Problem: Hangs on startup.
If you run a CMD.EXE prompt (command prompt) and type: TASKLIST
/SVC you'll see an output like this:
F:\Documents and Settings\danvdw>tasklist /SVC
Image Name
PID Services
========================= ====== =============================================
System Idle Process
0 N/A
System
4 N/A
services.exe
416 Eventlog, PlugPlay
lsass.exe
428 Netlogon, PolicyAgent, ProtectedStorage, SamSs
svchost.exe
636 RpcSs
svchost.exe
660 AudioSrv, BITS, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem,
lanmanserver, lanmanworkstation, Messenger, Netman, Nla,
Schedule, seclogon, SENS, ShellHWDetection,
srservice, TermService, Themes, uploadmgr,
W32Time,
winmgmt, wuauserv, WZCSVC
svchost.exe
772 Dnscache
svchost.exe
796 LmHosts, RemoteRegistry, SSDPSRV,
WebClient
spoolsv.exe
876 Spooler
inetinfo.exe
1084 IISADMIN, SMTPSVC,
W3SVC <Cut Short to Eliminate Boredom>
I'm interested in the one that has WebClient in it. I see it's Process
ID (PID) 796.
That's nice to know, but not really want I want. What I want to see
is WebClient all alone in an SVCHOST.EXE process. Exactly like DNSCACHE is doing.
Why can't my webclient do that too? I think it can!
If you read Raymond Chen's blog, you'll see he refers to Q314056 about SVCHOST.EXE.
Now, I mucked with the registry on this system. If you muck with your
registry, make sure you make backups of the stuff before you fool with it. I
will not be held responsible for anything you do to your registry even if it's something
I write about.
Are we clear on that?
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\svchost
Right there, under svchost, are keys and values. I'm interested in the
*value* that is Localservice and I see it's a REG_MULTI_SZ and is:
Alerter
WebClient
LmHosts
RemoteRegistry
upnphost
SSDPSRV
There's my WebClient. What if I just highlight it and take it out of
there with a DEL button press? That works.
Okay. But, I want it in it's own SVCHOST.EXE. Can I do that?
Well, I think I can if I hack some. So, let's hack:
I notice that the *keys* are similar to these values. Let's do a new
key and value. I'll call it WebClntSvc.
So, I add a Key and a Value called WebClntSvc. I could have called it
anything, like AnyNameAnything, but I called it WebClntSvc.
So, I make a REG_MULTI_SZ *value* entry called WebClntSvc and add: WebClient.
I also make a Value entry and call it WebClntSvc. What to add there?
Heck, I just copied what was in the Localservice key. That key had:
AuthenticationCapabilities, REG_DWORD, 0x2000 and CoInitializeSecurityParam,
REG_DWORD, 0x1
So, I added them both. Is that it?
No, because I see that HKLM\System\CurrentControlSet\Services is of interest
to me, based on the KB article.
If I look at HKLM\System\CurrentControlSet\Services\WebClient, I see an ImagePath
value that's a REG_SZ. I think I want to edit that and change it from:
%SystemRoot%\System32\svchost.exe -k LocalService
to
%SystemRoot%\System32\svchost.exe -k WebClntSvc
We can confirm this works by checking the interface. That's right-click
on My Computer, Select Manage, then go into the Services, find WebClient and open
it up.
Make sure the "Path to Executable" was changed. Mine would
say:
F:\WINDOWS\System32\svchost.exe -k WebClntSvc.
F: is my system drive here. Don't ask me why. You don't want to
know.
That would make sense, right? Does to me. Then, I reboot.
Now, I have a separate instance of SVCHOST.EXE running with WebClient in it.
I do.
Now, to debug it is simple. Right, I just attach my debugger to the
process that exists as SVCHOST.EXE with the one and only service in it that's WebClient.
However, I don't want to debug it as it is, I want to debug it as it starts.
Hmm... How do to that?
Well, it's tricky and I have one trick up my sleeve to use that is this:
Copy SVCHOST.EXE to SVCHOST1.EXE in the same place as SVCHOST.EXE and use SVCHOST1.EXE
in my ImageFileExecutionOptions registry setting and use SVCHOST1.EXE in the registry
location for the service for the executable.
Now, when I check the interface, my path says:
F:\WINDOWS\System32\svchost1.exe -k WebClntSvc.
There is a problem here. The default SVCHOST.EXE has a timeout for any
service. If it doesn't start in X seconds, you get a nifty dialog telling you
it didn't start, blah blah blah.
You don't get the dialog for the failure on startup, but it's not running
regarless.
I'm guessing there is a way around this, but I don't know what yet.....
Comments
- Anonymous
October 01, 2003
I see above that you've fixed this already, but IIRC John Robbins' book "Debugging Applications for Microsoft .NET and Microsoft Windows" details how to debug a service on startup. IIRC, it involves setting the ImageFileOptions key in the registry. - Anonymous
May 07, 2004
HI,
taht was a very nice articel.
by the way what is this webclient doing?
if you already debugged that thing feel free to mail me...
seven11@ny.com - Anonymous
May 17, 2004
Searching for Svchost.exe worms and found your site: It's seems to be easy to camouflage a (worm) service as svchost.exe process? (See http://www.neuber.com/taskmanager/process/svchost.exe.html) - Anonymous
May 25, 2004
I'm glad this is still up, still valuable, even in your absense!
EV - Anonymous
July 05, 2004
in our system there was some trouble that creat some problem we want some help from facilities provoiders - Anonymous
July 12, 2004
error:---
errors generated by svchost.exe & closed by windows
it cause inactive paste function
none of content shown in my network places - Anonymous
August 09, 2004
dear sir
whwnever I run my my computer connected to internet, a message appears noticing that "svchost.exe produced some errors and will be closed" and after this some links do not work. What can I do
thanks
- Anonymous
August 10, 2004
Please help
I am having a huge problem. Every time I am connected to the internet I get a message "SVCHOST.EXE has encoutered a problem and needs to close" I do send the error report and it keeps coming back, it is annoying. Also, some links does not work. Please, is there anything that can be done
Thanks