Computer running slower than usual? Most probably an application taking up too many resources. Up goes the task manager to have a look under the hood – nothing strange located in the default list. You click on “Show processes from all users” > accept the UAC warning > and up comes a super long list of processes running on your system.
While passing the list you come across a bunch of svchost.exe processes but you have no idea what each one is doing, why each is running, who is running it… and most importantly, whether they are legitimate.
This is a three part post in which I explore the world of svchost.exe. In part 1, I will introduce the topic; its usage and why it is something that we should understand more about. In part 2, I will go into more depth about how the operating system makes use of this Host Process for its needs. In part 3, I will show you how to create a Powershell script which can be used to investigate and discover potential malware which can be hiding behind this innocent-looking process on your own machines.
As mentioned earlier, when investigating the list of processes running on your system, you will come across a bunch of svchost.exe processes running with the most useful description ever to help you understand what they are there for i.e. “Host process for Windows Services”… Or maybe not!
What is worse is that the task manager does not show you the source path of this process by default, therefore making it pretty easy for an attacker to just name his process as “svchost.exe”; hence enabling the malware process to hide itself amongst these generic processes which I am so used to seeing in the list.
If you are running Windows Vista or later you can actually get to see the command which launched the process via View > Select Columns… > Travel to the bottom of the list and enable “Command Line”. If you are still on Windows XP, then your only option is to get to the process id, and delve into the world of the command line to discover more…
Even after a good hard look at the command line trigger and the description, you will most probably still have no idea what all of those entries are…they look legitimate in this case as they are running from the windows system, but relatively still in the dark due to a lack of proper description or understanding what they are; We just understand that most probably they are windows services (because that is what the description says).
Another feature improvement which Microsoft did in the Windows Vista Task Manager is that you can also right click on an svchost.exe process from the Processes tab > select go to services > you will be taken to yet another page where it will automatically highlight all of the services running under the context of that svchost.exe.
Ok, so far we are still looking at this and thinking ‘huh?’ We are still at a loss of what these processes really are etc. and there is no way we want to have to stay manually going through this list every time to discover if they are all legitimate. Nor do we want to wonder whether a new piece of malware was introduced in a system which is masking itself as one of these processes. Needless to say, if seeing a long list of svchost.exe entries will become taken as normal, the chances of noticing an infiltrated malware are below slim.
We have to find out more about them, as well as devise an even better way to root out the legitimate entries from the rest!
The learning experience continues in the second part of this post, in which I will explain the under wiring of the way Microsoft operating systems make use of the svchost.exe system for their needs.
In the meantime one of the most common tools available and recommended for your perusal when discovering the world of process management is a nifty tool from SysInternals called Process Monitor which is available from: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
In the next segment I will go into more depth about how the operating system makes use of this Host Process for its needs.