JSI Tip 4660. What is the Svchost.exe process(es) in Windows XP?
January 8, 2002
In tip 2060, I explained the Svchost process in Windows 2000.
In tip 4310, you can see multiple Svchost processes in Windows XP.
%SystemRoot%\System32\Svchost.exe is a generic process name for services that run from dynamic-link libraries (DLLs). When you start Windows XP, Svchost.exe constructs multiple lists of service groupings that need to be loaded. Multiple instances of Svchost.exe can run at the same time. Svchost.exe groups are defined at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost.
Each Value Name contains a list of included ServiceDLL values, in a REG_MULTI_SZ data type. These services are extracted from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services.
To see the list of active services in each process, open a CMD prompt and type:
Tasklist /SVC
The following was displayed from one of my Windows XP Professional computers:
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     372 N/A
csrss.exe                    484 N/A
winlogon.exe                 512 N/A
services.exe                 572 Eventlog, PlugPlay
lsass.exe                    584 Netlogon, PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  748 RpcSs
svchost.exe                  816 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, lanmanserver,
                                 lanmanworkstation, Messenger, Netman, Nla,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TermService, Themes, TrkWks,
                                 uploadmgr, W32Time, winmgmt, WmdmPmSp,
                                 wuauserv, WZCSVC
svchost.exe                  920 Dnscache
svchost.exe                  964 Alerter, LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1048 Spooler
explorer.exe                1328 N/A
TaskSwitch.exe              1484 N/A
taskmgr.exe                 1512 N/A
point32.exe                 1536 N/A
msmsgs.exe                  1560 N/A
fastkey.exe                 1568 N/A
IEXPLORE.EXE                1580 N/A
prntscrn.exe                1596 N/A
SetiSpy.exe                 1604 N/A
setiathome-3.03.i386-winn   1676 N/A
svchost.exe                 1828 stisvc
UdServe.exe                 1852 UndeleteService
Fast.exe                    1984 InteractiveLogon
dllhost.exe                 1224 COMSysApp
msdtc.exe                   1208 MSDTC
wmiprvse.exe                3056 N/A
cmd.exe                     3428 N/A
tasklist.exe                3460 N/A
The matching registry entries are:
Key Name: SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

Name: imgsvc
Type: REG_MULTI_SZ
Data: StiSvc

Name: LocalService
Type: REG_MULTI_SZ
Data: Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV

Name: netsvcs
Type: REG_MULTI_SZ
Data: 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt TermService wuauserv BITS ShellHWDetection helpsvc uploadmgr

Name: NetworkService
Type: REG_MULTI_SZ
Data: DnsCache

Name: rpcss
Type: REG_MULTI_SZ
Data: RpcSs

Name: termsvcs
Type: REG_MULTI_SZ
Data: TermService
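As an added example (not part of the original tip), the Python code below cross-checks Tasklist /SVC output against the Svchost group lists: for each svchost.exe PID it reports which registry group its services share, and it flags any service that appears in no group, which is inconsistent with the registry listing and worth a closer look. The function names are this example's own, the data is a shortened copy of the listings above, and the PID 2044 row with ExampleSvc is constructed for illustration.

```python
import re

# Svchost groups as listed on this page (netsvcs shortened to the services used below).
GROUPS = {
    "imgsvc": "StiSvc", "rpcss": "RpcSs", "termsvcs": "TermService",
    "LocalService": "Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV",
    "netsvcs": "AudioSrv Browser CryptSvc DHCP Schedule TermService winmgmt wuauserv",
    "NetworkService": "DnsCache",
}
# Tasklist /SVC rows from this page (PID 816 shortened) plus one constructed row
# (PID 2044, "ExampleSvc") whose service is listed in no group.
TASKLIST = """\
svchost.exe                  748 RpcSs
svchost.exe                  816 AudioSrv, Browser, CryptSvc, Dhcp, Schedule,
                                 TermService, winmgmt, wuauserv
svchost.exe                  920 Dnscache
svchost.exe                  964 Alerter, LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 1828 stisvc
svchost.exe                 2044 ExampleSvc
"""
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, services

def parse_tasklist(text):
    """Return [(image, pid, [services])]; indented lines continue the previous row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append([m.group(1), int(m.group(2)), m.group(3)])
        elif line.strip() and rows:
            rows[-1][2] += " " + line.strip()
    return [(img, pid, [s.strip() for s in svc.split(",") if s.strip() not in ("", "N/A")])
            for img, pid, svc in rows]

def audit(rows, groups):
    """Per svchost.exe PID: (groups shared by its known services, services in no group)."""
    member = {}  # lower-cased service name -> set of group names
    for group, data in groups.items():
        for svc in data.split():
            member.setdefault(svc.lower(), set()).add(group)
    result = {}
    for img, pid, svcs in rows:
        if img.lower() == "svchost.exe":
            known = [member[s.lower()] for s in svcs if s.lower() in member]
            shared = sorted(set.intersection(*known)) if known else []
            result[pid] = (shared, [s for s in svcs if s.lower() not in member])
    return result

if __name__ == "__main__":
    print(audit(parse_tasklist(TASKLIST), GROUPS))
```

Service names are compared case-insensitively because Tasklist and the registry differ in case (Dnscache versus DnsCache, stisvc versus StiSvc).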