4.13.1. Win32 services hosting
The services.exe process hosts many services, which can be identified by looking
for services.exe in the following registry value of each service
service_name:
Key: HKLM\SYSTEM\CurrentControlSet\Services\service_name\
Value: ImagePath
Three instances of svchost.exe processes can be found on a Windows 2000 system.
Among them, one instance (netsvcs instance) typically hosts different services.
Services hosted in svchost.exe processes appear in the registry:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\
Values: netsvcs, rpcss, tapisrv
More precisely, on Windows 2000 systems, the following Win32 services run in the
following processes:
- lsass.exe: kdc, netlogon, NtLmSsp, PolicyAgent, SamSs
- services.exe: Alerter, AppMgmt, Browser, Dhcp, dmserver, Dnscache,
Eventlog, lanmanserver, lanmanworkstation, LmHosts, Messenger, PlugPlay,
ProtectedStorage, seclogon, TrkSvr, TrkWks, W32Time, Wmi
- svchost.exe (netsvcs instance): EventSystem, Ias, Iprip, Irmon,
Netman, Nwsapagent, Rasauto, Rasman, Remoteaccess, SENS, Sharedaccess,
Ntmssvc
- svchost.exe (rpcss instance): rpcss
- svchost.exe (tapisrv instance): Tapisrv
On Windows XP systems, Win32 services run in the following processes:
- lsass.exe: Netlogon, NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
- services.exe: Eventlog, PlugPlay
- svchost.exe (LocalService instance, running as LocalService): Alerter, WebClient, LmHosts,
RemoteRegistry, upnphost, SSDPSRV
- svchost.exe (NetworkService instance, running as NetworkService): DnsCache
- svchost.exe (netsvcs instance): 6to4, AppMgmt, AudioSrv, Browser,
CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility,
HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman,
Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess,
Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks,
W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS,
ShellHWDetection, helpsvc, uploadmgr
- svchost.exe (rpcss instance): rpcss
- svchost.exe (termsvcs instance): TermService
- svchost.exe (imgsvc instance): StiSvc
On Windows Server 2003 systems, Win32 services are organized as follows:
- lsass.exe: HTTPFilter, kdc, Netlogon, NtLmSsp, PolicyAgent,
ProtectedStorage, SamSs
- services.exe: Eventlog, PlugPlay
- svchost.exe (LocalService instance, running as LocalService): Alerter,
WebClient, LmHosts, WinHttpAutoProxySvc
- svchost.exe (NetworkService instance, running as NetworkService): 6to4,
DHCP, DnsCache
- svchost.exe (netsvcs instance): AppMgmt, AudioSrv, Browser, CryptSvc,
DMServer, EventSystem, HidServ, Ias, Iprip, Irmon, LanmanServer,
LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent,
Rasauto, Rasman, Remoteaccess, Sacsvr, Schedule, Seclogon, SENS, Sharedaccess,
Themes, TrkWks, TrkSvr, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wuauserv, BITS,
ShellHWDetection, helpsvc, uploadmgr, WmdmPmSN
- svchost.exe (rpcss instance): rpcss
- svchost.exe (regsvc instance): RemoteRegistry
- svchost.exe (swprv instance): swprv
- svchost.exe (tapisrv instance): Tapisrv
- svchost.exe (termsrv instance): TermService
- svchost.exe (WinErr instance): ERsvc
- svchost.exe (imgsvc instance): StiSvc
To determine which services are hosted by which processes on a running system,
the following tools can be used:
- the Process Explorer tool [91]
- option /s of the tlist utility (part of Windows 2000 support
tools)
- option /svc of the tasklist utility (available in Windows XP and
later)
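The two views described above (the static one from the ImagePath and Svchost registry values, and the live one from tasklist /svc) can be cross-checked against each other. The following script is an added example and is not part of the original document: it classifies services by host process from their ImagePath values, parses the text output of tasklist /svc, and reports services whose declared host disagrees with the process actually hosting them, or whose ImagePath names an svchost group that does not list them. All registry values, service names and the tasklist output below are constructed sample data, not taken from a real system; the values of a real system would be read from the registry keys named in this section.

```python
import re
from collections import defaultdict

# Constructed ImagePath values (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath),
# keyed by service name. Not taken from a real system.
IMAGE_PATHS = {
    "Eventlog": r"%SystemRoot%\system32\services.exe",
    "Netlogon": r"%SystemRoot%\system32\lsass.exe",
    "RpcSs": r"%SystemRoot%\system32\svchost -k rpcss",
    "Browser": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "W32Time": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "Dnscache": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
    "Schedule": r'"C:\Program Files\Example\schedhelper.exe" -service',  # constructed path
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
}

# Constructed contents of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
# (value name = service group, data = member services). W32Time is deliberately absent.
SVCHOST_GROUPS = {
    "netsvcs": ["Browser", "Schedule"],
    "rpcss": ["RpcSs"],
    "NetworkService": ["Dnscache"],
}

# Constructed `tasklist /svc` output in the same layout the real tool prints.
TASKLIST_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   472 Eventlog, PlugPlay
lsass.exe                      484 Netlogon, PolicyAgent, SamSs
svchost.exe                    836 RpcSs
svchost.exe                    896 Browser, Dhcp, Dnscache, EventSystem,
                                   Schedule, W32Time
spoolsv.exe                   1024 Spooler
"""


def parse_image_path(image_path):
    """Return (host executable name in lower case, svchost group or None)."""
    s = image_path.strip()
    if s.startswith('"'):                      # quoted path, possibly containing spaces
        end = s.find('"', 1)
        exe_part, args = s[1:end], s[end + 1:]
    else:
        parts = s.split(None, 1)
        exe_part, args = parts[0], (parts[1] if len(parts) > 1 else "")
    exe = exe_part.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not exe.endswith(".exe"):               # registry entries may omit the extension
        exe += ".exe"
    group = None
    if exe == "svchost.exe":
        m = re.search(r"-k\s+(\S+)", args, re.IGNORECASE)
        group = m.group(1) if m else None
    return exe, group


def group_by_host(image_paths):
    """Group service names by host process (and svchost group), as in the lists above."""
    hosts = defaultdict(list)
    for svc, path in image_paths.items():
        exe, group = parse_image_path(path)
        hosts[f"{exe} ({group})" if group else exe].append(svc)
    return {k: sorted(v) for k, v in hosts.items()}


def _split_services(field):
    return [x.strip() for x in field.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into {pid: (image name, [services])}."""
    procs, last_pid, in_table = {}, None, False
    for line in text.splitlines():
        if not in_table:                       # skip the header until the ==== separator
            in_table = line.startswith("=")
            continue
        if not line.strip():
            continue
        if line[0].isspace() and last_pid is not None:   # wrapped continuation line
            procs[last_pid][1].extend(_split_services(line))
            continue
        m = re.match(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$", line)
        if m:
            last_pid = int(m.group("pid"))
            procs[last_pid] = (m.group("image"), _split_services(m.group("svcs")))
    return procs


def audit_hosting(image_paths, svchost_groups, procs):
    """Report services whose registry-declared host disagrees with the live process view."""
    actual = {svc.lower(): (image.lower(), pid)
              for pid, (image, svcs) in procs.items() for svc in svcs}
    findings = []
    for svc, path in image_paths.items():
        exe, group = parse_image_path(path)
        if exe == "svchost.exe":
            members = {m.lower() for g, ms in svchost_groups.items()
                       if g.lower() == (group or "").lower() for m in ms}
            if svc.lower() not in members:
                findings.append(f"{svc}: ImagePath names svchost group '{group}' "
                                f"but the Svchost key does not list it there")
        if svc.lower() in actual:
            host_image, pid = actual[svc.lower()]
            if host_image != exe:
                findings.append(f"{svc}: registry host is {exe} but tasklist shows it "
                                f"in {host_image} (PID {pid})")
    return findings


if __name__ == "__main__":
    for host, svcs in group_by_host(IMAGE_PATHS).items():
        print(f"- {host}: {', '.join(svcs)}")
    for f in audit_hosting(IMAGE_PATHS, SVCHOST_GROUPS, parse_tasklist_svc(TASKLIST_OUTPUT)):
        print("FINDING:", f)
```

On a real host the dictionaries would be filled from the registry (for instance with a script that enumerates the Services key) and TASKLIST_OUTPUT from the saved output of tasklist /svc; the comparison logic does not change. Two findings are expected on the sample data: W32Time declares the netsvcs group without being listed in it, and Schedule's ImagePath points to a standalone executable while the live process list shows it inside an svchost.exe instance.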