none
Identifying svchost.exe DLLs from registry keys RRS feed

  • Question

  • I'm writing a small security tool that investigates which .exes and .DLLs are being run by current services but I'm coming across a problem identifying .dlls from the appropriate registry keys.

    I understand that svchost.exe loads DLLs by using the -k parameter to define which group of DLLs to load as the services. The tag (string) following the -k parameter points to the registry key value at:

    HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\

    which has a value of a list of service names to find the list of services to load, and then each service in that list, use the key:

    HKLM:\SYSTEM\CurrentControlSet\Services\<NAME>\Parameters

    (with <NAME> replaced by each of the services in the list of services to load.) In this key, the value 'Service.Dll' gives the path to the DLL that svchost.exe will run.

    So far, all good... BUT... if you take the example from my Windows 10 Pro installation, there is an svchost.exe like this:

    svchost.exe -k netsvcs

    and in HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\, the key 'netsvcs' points to the list of services:

    CertPropSvc SCPolicySvc lanmanserver gpsvc IKEEXT iphlpsvc seclogon msiscsi EapHost schedule winmgmt ProfSvc SessionEnv wercplsupport PushToInstall InstallService TroubleshootingSvc LxpSvc shpamsvc XblGameSave DmEnrollmentSvc Themes WManSvc TokenBroker lfsvc FastUserSwitchingCompatibility Ias Irmon Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess SRService Tapisrv Wmi WmdmPmSp wuauserv BITS ShellHWDetection LogonHours PCAudit helpsvc uploadmgr dmwappushservice wisvc NetSetupSvc WpnService XboxNetApiSvc UsoSvc UserManager DsmSvc wlidsvc XboxGipSvc NcaSvc AppInfo XblAuthManager NaturalAuthentication browser BDESVC AppMgmt LxssManager

    but although many of these services have an appropriate registry entry - example: HKLM:\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters has a value of Service.Dll of "%systemroot%\system32\profsvc.dll" (which is the DLL loaded and executed) there are lots of services that don't have a corresponding key.

    For example, a service you can see in this list above is 'FastUserSwitchingCompatibility' from the list of services for the svchost.exe group 'netsvcs' listed abovem but it doesn't have a corresponding key:

    HKLM:\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters

    So... finally... my question is... how do I know which DLL is loaded when there isn't a corresponding subkey in the key HKLM:\SYSTEM\CurrentControlSet\Services?

    There must be some way that Windows knows where to look ,but I can't see how it knows this!

    Saturday, November 9, 2019 9:59 AM

All replies

  • Hello,

    Thank you for posting in our forum.

    In order for you to solve the problem better, we recommend that you go to Microsoft to open a case。

    The following is the link to open the case:
    1.https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial
    2.https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thank you for your understanding and support.

    Best regards,
    Cynthia

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 11, 2019 10:28 AM
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    Cynthia


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 13, 2019 2:19 AM