Identifying svchost.exe DLLs from registry keys

  • Question

  • I'm writing a small security tool that investigates which .exes and .DLLs are being run by current services but I'm coming across a problem identifying .dlls from the appropriate registry keys.

    I understand that svchost.exe loads DLLs by using the -k parameter to define which group of DLLs to load as the services. The tag (string) following the -k parameter points to the registry key value at:

    HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\

    which has a value of a list of service names to find the list of services to load, and then each service in that list, use the key:

    HKLM:\SYSTEM\CurrentControlSet\Services\<NAME>\Parameters

    (with <NAME> replaced by each of the services in the list of services to load.) In this key, the value 'Service.Dll' gives the path to the DLL that svchost.exe will run.

    So far, all good... BUT... if you take the example from my Windows 10 Pro installation, there is an svchost.exe like this:

    svchost.exe -k netsvcs

    and in HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\, the key 'netsvcs' points to the list of services:

    CertPropSvc SCPolicySvc lanmanserver gpsvc IKEEXT iphlpsvc seclogon msiscsi EapHost schedule winmgmt ProfSvc SessionEnv wercplsupport PushToInstall InstallService TroubleshootingSvc LxpSvc shpamsvc XblGameSave DmEnrollmentSvc Themes WManSvc TokenBroker lfsvc FastUserSwitchingCompatibility Ias Irmon Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess SRService Tapisrv Wmi WmdmPmSp wuauserv BITS ShellHWDetection LogonHours PCAudit helpsvc uploadmgr dmwappushservice wisvc NetSetupSvc WpnService XboxNetApiSvc UsoSvc UserManager DsmSvc wlidsvc XboxGipSvc NcaSvc AppInfo XblAuthManager NaturalAuthentication browser BDESVC AppMgmt LxssManager

    but although many of these services have an appropriate registry entry - example: HKLM:\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters has a value of Service.Dll of "%systemroot%\system32\profsvc.dll" (which is the DLL loaded and executed) there are lots of services that don't have a corresponding key.

    For example, a service you can see in this list above is 'FastUserSwitchingCompatibility' from the list of services for the svchost.exe group 'netsvcs' listed above, but it doesn't have a corresponding key:

    HKLM:\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters

    So... finally... my question is... how do I know which DLL is loaded when there isn't a corresponding subkey in the key HKLM:\SYSTEM\CurrentControlSet\Services?

    There must be some way that Windows knows where to look, but I can't see how it knows this!

    Saturday, November 9, 2019 9:59 AM

All replies

  • Hello,

    Thank you for posting in our forum.

    In order for you to solve the problem better, we recommend that you go to Microsoft to open a case.

    The following is the link to open the case:
    1.https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial
    2.https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thank you for your understanding and support.

    Best regards,
    Cynthia

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 11, 2019 10:28 AM
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    Cynthia


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 13, 2019 2:19 AM
  • Hi,

     

    Just want to confirm the current situations.

     

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Cynthia


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 15, 2019 9:48 AM
  • the support pages state that I don't have a support plan with the message 'We were unable to find an eligible support plan associated with your account. Please add a support plan from the options below'

    so that's a no starter for me!

    Thursday, November 28, 2019 11:39 AM
  • Try this Powershell script. Note, I do not know how MS processes services like UserDataSvc_782fa. Massaging the name appears to work. 

    Get-Service | %{
        ""
        "{0}  -  {1}" -f $_.name, $_.DisplayName
        # Top-level service key: ImagePath, and for a few services the ServiceDll itself
        $svc = Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\$($_.name)" -ErrorAction SilentlyContinue
        "ImagePath - {0}" -f $svc.Imagepath
        if ($svc.servicedll -ne $null) {
            "ServiceDLL# - {0}" -f $svc.servicedll
        }
        else {
            # Usual location for svchost-hosted services: <Name>\Parameters\ServiceDll
            $svcp = Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\$($_.name)\Parameters" -ErrorAction SilentlyContinue
            if ($svcp.servicedll -eq $null) {
                if (($svc.Imagepath -match 'windows\\system32\\svchost.exe')){
                    # Per-user services carry a suffix (e.g. UserDataSvc_782fa); strip it and
                    # look up the template service key instead.
                    $sn = $_.name.substring(0,$_.name.Length -6)   # suffix appears to be a string unique to each user
                    $svcp = Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\$sn\Parameters" -ErrorAction SilentlyContinue
                    if ($svcp.servicedll -eq $null) {
                        "********************************************************************************"
                        "     I don't know."
                        "********************************************************************************"
                    }
                    else {
                       "ServiceDLL* - {0}" -f $svcp.servicedll
                    }
                }
            }
            else {
                "ServiceDLL - {0}" -f $svcp.servicedll
            }
        }
    }

    Thursday, November 28, 2019 9:32 PM
  • thanks for taking the time to do that and I feel like I'm really close to understanding this, BUT what's interesting is that I'm using 

    Get-WmiObject win32_service | Select-Object -Property PathName


    and it is returning all of the services in the same way as if I'd used Get-Service but I'm handling the svchost.exe service DLLs slightly differently to your script.

    For a service pathname such as

    PathName=C:\Windows\system32\svchost.exe -k netsvcs

    I look in the key 

    HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

    and it lists the individual 'sub services' as

    CertPropSvc SCPolicySvc lanmanserver gpsvc IKEEXT iphlpsvc seclogon msiscsi EapHost schedule winmgmt ProfSvc SessionEnv wercplsupport PushToInstall InstallService TroubleshootingSvc LxpSvc shpamsvc XblGameSave DmEnrollmentSvc Themes WManSvc TokenBroker lfsvc FastUserSwitchingCompatibility Ias Irmon Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess SRService Tapisrv Wmi WmdmPmSp wuauserv BITS ShellHWDetection LogonHours PCAudit helpsvc uploadmgr dmwappushservice wisvc NetSetupSvc WpnService XboxNetApiSvc UsoSvc UserManager DsmSvc wlidsvc XboxGipSvc NcaSvc AppInfo XblAuthManager NaturalAuthentication browser BDESVC AppMgmt LxssManager

    I then check each of these in 

    HKLM:\SYSTEM\CurrentControlSet\Services\<NAME>\Parameters

    e.g.

    HKLM:\SYSTEM\CurrentControlSet\Services\CertPropSvc\Parameters

    and check the .servicedll property (as you do).

    So that all seems peachy, but if you look at the 'sub service' Ias (from the list for netsvcs above) there is no registry entry of the form 

    HKLM:\SYSTEM\CurrentControlSet\Services\Ias\Parameters

    So... I'm wondering if this is because of the following reasoning: "if the sub service key is defined, a service dll starts, otherwise the OS just ignores it and moves on"? 

    Seems feasible (if a bit of a kludge)

    Friday, November 29, 2019 10:00 AM
  • I look in the key 

    HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

    and it lists the individual 'sub services' as

     Rasauto Rasman Remoteaccess 

    That appears to be just the base group definition. If the remote access feature is not installed, then those 3 services won't be defined. 

    Your Get-WmiObject call is already looping through all defined services, why are you looking at this key? 

    • Edited by MotoX80 Friday, November 29, 2019 7:18 PM
    Friday, November 29, 2019 3:38 PM
  • >> Your Get-WmiObject call is already looping though all defined services, why are you looking at this key? 

    it's not, it only points at svchost.exe with a generic service tag (e.g. 'netsvcs') so to work out which dll's this then loads you need to look at that key

    Friday, November 29, 2019 9:31 PM
  • Just use the name of the service. Sure, you only have a single executing svchost.exe for the RPCSS group, but they show up as individual services.

    Consider this:

    C:\WINDOWS\system32>tasklist /svc
    Image Name                     PID Services
    ========================= ======== ============================================
    svchost.exe                    868 RpcEptMapper, RpcSs

    C:\WINDOWS\system32>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v rpcss
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
        rpcss    REG_MULTI_SZ    RpcEptMapper\0RpcSs

    And running my script:

    RpcEptMapper  -  RPC Endpoint Mapper
    ImagePath - C:\WINDOWS\system32\svchost.exe -k RPCSS -p
    ServiceDLL - C:\WINDOWS\System32\RpcEpMap.dll

    RpcSs  -  Remote Procedure Call (RPC)
    ImagePath - C:\WINDOWS\system32\svchost.exe -k rpcss -p
    ServiceDLL - C:\WINDOWS\system32\rpcss.dll

    Get-WmiObject win32_service | Select-Object -Property Name, PathName

    PS C:\> Get-WmiObject win32_service -filter "name like 'rpc%'" | Select-Object -Property Name, PathName
    Name         PathName
    ----         --------
    RpcEptMapper C:\WINDOWS\system32\svchost.exe -k RPCSS -p
    RpcLocator   C:\WINDOWS\system32\locator.exe
    RpcSs        C:\WINDOWS\system32\svchost.exe -k rpcss -p

    • Edited by MotoX80 Saturday, November 30, 2019 3:54 PM
    Saturday, November 30, 2019 1:41 AM
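    The approach the thread converges on (walk the defined services rather than the svchost group lists, and resolve each one's ServiceDll) combined with the original question (which group members have no Services subkey at all), as an added example that is not code from either poster. It assumes an elevated PowerShell 5.1+ session on Windows and uses only the registry paths named in the thread; the signature check is an addition a defender would want, since an unsigned or relocated ServiceDll is the thing worth noticing.

    ```powershell
    # Added example, not from the original thread.
    $svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $groupRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

    function Resolve-ServiceDll {
        param([string]$Name)
        # ServiceDll normally sits under <Name>\Parameters; a few services keep it at the top level.
        foreach ($key in @("$svcRoot\$Name\Parameters", "$svcRoot\$Name")) {
            $p = Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue
            if ($p -and $p.ServiceDll) { return [Environment]::ExpandEnvironmentVariables($p.ServiceDll) }
        }
        # Per-user services (e.g. UserDataSvc_782fa) inherit from the template key without the hex suffix.
        if ($Name -match '^(.+)_[0-9a-fA-F]+$') { return Resolve-ServiceDll -Name $Matches[1] }
        return $null
    }

    # 1. Every service hosted by svchost.exe: group tag, resolved DLL, Authenticode status.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe' } |
        ForEach-Object {
            $group = if ($_.PathName -match '-k\s+(\S+)') { $Matches[1] } else { '' }
            $dll   = Resolve-ServiceDll -Name $_.Name
            $sig   = if ($dll -and (Test-Path -LiteralPath $dll)) {
                         (Get-AuthenticodeSignature -FilePath $dll).Status
                     } else { 'MISSING' }
            [pscustomobject]@{
                Service    = $_.Name
                Group      = $group
                ServiceDll = $dll
                Signature  = $sig      # anything other than 'Valid' deserves a look
            }
        } | Sort-Object Signature, Service | Format-Table -AutoSize

    # 2. Group members listed under the Svchost key with no Services\<Name> subkey.
    #    These are inert entries (feature not installed), e.g. Ias or Rasman in the thread.
    $groups = Get-Item -Path $groupRoot
    foreach ($g in $groups.GetValueNames()) {
        $members = $groups.GetValue($g)
        if ($members -is [string[]]) {
            $undefined = $members | Where-Object { -not (Test-Path -LiteralPath "$svcRoot\$_") }
            if ($undefined) { "{0}: not defined on this host -> {1}" -f $g, ($undefined -join ', ') }
        }
    }
    ```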
  • Hi,

     

    Just want to confirm the current situations.

     

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Cynthia


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 2, 2019 1:43 AM
  • Hi,

     

    Was your issue resolved?

     

    If no, please reply and tell us the current situation in order to provide further help.

     

    Best Regards,

    Cynthia


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 4, 2019 1:40 AM