Friday, February 29, 2008

Display services running in the Svchost.exe process group

Last time, we explained how to view additional information for each process via Task Manager's Processes tab. In Task Manager, you'll notice a process named Svchost.exe. This process doesn't appear as an application in the Applications tab--it only appears in the Process tab, and there can be multiple instances of it on a system.

Svchost.exe is a generic Windows 2000 process that runs services from Dynamic Link Libraries (DLLs). When the system starts, Svchost.exe loads the services listed in this registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
\Svchost

Each entry in this key specifies a service group and is a REG_MULTI_SZ value, which means it can contain multiple string values. These values define service names for services that are members of the group. The service names themselves come from the Svchost registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

The Processes tab doesn't display the individual services that are part of the service group, nor can you add an optional column to view the services. However, you can view the service groups' individual services using the Tlist.exe utility included with the Windows 2000 Resource Kit.

After you install Tlist.exe from the Resource Kit, open a command console and issue the command:

Tlist.exe -s or tasklist /M

Scan the resulting output and look for instances of Svchost.exe. Each Svchost line will include a list of the services running under that instance of the process.

Knowing what processes are running on a system and being able to identify those processes is an important step when troubleshooting system problems or attempting to recover a hung system without rebooting. Once you identify the hung process, you can kill the process from the Task Manager.

1 comment:

Anonymous said...

Great work.