Ran into another issue today where I needed to set an IFEO for the particular instance of SVCHOST.exe running terminal service. Here is the easiest way of doing so:
1) Make a copy of SVCHOST.exe on the server, name it Mysvchost.exe and leave it in %Systemroot%\system32\
2) Open regedit and go to HKLM\System\CurrentControlSet\Services\TermService (this could be whatever service you’re trying to isolate)
3) Edit “ImagePath”, “%SystemRoot%\system32\svchost.exe -k termsvcs” and change svchost.exe to “Mysvchost.exe”
4) Then I set the IFEO for Mysvchost.exe with NTSD -d, which sends the output to the kernel debugger.
6) In Business
Simple and effective…
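
The steps above as a script, with a switch to undo them once debugging is finished. This is an added example, not part of the original post. Assumptions: the parameter names and the `-Revert` switch are illustrative, `ntsd.exe` is reachable on the system path, and the IFEO value is the standard `Debugger` string under `Image File Execution Options`.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$ServiceName = 'TermService',   # service to isolate (from the post)
    [string]$CopyName    = 'Mysvchost.exe', # name of the svchost copy (from the post)
    [string]$Debugger    = 'ntsd -d',       # assumption: ntsd.exe is on the system path
    [switch]$Revert                         # hypothetical switch: undo the changes
)
$sys32   = Join-Path $env:SystemRoot 'System32'
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$ifeoKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$CopyName"

# Read ImagePath without expanding %SystemRoot%, so it can be written back as REG_EXPAND_SZ.
$raw = (Get-Item $svcKey).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')

if ($Revert) {
    # Undo: point the service back at svchost.exe, then remove the IFEO key and the copy.
    $new = $raw -ireplace [regex]::Escape($CopyName), 'svchost.exe'
    Set-ItemProperty -Path $svcKey -Name ImagePath -Value $new -Type ExpandString
    Remove-Item -Path $ifeoKey -Recurse -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $sys32 $CopyName) -ErrorAction SilentlyContinue
} else {
    # Step 1: copy svchost.exe under the new name in system32.
    Copy-Item (Join-Path $sys32 'svchost.exe') (Join-Path $sys32 $CopyName)
    # Steps 2-3: swap only the image name in ImagePath and keep the "-k <group>" argument.
    # The lookbehind matches "\svchost.exe" only, so a second run does not rewrite
    # "\Mysvchost.exe" again.
    $new = $raw -ireplace '(?<=\\)svchost\.exe', $CopyName
    Set-ItemProperty -Path $svcKey -Name ImagePath -Value $new -Type ExpandString
    # Step 4: Debugger value keyed on the copy's image name, so instances still
    # running as svchost.exe are not affected.
    New-Item -Path $ifeoKey -Force | Out-Null
    Set-ItemProperty -Path $ifeoKey -Name Debugger -Value $Debugger -Type String
}
# The new ImagePath is used the next time the service starts.
"ImagePath: $raw -> $new"
```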