How to isolate a service in its own svchost.exe


This is a very good public link to read about service control manager internals and how to manage services.


download.microsoft.com/download/f/3/9/f3900e1e-a45c-45a4-b716-740e553e1f62/SPTCF_SYS.doc


Description of svchost.exe http://support.microsoft.com/kb/314056


As you can see, right now my BITS service is running under svchost.exe along with other services:

C:\Documents and Settings\ganand>tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       312 N/A
csrss.exe                      360 N/A
winlogon.exe                   384 N/A
services.exe                   432 Eventlog, PlugPlay
lsass.exe                      444 HTTPFilter, Netlogon, PolicyAgent,
                                   ProtectedStorage, SamSs
svchost.exe                    632 DcomLaunch
svchost.exe                    704 RpcSs
svchost.exe                    780 Dhcp, Dnscache
svchost.exe                    828 Alerter, LmHosts, W32Time,
                                   WinHttpAutoProxySvc
svchost.exe                    848 AeLookupSvc, AudioSrv, BITS, CryptSvc,
                                   dmserver, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, TrkWks, winmgmt,
                                   wuauserv, WZCSVC
spoolsv.exe                   1024 Spooler
msdtc.exe                     1052 MSDTC
svchost.exe                   1172 ERSvc
FwcAgent.exe                  1216 FwcAgent
inetinfo.exe                  1280 IISADMIN
InoRpc.exe                    1332 InoRPC
InoRT.exe                     1384 InoRT
InoTask.exe                   1420 InoTask
svchost.exe                   1528 Pml Driver HPZ12
svchost.exe                   1552 RemoteRegistry
SMAgent.exe                   1584 SoundMAX Agent Service (default)
svchost.exe                   1652 TermService
vmh.exe                       1824 vmh
searchindexer.exe             1912 WSearch
CcmExec.exe                   2052 CcmExec
vssrvc.exe                    2160 Virtual Server
svchost.exe                   2180 W3SVC
wmiprvse.exe                  2636 N/A
wmiprvse.exe                  2716 N/A
explorer.exe                  3276 N/A
GrooveMonitor.exe             3560 N/A
igfxtray.exe                  3568 N/A
hkcmd.exe                     3580 N/A
SMTray.exe                    3588 N/A
VM_STI.EXE                    3596 N/A
svchost.exe                   3780 TapiSrv
ctfmon.exe                    3768 N/A
communicator.exe              3856 N/A
Skype.exe                     4076 N/A
FwcMgmt.exe                   2644 N/A
WindowsSearch.exe             2672 N/A
ONENOTEM.EXE                  2864 N/A
wmiprvse.exe                  3260 N/A
VisualKB.exe                  3720 N/A
dexplore.exe                  1660 N/A
hh.exe                        3020 N/A
hh.exe                        3864 N/A
iexplore.exe                  1316 N/A
dllhost.exe                   3204 COMSysApp
OUTLOOK.EXE                   3904 N/A
AcroRd32.exe                   792 N/A
iexplore.exe                  4072 N/A
iexplore.exe                  3944 N/A
iexplore.exe                  2944 N/A
cmd.exe                       2084 N/A
regedit.exe                   3916 N/A
wmiprvse.exe                   816 N/A
tasklist.exe                  3492 N/A


For troubleshooting purposes, if we want to isolate any one service running under svchost.exe, we can do that using:

sc config bits type= own

Now, as you can see, BITS is running under its own svchost.exe process.


C:\Documents and Settings\ganand>tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       312 N/A
csrss.exe                      360 N/A
winlogon.exe                   384 N/A
services.exe                   432 Eventlog, PlugPlay
lsass.exe                      444 HTTPFilter, Netlogon, PolicyAgent,
                                   ProtectedStorage, SamSs
svchost.exe                    632 DcomLaunch
svchost.exe                    704 RpcSs
svchost.exe                    780 Dhcp, Dnscache
svchost.exe                    828 Alerter, LmHosts, W32Time
svchost.exe                    848 AeLookupSvc, AudioSrv, CryptSvc, dmserver,
                                   EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, ShellHWDetection,
                                   TrkWks, winmgmt, wuauserv, WZCSVC
spoolsv.exe                   1024 Spooler
msdtc.exe                     1052 MSDTC
svchost.exe                   1172 ERSvc
FwcAgent.exe                  1216 FwcAgent
inetinfo.exe                  1280 IISADMIN
InoRpc.exe                    1332 InoRPC
InoRT.exe                     1384 InoRT
InoTask.exe                   1420 InoTask
svchost.exe                   1528 Pml Driver HPZ12
svchost.exe                   1552 RemoteRegistry
SMAgent.exe                   1584 SoundMAX Agent Service (default)
svchost.exe                   1652 TermService
vmh.exe                       1824 vmh
searchindexer.exe             1912 WSearch
CcmExec.exe                   2052 CcmExec
vssrvc.exe                    2160 Virtual Server
svchost.exe                   2180 W3SVC
wmiprvse.exe                  2636 N/A
wmiprvse.exe                  2716 N/A
explorer.exe                  3276 N/A
GrooveMonitor.exe             3560 N/A
igfxtray.exe                  3568 N/A
hkcmd.exe                     3580 N/A
SMTray.exe                    3588 N/A
VM_STI.EXE                    3596 N/A
svchost.exe                   3780 TapiSrv
ctfmon.exe                    3768 N/A
communicator.exe              3856 N/A
Skype.exe                     4076 N/A
FwcMgmt.exe                   2644 N/A
WindowsSearch.exe             2672 N/A
ONENOTEM.EXE                  2864 N/A
wmiprvse.exe                  3260 N/A
VisualKB.exe                  3720 N/A
dexplore.exe                  1660 N/A
hh.exe                        3020 N/A
hh.exe                        3864 N/A
iexplore.exe                  1316 N/A
dllhost.exe                   3204 COMSysApp
OUTLOOK.EXE                   3904 N/A
AcroRd32.exe                   792 N/A
iexplore.exe                  4072 N/A
iexplore.exe                  3944 N/A
iexplore.exe                  2944 N/A
cmd.exe                       2084 N/A
regedit.exe                   3916 N/A
wmiprvse.exe                   816 N/A
svchost.exe                   1780 BITS
tasklist.exe                   608 N/A
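
The isolation step and its verification as one script (an added example, not code from the original post). It assumes an elevated PowerShell 3.0 or later session; Get-ServiceHost and Set-ServiceIsolation are hypothetical helper names.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumes PowerShell 3.0+ (Get-CimInstance); function names are hypothetical.

function Get-ServiceHost {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found." }
    # Every other service reporting the same PID shares the host process.
    $shared = @()
    if ($svc.ProcessId -ne 0) {
        $shared = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
            Where-Object { $_.Name -ne $svc.Name } |
            Select-Object -ExpandProperty Name)
    }
    [pscustomobject]@{
        Name       = $svc.Name
        State      = $svc.State
        Type       = $svc.ServiceType      # "Own Process" or "Share Process"
        ProcessId  = $svc.ProcessId
        SharedWith = $shared
    }
}

function Set-ServiceIsolation {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('own', 'share')][string]$Type = 'own'
    )
    # In PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
    # sc.exe requires the space after "type=".
    & sc.exe config $Name type= $Type | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE." }
    # The new type applies the next time the service starts.
    Restart-Service -Name $Name -Force
    Get-ServiceHost -Name $Name
}

Get-ServiceHost -Name BITS      # before: SharedWith lists the co-hosted services
$after = Set-ServiceIsolation -Name BITS -Type own
$after
if ($after.SharedWith.Count -gt 0) {
    Write-Warning "BITS still shares PID $($after.ProcessId); a reboot may be required."
}
# To undo after troubleshooting: Set-ServiceIsolation -Name BITS -Type share
```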


 


Gaurav Anand


This posting is provided “AS IS” with no warranties, and confers no rights.

Comments (6)

  1. Anonymous says:

    In this other article, Gaurav Anand shows in a very simple way how to isolate services that act as

  2. Blaine says:

    Did this, seen it on several sites, did not work. It says "SUCCESS", but after repopulating the table it still shows them all in the same group. HELP

  3. Tingu says:

    You need to reboot the box to get it populated

  4. mike says:

    Doing this for RDP and the dreaded event 7011 umrdpservice

  5. KikoV says:

    @Mike, I haven’t got it. umrdpservice doesn’t start in own mode type.
    Did you get it?