How can I get to Dandong central hospital
Publish: 2021-05-16 23:48:40
1. In May 2017, Luban software group and Tongji University jointly researched and developed cityeye, a CIM platform based on "BIM + GSD + IOT", which integrates geospatial data (GSD) to form urban spatial database and integrates advanced digital technologies such as Internet of things, artificial intelligence, virtual reality, big data, cloud computing and blockchain, Grafting the storage management and information integration of multiple data sources to realize super large-scale city level CIM big data application, providing the whole process of visual simulation, intelligent perception and intelligent decision-making for the construction party, presenting a "visible future, computable city". At present, Luban CIM platform has been implemented in many parks and city level application demonstration projects in Yangpu Binjiang, Ouyang Road Street, Lingang Dafeng, etc., and formed strategic cooperation with smart city manufacturers such as Tencent, Hikvision, arm, Lingang, LG, etc., to jointly promote the construction of Digital China!
2. Svchost.exe is a very important process of NT core system, which is indispensable for 2000 and XP. Many viruses, Trojans will also call it. Therefore, in-depth understanding of this program is one of the required courses to play computer
you must be familiar with Windows operating system, but have you noticed the file "svchost. Exe" in the system? Careful friends will find that there are multiple "svchost" processes in windows (open the task manager with the "Ctrl + Alt + Del" key, and you can see it in the "process" tab here). Why is this so? Let's unveil its mystery
it is found that
in the windows operating system family based on NT kernel, there are different numbers of "svchost" processes in different versions of windows system, and users can view the number of "svchost" processes by using "task manager". Generally speaking, there are two svchost processes in WIN2000, four or more svchost processes in WinXP (if you see more than one of these processes in the system in the future, don't immediately determine that the system has a virus), while there are more in Win2003 server. These svchost processes provide many system services, such as rpcss service (remote process call), dmserver service (Logical Disk Manager), DHCP service (DHCP client), etc
if you want to know how many system services each svchost process provides, you can enter the "TList - s" command in the command prompt window of Win2000, which is provided by WIN2000 support tools. In WinXP, use the "tasklist / SVC" command<
svchost can contain multiple services
in depth
Windows system processes are divided into independent processes and shared processes. "Svchost.exe" file exists in the directory of% systemroot% system32, which belongs to shared process. With the increasing number of windows system services, in order to save system resources, Microsoft makes many services into sharing mode, which is started by svchost.exe process. However, svchost process only serves as a service host and can not realize any service functions, that is, it can only provide conditions for other services to be started here, but it can not provide any services to users. How are these services implemented
originally, these system services are implemented in the form of dynamic link library (DLL). They point the executable program to svchost, and svchost calls the DLL of the corresponding service to start the service. How does svchost know which DLL a system service should call? This is achieved through the parameters set by the system service in the registry. Next, take rpcss (remote Procere call) service as an example to explain
it can be seen from the startup parameters that the service is started by svchost
instance
take Windows XP as an example, click Start / run, enter the command "services. MSc" to open the service dialog box, and then open the "remote Procere call" attribute dialog box. You can see that the path of the executable file of rpcss service is "C: &# 92; windows\ system32\ This shows that the rpcss service is implemented by calling the "rpcss" parameter from svchost, and the content of the parameter is stored in the system registry
Enter "regedit. Exe" in the running dialog box and press enter to open the registry editor and find [HKEY_ local_ [machine] key, find the type 'reg'_ expand_ The key "magepath" of "SZ" is "% systemroot% system32svchost - K rpcss" (this is the service startup command seen in the service window). In addition, there is a key named "servicedll" in the "parameters" subkey, whose value is "% systemroot% system32rpcss. DLL", where "rpcss. DLL" is the DLL file to be used by rpcss service. In this way, the svchost process can start the service by reading the "rpcss" service registry information
puzzle solving
because svchost process starts various services, viruses and Trojans try their best to make use of it, trying to use its characteristics to confuse users and achieve the purpose of infection, invasion and destruction (such as shock wave variant virus "W32. Welchia. Worm"). But it is normal for Windows system to have multiple svchost processes. Which one is the virus process in the infected machine? Here is just one example
suppose Windows XP system is infected by "W32. Welchia. Worm". The normal svchost file exists in "C: & # 92; windows\ If you find that the file appears in other directories, you should be careful“ W32. Welchia. Worm "virus exists in" C: & # 92; windows\ Therefore, it is easy to find out whether the system is infected with virus by using the process manager to check the execution file path of svchost process. The task manager of windows system can't view the path of the process. You can use the third-party process management software, such as "windows optimization master" process manager. Through these tools, you can easily check and see the execution file path of all svchost processes. Once you find that the execution path is an unusual location, you should immediately detect and deal with it.
you must be familiar with Windows operating system, but have you noticed the file "svchost. Exe" in the system? Careful friends will find that there are multiple "svchost" processes in windows (open the task manager with the "Ctrl + Alt + Del" key, and you can see it in the "process" tab here). Why is this so? Let's unveil its mystery
it is found that
in the windows operating system family based on NT kernel, there are different numbers of "svchost" processes in different versions of windows system, and users can view the number of "svchost" processes by using "task manager". Generally speaking, there are two svchost processes in WIN2000, four or more svchost processes in WinXP (if you see more than one of these processes in the system in the future, don't immediately determine that the system has a virus), while there are more in Win2003 server. These svchost processes provide many system services, such as rpcss service (remote process call), dmserver service (Logical Disk Manager), DHCP service (DHCP client), etc
if you want to know how many system services each svchost process provides, you can enter the "TList - s" command in the command prompt window of Win2000, which is provided by WIN2000 support tools. In WinXP, use the "tasklist / SVC" command<
svchost can contain multiple services
in depth
Windows system processes are divided into independent processes and shared processes. "Svchost.exe" file exists in the directory of% systemroot% system32, which belongs to shared process. With the increasing number of windows system services, in order to save system resources, Microsoft makes many services into sharing mode, which is started by svchost.exe process. However, svchost process only serves as a service host and can not realize any service functions, that is, it can only provide conditions for other services to be started here, but it can not provide any services to users. How are these services implemented
originally, these system services are implemented in the form of dynamic link library (DLL). They point the executable program to svchost, and svchost calls the DLL of the corresponding service to start the service. How does svchost know which DLL a system service should call? This is achieved through the parameters set by the system service in the registry. Next, take rpcss (remote Procere call) service as an example to explain
it can be seen from the startup parameters that the service is started by svchost
instance
take Windows XP as an example, click Start / run, enter the command "services. MSc" to open the service dialog box, and then open the "remote Procere call" attribute dialog box. You can see that the path of the executable file of rpcss service is "C: &# 92; windows\ system32\ This shows that the rpcss service is implemented by calling the "rpcss" parameter from svchost, and the content of the parameter is stored in the system registry
Enter "regedit. Exe" in the running dialog box and press enter to open the registry editor and find [HKEY_ local_ [machine] key, find the type 'reg'_ expand_ The key "magepath" of "SZ" is "% systemroot% system32svchost - K rpcss" (this is the service startup command seen in the service window). In addition, there is a key named "servicedll" in the "parameters" subkey, whose value is "% systemroot% system32rpcss. DLL", where "rpcss. DLL" is the DLL file to be used by rpcss service. In this way, the svchost process can start the service by reading the "rpcss" service registry information
puzzle solving
because svchost process starts various services, viruses and Trojans try their best to make use of it, trying to use its characteristics to confuse users and achieve the purpose of infection, invasion and destruction (such as shock wave variant virus "W32. Welchia. Worm"). But it is normal for Windows system to have multiple svchost processes. Which one is the virus process in the infected machine? Here is just one example
suppose Windows XP system is infected by "W32. Welchia. Worm". The normal svchost file exists in "C: & # 92; windows\ If you find that the file appears in other directories, you should be careful“ W32. Welchia. Worm "virus exists in" C: & # 92; windows\ Therefore, it is easy to find out whether the system is infected with virus by using the process manager to check the execution file path of svchost process. The task manager of windows system can't view the path of the process. You can use the third-party process management software, such as "windows optimization master" process manager. Through these tools, you can easily check and see the execution file path of all svchost processes. Once you find that the execution path is an unusual location, you should immediately detect and deal with it.
3. Svchost process file: svchost.dll
process name: trojan.w32.agent
English Description:
svchost.dll is a mole which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, steaming passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. This program is very important for the normal operation of your system. Note: svchost.exe may also be a w32.welchia.worm virus, which uses Windows LSASS vulnerability to create a buffer overflow, causing your computer to shut down. For more details, please refer to: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx , the security level of the process is recommended to be removed immediately
security level (0-5): n / a (n / a no danger, 5 most dangerous)
spyware: no
adware: no
virus: no
Trojan horse: no
system process: no
application: no
background program: Yes
access: Yes
access to the Internet: Yes
everyone should know that svchost.exe is an indispensable process of the system, Many services will use it more or less, but I think you all know that because of its particularity, it's brilliant; Hackers & quot; I'm sure we won't let it go. You should still remember the incident of svchost.exe Trojan horse some time ago. And now there are still many machines with this trojan horse hidden in them, because it disguises as the system process svchost.exe, so many people can't tell which is the process and which is the Trojan horse...
OK, Let's have a detailed understanding of the svchost.exe process
1. Advantages and disadvantages of multiple services sharing a svchost.exe process
Windows system services are divided into two types: independent process and shared process. In Windows NT, only SCM (services. Exe) has multiple shared services. With the increase of built-in services in the system, In Windows 2000, Ms makes many services into sharing mode, which is started by svchost.exe. Windows 2000 generally has two svchost processes, one is rpcss (remote process call) service process, and the other is svchost.exe shared by many services. In Windows XP, there are generally more than four svchost.exe service processes, while in Windows 2003 server, there are more. It can be seen that it is a trend for MS to start more built-in services from svchost in the form of shared processes. This reces the consumption of system resources to a certain extent, but it also brings some unstable factors, because any service of a shared process exits the process because of an error, which will cause all services in the whole process to exit. In addition, there is a little security risk. First of all, we should introce the implementation mechanism of svchost.exe< (2) svchost principle
svchost itself is only a service host and does not implement any service functions. The services that need to be started by svchost are implemented in the form of dynamic link library. When installing these services, the executable program of the service is pointed to svchost. When starting these services, svchost calls the dynamic link library of the corresponding service to start the service
how does svchost know which DLL is responsible for a service? This is not provided by the parameter part of the executable program path of the service, but by the parameter setting of the service in the registry. There is a parameters subkey under the service in the registry, and the servicedll indicates which DLL is responsible for the service. And all these service dynamic link libraries must export a servicemain() function to handle service tasks
for example, the location of rpcss in the registry is HKEY_ LOCAL_, There is such an item in its parameter subkey parameters:
& quot; ServiceDll"= REG_ EXPAND_ SZ:"% SystemRoot%system32 pcss.dll"
when starting the rpcss service, svchost will call rpcss.dll and execute its servicemain() function to execute the specific service
since these services are started by svchost using shared process mode, why are there multiple svchost processes in the system? MS divides these services into several groups. The same group of services shares a svchost process. Different groups of services use multiple svchost processes. The difference between groups is determined by the parameters behind the executable program of the service
for example, rpcss in the registry HKEY_ LOCAL_ There is such an item:
& quot; ImagePath"= REG_ EXPAND_ SZ:"% SystemRoot%system32svchost -k rpcss"
therefore, rpcss belongs to the rpcss group, which can also be seen in the service management console
all groups of svchost and all services within the group are in the following location in the registry: HKEY_ LOCAL_ Ntcurrentversionsvchost, for example, Windows 2000 has four groups of rpcss, Netsvcs, wugrup and bitsgroup, among which Netsvcs = reg is the most_ MULTI_ SZ: eventsystem. IAS. Iprip. Irmon. NetMan.
nwsapagent. Rasauto. Rasman. Remoteaccess. Sens. Sharedaccess. Tapisrv. Ntmssvc. Wzcsvc..
when starting a service in the charge of svchost.exe, the service manager will not start the second process svchost if imagepath, the executable content, already exists in the image library of the service manager, Instead, start the service directly. In this way, multiple services share a svchost process
3. Svchost code
now we are basically clear about the principle of svchost, but we need to write a DLL service and start it by svchost. Only the above information is unclear. For example, are the parameters we receive in the exported servicemain() function ANSI or Unicode? Do we need to call registerservicectrlhandler and startservicectrldispatcher to register service control and scheling functions
these questions can be obtained by looking at the svchost code. The following code is the svchost disassembly fragment of Windows 2000 + Service Pack 4. We can see that the svchost program is still very simple
main function first calls ProcCommandLine () to analyze the command line, gets the service group to start, then calls SvcHostOptions () to query the service group's options and all the services of the service group, and uses a data structure svcTable to save the DLL of these services and their services, and then calls the PrepareSvcTable () function to create SERVICE_. TABLE_ Enter structure, all the processing function service_ MAIN_ FUNCTION points to one of its functions FuncServiceMain (), and finally calls API StartServiceCtrlDispatcher () to register the scheling functions of these services.
process name: trojan.w32.agent
English Description:
svchost.dll is a mole which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, steaming passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. This program is very important for the normal operation of your system. Note: svchost.exe may also be a w32.welchia.worm virus, which uses Windows LSASS vulnerability to create a buffer overflow, causing your computer to shut down. For more details, please refer to: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx , the security level of the process is recommended to be removed immediately
security level (0-5): n / a (n / a no danger, 5 most dangerous)
spyware: no
adware: no
virus: no
Trojan horse: no
system process: no
application: no
background program: Yes
access: Yes
access to the Internet: Yes
everyone should know that svchost.exe is an indispensable process of the system, Many services will use it more or less, but I think you all know that because of its particularity, it's brilliant; Hackers & quot; I'm sure we won't let it go. You should still remember the incident of svchost.exe Trojan horse some time ago. And now there are still many machines with this trojan horse hidden in them, because it disguises as the system process svchost.exe, so many people can't tell which is the process and which is the Trojan horse...
OK, Let's have a detailed understanding of the svchost.exe process
1. Advantages and disadvantages of multiple services sharing a svchost.exe process
Windows system services are divided into two types: independent process and shared process. In Windows NT, only SCM (services. Exe) has multiple shared services. With the increase of built-in services in the system, In Windows 2000, Ms makes many services into sharing mode, which is started by svchost.exe. Windows 2000 generally has two svchost processes, one is rpcss (remote process call) service process, and the other is svchost.exe shared by many services. In Windows XP, there are generally more than four svchost.exe service processes, while in Windows 2003 server, there are more. It can be seen that it is a trend for MS to start more built-in services from svchost in the form of shared processes. This reces the consumption of system resources to a certain extent, but it also brings some unstable factors, because any service of a shared process exits the process because of an error, which will cause all services in the whole process to exit. In addition, there is a little security risk. First of all, we should introce the implementation mechanism of svchost.exe< (2) svchost principle
svchost itself is only a service host and does not implement any service functions. The services that need to be started by svchost are implemented in the form of dynamic link library. When installing these services, the executable program of the service is pointed to svchost. When starting these services, svchost calls the dynamic link library of the corresponding service to start the service
how does svchost know which DLL is responsible for a service? This is not provided by the parameter part of the executable program path of the service, but by the parameter setting of the service in the registry. There is a parameters subkey under the service in the registry, and the servicedll indicates which DLL is responsible for the service. And all these service dynamic link libraries must export a servicemain() function to handle service tasks
for example, the location of rpcss in the registry is HKEY_ LOCAL_, There is such an item in its parameter subkey parameters:
& quot; ServiceDll"= REG_ EXPAND_ SZ:"% SystemRoot%system32 pcss.dll"
when starting the rpcss service, svchost will call rpcss.dll and execute its servicemain() function to execute the specific service
since these services are started by svchost using shared process mode, why are there multiple svchost processes in the system? MS divides these services into several groups. The same group of services shares a svchost process. Different groups of services use multiple svchost processes. The difference between groups is determined by the parameters behind the executable program of the service
for example, rpcss in the registry HKEY_ LOCAL_ There is such an item:
& quot; ImagePath"= REG_ EXPAND_ SZ:"% SystemRoot%system32svchost -k rpcss"
therefore, rpcss belongs to the rpcss group, which can also be seen in the service management console
all groups of svchost and all services within the group are in the following location in the registry: HKEY_ LOCAL_ Ntcurrentversionsvchost, for example, Windows 2000 has four groups of rpcss, Netsvcs, wugrup and bitsgroup, among which Netsvcs = reg is the most_ MULTI_ SZ: eventsystem. IAS. Iprip. Irmon. NetMan.
nwsapagent. Rasauto. Rasman. Remoteaccess. Sens. Sharedaccess. Tapisrv. Ntmssvc. Wzcsvc..
when starting a service in the charge of svchost.exe, the service manager will not start the second process svchost if imagepath, the executable content, already exists in the image library of the service manager, Instead, start the service directly. In this way, multiple services share a svchost process
3. Svchost code
now we are basically clear about the principle of svchost, but we need to write a DLL service and start it by svchost. Only the above information is unclear. For example, are the parameters we receive in the exported servicemain() function ANSI or Unicode? Do we need to call registerservicectrlhandler and startservicectrldispatcher to register service control and scheling functions
these questions can be obtained by looking at the svchost code. The following code is the svchost disassembly fragment of Windows 2000 + Service Pack 4. We can see that the svchost program is still very simple
main function first calls ProcCommandLine () to analyze the command line, gets the service group to start, then calls SvcHostOptions () to query the service group's options and all the services of the service group, and uses a data structure svcTable to save the DLL of these services and their services, and then calls the PrepareSvcTable () function to create SERVICE_. TABLE_ Enter structure, all the processing function service_ MAIN_ FUNCTION points to one of its functions FuncServiceMain (), and finally calls API StartServiceCtrlDispatcher () to register the scheling functions of these services.
4. Service host process is a standard dynamic connection library host processing service. The svchost.exe file is a common host process name for services running from a dynamic connection Library (DLL). The svhost.exe file is located in Windows & # 92 of the system; System32 folder. At startup, svchost.exe checks the location in the registry to build a list of services that need to be loaded. This causes multiple svchost.exes to run at the same time. Windows 2000 generally has two svchost processes, one is rpcss (remote Procere call) service process, the other is a svchost.exe shared by many services; In Windows XP, there are more than four svchost.exe service processes; More in Windows 2003 server. Svchost.exe is a core process of the system, not a virus process. However, e to the particularity of svchost.exe process, the virus will also try its best to invade svchost.exe. By looking at the execution path of the svchost.exe process, you can confirm whether it is poisoned. If you suspect that the computer may be infected by a virus and the service of svchost.exe is abnormal, you can find the abnormal situation by searching the svchost.exe file. In general, only in C: & # 92; Windows\ Find a svchost.exe program in the system32 directory. If you find svchost.exe in other directories, it's probably poisoned.
5. Svchost.exe is a very important process of NT core system, which is indispensable for 2000 and XP. Many viruses, Trojans will also call it. Therefore, in-depth understanding of this program is one of the required courses to play computer
you must be familiar with Windows operating system, but have you noticed the file "svchost. Exe" in the system? Careful friends will find that there are multiple "svchost" processes in windows (open the task manager with the "Ctrl + Alt + Del" key, and you can see it in the "process" tab here). Why is this so? Let's unveil its mystery
it is found that
in the windows operating system family based on NT kernel, there are different numbers of "svchost" processes in different versions of windows system, and users can view the number of "svchost" processes by using "task manager". Generally speaking, there are two svchost processes in WIN2000, four or more svchost processes in WinXP (if you see more than one of these processes in the system in the future, don't immediately determine that the system has a virus), while there are more in Win2003 server. These svchost processes provide many system services, such as rpcss service (remote process call), dmserver service (Logical Disk Manager), DHCP service (DHCP client), etc
if you want to know how many system services each svchost process provides, you can enter the "TList - s" command in the command prompt window of Win2000, which is provided by WIN2000 support tools. In WinXP, use the "tasklist / SVC" command<
svchost can contain multiple services
in depth
Windows system processes are divided into independent processes and shared processes. "Svchost.exe" file exists in the directory of% systemroot% system32, which belongs to shared process. With the increasing number of windows system services, in order to save system resources, Microsoft makes many services into sharing mode, which is started by svchost.exe process. However, svchost process only serves as a service host and can not realize any service functions, that is, it can only provide conditions for other services to be started here, but it can not provide any services to users. How are these services implemented
originally, these system services are implemented in the form of dynamic link library (DLL). They point the executable program to svchost, and svchost calls the DLL of the corresponding service to start the service. How does svchost know which DLL a system service should call? This is achieved through the parameters set by the system service in the registry. Next, take rpcss (remote Procere call) service as an example to explain
it can be seen from the startup parameters that the service is started by svchost
instance
take Windows XP as an example, click Start / run, enter the command "services. MSc" to open the service dialog box, and then open the "remote Procere call" attribute dialog box. You can see that the path of the executable file of rpcss service is "C: &# 92; windows\ system32\ This shows that the rpcss service is implemented by calling the "rpcss" parameter from svchost, and the content of the parameter is stored in the system registry
Enter "regedit. Exe" in the running dialog box and press enter to open the registry editor and find [HKEY_ local_ [machine] key, find the type 'reg'_ expand_ The key "magepath" of "SZ" is "% systemroot% system32svchost - K rpcss" (this is the service startup command seen in the service window). In addition, there is a key named "servicedll" in the "parameters" subkey, whose value is "% systemroot% system32rpcss. DLL", where "rpcss. DLL" is the DLL file to be used by rpcss service. In this way, the svchost process can start the service by reading the "rpcss" service registry information
puzzle solving
because svchost process starts various services, viruses and Trojans try their best to make use of it, trying to use its characteristics to confuse users and achieve the purpose of infection, invasion and destruction (such as shock wave variant virus "W32. Welchia. Worm"). But it is normal for Windows system to have multiple svchost processes. Which one is the virus process in the infected machine? Here is just one example
suppose Windows XP system is infected by "W32. Welchia. Worm". The normal svchost file exists in "C: & # 92; windows\ If you find that the file appears in other directories, you should be careful“ W32. Welchia. Worm "virus exists in" C: & # 92; windows\ Therefore, it is easy to find out whether the system is infected with virus by using the process manager to check the execution file path of svchost process. The task manager of windows system can't view the path of the process. You can use the third-party process management software, such as "windows optimization master" process manager. Through these tools, you can easily check and see the execution file path of all svchost processes. Once you find that the execution path is an unusual location, you should immediately detect and deal with it
e to the space, we can't introce all the functions of svchost in detail. This is a special process in windows. If you are interested, you can refer to the relevant technical materials for further understanding.
you must be familiar with Windows operating system, but have you noticed the file "svchost. Exe" in the system? Careful friends will find that there are multiple "svchost" processes in windows (open the task manager with the "Ctrl + Alt + Del" key, and you can see it in the "process" tab here). Why is this so? Let's unveil its mystery
it is found that
in the windows operating system family based on NT kernel, there are different numbers of "svchost" processes in different versions of windows system, and users can view the number of "svchost" processes by using "task manager". Generally speaking, there are two svchost processes in WIN2000, four or more svchost processes in WinXP (if you see more than one of these processes in the system in the future, don't immediately determine that the system has a virus), while there are more in Win2003 server. These svchost processes provide many system services, such as rpcss service (remote process call), dmserver service (Logical Disk Manager), DHCP service (DHCP client), etc
if you want to know how many system services each svchost process provides, you can enter the "TList - s" command in the command prompt window of Win2000, which is provided by WIN2000 support tools. In WinXP, use the "tasklist / SVC" command<
svchost can contain multiple services
in depth
Windows system processes are divided into independent processes and shared processes. "Svchost.exe" file exists in the directory of% systemroot% system32, which belongs to shared process. With the increasing number of windows system services, in order to save system resources, Microsoft makes many services into sharing mode, which is started by svchost.exe process. However, svchost process only serves as a service host and can not realize any service functions, that is, it can only provide conditions for other services to be started here, but it can not provide any services to users. How are these services implemented
originally, these system services are implemented in the form of dynamic link library (DLL). They point the executable program to svchost, and svchost calls the DLL of the corresponding service to start the service. How does svchost know which DLL a system service should call? This is achieved through the parameters set by the system service in the registry. Next, take rpcss (remote Procere call) service as an example to explain
it can be seen from the startup parameters that the service is started by svchost
instance
take Windows XP as an example, click Start / run, enter the command "services. MSc" to open the service dialog box, and then open the "remote Procere call" attribute dialog box. You can see that the path of the executable file of rpcss service is "C: &# 92; windows\ system32\ This shows that the rpcss service is implemented by calling the "rpcss" parameter from svchost, and the content of the parameter is stored in the system registry
Enter "regedit. Exe" in the running dialog box and press enter to open the registry editor and find [HKEY_ local_ [machine] key, find the type 'reg'_ expand_ The key "magepath" of "SZ" is "% systemroot% system32svchost - K rpcss" (this is the service startup command seen in the service window). In addition, there is a key named "servicedll" in the "parameters" subkey, whose value is "% systemroot% system32rpcss. DLL", where "rpcss. DLL" is the DLL file to be used by rpcss service. In this way, the svchost process can start the service by reading the "rpcss" service registry information
puzzle solving
because svchost process starts various services, viruses and Trojans try their best to make use of it, trying to use its characteristics to confuse users and achieve the purpose of infection, invasion and destruction (such as shock wave variant virus "W32. Welchia. Worm"). But it is normal for Windows system to have multiple svchost processes. Which one is the virus process in the infected machine? Here is just one example
suppose Windows XP system is infected by "W32. Welchia. Worm". The normal svchost file exists in "C: & # 92; windows\ If you find that the file appears in other directories, you should be careful“ W32. Welchia. Worm "virus exists in" C: & # 92; windows\ Therefore, it is easy to find out whether the system is infected with virus by using the process manager to check the execution file path of svchost process. The task manager of windows system can't view the path of the process. You can use the third-party process management software, such as "windows optimization master" process manager. Through these tools, you can easily check and see the execution file path of all svchost processes. Once you find that the execution path is an unusual location, you should immediately detect and deal with it
e to the space, we can't introce all the functions of svchost in detail. This is a special process in windows. If you are interested, you can refer to the relevant technical materials for further understanding.
6. It's OK. Svchost.exe is a very important process of NT core system. Never turn it off
7. It means that the virus has intruded into the system. You'd better reload it. Remember to format the C disk and reload it. Otherwise, it's a white one. If you can't do it by yourself, you can find a professional. In addition, when you get back to the last correct configuration, you can let it drag on for a while and do it by yourself. Amitabha~
8. Svchost.exe is a very important process of NT core system, which is indispensable for 2000 and XP. Many viruses, Trojans will also call it
in the windows operating system family based on NT kernel, there are different numbers of "svchost" processes in different versions of windows system. Users can view the number of "svchost" processes by using "task manager". Generally speaking, there are two svchost processes in WIN2000, four or more svchost processes in WinXP (if you see more than one of these processes in the system in the future, don't immediately determine that the system has a virus), while there are more in Win2003 server. These svchost processes provide many system services, such as rpcss service (remote process call), dmserver service (Logical Disk Manager), DHCP service (DHCP client), etc
if you want to know how many system services each svchost process provides, you can enter the "TList - s" command in the command prompt window of Win2000, which is provided by WIN2000 support tools. In WinXP, use the "tasklist / SVC" command
svchost can contain multiple services
in the windows operating system family based on NT kernel, there are different numbers of "svchost" processes in different versions of windows system. Users can view the number of "svchost" processes by using "task manager". Generally speaking, there are two svchost processes in WIN2000, four or more svchost processes in WinXP (if you see more than one of these processes in the system in the future, don't immediately determine that the system has a virus), while there are more in Win2003 server. These svchost processes provide many system services, such as rpcss service (remote process call), dmserver service (Logical Disk Manager), DHCP service (DHCP client), etc
if you want to know how many system services each svchost process provides, you can enter the "TList - s" command in the command prompt window of Win2000, which is provided by WIN2000 support tools. In WinXP, use the "tasklist / SVC" command
svchost can contain multiple services
Hot content