Many trojans, spyware, adware and viruses disguise themselves as a legitimate process by using the name svchost.exe. We can use tasklist to check what each instance is actually doing.

On Windows XP (Professional; tasklist is not shipped with XP Home), run cmd to open a command prompt and then execute the following command:

C:\>tasklist /svc /fi "imagename eq svchost.exe"

The following information is displayed:

Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1212 DcomLaunch, TermService
svchost.exe                 1300 RpcSs
svchost.exe                 1440 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, HidServ, Irmon,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                 wuauserv
svchost.exe                 1668 Dnscache
svchost.exe                 1824 Alerter, LmHosts, RemoteRegistry, SSDPSRV,
                                 WebClient
svchost.exe                  328 stisvc

This makes it clear which system services each svchost instance is hosting. A genuine svchost.exe always runs from %SystemRoot%\System32, is started by services.exe, and hosts at least one service; an svchost.exe that shows "N/A" in the Services column, or whose image lives elsewhere, deserves a closer look. Note that the listing does not catch malware that injects itself into a legitimate svchost instance, so treat it as a first triage step rather than proof.
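To make that triage repeatable, the following added example (my own code, not part of the original post) parses the `tasklist /svc` listing shown above and flags every svchost.exe that hosts no service. The sample text is constructed: it is the listing from the page plus one extra svchost.exe (PID 2040, "N/A") of the kind that warrants investigation. On a real machine you would feed it the output of `tasklist /svc /fi "imagename eq svchost.exe"` instead.

```python
# Constructed sample: the page's listing plus one svchost.exe that hosts
# no services (PID 2040), which is exactly the kind of entry to look at.
SAMPLE_TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1212 DcomLaunch, TermService
svchost.exe                 1300 RpcSs
svchost.exe                 1440 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, HidServ, Irmon,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                 wuauserv
svchost.exe                 1668 Dnscache
svchost.exe                 1824 Alerter, LmHosts, RemoteRegistry, SSDPSRV,
                                 WebClient
svchost.exe                  328 stisvc
svchost.exe                 2040 N/A
"""


def _split_services(text):
    """Turn 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means no service at all."""
    return [s for s in (t.strip() for t in text.split(",")) if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into (image, pid, [services]) tuples.

    Rows start in column 0; a line beginning with whitespace continues the
    Services column of the previous row (tasklist wraps long lists).
    """
    lines = text.splitlines()
    # Skip the header up to and including the '=====' separator line.
    start = next((i + 1 for i, l in enumerate(lines) if l.startswith("=")), 0)
    rows = []
    for line in lines[start:]:
        if not line.strip():
            continue
        if line[0].isspace():
            if rows:
                rows[-1][2].extend(_split_services(line))
            continue
        parts = line.split(None, 2)          # image, pid, rest of line
        services = _split_services(parts[2]) if len(parts) > 2 else []
        rows.append([parts[0], int(parts[1]), services])
    return [(img, pid, svcs) for img, pid, svcs in rows]


def suspicious_svchost(rows):
    """PIDs of svchost.exe instances that host no service (Services == N/A)."""
    return [pid for img, pid, svcs in rows
            if img.lower() == "svchost.exe" and not svcs]


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE_TASKLIST)
    for img, pid, svcs in parsed:
        print(f"{img} {pid}: {len(svcs)} service(s)")
    print("svchost.exe without services:", suspicious_svchost(parsed))
```

An empty Services column is a strong hint but not proof on its own, so follow it up by checking the image path and parent of the flagged PID (for example with `wmic process where "name='svchost.exe'" get processid,parentprocessid,executablepath`, which is available on XP Professional); the legitimate binary is %SystemRoot%\System32\svchost.exe with services.exe as its parent.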