From: https://www.raymond.cc/blog/identify-loaded-svchostexe-in-windows-task-list/


Other than commonly using the Windows Task Manager to end a hung task or process, it is also very useful to quickly check the active running programs on your computer. You may noticed that there is quite a number of svchost.exe listed in the processes tab and is probably wondering what is it and how come there are so many of them running? Basically SVCHOST is used by Windows to run multiple Windows services and the reason why Windows services uses svchost.exe to run is because they are in DLL files and not an independent executable (.EXE) file. If you didn’t know, Windows Services is one of the startup method in Windows where it can automatically run in background without even requiring the user to login to their account in Windows, unlike other startup method where the programs will only run when the user is logged in to Windows.

svchost.exe in task manager

Normally users would ignore the existence of svchost.exe listed in the Windows Task Manager and only look for some dubious image name. This is where some malware takes advantage by using the file name as svchost.exe, hoping that you would not notice its presence. One easy way to find out a suspicious svchost.exe is by looking at the user name that is used to run the svchost.exe. If the svchost is ran by SYSTEM, NETWORK SERVICE or LOCAL SERVICE, then it should be legitimate but if it is ran under YOUR user account, then you need to investigate if the svchost.exe file is from another location than C:\Windows\System32\. If you’d like to identify the services that are ran behind the svchost.exe, here are 7 ways to do it. 1. Windows Task Manager

Starting from Windows Vista, Microsoft has made it easy because the Task Manager is capable of showing you the service name associated with the svchost.exe process. To run windows Task Manager, right click on the task bar and select “Start Task Manager”. Alternatively you can also simultaneously press Ctrl+Shift+Esc. Then all you need to do is right click on the svchost.exe process and select “Go to Service(s)” where you will automatically jump to the Services tab and the service name being highlight.

svchost.exe services

You are able to start or stop the service by right clicking on the service name. The problem is, some virus disables the Windows Task Manager by changing a registry value and it is important to know other methods of identifying the svchost.exe service name.


2. Command Prompt

Another method to reveal the service that is associated with the svchost.exe is by using tasklist.exe from command prompt. In command prompt, type the command below, hit enter and the service name will be displayed at the right side of the tasklist output.

tasklist /svc /fi “IMAGENAME eq svchost.exe”

Tasklist svchost.exe

There are some limitations in using the tasklist.exe command line tool because it only the cryptic service name, not the display name or description. Just like Task Manager, command prompt too can be disabled from running by malware which is why sometimes it is good to have third party tools in hand.


3. Process Explorer

Process Explorer is the grandfather of all task managers. So far it seems to be the most comprehensive tool to control and view the information associated with svchost.exe. Simply double click on the svchost.exe in Process Explorer and click on the Services tab.

Process Explorer services

First you get to see all the services registered in the process that you’re viewing, then it shows the service name, display name and the path to do DLL file that was loaded. You are also able to configure the permissions for the service plus stopping, restarting, pausing and resuming the service.

Download Process Explorer 


4. Process Hacker

Process Hacker is another popular free and powerful open source task manager that is capable of showing and controlling the services from svchosts.exe process. Just like Process Explorer, double click on svchost.exe process and go to the Services tab. The list of associates services is shown and you can stop or pause the service. Double clicking on the service will bring up a more advanced property window to configure the permissions, startup type, error control and many more.

Process Hacker Services Properties

There are both installer and portable versions available including 32-bit and 64-bit builds.

Download Process Hacker 


5. Svchost Process Analyzer

Svchost Process Analyzer

Svchost Process Analyzer is a free and portable program that analyzes the svchost.exe and shows services that is associated with the process. Clicking on any ID on the top window will display the services at the bottom together with the DLL file and status. The description of the service will automatically refresh and shown at the top bar of the program. This tool can only display information but lack of control options.

Download Svchost Process Analyzer 


6. Svchost Viewer

Svchost Viewer

Svchost Viewer is another free and open source utility hosted at CodePlex that gives you the basic information such as service name and description. There are also two checkboxes to show if the service can be paused or stopped. If it can be stopped, click on the Service Control menu bar and select “Stop Selected Service”. A piece of interesting information shown in Svchost Viewer is the amount of data written and read.

Download Svchost Viewer 


7. Services In Svchost

Services In Svchost is a very simple program that simply shows the services in the svchosts.exe. There is no description, no control, or DLL file information. The only unique feature found in this utility is the ability to view the services on remote computers by entering the computer name or IP address.

Services in Svchost

There are requirements if you want to get the services on remote computer. Firstly it requires a user account that has a password set (empty password is not allowed) and the Remote Registry service must be manually started. Make sure the Windows Firewall is not blocking the connection. Once all this 3 requirements are met, you need to manually authenticate with the remote computer by accessing the shared folders. After authentication, simply enter the computer name and click Get Services button.

Download Services In Svchost 
Read More: 
https://www.raymond.cc/blog/identify-loaded-svchostexe-in-windows-task-list/

 1,580 total views

From: https://www.howtoforge.com/tutorial/installing-nginx-with-php7-fpm-and-mysql-on-ubuntu-16.04-lts-lemp/


Nginx (pronounced “engine x”) is a free, open-source, high-performance HTTP server. Nginx is known for its stability, rich feature set, simple configuration, and low resource consumption. This tutorial shows how you can install Nginx on an Ubuntu 16.04 server with PHP 7 support (through PHP-FPM) and MySQL 5.7 support (LEMP = Linux + nginx (pronounced “engine x”) + MySQL + PHP).

 

1 Preliminary Note

In this tutorial, I use the hostname server1.example.com with the IP address 192.168.1.100. These settings might differ for you, so you have to replace them where appropriate.

I’m running all the steps in this tutorial with root privileges, so make sure you’re logged in as root:

sudo -s

 

2 Installing MySQL 5.7

In order to install MySQL, we run:

apt-get -y install mysql-server mysql-client

You will be asked to provide a password for the MySQL root user – this password is valid for the user [email protected] as well as [email protected], so we don’t have to specify a MySQL root password manually later on:

New password for the MySQL “root” user: <– yourrootsqlpassword
Repeat password for the MySQL “root” user: <– yourrootsqlpassword

To secure the database server and remove  the anonymous user and test database, run the mysql_secure_installation command.

mysql_secure_installation

You will be asked these questions:

[email protected]:~# mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root: <– Enter the MySQL root password

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: <– Press y if you want this function or press Enter otherwise.
Using existing password for root.
Change the password for root ? ((Press y|Y for Yes, any other key for No) : <– Press enter

… skipping.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : <– y
Success.

Normally, root should only be allowed to connect from
‘localhost’. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : <– y
Success.

By default, MySQL comes with a database named ‘test’ that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.

Remove test database and access to it? (Press y|Y for Yes, any other key for No) : <– y
– Dropping test database…
Success.

– Removing privileges on test database…
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : <– y
Success.

All done!

MySQL is secured now.

3 Installing Nginx

In case that you have installed Apache2 already, then remove it first with these commands & then install nginx:

service apache2 stop
update-rc.d -f apache2 remove
apt-get remove apache2

Nginx is available as a package for Ubuntu 16.04 which we can install.

apt-get -y install nginx

Start nginx afterwards:

service nginx start

Type in your web server’s IP address or hostname into a browser (e.g. http://192.168.1.100), and you should see the following page:

The Ubuntu Nginx default page.

The default nginx document root on Ubuntu 16.04 is /var/www/html.

 

4 Installing PHP 7

We can make PHP work in nginx through PHP-FPM (PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites) which we install as follows:

apt-get -y install php7.0-fpm

PHP-FPM is a daemon process (with the init script php7.0-fpm) that runs a FastCGI server on the socket /run/php/php7.0-fpm.sock.

 

5 Configuring nginx

The nginx configuration is in /etc/nginx/nginx.conf which we open now:

nano /etc/nginx/nginx.conf

The configuration is easy to understand (you can learn more about it here: http://wiki.nginx.org/NginxFullExample and here: http://wiki.nginx.org/NginxFullExample2)

First (this is optional) adjust the keepalive_timeout to a reasonable value:

[...]
    keepalive_timeout   2;
[...]

The virtual hosts are defined in server {} containers. The default vhost is defined in the file /etc/nginx/sites-available/default – let’s modify it as follows:

nano /etc/nginx/sites-available/default

[...]
server {
 listen 80 default_server;
 listen [::]:80 default_server;

 # SSL configuration
 #
 # listen 443 ssl default_server;
 # listen [::]:443 ssl default_server;
 #
 # Note: You should disable gzip for SSL traffic.
 # See: https://bugs.debian.org/773332
 #
 # Read up on ssl_ciphers to ensure a secure configuration.
 # See: https://bugs.debian.org/765782
 #
 # Self signed certs generated by the ssl-cert package
 # Don't use them in a production server!
 #
 # include snippets/snakeoil.conf;

 root /var/www/html;

 # Add index.php to the list if you are using PHP
 index index.html index.htm index.nginx-debian.html;

 server_name _;

 location / {
 # First attempt to serve request as file, then
 # as directory, then fall back to displaying a 404.
 try_files $uri $uri/ =404;
 }

 # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
 #
 location ~ \.php$ {
 include snippets/fastcgi-php.conf;

 # With php7.0-cgi alone:
 # fastcgi_pass 127.0.0.1:9000;
 # With php7.0-fpm:
 fastcgi_pass unix:/run/php/php7.0-fpm.sock;
 }

 # deny access to .htaccess files, if Apache's document root
 # concurs with nginx's one
 #
 location ~ /\.ht {
  deny all;
 }
}
[...]

server_name _; makes this a default catchall vhost (of course, you can as well specify a hostname here like www.example.com).

root /var/www/html; means that the document root is the directory /var/www/html.

The important part for PHP is the location ~ \.php$ {} stanza. Uncomment it to enable it.

Now save the file and reload nginx:

service nginx reload

Next open /etc/php/7.0/fpm/php.ini

nano /etc/php/7.0/fpm/php.ini

… and set cgi.fix_pathinfo=0:

[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0
[...]

Reload PHP-FPM:

service php7.0-fpm reload

Now create the following PHP file in the document root /var/www/html:

nano /var/www/html/info.php

<?php
phpinfo();
?>

Now we call that file in a browser (e.g. http://192.168.1.100/info.php):

PHP Info on Ubuntu with Nginx.

As you see, PHP 7 is working, and it’s working through FPM/FastCGI, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP. MySQL is not listed there which means we don’t have MySQL support in PHP yet.

 

6 Getting MySQL Support In PHP 7

To get MySQL support in PHP, we can install the php7.0-mysql package. It’s a good idea to install some other PHP modules as well as you might need them for your applications. You can search for available PHP modules like this:

apt-cache search php7.0

Pick the ones you need and install them like this:

apt-get -y install php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php-pear php-imagick php7.0-imap php7.0-mcrypt php-memcache  php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl php7.0-mbstring php-gettext

APCu is an extension for the PHP Opcache module that comes with PHP 7, it adds some compatibility features for software that supports the APC cache (e.g. WordPress cache plugins).

APCu can be installed as follows:

apt-get -y install php-apcu

Now reload PHP-FPM:

service php7.0-fpm reload

Now reload http://192.168.1.100/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:

The PHP Modules have been installed.

 

7 Making PHP-FPM use a TCP Connection

By default PHP-FPM is listening on the socket /var/run/php/php7.0-fpm.sock. It is also possible to make PHP-FPM use a TCP connection. To do this, open /etc/php/7.0/fpm/pool.d/www.conf

nano /etc/php/7.0/fpm/pool.d/www.conf

… and make the listen line look as follows:

[...]
;listen = /var/run/php5-fpm.sock
listen = 127.0.0.1:9000
[...]

This will make PHP-FPM listen on port 9000 on the IP 127.0.0.1 (localhost). Make sure you use a port that is not in use on your system.

Then reload PHP-FPM:

php7.0-fpm reload

Next go through your nginx configuration and all your vhosts and change the line fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; to fastcgi_pass 127.0.0.1:9000;, e.g. like this:

nano /etc/nginx/sites-available/default

[...]
        location ~ \.php$ {
 include snippets/fastcgi-php.conf;

 # With php7.0-cgi alone:
 fastcgi_pass 127.0.0.1:9000;
 # With php7.0-fpm:
 # fastcgi_pass unix:/run/php/php7.0-fpm.sock;
 }
[...]

Finally, reload nginx:

service nginx reload

That’s it. The Nginx LEMP server is installed.

 2,192 total views,  1 views today

#!/bin/bash

LAN_INT="eth1" #Internal LAN Interface
BR_INT="br0"  #Bridge Interface
ZT_INT="zt0" #ZeroTier Interface

BRIDGE_IP="192.168.0.90/23"
GATEWAY_IP="192.168.0.2"

SLEEP_TIMER="30s"
RUN_TIME=`date`
#Delay Timer to give the system a chance to finish booting
sleep $SLEEP_TIMER

echo $RUN_TIME > /var/log/bridge.log

#Disable Interfaces, Remove IP addresses
echo "Disabling Interface" >> /var/log/bridge.log
/sbin/ifconfig $LAN_INT down >> /var/log/bridge.log
/sbin/ifconfig $ZT_INT down >> /var/log/bridge.log
/sbin/ip addr flush dev $LAN_INT >> /var/log/bridge.log
/sbin/ip addr flush dev $ZT_INT >> /var/log/bridge.log

echo "Setting up Bridging..." >> /var/log/bridge.log

/sbin/brctl addbr $BR_INT >> /var/log/bridge.log
/sbin/brctl addif $BR_INT $ZT_INT $LAN_INT >> /var/log/bridge.log

/sbin/ifconfig $LAN_INT promisc up >> /var/log/bridge.log
/sbin/ifconfig $ZT_INT promisc up >> /var/log/bridge.log
/sbin/ifconfig $BR_INT up >> /var/log/bridge.log

#/sbin/ip addr add $BRIDGE_IP dev br0 >> /var/log/bridge.log
/sbin/dhclient br0

/sbin/route add default gateway $GATEWAY_IP
echo "Finished!" >> /var/log/bridge.log

 

 1,871 total views,  1 views today

It’s often useful to know what logical and physical drives are available to Windows, and sometimes this needs to be done from the command line.

Logical drives

Here’s a handy command to return a list of logical drives in Windows.

1
wmic logicaldisk get caption,description,drivetype,providername,volumename

The Win32_LogicalDisk WMI class represents a data source that resolves to an actual local storage device on a computer system running Windows. While Caption, Description, DriveType, ProviderName, and VolumeName are useful in most cases, more properties are available, and a complete list is available at http://msdn.microsoft.com/en-us/library/windows/desktop/aa394173(v=vs.85).aspx. The output will be formatted as a table, the properties will be the column headings, and they will be placed into alphabetical order.

Caption is the drive letter of the logical disk. The Name property also returns the drive letter.

Description is the type of disk. For example: Local Fixed Disk, CD-ROM Disc, or Removable Disk.

DriveType is returned as an integer that corresponds to the type of disk drive the logical disk represents (and this matches the Description, making DriveType sort of superfluous).

0 = Unknown
1 = No Root Directory
2 = Removable Disk
3 = Local Disk
4 = Network Drive
5 = Compact Disc
6 = RAM Disk

ProviderName is the network path to the logical device.

VolumeName is the volume name of the logical disk.

Physical drives

And here is a command to return a list of physical drives.

1
wmic diskdrive list brief /format:list

The Win32_DiskDrive WMI class represents a physical disk drive as seen by a computer running Windows. Like the Win32_LogicalDisk WMI class, it has lots of properties, as listed at http://msdn.microsoft.com/en-us/library/windows/desktop/aa394132(v=vs.85).aspx.

For simplicity, though, and ease of reading in command window, wmic diskdrive list brief /format:list does the trick, particularly in combination with wmic logicaldisk.

 1,525 total views,  1 views today

FROM: http://ccm.net/faq/9200-shutdown-or-wake-up-a-pc-on-a-lan


Shutdown or Wake Up a PC on a LAN

In addition to serving as a host, a LAN (or local area network) also gives users a certain amount of control over the PCs that are connected to a network. Included in this is the ability to turn a computer on or off from a remote location.

This article will explain how to use the Shutdown command to turn off a computer remotely as well as how to use the WakeOnLan standard to wake or boot a PC.

This method was tested using a Windows XP Professional computer.

Remotely Shutdown a Computer on a LAN

In order to control a computer remotely, please note that you must be connected to the same local network as the target PC. You must also know the username and password required for login.

The first step is to open TCP port 445 on the target computer. To do this, open your Start menu and then go to Settings > Control Panel > Security Center.

Open Windows Firewall and click the Exceptions tab.

Select the line that reads File Sharing and printers and press OK. If this line is missing, click Add Port and choose TCP port 445 .

Next, head to Start > Settings > Control Panel > System. Select the Remote tab and check the option that reads Allow users to connect remotely to this computer.

It is now time to open the command prompt.

Head to Start/Run or use the keyboard shortcut Windows + R. Next, type cmd and then hit OK. This will open your command prompt.

To obtain the necessary rights to run a shutdown command on the target machine, you must first run the net use command. Use the Windows + R keyboard shortcut and then enter net use \\ip_address_of_target_machine. Enter an administrator username and password for the target computer to connect to the target PC.

Once connected to the target PC, we can run the shutdown command. An example of the command is given below, whereby instructions are given for the target computer to close all active applications and shutdown after 30 seconds of inactivity. Please note that you can substitute any of the variables according to your network or PC specifics:

 shutdown -s -f -t 30 - m \\192.168.3.4

-s: Shutdown the PC

-f: Force active applications to close without warning

-t xx: Set a countdown in seconds

-m \\xxx.xxx.xxx.xxx: The IP address of the target computer


The GUI is available by typing shutdown -i.

For any additional information about this command, type shutdown /?.

The WakeOnLAN Command

WakeOnLAN, as the name already suggests, is a tool that can boot or wake a computer by sending a Magic Packet to the network adapter of the target computer. It is important to note that not all network cards and BIOS are compatible with, or support, the use of Magic Packet.

In order to use the WakeOnLAN command, you must be connected to the same local area network (LAN) as the target computer. Knowledge of the physical location (MAC) and IP address of the target computer is also required.

Retrieve IP and MAC Address

The first step is to retrieve the IP address and MAC address of the target computer. To do this, go to Start/Run or use the keyboard shortcutWindows + R and type cmd > OK.

The command prompt will open. Now type ipconfig /all:


Copy the IP and physical (MAC) address of the target PC.

Compatibility Checks

It’s now time to check if your network card is compatible with Magic Packets. To do this, right-click on My Computer and click Manage. Next, go to Device Manager/Network Cards and do a right-click on your Network Card. Then click Properties.

Do a search for the following words and verify that all options that relate to them are currently active: Magic Packet, Wake On Magic Packet, Wake On Lan, or Wake. If none of these words appear, you may be required to update the drivers for your Network Card.

To see if your computer is BIOS compatible, enter the BIOS when you start the computer. You can do this by pressing ESC, F2, F5, F12 or DEL (depending on your system).

Once in the BIOS, go Power Options and enable Wake-On-LAN, or any similar option:


Open Port 8900

You can open Port 8900 in the same way as you would Port 445.

Wake On LAN (WOL)

Start by downloading the Symantec WOL tool on the source computer. Launch the tool and then fill in the empty fields using the information gathered above.

Mac Address: MAC address (the target machine)

Internet Address: Local IP address (target machine)

Subnet Mask: 255.255.255.255

Send Options: Local Subnet

Remote Port Number: 8900

Click the button: Wake Me Up

Once the packet has been received, the target computer will boot:

 1,262 total views