7 Ways to Easily Identify SVCHOST.EXE Service Name


From: https://www.raymond.cc/blog/identify-loaded-svchostexe-in-windows-task-list/

Other than commonly using the Windows Task Manager to end a hung task or process, it is also very useful to quickly check the active running programs on your computer. You may noticed that there is quite a number of svchost.exe listed in the processes tab and is probably wondering what is it and how come there are so many of them running? Basically SVCHOST is used by Windows to run multiple Windows services and the reason why Windows services uses svchost.exe to run is because they are in DLL files and not an independent executable (.EXE) file. If you didn’t know, Windows Services is one of the startup method in Windows where it can automatically run in background without even requiring the user to login to their account in Windows, unlike other startup method where the programs will only run when the user is logged in to Windows.

svchost.exe in task manager

Normally users would ignore the existence of svchost.exe listed in the Windows Task Manager and only look for some dubious image name. This is where some malware takes advantage by using the file name as svchost.exe, hoping that you would not notice its presence. One easy way to find out a suspicious svchost.exe is by looking at the user name that is used to run the svchost.exe. If the svchost is ran by SYSTEM, NETWORK SERVICE or LOCAL SERVICE, then it should be legitimate but if it is ran under YOUR user account, then you need to investigate if the svchost.exe file is from another location than C:\Windows\System32\. If you’d like to identify the services that are ran behind the svchost.exe, here are 7 ways to do it. 1. Windows Task Manager

Starting from Windows Vista, Microsoft has made it easy because the Task Manager is capable of showing you the service name associated with the svchost.exe process. To run windows Task Manager, right click on the task bar and select “Start Task Manager”. Alternatively you can also simultaneously press Ctrl+Shift+Esc. Then all you need to do is right click on the svchost.exe process and select “Go to Service(s)” where you will automatically jump to the Services tab and the service name being highlight.

svchost.exe services

You are able to start or stop the service by right clicking on the service name. The problem is, some virus disables the Windows Task Manager by changing a registry value and it is important to know other methods of identifying the svchost.exe service name.

2. Command Prompt

Another method to reveal the service that is associated with the svchost.exe is by using tasklist.exe from command prompt. In command prompt, type the command below, hit enter and the service name will be displayed at the right side of the tasklist output.

tasklist /svc /fi “IMAGENAME eq svchost.exe”

Tasklist svchost.exe

There are some limitations in using the tasklist.exe command line tool because it only the cryptic service name, not the display name or description. Just like Task Manager, command prompt too can be disabled from running by malware which is why sometimes it is good to have third party tools in hand.

3. Process Explorer

Process Explorer is the grandfather of all task managers. So far it seems to be the most comprehensive tool to control and view the information associated with svchost.exe. Simply double click on the svchost.exe in Process Explorer and click on the Services tab.

Process Explorer services

First you get to see all the services registered in the process that you’re viewing, then it shows the service name, display name and the path to do DLL file that was loaded. You are also able to configure the permissions for the service plus stopping, restarting, pausing and resuming the service.

Download Process Explorer 

4. Process Hacker

Process Hacker is another popular free and powerful open source task manager that is capable of showing and controlling the services from svchosts.exe process. Just like Process Explorer, double click on svchost.exe process and go to the Services tab. The list of associates services is shown and you can stop or pause the service. Double clicking on the service will bring up a more advanced property window to configure the permissions, startup type, error control and many more.

Process Hacker Services Properties

There are both installer and portable versions available including 32-bit and 64-bit builds.

Download Process Hacker 

5. Svchost Process Analyzer

Svchost Process Analyzer

Svchost Process Analyzer is a free and portable program that analyzes the svchost.exe and shows services that is associated with the process. Clicking on any ID on the top window will display the services at the bottom together with the DLL file and status. The description of the service will automatically refresh and shown at the top bar of the program. This tool can only display information but lack of control options.

Download Svchost Process Analyzer 

6. Svchost Viewer

Svchost Viewer

Svchost Viewer is another free and open source utility hosted at CodePlex that gives you the basic information such as service name and description. There are also two checkboxes to show if the service can be paused or stopped. If it can be stopped, click on the Service Control menu bar and select “Stop Selected Service”. A piece of interesting information shown in Svchost Viewer is the amount of data written and read.

Download Svchost Viewer 

7. Services In Svchost

Services In Svchost is a very simple program that simply shows the services in the svchosts.exe. There is no description, no control, or DLL file information. The only unique feature found in this utility is the ability to view the services on remote computers by entering the computer name or IP address.

Services in Svchost

There are requirements if you want to get the services on remote computer. Firstly it requires a user account that has a password set (empty password is not allowed) and the Remote Registry service must be manually started. Make sure the Windows Firewall is not blocking the connection. Once all this 3 requirements are met, you need to manually authenticate with the remote computer by accessing the shared folders. After authentication, simply enter the computer name and click Get Services button.

Download Services In Svchost 
Read More: 

404 total views, 1 views today

Shutdown or Wake Up a PC on a LAN


FROM: http://ccm.net/faq/9200-shutdown-or-wake-up-a-pc-on-a-lan

Shutdown or Wake Up a PC on a LAN

In addition to serving as a host, a LAN (or local area network) also gives users a certain amount of control over the PCs that are connected to a network. Included in this is the ability to turn a computer on or off from a remote location.

This article will explain how to use the Shutdown command to turn off a computer remotely as well as how to use the WakeOnLan standard to wake or boot a PC.

This method was tested using a Windows XP Professional computer.

Remotely Shutdown a Computer on a LAN

In order to control a computer remotely, please note that you must be connected to the same local network as the target PC. You must also know the username and password required for login.

The first step is to open TCP port 445 on the target computer. To do this, open your Start menu and then go to Settings > Control Panel > Security Center.

Open Windows Firewall and click the Exceptions tab.

Select the line that reads File Sharing and printers and press OK. If this line is missing, click Add Port and choose TCP port 445 .

Next, head to Start > Settings > Control Panel > System. Select the Remote tab and check the option that reads Allow users to connect remotely to this computer.

It is now time to open the command prompt.

Head to Start/Run or use the keyboard shortcut Windows + R. Next, type cmd and then hit OK. This will open your command prompt.

To obtain the necessary rights to run a shutdown command on the target machine, you must first run the net use command. Use the Windows + R keyboard shortcut and then enter net use \\ip_address_of_target_machine. Enter an administrator username and password for the target computer to connect to the target PC.

Once connected to the target PC, we can run the shutdown command. An example of the command is given below, whereby instructions are given for the target computer to close all active applications and shutdown after 30 seconds of inactivity. Please note that you can substitute any of the variables according to your network or PC specifics:

-s: Shutdown the PC

-f: Force active applications to close without warning

-t xx: Set a countdown in seconds

-m \\xxx.xxx.xxx.xxx: The IP address of the target computer

The GUI is available by typing shutdown -i.

For any additional information about this command, type shutdown /?.

The WakeOnLAN Command

WakeOnLAN, as the name already suggests, is a tool that can boot or wake a computer by sending a Magic Packet to the network adapter of the target computer. It is important to note that not all network cards and BIOS are compatible with, or support, the use of Magic Packet.

In order to use the WakeOnLAN command, you must be connected to the same local area network (LAN) as the target computer. Knowledge of the physical location (MAC) and IP address of the target computer is also required.

Retrieve IP and MAC Address

The first step is to retrieve the IP address and MAC address of the target computer. To do this, go to Start/Run or use the keyboard shortcutWindows + R and type cmd > OK.

The command prompt will open. Now type ipconfig /all:

Copy the IP and physical (MAC) address of the target PC.

Compatibility Checks

It’s now time to check if your network card is compatible with Magic Packets. To do this, right-click on My Computer and click Manage. Next, go to Device Manager/Network Cards and do a right-click on your Network Card. Then click Properties.

Do a search for the following words and verify that all options that relate to them are currently active: Magic Packet, Wake On Magic Packet, Wake On Lan, or Wake. If none of these words appear, you may be required to update the drivers for your Network Card.

To see if your computer is BIOS compatible, enter the BIOS when you start the computer. You can do this by pressing ESC, F2, F5, F12 or DEL (depending on your system).

Once in the BIOS, go Power Options and enable Wake-On-LAN, or any similar option:

Open Port 8900

You can open Port 8900 in the same way as you would Port 445.

Wake On LAN (WOL)

Start by downloading the Symantec WOL tool on the source computer. Launch the tool and then fill in the empty fields using the information gathered above.

Mac Address: MAC address (the target machine)

Internet Address: Local IP address (target machine)

Subnet Mask:

Send Options: Local Subnet

Remote Port Number: 8900

Click the button: Wake Me Up

Once the packet has been received, the target computer will boot:

558 total views, 1 views today

Pro tip: Override the 4GB memory barrier on 32-bit Windows 8.1 systems


From: http://www.techrepublic.com/blog/windows-and-office/override-the-4gb-memory-barrier-on-32-bit-windows-81-systems/

Pro tip: Override the 4GB memory barrier on 32-bit Windows 8.1 systems

By Matt Nawrocki in Windows and Office, November 19, 2013, 11:15 AM PST

Turn on Physical Address Extension mode and unleash the full potential of your 32-bit RAM memory.
50490C_Comal_Chip_Left_FINAL_pins_trans.jpgAlthough the 64-bit transition period has come and gone, there are a surprising number of active installations of the 32-bit Windows operating system, particularly in industrial or business environments. One plausible explanation is the fact that backwards compatibility with older 16-bit Windows code is not possible on 64-bit Windows. Virtual 8086 mode, which is what NT Virtual DOS Machine or NTVDM relies on, cannot be utilized when the CPU is in 64-bit long mode. To counter this limitation, 32-bit Windows is used instead of 64-bit Windows.
Initially, there wasn’t much of a difference between the two architectures in real world usage situations. However, over time, the base amounts of memory starting at 8GB and above exceed the maximum addressable memory space on 32-bit Windows, which is set at a rather paltry 4GB. And that doesn’t even take into consideration reserved memory overhead that comes into play when you max out the system memory, sometimes bringing usable memory down below 3GB.

Some operating systems like Linux implement a feature called Physical Address Extension or PAE mode, which switches to 36-bit memory addressing, allowing for access to a grand total of 64GB of main system memory, which is a massive improvement. Likewise, Microsoft has implemented PAE in the Windows kernel, albeit disabled by default and only accessible on server editions of Windows. To that end, a proper patch of the Windows kernel will be necessary on desktop editions in order to attain the same memory access benefit.

With only 3.5 GB out of 8 GB of main memory available, that’s just a sheer waste of potential resources

Aside from some notable exceptions, which will be mentioned in a bit, enabling PAE in Windows is a rather painless exercise with no harmful side-effects. Although you can address up to 64GB of memory in PAE mode, each process is limited to 2GB of memory space per active process. For certain memory hungry applications, like Adobe Photoshop, you are still far better off using a 64-bit version of Windows instead. For this reason, I would consider PAE mode to be more of a Band-Aid than an actual long-term solution. Luckily, for a good portion of business applications, this shouldn’t be a major concern.

Also read: Five Windows 7 Gadgets to keep you informed about your system

Activating proper PAE mode on Windows 8.1 is a fairly easy process. However, before you begin the procedure, be sure that no RAM disk or memory optimizer drivers are active in order to prevent possible conflicts. You can re-enable them once you have successfully booted into PAE mode on Windows. For safety purposes and easy recovery, you will be creating a boot menu item so that you can go back and forth between PAE and non-PAE modes in case additional troubleshooting is necessary.

Here are the steps:

Download the PAE Windows kernel patch from Wen Jia Liu’s personal webpage.
Enter the Desktop tile from the Start screen and open the downloaded zip file.
Extract PatchPae2.exe to your System32 folder. The default location is C:\Windows\System32.
Right-click on the Windows Start Button and click “Command Prompt (Admin)”
Execute the following commands in sequence:

cd %SYSTEMROOT%\System32

PatchPae2.exe -type kernel -o ntoskrnx.exe ntoskrnl.exe

PatchPae2.exe -type loader -o winloadp.exe winload.exe

bcdedit /copy {current} /d “Windows 8.1 (PAE Patched)”

Windows generates a unique boot ID, referencing the PAE option.

At this juncture, you will see a message stating the entry was successfully copied. Write down the long string of letters and numbers surrounded by braces, representing the boot ID, since you will need to use it for the next few commands:

bcdedit /set {PASTE BOOT ID HERE} kernel ntoskrnx.exe

bcdedit /set {PASTE BOOT ID HERE} path \Windows\System32\winloadp.exe

bcdedit /set {PASTE BOOT ID HERE} nointegritychecks 1

bcdedit /set {bootmgr} default {PASTE BOOT ID HERE}

bcdedit /set {bootmgr} timeout 5

Once all the commands are processed, you will need to reboot your system for changes to take effect. When you reboot, you will be presented with a Windows boot manager screen. The time out is set to five seconds, but you can change this if you wish using the following command, replacing the X with the desired number of seconds for the timeout, a 0 to boot immediately to the default entry, or a -1 to make the timeout indefinite.

bcdedit /set {bootmgr} timeout X
When Microsoft pushes updates to Windows 8.1, it can sometimes include updates to the kernel itself. If this ever happens, simply run the following command to refresh the PAE kernel.

PatchPae2.exe -type kernel -o ntoskrnx.exe ntoskrnl.exe

And finally, if you wish to return Windows back to its former non-PAE enabled state, you may do so by performing the following tasks:

Delete the boot entry for “Windows 8.1 (PAE Patched)” via msconfig.
Delete the files ntoskrnx.exe and winloadp.exe from System32.
Ahh! Much better!

With all this in mind, it’s important to note that certain hardware drivers might not work correctly in PAE mode. Intel HD series graphics starting at around Sandy Bridge will experience video buffer corruption issues, since the drivers written for 32-bit Windows 8.1 do not take the extended memory addressing that is present in PAE mode into account. The only known workaround at this time is to force install the Windows XP 32-bit version of the Intel HD display driver.

Bottom line
Depending on your needs, this workaround works rather well for the most part, with the only major drawbacks being an uglier desktop with no Aero Glass transparency in the user interface. The reason for this is the fact that the driver is not written to follow the latest WDDM framework. Another major sticking point is that switchable GPU graphics like Nvidia Optimus are rendered useless when the host integrated GPU isn’t running the correct drivers. This could very well be a make it or break it situation, especially if you have a work laptop that works in graphics heavy applications like AutoCAD. Dedicated, non-switchable graphics solutions from vendors like Nvidia and AMD are unaffected by the PAE limitation.

All that said, this PAE guide may still serve as a blessing for anyone clinging to legacy software, but might want to make the best use of all their system memory at the same time. Although 32-bit native Windows might not be around forever, there’s still some life left in the flagging platform and you won’t have to jump ship to 64-bit for the foreseeable future.

555 total views, no views today