
Wednesday, 01 July 2009

Understanding Svchost Part II

I have published a brief paper on svchost.exe: Svchost: To Whom and Why. It explains how to use the Mark Russinovich (Microsoft: www.Sysinternals.com) tool set to understand svchost.exe behavior. Microsoft uses Limelight Networks (among other 'CDNs') to help them distribute update content. What I do not like about this is that when you enable Microsoft Update you do not explicitly give Microsoft permission to use a third-party CDN to send and receive data from your PC. But that is exactly what happens in the world of Edge Networks, 'CDNs', 'Software Ecosystems' and 'Cloud computing'. Data from my computer is sent, without my permission, to network locations that are not local to the Pacific Northwest or necessarily controlled by the software vendor with which I have service level agreements.

Tuesday, 30 June 2009

Understanding Svchost

Some relatively simple code helps us understand svchost processes. You will need a large screen to display the output:

# Every running svchost.exe process (Win32_Process.Handle holds the PID as a string).
$global:svchost = Get-WmiObject Win32_Process -Filter "name='svchost.exe'"
# For each svchost PID, the Win32_Service rows whose ProcessID matches it,
# i.e. the services that this particular svchost instance is hosting.
$global:win32_handle = $svchost | ForEach-Object { Get-WmiObject -Query "Select * from Win32_Service where processID = $($_.Handle)" }
# Order services by hosting PID, then by name, so the groups read together.
$global:Sort_handle = $win32_handle | Sort-Object processID, Name
$global:Sort_svchost = $svchost | Sort-Object processID
# Table 1: which services live in which svchost, with state and start mode.
$Sort_handle | Format-Table processID, name, state, startmode, Started, AcceptStop, Description -AutoSize
# Table 2: per-process resource counters for the same PIDs.
$Sort_svchost | Format-Table ProcessID, ThreadCount, HandleCount, WS, VM, KernelModeTime, ReadOperationCount, ReadTransferCount, OtherTransferCount -AutoSize

[Output]:

:.\Get-SvcHost_005.ps1

processID name state startmode Started AcceptStop Description
--------- ---- ----- --------- ------- ---------- -----------
840 SSDPSRV Running Manual True True Enables discovery of UPnP devices on your home network.
1168 stisvc Running Auto True True Provides image acquisition services for scanners and cameras.
1204 DcomLaunch Running Auto True False Provides launch functionality for DCOM services.
1292 RpcSs Running Auto True False Provides the endpoint mapper and other miscellaneous RPC services.
.....


ProcessID ThreadCount HandleCount WS VM KernelModeTime ReadOperationCount ReadTransferCount OtherTransferCount
--------- ----------- ----------- -- -- -------------- ------------------ ----------------- ------------------
840 9 236 6078464 39940096 468750 369 48936 129130
1168 5 210 6574080 41291776 11093750 438 53831 32770
1204 5 209 6381568 43548672 3125000 383 53947 330048
1292 10 457 7004160 45506560 24375000 506 465380 63666
.....
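The script above answers "which services does each svchost host?"; a defender usually also wants the inverse question answered in the same pass: is there an svchost.exe that hosts no service, runs from somewhere other than System32, or was not started by services.exe? The following is an added example (not code from the original post) that joins the same two WMI classes, Win32_Process and Win32_Service, into one row per svchost instance and annotates each row with those checks. It assumes PowerShell 3.0 or later for Get-CimInstance; the function name Get-SvchostReport and the flag strings are my own.

```powershell
# Added example, not part of the original post.
# Assumes Windows with PowerShell 3.0+ (Get-CimInstance). Uses only the
# Win32_Process and Win32_Service classes the post already queries.

function Get-SvchostReport {
    [CmdletBinding()]
    param()

    $system32 = Join-Path $env:SystemRoot 'System32'

    # Every svchost.exe process currently running.
    $hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

    # Running services, grouped by the PID that hosts them (ProcessId 0 = stopped).
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($p in $hosts) {
        $pidKey   = [string]$p.ProcessId
        $services = @()
        if ($svcByPid -and $svcByPid.ContainsKey($pidKey)) {
            $services = @($svcByPid[$pidKey] | Sort-Object Name)
        }

        # Parent process: a legitimate svchost is launched by services.exe.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        $flags = @()
        if ($p.ExecutablePath -and
            -not $p.ExecutablePath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'path-not-system32'
        }
        if ($services.Count -eq 0) {
            $flags += 'hosts-no-services'
        }
        if ($parent -and $parent.Name -ne 'services.exe') {
            $flags += "parent-is-$($parent.Name)"
        }

        [PSCustomObject]@{
            ProcessId    = $p.ProcessId
            Path         = $p.ExecutablePath
            Parent       = if ($parent) { $parent.Name } else { '(exited)' }
            ServiceCount = $services.Count
            Services     = ($services | ForEach-Object Name) -join ','
            Flags        = ($flags -join ' ')
        }
    }
}

# Usage: one line per svchost, flagged rows are the ones worth a second look.
Get-SvchostReport | Sort-Object ProcessId | Format-Table -AutoSize -Wrap
```

Two caveats when reading the Flags column. A single svchost with 'hosts-no-services' is not by itself proof of anything: a service may have just stopped, leaving its host to exit a moment later. And on Windows 10 and later with more than about 3.5 GB of RAM, the service host is split so that most services get their own svchost.exe, so a ServiceCount of 1 across dozens of PIDs is the normal picture rather than the grouped layout the 2009 output above shows.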