Is there a site that has Windows "man pages"?

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
command /? isn't giving me any information, and Microsoft's site isn't human friendly.

Any links?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: MrChad
Google Site search usually works for me.

Give me a link please. I'm trying to find more information on command line options to svchost.exe. Thanks!
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
That link doesn't have anything about it either. I just want to know what svchost.exe -k something does... I guess I've been spoiled by BSD. :p
 

greylica

Senior member
Aug 11, 2006
276
0
0
n0cmonkey, ask smilin what is it. He probably knows because he works or worked on Microsoft. All that I know is that the process are started by this service to run in kernel mode, and all of the process are started under services.exe wich is linked to the services under:
Control panel ->administrative tools -> computer management -> services.
Click on the service and dependencies to know what services are started and how.
I know these services have to be signed by microsoft to be started under svchost.exe, but is already hacked by a
great amount of viruses to start strange services like spywares and rootkits.
you can kill these spywares deleting them from the registry too if you know what is inside the normal operation under the windows task manager. afetr this you can restart and delete the file of the virus itself.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: xtknight
http://www.google.com/search?hl=en&lr=&q=svchost+%22-k%22&btnG=Search

Probably just starts a set of kernel services. It is undocumented just as many of the Windows NT APIs. Is there a reason for concern (trying to slim down your services list?) tasklist /svc lists currently running services (and tells you which PID of svchost is responsible for which services).

Not to be rude, but don't you think I tried a basic google search? ;)

I'm not trying to do anything, except find out exactly what svchost.exe does. An good online source of microsoft documentation wouldn't be bad either, but it definitely isn't their site. ;)

It's not even that big of a deal now, just principle. :p
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
heh...man pages rock. I get angry when I have to use Redhat, due to their spotty and crappy manpages...
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
From "Windows Internals", 4th Ed. Chapter 4:

Running every service in its own process instead of having services share a process whenever possible wastes system resources. However, sharing processes means that if any of the services in the process has a bug that causes the process to exit, all the services in that process terminate.

Of the Windows built-in services, some run in their own process and some share a process with other services. For example, the SCM process hosts the Event Log service and the usermode Plug and Play service, and the LSASS process contains security-related services--such as the Security Accounts Manager (SamSs) service, the Net Logon (Netlogon) service, and the IPSec Policy Agent (PolicyAgent) service.

There is also a "generic" process named Service Host (SvcHost - \Windows\System32\Svchost.exe) to contain multiple services. Multiple instances of SvcHost can be running in different processes. Services that run in SvcHost processes include Telephony (TapiSrv), Remote Procedure Call (RpcSs) and Remote Access Connection Manager (RasMan). Windows implements services that run in SvcHost as DLLs and includes an ImagePath definition in the form "%SystemRoot%\System32\svchost.exe -k netsvcs" in the service's registry key. The service's registry key must also have a registry value named ServiceDll under a Parameters subkey that points to the service's DLL file.

All services that share a common SvcHost process specify the same parameter ("-k netsvcs" in the example in the preceeding paragraph) so that they have a single entry in the SCM's image database. When the SCM encounters the first service that has a SvcHost ImagePath with a particular parameter during service startup, it creates a new image database entry and lauches a SvcHost process with the parameter. The new SvcHost process takes the parameter and looks for a value having the same name as the parameter under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. SvcHost reads the contents of the value, interpreting it as a list of service names, and notifies the SCM that it's hosting those services when SvcHost registers with the SCM.

When the SCM encounters a SvcHost service during system startup with an ImagePath matching an entry it already has in the image database, it doesn't launch a second process but instead just sends a start command for the service to the SvcHost it already started for that ImagePath value. The existing SvcHost process reads the ServiceDll parameter in the service's registry key and loads the DLL into its process to start the service.

Does that help? (Everyone should have a copy of this book if they are at all interested in how Windows works.)
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: stash
From "Windows Internals", 4th Ed. Chapter 4:

Running every service in its own process instead of having services share a process whenever possible wastes system resources. However, sharing processes means that if any of the services in the process has a bug that causes the process to exit, all the services in that process terminate.

Of the Windows built-in services, some run in their own process and some share a process with other services. For example, the SCM process hosts the Event Log service and the usermode Plug and Play service, and the LSASS process contains security-related services--such as the Security Accounts Manager (SamSs) service, the Net Logon (Netlogon) service, and the IPSec Policy Agent (PolicyAgent) service.

There is also a "generic" process named Service Host (SvcHost - \Windows\System32\Svchost.exe) to contain multiple services. Multiple instances of SvcHost can be running in different processes. Services that run in SvcHost processes include Telephony (TapiSrv), Remote Procedure Call (RpcSs) and Remote Access Connection Manager (RasMan). Windows implements services that run in SvcHost as DLLs and includes an ImagePath definition in the form "%SystemRoot%\System32\svchost.exe -k netsvcs" in the service's registry key. The service's registry key must also have a registry value named ServiceDll under a Parameters subkey that points to the service's DLL file.

All services that share a common SvcHost process specify the same parameter ("-k netsvcs" in the example in the preceeding paragraph) so that they have a single entry in the SCM's image database. When the SCM encounters the first service that has a SvcHost ImagePath with a particular parameter during service startup, it creates a new image database entry and lauches a SvcHost process with the parameter. The new SvcHost process takes the parameter and looks for a value having the same name as the parameter under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. SvcHost reads the contents of the value, interpreting it as a list of service names, and notifies the SCM that it's hosting those services when SvcHost registers with the SCM.

When the SCM encounters a SvcHost service during system startup with an ImagePath matching an entry it already has in the image database, it doesn't launch a second process but instead just sends a start command for the service to the SvcHost it already started for that ImagePath value. The existing SvcHost process reads the ServiceDll parameter in the service's registry key and loads the DLL into its process to start the service.

Does that help? (Everyone should have a copy of this book if they are at all interested in how Windows works.)

Thanks, that helped. I'll have to take a look at that book next time I'm at the store.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Originally posted by: n0cmonkey
Originally posted by: xtknight
http://www.google.com/search?hl=en&lr=&q=svchost+%22-k%22&btnG=Search

Probably just starts a set of kernel services. It is undocumented just as many of the Windows NT APIs. Is there a reason for concern (trying to slim down your services list?) tasklist /svc lists currently running services (and tells you which PID of svchost is responsible for which services).

Not to be rude, but don't you think I tried a basic google search? ;)

Yeah, I just wanted to make sure you enclosed the "-k" parameter in double quotes, or Google would just do a search and exclude everything with "k" in it.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: xtknight
Originally posted by: n0cmonkey
Originally posted by: xtknight
http://www.google.com/search?hl=en&lr=&q=svchost+%22-k%22&btnG=Search

Probably just starts a set of kernel services. It is undocumented just as many of the Windows NT APIs. Is there a reason for concern (trying to slim down your services list?) tasklist /svc lists currently running services (and tells you which PID of svchost is responsible for which services).

Not to be rude, but don't you think I tried a basic google search? ;)

Yeah, I just wanted to make sure you enclosed the "-k" parameter in double quotes, or Google would just do a search and exclude everything with "k" in it.

I have strong google-fu. ;)
But I appreciate it. :)