Originally posted by: xtknight
MSDN is where all the developer documentation is.
Docs for typical command line apps in Windows XP are here: http://www.microsoft.com/resources/docu.../proddocs/en-us/ntcmds_o.mspx?mfr=true
The win equivalent of 'man' is 'help', 'help taskkill' for example but I think it's just the same as /? anyway.
Originally posted by: MrChad
Google Site search usually works for me.
Originally posted by: xtknight
http://www.google.com/search?hl=en&lr=&q=svchost+%22-k%22&btnG=Search
Probably just starts a set of kernel services. It is undocumented just as many of the Windows NT APIs. Is there a reason for concern (trying to slim down your services list?) tasklist /svc lists currently running services (and tells you which PID of svchost is responsible for which services).
Running every service in its own process instead of having services share a process whenever possible wastes system resources. However, sharing processes means that if any of the services in the process has a bug that causes the process to exit, all the services in that process terminate.
Of the Windows built-in services, some run in their own process and some share a process with other services. For example, the SCM process hosts the Event Log service and the usermode Plug and Play service, and the LSASS process contains security-related services--such as the Security Accounts Manager (SamSs) service, the Net Logon (Netlogon) service, and the IPSec Policy Agent (PolicyAgent) service.
There is also a "generic" process named Service Host (SvcHost - \Windows\System32\Svchost.exe) to contain multiple services. Multiple instances of SvcHost can be running in different processes. Services that run in SvcHost processes include Telephony (TapiSrv), Remote Procedure Call (RpcSs) and Remote Access Connection Manager (RasMan). Windows implements services that run in SvcHost as DLLs and includes an ImagePath definition in the form "%SystemRoot%\System32\svchost.exe -k netsvcs" in the service's registry key. The service's registry key must also have a registry value named ServiceDll under a Parameters subkey that points to the service's DLL file.
All services that share a common SvcHost process specify the same parameter ("-k netsvcs" in the example in the preceeding paragraph) so that they have a single entry in the SCM's image database. When the SCM encounters the first service that has a SvcHost ImagePath with a particular parameter during service startup, it creates a new image database entry and lauches a SvcHost process with the parameter. The new SvcHost process takes the parameter and looks for a value having the same name as the parameter under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. SvcHost reads the contents of the value, interpreting it as a list of service names, and notifies the SCM that it's hosting those services when SvcHost registers with the SCM.
When the SCM encounters a SvcHost service during system startup with an ImagePath matching an entry it already has in the image database, it doesn't launch a second process but instead just sends a start command for the service to the SvcHost it already started for that ImagePath value. The existing SvcHost process reads the ServiceDll parameter in the service's registry key and loads the DLL into its process to start the service.
Originally posted by: stash
From "Windows Internals", 4th Ed. Chapter 4:
Running every service in its own process instead of having services share a process whenever possible wastes system resources. However, sharing processes means that if any of the services in the process has a bug that causes the process to exit, all the services in that process terminate.
Of the Windows built-in services, some run in their own process and some share a process with other services. For example, the SCM process hosts the Event Log service and the usermode Plug and Play service, and the LSASS process contains security-related services--such as the Security Accounts Manager (SamSs) service, the Net Logon (Netlogon) service, and the IPSec Policy Agent (PolicyAgent) service.
There is also a "generic" process named Service Host (SvcHost - \Windows\System32\Svchost.exe) to contain multiple services. Multiple instances of SvcHost can be running in different processes. Services that run in SvcHost processes include Telephony (TapiSrv), Remote Procedure Call (RpcSs) and Remote Access Connection Manager (RasMan). Windows implements services that run in SvcHost as DLLs and includes an ImagePath definition in the form "%SystemRoot%\System32\svchost.exe -k netsvcs" in the service's registry key. The service's registry key must also have a registry value named ServiceDll under a Parameters subkey that points to the service's DLL file.
All services that share a common SvcHost process specify the same parameter ("-k netsvcs" in the example in the preceeding paragraph) so that they have a single entry in the SCM's image database. When the SCM encounters the first service that has a SvcHost ImagePath with a particular parameter during service startup, it creates a new image database entry and lauches a SvcHost process with the parameter. The new SvcHost process takes the parameter and looks for a value having the same name as the parameter under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. SvcHost reads the contents of the value, interpreting it as a list of service names, and notifies the SCM that it's hosting those services when SvcHost registers with the SCM.
When the SCM encounters a SvcHost service during system startup with an ImagePath matching an entry it already has in the image database, it doesn't launch a second process but instead just sends a start command for the service to the SvcHost it already started for that ImagePath value. The existing SvcHost process reads the ServiceDll parameter in the service's registry key and loads the DLL into its process to start the service.
Does that help? (Everyone should have a copy of this book if they are at all interested in how Windows works.)
Originally posted by: n0cmonkey
Originally posted by: xtknight
http://www.google.com/search?hl=en&lr=&q=svchost+%22-k%22&btnG=Search
Probably just starts a set of kernel services. It is undocumented just as many of the Windows NT APIs. Is there a reason for concern (trying to slim down your services list?) tasklist /svc lists currently running services (and tells you which PID of svchost is responsible for which services).
Not to be rude, but don't you think I tried a basic google search?![]()
Originally posted by: xtknight
Originally posted by: n0cmonkey
Originally posted by: xtknight
http://www.google.com/search?hl=en&lr=&q=svchost+%22-k%22&btnG=Search
Probably just starts a set of kernel services. It is undocumented just as many of the Windows NT APIs. Is there a reason for concern (trying to slim down your services list?) tasklist /svc lists currently running services (and tells you which PID of svchost is responsible for which services).
Not to be rude, but don't you think I tried a basic google search?![]()
Yeah, I just wanted to make sure you enclosed the "-k" parameter in double quotes, or Google would just do a search and exclude everything with "k" in it.
