The SvcHost File

Under the Windows operating system, svchost (svchost.exe, the Service Host) is a shared way to host multiple services inside the same process; this method is used to reduce the consumption of the host's computing resources.

You can look under this registry key to get a list of the shared services that use the svchost.exe process:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost

Here is a dump of the file produced with the PEFile tool from this site:

File Name: svchost.exe
MD5 Hash: 54a47f6b5e09a77e61649109c6a08866
SHA1 Hash: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
File Entropy: 5.88
Overlay Count: 0
NT Offset: 000000d8
File-Overlay: 00000000 (0 bytes)

File Attributes:

  • [ ]System.
  • [X]Archive.
  • [ ]Read only.
  • [ ]Hidden.
  • [ ]Compressed.
  • [ ]Encrypted.
  • [ ]Normal.
  • [ ]Offline.

Time Stamp:

  • Creation Time: 2009.7.13 23:19:28
  • Last Access Time: 2009.7.13 23:19:28
  • Last Write Time: 2009.7.14 1:14:41
  • File Size: 20992 bytes

File Version Info:

  • Signature: 0xfeef04bdL
  • StrucVersion: 1.0
  • File Version: 6.1.7600.16385
  • Product Version: 6.1.7600.16385
  • FileType: 0x00000001L The file contains an application.
  • FileOS: 0x00040004L The file was designed for Windows NT.

Image ConfigInformation:

  • TimeDateStamp: 00000000
  • MajorVersion: 00000000
  • MinorVersion: 00000000
  • GlobalFlagsClear: 00000000
  • GlobalFlagsSet: 00000000
  • CriticalSectionDefaultTimeout: 00000000
  • DeCommitFreeBlockThreshold: 00000000
  • DeCommitTotalFreeThreshold: 00000000
  • LockPrefixTable: 00000000
  • MaximumAllocationSize: 00000000
  • VirtualMemoryThreshold: 00000000
  • ProcessAffinityMask: 00000000
  • ProcessHeapFlags: 00000000
  • CSDVersion: 00000000
  • Reserved1: 00000000
  • EditList: 00000000

Header Information:

  • Signature: 00004550
  • Is System Image: 0
  • Is DOS Image: 0
  • Size Of Image: 20992 bytes
  • Machine: x86 (0x014c)
  • NumberOfSections: 00000004
  • TimeDateStamp: 4A5BC100 [Tue Jul 14 02:19:28 2009 ]
  • PointerToSymbolTable: 00000000
  • NumberOfSymbols: 00000000
  • SizeOfOptionalHeader: 000000E0

Characteristics information:

  • The file is executable (there are no unresolved external references).
  • Computer supports 32-bit words.

Magic:

  • HDR, The file is an executable image.
  • MajorLinkerVersion: 00000009
  • MinorLinkerVersion: 00000000
  • SizeOfCode: 00003A00
  • SizeOfInitializedData: 00001400
  • SizeOfUninitializedData: 00000000
  • BaseOfData: 00005000
  • AddressOfEntryPoint: 00002104
  • BaseOfCode: 00001000
  • ImageBase: 01000000
  • SectionAlignment: 00001000
  • FileAlignment: 00000200
  • MajorOperatingSystemVersion: 00000006
  • MinorOperatingSystemVersion: 00000001
  • MajorImageVersion: 00000006
  • MinorImageVersion: 00000001
  • MajorSubsystemVersion: 00000006
  • MinorSubsystemVersion: 00000001
  • Win32VersionValue: 00000000
  • SizeOfImage: 00008000
  • SizeOfHeaders: 00000400
  • CheckSum: 000087D0

Subsystem:

  • Windows graphical user interface (GUI) subsystem…

Dll Characteristics:

  • SizeOfStackReserve: 00040000
  • SizeOfStackCommit: 00004000
  • SizeOfHeapReserve: 00100000
  • SizeOfHeapCommit: 00001000
  • LoaderFlags: 00000000
  • NumberOfRvaAndSizes: 00000010
  • VirtualAddress: 00003E90
  • Size: 000000B4
  • VirtualAddress: 00006000
  • Size: 00000810
  • VirtualAddress: 00007000
  • Size: 000003CC
  • VirtualAddress: 0000497C
  • Size: 00000038
  • VirtualAddress: 00003740
  • Size: 00000040
  • VirtualAddress: 00000270
  • Size: 0000011C
  • VirtualAddress: 00001000
  • Size: 000001A8
  • VirtualAddress: 00003DD4
  • Size: 00000040

Data directory sections:

Section Name: .text

    • Characteristics information:
    • Section contains executable code.
    • Section can be executed as code.
    • Section can be read.
    • VirtualSize: 000039DC (14812)
    • NumberOfRelocations: 00000000
    • NumberOfLinenumbers: 00000000
    • PointerToLinenumbers: 00000000
    • PointerToRawData: 00000400 (1024)
    • PointerToRelocations: 00000000
    • SizeOfRawData: 00003A00 (14848)
    • VirtualAddress: 00001000 (4096)
    • Entropy: 6.29
    • MD5: 2eb5bad67734deb71cf023259153ef53

Section Name: .data

    • Characteristics information:
    • Section contains initialized data.
    • Section can be read.
    • Section can be written to.
    • VirtualSize: 000005A8 (1448)
    • NumberOfRelocations: 00000000
    • NumberOfLinenumbers: 00000000
    • PointerToLinenumbers: 00000000
    • PointerToRawData: 00003E00 (15872)
    • PointerToRelocations: 00000000
    • SizeOfRawData: 00000600 (1536)
    • VirtualAddress: 00005000 (20480)
    • Entropy: 0.81
    • MD5: bdd64867dcbd8117aac049606aa40456

Section Name: .rsrc

    • Characteristics information:
    • Section contains initialized data.
    • Section can be read.
    • VirtualSize: 00000810 (2064)
    • NumberOfRelocations: 00000000
    • NumberOfLinenumbers: 00000000
    • PointerToLinenumbers: 00000000
    • PointerToRawData: 00004400 (17408)
    • PointerToRelocations: 00000000
    • SizeOfRawData: 00000A00 (2560)
    • VirtualAddress: 00006000 (24576)
    • Entropy: 3.76
    • MD5: 66f21324fc812e3bf717c9aae7a151ee

Section Name: .reloc

    • Characteristics information:
    • Section contains initialized data.
    • Section can be discarded as needed.
    • Section can be read.
    • VirtualSize: 000003CC (972)
    • NumberOfRelocations: 00000000
    • NumberOfLinenumbers: 00000000
    • PointerToLinenumbers: 00000000
    • PointerToRawData: 00004E00 (19968)
    • PointerToRelocations: 00000000
    • SizeOfRawData: 00000400 (1024)
    • VirtualAddress: 00007000 (28672)
    • Entropy: 6.40
    • MD5: 7d35466317c0fe1186bb026254385afe

DOS Signature: 5A4D

  • PE Signature: 4550
  • Optional Header Magic Number: 10B

Imported DLL List:

Imported DLL [0]: msvcrt.dll

    • func: __wgetmainargs (Address: 6FF64E7C)
    • func: _exit (Address: 6FFBB2C0)
    • func: _XcptFilter (Address: 6FF7DC75)
    • func: exit (Address: 6FF636AA)
    • func: _initterm (Address: 6FF5C151)
    • func: _amsg_exit (Address: 6FFBB2EF)
    • func: __setusermatherr (Address: 6FFE77AD)
    • func: memcpy (Address: 6FF59910)
    • func: _controlfp (Address: 6FF5E1E1)
    • func: _except_handler4_common (Address: 6FF73E27)
    • func: ?terminate@@YAXXZ (Address: 6FFA61CF)
    • func: __set_app_type (Address: 6FF62804)
    • func: __p__fmode (Address: 6FF627CE)
    • func: __p__commode (Address: 6FF627C3)
    • func: _cexit (Address: 6FF637D4)
    • 15 functions imported (0 ordinal)

Imported DLL [1]: API-MS-Win-Core-ProcessThreads-L1-1-0.dll

    • func: TerminateProcess (Address: 77E2509B)
    • func: GetCurrentProcess (Address: 77E3060C)
    • func: OpenProcessToken (Address: 074010BF)
    • func: GetCurrentProcessId (Address: 77E30D23)
    • func: GetCurrentThreadId (Address: 77E2F212)
    • 5 functions imported (0 ordinal)

Imported DLL [2]: KERNEL32.dll

    • func: LocalAlloc (Address: 77E30594)
    • func: CloseHandle (Address: 77E305B7)
    • func: DelayLoadFailureHook (Address: 77E001A4)
    • func: GetProcAddress (Address: 77E31837)
    • func: GetLastError (Address: 77E2F176)
    • func: FreeLibrary (Address: 77E319E9)
    • func: InterlockedCompareExchange (Address: 77E2F23C)
    • func: LoadLibraryExA (Address: 77E2BC8B)
    • func: InterlockedExchange (Address: 77E2F25E)
    • func: Sleep (Address: 77E2EF66)
    • func: SetUnhandledExceptionFilter (Address: 77E33142)
    • func: GetModuleHandleA (Address: 77E328D7)
    • func: QueryPerformanceCounter (Address: 77E2F2A7)
    • func: GetTickCount (Address: 77E2EF76)
    • func: GetSystemTimeAsFileTime (Address: 77E2FE44)
    • func: UnhandledExceptionFilter (Address: 77E42B35)
    • func: DeactivateActCtx (Address: 77E2911E)
    • func: LoadLibraryExW (Address: 77E2B6BF)
    • func: ActivateActCtx (Address: 77E290ED)
    • func: LeaveCriticalSection (Address: 77F06B40)
    • func: lstrcmpW (Address: 77E31814)
    • func: EnterCriticalSection (Address: 77F06B7E)
    • func: RegCloseKey (Address: 77E2F9D0)
    • func: RegOpenKeyExW (Address: 77E2F729)
    • func: HeapSetInformation (Address: 77E3C41A)
    • func: lstrcmpiW (Address: 77E2DB75)
    • func: lstrlenW (Address: 77E2FE37)
    • func: LCMapStringW (Address: 77E30E51)
    • func: RegQueryValueExW (Address: 77E2FCF1)
    • func: ReleaseActCtx (Address: 77E291BD)
    • func: CreateActCtxW (Address: 77E275A3)
    • func: ExpandEnvironmentStringsW (Address: 77E2B606)
    • func: GetCommandLineW (Address: 77E3ECAB)
    • func: ExitProcess (Address: 77E32ACF)
    • func: SetProcessAffinityUpdateMode (Address: 77E6F6A1)
    • func: RegDisablePredefinedCacheEx (Address: 77E15E7D)
    • func: InitializeCriticalSection (Address: 77F1F8BE)
    • func: GetProcessHeap (Address: 77E2F24C)
    • func: SetErrorMode (Address: 77E31297)
    • func: RegisterWaitForSingleObjectEx (Address: 77E15DFD)
    • func: LocalFree (Address: 77E3057C)
    • func: HeapFree (Address: 77E2F198)
    • func: WideCharToMultiByte (Address: 77E30F86)
    • func: HeapAlloc (Address: 77F1209D)
    • 44 functions imported (0 ordinal)

Imported DLL [3]: ntdll.dll

    • func: RtlAllocateHeap (Address: 77F1209D)
    • func: RtlLengthRequiredSid (Address: 77F191B0)
    • func: RtlSubAuthoritySid (Address: 77F1F0F4)
    • func: RtlInitializeSid (Address: 77F224A1)
    • func: RtlCopySid (Address: 77F1883A)
    • func: RtlSubAuthorityCountSid (Address: 77F1C6C5)
    • func: RtlInitializeCriticalSection (Address: 77F1F8BE)
    • func: RtlSetProcessIsCritical (Address: 77EC1FA4)
    • func: RtlImageNtHeader (Address: 77F1BD55)
    • func: RtlUnhandledExceptionFilter (Address: 77F7C2E2)
    • func: EtwEventWrite (Address: 77EDF5AB)
    • func: EtwEventEnabled (Address: 77EEDD62)
    • func: EtwEventRegister (Address: 77F25A12)
    • func: RtlFreeHeap (Address: 77F11F31)
    • 14 functions imported (0 ordinal)

Imported DLL [4]: API-MS-Win-Security-Base-L1-1-0.dll

    • func: SetSecurityDescriptorDacl (Address: 0DCE9218)
    • func: AddAccessAllowedAce (Address: 0DCEC31F)
    • func: SetSecurityDescriptorOwner (Address: 0DCEA861)
    • func: SetSecurityDescriptorGroup (Address: 0DCEFA7C)
    • func: GetTokenInformation (Address: 0DCE73F1)
    • func: InitializeSecurityDescriptor (Address: 0DCE91CB)
    • func: GetLengthSid (Address: 0DCE73CE)
    • func: InitializeAcl (Address: 0DCE91F0)
    • 8 functions imported (0 ordinal)

Imported DLL [5]: API-MS-WIN-Service-Core-L1-1-0.dll

    • func: StartServiceCtrlDispatcherW (Address: 02B285B2)
    • func: SetServiceStatus (Address: 02B24F9C)
    • 2 functions imported (0 ordinal)

Imported DLL [6]: API-MS-WIN-Service-winsvc-L1-1-0.dll

    • func: RegisterServiceCtrlHandlerW (Address: 02B27D47)
    • 1 functions imported (0 ordinal)

Imported DLL [7]: RPCRT4.dll

    • func: RpcMgmtSetServerStackSize (Address: 77BB818D)
    • func: I_RpcMapWin32Status (Address: 77BEABAF)
    • func: RpcServerUnregisterIf (Address: 77BE1132)
    • func: RpcMgmtWaitServerListen (Address: 77BB1CFA)
    • func: RpcMgmtStopServerListening (Address: 77C115FE)
    • func: RpcServerUnregisterIfEx (Address: 77BBAECA)
    • func: RpcServerRegisterIf (Address: 77BB24DE)
    • func: RpcServerUseProtseqEpW (Address: 77BD29DD)
    • func: RpcServerListen (Address: 77BB8205)
    • 9 functions imported (0 ordinal)

8 DLLs Imported.

Stream (ADS) Information:

  • No Stream Found.

Resource Information:

Types: MUI

    • Name: 1
    • Language: 1033
    • ResInfo: 35edf18
    • Size: 176

Types: VERSION

    • Name: 1
    • Language: 1033
    • ResInfo: 35edf28
    • Size: 94

Types: MANIFEST

    • Name: 1
    • Language: 1033
    • ResInfo: 1044d8
    • Size: 688
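A defender reading a dump like the one above usually wants to confirm that the header fields agree with each other: that the sections tile the file exactly (no overlay, no gaps), that raw offsets honour FileAlignment, that SizeOfImage matches the last section, and that the entry point lands inside .text. The following is an added example, not output of the PEFile tool or code from the original page; it hard-codes the values quoted in the dump and applies the generic PE arithmetic to them, so the same functions can be pointed at any section table.

```python
# Added example: consistency checks over the header values quoted in the dump.
# The constants below are copied from the svchost.exe dump on this page.
FILE_SIZE = 20992              # File Size / File-Overlay: 0 bytes
SECTION_ALIGNMENT = 0x1000     # SectionAlignment
FILE_ALIGNMENT = 0x200         # FileAlignment
SIZE_OF_IMAGE = 0x8000         # SizeOfImage
SIZE_OF_HEADERS = 0x400        # SizeOfHeaders
ENTRY_POINT = 0x2104           # AddressOfEntryPoint (an RVA)

# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text",  0x1000, 0x39DC, 0x0400, 0x3A00),
    (".data",  0x5000, 0x05A8, 0x3E00, 0x0600),
    (".rsrc",  0x6000, 0x0810, 0x4400, 0x0A00),
    (".reloc", 0x7000, 0x03CC, 0x4E00, 0x0400),
]


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def check_layout(sections, file_size, sec_align, file_align,
                 size_of_image, size_of_headers):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    expected_raw = size_of_headers          # first section starts right after the headers
    for name, va, vsize, raw_ptr, raw_size in sections:
        if va % sec_align or raw_ptr % file_align or raw_size % file_align:
            findings.append(f"{name}: section not aligned to header alignment values")
        if raw_ptr != expected_raw:
            findings.append(f"{name}: raw data gap or overlap at {raw_ptr:#x}")
        expected_raw = raw_ptr + raw_size
    if expected_raw != file_size:           # bytes after the last section = overlay
        findings.append(f"overlay: {file_size - expected_raw} bytes after last section")
    _, last_va, last_vsize, _, _ = sections[-1]
    if align_up(last_va + last_vsize, sec_align) != size_of_image:
        findings.append("SizeOfImage does not match the end of the last section")
    return findings


def section_of_rva(sections, rva):
    """Name of the section containing the RVA, or None if it maps to no section."""
    for name, va, vsize, _, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


if __name__ == "__main__":
    print(check_layout(SECTIONS, FILE_SIZE, SECTION_ALIGNMENT, FILE_ALIGNMENT,
                       SIZE_OF_IMAGE, SIZE_OF_HEADERS) or "layout consistent")
    print("entry point in", section_of_rva(SECTIONS, ENTRY_POINT))
```

For the values on this page every check passes; an entry point outside .text, a misaligned raw size or a non-zero overlay would each produce a finding and is a reason to compare the file's hash against a known-good copy.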