The SvcHost File
Under the Windows operating system, svchost (svchost.exe, or Service Host) is a shared host process that runs multiple services inside a single process; this approach is used to reduce the computing resources the host consumes.
You can look under this registry key to get the list of shared service groups that run inside the svchost.exe process:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
Here is a dump of the file using the PEFile tool from this site:
File Name: svchost.exe
MD5 Hash: 54a47f6b5e09a77e61649109c6a08866
SHA1 Hash: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
File Entropy: 5.88
Overlay Count: 0
NT Offset: 000000d8
File-Overlay: 00000000 (0 bytes)
File Attributes:
- [ ] System
- [X] Archive
- [ ] Read only
- [ ] Hidden
- [ ] Compressed
- [ ] Encrypted
- [ ] Normal
- [ ] Offline
Time Stamp:
- Creation Time: 2009.7.13 23:19:28
- Last Access Time: 2009.7.13 23:19:28
- Last Write Time: 2009.7.14 1:14:41
- File Size: 20992 bytes
File Version Info:
- Signature: 0xfeef04bdL
- StrucVersion: 1.0
- File Version: 6.1.7600.16385
- Product Version: 6.1.7600.16385
- FileType: 0x00000001L The file contains an application.
- FileOS: 0x00040004L The file was designed for Windows NT.
Image ConfigInformation:
- TimeDateStamp: 00000000
- MajorVersion: 00000000
- MinorVersion: 00000000
- GlobalFlagsClear: 00000000
- GlobalFlagsSet: 00000000
- CriticalSectionDefaultTimeout: 00000000
- DeCommitFreeBlockThreshold: 00000000
- DeCommitTotalFreeThreshold: 00000000
- LockPrefixTable: 00000000
- MaximumAllocationSize: 00000000
- VirtualMemoryThreshold: 00000000
- ProcessAffinityMask: 00000000
- ProcessHeapFlags: 00000000
- CSDVersion: 00000000
- Reserved1: 00000000
- EditList: 00000000
Header Information:
- Signature: 00004550
- Is System Image: 0
- Is DOS Image: 0
- Size Of Image: 20992 bytes
- Machine: x86 (0x014c)
- NumberOfSections: 00000004
- TimeDateStamp: 4A5BC100 [Tue Jul 14 02:19:28 2009]
- PointerToSymbolTable: 00000000
- NumberOfSymbols: 00000000
- SizeOfOptionalHeader: 000000E0
Characteristics information:
- The file is executable (there are no unresolved external references).
- Computer supports 32-bit words.
Magic:
- HDR, The file is an executable image.
- MajorLinkerVersion: 00000009
- MinorLinkerVersion: 00000000
- SizeOfCode: 00003A00
- SizeOfInitializedData: 00001400
- SizeOfUninitializedData: 00000000
- BaseOfData: 00005000
- AddressOfEntryPoint: 00002104
- BaseOfCode: 00001000
- ImageBase: 01000000
- SectionAlignment: 00001000
- FileAlignment: 00000200
- MajorOperatingSystemVersion: 00000006
- MinorOperatingSystemVersion: 00000001
- MajorImageVersion: 00000006
- MinorImageVersion: 00000001
- MajorSubsystemVersion: 00000006
- MinorSubsystemVersion: 00000001
- Win32VersionValue: 00000000
- SizeOfImage: 00008000
- SizeOfHeaders: 00000400
- CheckSum: 000087D0
Subsystem:
- Windows graphical user interface (GUI) subsystem…
Dll Characteristics:
- SizeOfStackReserve: 00040000
- SizeOfStackCommit: 00004000
- SizeOfHeapReserve: 00100000
- SizeOfHeapCommit: 00001000
- LoaderFlags: 00000000
- NumberOfRvaAndSizes: 00000010
- VirtualAddress: 00003E90
- Size: 000000B4
- VirtualAddress: 00006000
- Size: 00000810
- VirtualAddress: 00007000
- Size: 000003CC
- VirtualAddress: 0000497C
- Size: 00000038
- VirtualAddress: 00003740
- Size: 00000040
- VirtualAddress: 00000270
- Size: 0000011C
- VirtualAddress: 00001000
- Size: 000001A8
- VirtualAddress: 00003DD4
- Size: 00000040
Data directory sections:
Section Name: .text
- Characteristics information:
- Section contains executable code.
- Section can be executed as code.
- Section can be read.
- VirtualSize: 000039DC (14812)
- NumberOfRelocations: 00000000
- NumberOfLinenumbers: 00000000
- PointerToLinenumbers: 00000000
- PointerToRawData: 00000400 (1024)
- PointerToRelocations: 00000000
- SizeOfRawData: 00003A00 (14848)
- VirtualAddress: 00001000 (4096)
- Entropy: 6.29
- MD5: 2eb5bad67734deb71cf023259153ef53
Section Name: .data
- Characteristics information:
- Section contains initialized data.
- Section can be read.
- Section can be written to.
- VirtualSize: 000005A8 (1448)
- NumberOfRelocations: 00000000
- NumberOfLinenumbers: 00000000
- PointerToLinenumbers: 00000000
- PointerToRawData: 00003E00 (15872)
- PointerToRelocations: 00000000
- SizeOfRawData: 00000600 (1536)
- VirtualAddress: 00005000 (20480)
- Entropy: 0.81
- MD5: bdd64867dcbd8117aac049606aa40456
Section Name: .rsrc
- Characteristics information:
- Section contains initialized data.
- Section can be read.
- VirtualSize: 00000810 (2064)
- NumberOfRelocations: 00000000
- NumberOfLinenumbers: 00000000
- PointerToLinenumbers: 00000000
- PointerToRawData: 00004400 (17408)
- PointerToRelocations: 00000000
- SizeOfRawData: 00000A00 (2560)
- VirtualAddress: 00006000 (24576)
- Entropy: 3.76
- MD5: 66f21324fc812e3bf717c9aae7a151ee
Section Name: .reloc
- Characteristics information:
- Section contains initialized data.
- Section can be discarded as needed.
- Section can be read.
- VirtualSize: 000003CC (972)
- NumberOfRelocations: 00000000
- NumberOfLinenumbers: 00000000
- PointerToLinenumbers: 00000000
- PointerToRawData: 00004E00 (19968)
- PointerToRelocations: 00000000
- SizeOfRawData: 00000400 (1024)
- VirtualAddress: 00007000 (28672)
- Entropy: 6.40
- MD5: 7d35466317c0fe1186bb026254385afe
DOS Signature: 5A4D
- PE Signature: 4550
- Optional Header Magic Number: 10B
Imported DLL List:
Imported DLL [0]: msvcrt.dll
- func: __wgetmainargs (Address: 6FF64E7C)
- func: _exit (Address: 6FFBB2C0)
- func: _XcptFilter (Address: 6FF7DC75)
- func: exit (Address: 6FF636AA)
- func: _initterm (Address: 6FF5C151)
- func: _amsg_exit (Address: 6FFBB2EF)
- func: __setusermatherr (Address: 6FFE77AD)
- func: memcpy (Address: 6FF59910)
- func: _controlfp (Address: 6FF5E1E1)
- func: _except_handler4_common (Address: 6FF73E27)
- func: ?terminate@@YAXXZ (Address: 6FFA61CF)
- func: __set_app_type (Address: 6FF62804)
- func: __p__fmode (Address: 6FF627CE)
- func: __p__commode (Address: 6FF627C3)
- func: _cexit (Address: 6FF637D4)
- 15 functions imported (0 ordinal)
Imported DLL [1]: API-MS-Win-Core-ProcessThreads-L1-1-0.dll
- func: TerminateProcess (Address: 77E2509B)
- func: GetCurrentProcess (Address: 77E3060C)
- func: OpenProcessToken (Address: 074010BF)
- func: GetCurrentProcessId (Address: 77E30D23)
- func: GetCurrentThreadId (Address: 77E2F212)
- 5 functions imported (0 ordinal)
Imported DLL [2]: KERNEL32.dll
- func: LocalAlloc (Address: 77E30594)
- func: CloseHandle (Address: 77E305B7)
- func: DelayLoadFailureHook (Address: 77E001A4)
- func: GetProcAddress (Address: 77E31837)
- func: GetLastError (Address: 77E2F176)
- func: FreeLibrary (Address: 77E319E9)
- func: InterlockedCompareExchange (Address: 77E2F23C)
- func: LoadLibraryExA (Address: 77E2BC8B)
- func: InterlockedExchange (Address: 77E2F25E)
- func: Sleep (Address: 77E2EF66)
- func: SetUnhandledExceptionFilter (Address: 77E33142)
- func: GetModuleHandleA (Address: 77E328D7)
- func: QueryPerformanceCounter (Address: 77E2F2A7)
- func: GetTickCount (Address: 77E2EF76)
- func: GetSystemTimeAsFileTime (Address: 77E2FE44)
- func: UnhandledExceptionFilter (Address: 77E42B35)
- func: DeactivateActCtx (Address: 77E2911E)
- func: LoadLibraryExW (Address: 77E2B6BF)
- func: ActivateActCtx (Address: 77E290ED)
- func: LeaveCriticalSection (Address: 77F06B40)
- func: lstrcmpW (Address: 77E31814)
- func: EnterCriticalSection (Address: 77F06B7E)
- func: RegCloseKey (Address: 77E2F9D0)
- func: RegOpenKeyExW (Address: 77E2F729)
- func: HeapSetInformation (Address: 77E3C41A)
- func: lstrcmpiW (Address: 77E2DB75)
- func: lstrlenW (Address: 77E2FE37)
- func: LCMapStringW (Address: 77E30E51)
- func: RegQueryValueExW (Address: 77E2FCF1)
- func: ReleaseActCtx (Address: 77E291BD)
- func: CreateActCtxW (Address: 77E275A3)
- func: ExpandEnvironmentStringsW (Address: 77E2B606)
- func: GetCommandLineW (Address: 77E3ECAB)
- func: ExitProcess (Address: 77E32ACF)
- func: SetProcessAffinityUpdateMode (Address: 77E6F6A1)
- func: RegDisablePredefinedCacheEx (Address: 77E15E7D)
- func: InitializeCriticalSection (Address: 77F1F8BE)
- func: GetProcessHeap (Address: 77E2F24C)
- func: SetErrorMode (Address: 77E31297)
- func: RegisterWaitForSingleObjectEx (Address: 77E15DFD)
- func: LocalFree (Address: 77E3057C)
- func: HeapFree (Address: 77E2F198)
- func: WideCharToMultiByte (Address: 77E30F86)
- func: HeapAlloc (Address: 77F1209D)
- 44 functions imported (0 ordinal)
Imported DLL [3]: ntdll.dll
- func: RtlAllocateHeap (Address: 77F1209D)
- func: RtlLengthRequiredSid (Address: 77F191B0)
- func: RtlSubAuthoritySid (Address: 77F1F0F4)
- func: RtlInitializeSid (Address: 77F224A1)
- func: RtlCopySid (Address: 77F1883A)
- func: RtlSubAuthorityCountSid (Address: 77F1C6C5)
- func: RtlInitializeCriticalSection (Address: 77F1F8BE)
- func: RtlSetProcessIsCritical (Address: 77EC1FA4)
- func: RtlImageNtHeader (Address: 77F1BD55)
- func: RtlUnhandledExceptionFilter (Address: 77F7C2E2)
- func: EtwEventWrite (Address: 77EDF5AB)
- func: EtwEventEnabled (Address: 77EEDD62)
- func: EtwEventRegister (Address: 77F25A12)
- func: RtlFreeHeap (Address: 77F11F31)
- 14 functions imported (0 ordinal)
Imported DLL [4]: API-MS-Win-Security-Base-L1-1-0.dll
- func: SetSecurityDescriptorDacl (Address: 0DCE9218)
- func: AddAccessAllowedAce (Address: 0DCEC31F)
- func: SetSecurityDescriptorOwner (Address: 0DCEA861)
- func: SetSecurityDescriptorGroup (Address: 0DCEFA7C)
- func: GetTokenInformation (Address: 0DCE73F1)
- func: InitializeSecurityDescriptor (Address: 0DCE91CB)
- func: GetLengthSid (Address: 0DCE73CE)
- func: InitializeAcl (Address: 0DCE91F0)
- 8 functions imported (0 ordinal)
Imported DLL [5]: API-MS-WIN-Service-Core-L1-1-0.dll
- func: StartServiceCtrlDispatcherW (Address: 02B285B2)
- func: SetServiceStatus (Address: 02B24F9C)
- 2 functions imported (0 ordinal)
Imported DLL [6]: API-MS-WIN-Service-winsvc-L1-1-0.dll
- func: RegisterServiceCtrlHandlerW (Address: 02B27D47)
- 1 functions imported (0 ordinal)
Imported DLL [7]: RPCRT4.dll
- func: RpcMgmtSetServerStackSize (Address: 77BB818D)
- func: I_RpcMapWin32Status (Address: 77BEABAF)
- func: RpcServerUnregisterIf (Address: 77BE1132)
- func: RpcMgmtWaitServerListen (Address: 77BB1CFA)
- func: RpcMgmtStopServerListening (Address: 77C115FE)
- func: RpcServerUnregisterIfEx (Address: 77BBAECA)
- func: RpcServerRegisterIf (Address: 77BB24DE)
- func: RpcServerUseProtseqEpW (Address: 77BD29DD)
- func: RpcServerListen (Address: 77BB8205)
- 9 functions imported (0 ordinal)
8 DLLs imported.
Stream (ADS) Information:
- No Stream Found.
Resource Information:
Types: MUI
- Name: 1
- Language: 1033
- ResInfo: 35edf18
- Size: 176
Types: VERSION
- Name: 1
- Language: 1033
- ResInfo: 35edf28
- Size: 94
Types: MANIFEST
- Name: 1
- Language: 1033
- ResInfo: 1044d8
- Size: 688
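As an added example (not the PEFile tool the dump came from, and not code from this page), the Python below parses the headers whose values the dump lists (DOS and PE signatures, Machine, NumberOfSections, TimeDateStamp, optional header magic, entry point, and the section table with its characteristics and per-section entropy) and goes one step beyond the dump with two consistency checks a defender applies to a file that claims to be svchost.exe. The image it builds is constructed to carry the dump's own header values and is not the real binary.

```python
import struct
from collections import Counter
from datetime import datetime, timezone
from math import log2
SCN_FLAGS = {0x20: "code", 0x40: "initialized data", 0x02000000: "discardable",  # IMAGE_SCN_* bits
             0x20000000: "execute", 0x40000000: "read", 0x80000000: "write"}

def entropy(data):  # Shannon entropy in bits per byte, the per-section figure the dump reports
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(data):
    """Parse the DOS, COFF and optional headers and the section table; warn on raw data past EOF
    and on an entry point in a non-executable section (checks a defender runs on a claimed system binary)."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS signature")
    nt = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew, the dump's "NT Offset"
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, nt + 4)
    opt = nt + 24                                             # optional header start
    magic, entry = struct.unpack_from("<H14xI", data, opt)    # Magic, AddressOfEntryPoint (RVA)
    info = {"machine": machine, "num_sections": nsec, "magic": magic, "entry": entry,
            "timestamp": datetime.fromtimestamp(ts, timezone.utc), "sections": [], "warnings": []}
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sec = {"name": name.rstrip(b"\0").decode(), "virtual_address": va, "virtual_size": vsize,
               "raw_size": rawsize, "flags": [f for b, f in SCN_FLAGS.items() if chars & b],
               "entropy": entropy(data[rawptr:rawptr + rawsize])}
        info["sections"].append(sec)
        if rawptr + rawsize > len(data):
            info["warnings"].append(f"{sec['name']}: raw data extends past end of file")
        if va <= entry < va + max(vsize, rawsize) and "execute" not in sec["flags"]:
            info["warnings"].append(f"entry point 0x{entry:X} lies in non-executable {sec['name']}")
    return info

def build_sample():
    """Constructed 20992-byte image (not the real svchost.exe) carrying the dump's header values."""
    img = bytearray(0x5200)
    img[:2], img[0x3C:0x40], img[0xD8:0xDC] = b"MZ", struct.pack("<I", 0xD8), b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0xDC, 0x014C, 4, 0x4A5BC100, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H14xI", img, 0xF0, 0x10B, 0x2104)      # PE32 magic, AddressOfEntryPoint
    for i, s in enumerate([(b".text", 0x39DC, 0x1000, 0x3A00, 0x400, 0x60000020),
                           (b".data", 0x05A8, 0x5000, 0x0600, 0x3E00, 0xC0000040),
                           (b".rsrc", 0x0810, 0x6000, 0x0A00, 0x4400, 0x40000040),
                           (b".reloc", 0x03CC, 0x7000, 0x0400, 0x4E00, 0x42000040)]):
        struct.pack_into("<8sIIIIIIHHI", img, 0x1D0 + 40 * i, *s[:5], 0, 0, 0, 0, s[5])
    img[0x400:0x3E00] = bytes(range(256)) * 58                # uniform .text bytes: entropy 8.0
    return bytes(img)
```

The TimeDateStamp parses to 2009-07-13 23:19:28 UTC, which matches the dump's creation time; the tool printed it in local time.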