-
Jun 7th, 2010, 02:26 PM
#1
Thread Starter
Addicted Member
What process run SVCHOST.exe
It is possible to know what process is running a svchost.exe in vb .net?
-
Jun 7th, 2010, 04:07 PM
#2
Re: What process run SVCHOST.exe
I'm assuming you mean you want to know which processes/services are running inside an instance of the service host process, svchost. There is nothing built into Vb.NET that will tell you that directly. Though you may be able to combine some of the .NET Process classes with some registry querying to come up with the answer, because the thing that determines which services run in an svchost instance is the command line argument passed to it. A name is passed in as the command line argument to svchost.exe and then that same name is listed in a specific location in the registry and in there it defines which services should actually be run.
Give me a minute and I'll see if I can put something together or at least give you something to get you started.
Last edited by chris128; Jun 8th, 2010 at 05:11 AM.
-
Jun 7th, 2010, 06:00 PM
#3
Re: What process run SVCHOST.exe
Hmm OK well I think you probably could do it but it's not going to be very straight forward... Unfortunately the .NET Process class does not let you get a process' command line arguments so here's my theoretical 'plan' - I might get round to actually trying to implement it tomorrow...
1. Use the NtQueryInformationProcess API
2. In the PROCESS_BASIC_INFORMATION structure that you get back from that, you get a PEB structure from the PebBaseAddress member
3. From the PEB structure you get an RTL_USER_PROCESS_PARAMETERS structure from the ProcessParameters member
4. You get the command line arguments from the CommandLine member of that structure
So that gets the command line argument for this particular svchost.exe instance, which might be "-k netsvcs" for example. So now we need to find out which services are contained in the "netsvcs" group (you can ignore the -k as that will be the first argument for all of them), which we do by:
1. Looking for a value named "netsvcs" in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
2. Reading the value - each string (separated by spaces) within this registry value is the name of a service that runs within this instance of svchost. Unfortunately this is the system name of the service, not the friendly name... for example the system name of the Group Policy Client service is gpsvc and the Application Experience service has a system name of aelookupsvc. So I'm guessing you want the friendly names rather than the system names.
3. To get the friendly name we have to look in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
for a subkey named with the name of the service we are currently looking up, so let's say the Winmgmt service (which is one of the service names we found in the registry value mentioned in Step 1 & 2). So we find a subkey named Winmgmt and look for a value within named DisplayName.
4. Read this DisplayName value and then you have got your friendly service name. Now repeat steps 3 and 4 for the other service names found in the registry key from step 1 and 2.
The only problem with my plan is that a lot of the actual values of the DisplayName values in the registry are not just plain strings (some are), they are reference points in a DLL... this is the winmgmt one that I used in my example above:
@%Systemroot%\system32\wbem\wmisvc.dll,-204
and I have no idea how to extract a string at a specific position in a DLL in VB.NET... so I guess I'll have to work on that before attempting to put this together.
So - have I put you off trying this or are you still interested?
-
Jun 8th, 2010, 05:10 AM
#4
Re: What process run SVCHOST.exe
 Originally Posted by chris128
The only problem with my plan is that a lot of the actual values of the DisplayName values in the registry are not just plain strings (some are), they are reference points in a DLL... this is the winmgmt one that I used in my example above:
@%Systemroot%\system32\wbem\wmisvc.dll,-204
and I have no idea how to extract a string at a specific position in a DLL in VB.NET... so I guess I'll have to work on that before attempting to put this together.
Well as per this thread http://www.vbforums.com/showthread.php?t=617497 I've now found a way of extracting a resource string from a DLL. So at some point today I'll try and get a full working example of all of the steps listed in my previous post up either in the codebank or on my blog, and I'll stick a link here.
-
Jun 10th, 2010, 03:00 PM
#5
Re: What process run SVCHOST.exe
OK I'm guessing you have forgotten about this thread (or lost interest) but I decided to try and get this working for my own knowledge and for anyone else wanting to do the same thing, so here's an update on my progress...
I have managed to get the command line arguments for each svchost process (which was a lot harder than I was expecting) but so far have only got this working 100% correctly on a 32 bit OS. See here for more info and an example: http://cjwdev.wordpress.com/2010/06/...ernal-process/
However, I have found a flaw in my original plan and that is that some of the services in a service group can be marked as "own process" (meaning they will not share a process with other services) so when svchost is passed a service group that contains one of these services it starts a separate svchost process for it. This means that you cannot simply find out which services belong to a service group and then assume that an svchost process that was started with that service group name as its command line parameter will be running all of the services from that group, if that makes sense. So I've thought of two other ways to do it, which are:
Option 1
For each svchost process running, get the service group name from the command line arguments. Find out which services are in this group by reading the relevant parts of the registry and then use the QueryServiceStatusEx API to find out the process ID of each service that is in this group - if the process ID matches the process ID of the svchost process we are currently looking at then obviously this service is running in this instance of svchost.
Option 2
More of a brute force approach but would probably actually be more reliable in reality as it should work on both 32 bit and 64 bit OS. Basically this is the same as option 1 but instead of finding out which service group svchost was started with and which services are in that service group etc we just look at the process ID for the svchost process we are currently inspecting and then loop through all services and check to see which ones have the same process ID as our svchost instance.
Going to try getting each of them working and see what happens.
-
Jun 10th, 2010, 06:56 PM
#6
Re: What process run SVCHOST.exe
Well I've finally got it all working by using the EnumServicesStatusEx API to get the process ID for each service and then comparing this against the process ID of the svchost process we are interested in. Here's an example and a class I've written to make it easier to do: http://cjwdev.wordpress.com/2010/06/...ng-in-svchost/
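The following is an added VB.NET example of the approach settled on in post #6 (Option 2 from post #5); it is my own code, not the class from the linked blog post. It P/Invokes EnumServicesStatusEx, walks the returned ENUM_SERVICE_STATUS_PROCESS entries and keeps every service whose dwProcessId equals the PID of the svchost instance being inspected. The structure layouts follow the Win32 headers; the function and parameter names around them are my own.

```vb
Imports System.ComponentModel
Imports System.Runtime.InteropServices

Public Module SvchostServices
    ' SERVICE_STATUS_PROCESS: nine DWORDs, of which dwProcessId is the one this check needs.
    <StructLayout(LayoutKind.Sequential)> Private Structure SERVICE_STATUS_PROCESS
        Public dwServiceType, dwCurrentState, dwControlsAccepted, dwWin32ExitCode As UInteger
        Public dwServiceSpecificExitCode, dwCheckPoint, dwWaitHint, dwProcessId, dwServiceFlags As UInteger
    End Structure
    ' ENUM_SERVICE_STATUS_PROCESSW: two LPWSTR pointers (marshaled to String) then the status block.
    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> Private Structure ENUM_SERVICE_STATUS_PROCESS
        Public lpServiceName, lpDisplayName As String
        Public ServiceStatusProcess As SERVICE_STATUS_PROCESS
    End Structure
    <DllImport("advapi32.dll", CharSet:=CharSet.Unicode, SetLastError:=True)>
    Private Function OpenSCManager(machineName As String, databaseName As String, desiredAccess As UInteger) As IntPtr
    End Function
    <DllImport("advapi32.dll", CharSet:=CharSet.Unicode, SetLastError:=True)>
    Private Function EnumServicesStatusEx(hSCManager As IntPtr, infoLevel As Integer, serviceType As UInteger,
        serviceState As UInteger, services As IntPtr, bufSize As UInteger, ByRef bytesNeeded As UInteger,
        ByRef servicesReturned As UInteger, ByRef resumeHandle As UInteger, groupName As String) As Boolean
    End Function
    <DllImport("advapi32.dll", SetLastError:=True)> Private Function CloseServiceHandle(handle As IntPtr) As Boolean
    End Function

    ' Returns "name (display name)" for every Win32 service the SCM reports as running inside hostPid.
    Public Function GetServicesHostedByProcess(hostPid As Integer) As List(Of String)
        Const SC_MANAGER_ENUMERATE_SERVICE As UInteger = &H4, SERVICE_WIN32 As UInteger = &H30
        Const SERVICE_STATE_ALL As UInteger = &H3, ERROR_MORE_DATA As Integer = 234
        Dim found As New List(Of String), buffer As IntPtr = IntPtr.Zero
        Dim scm As IntPtr = OpenSCManager(Nothing, Nothing, SC_MANAGER_ENUMERATE_SERVICE)
        If scm = IntPtr.Zero Then Throw New Win32Exception()
        Try
            Dim bytesNeeded, count, resumeHandle As UInteger
            ' First call with no buffer fails with ERROR_MORE_DATA and reports the size to allocate.
            EnumServicesStatusEx(scm, 0, SERVICE_WIN32, SERVICE_STATE_ALL, IntPtr.Zero, 0UI, bytesNeeded, count, resumeHandle, Nothing)
            If Marshal.GetLastWin32Error() <> ERROR_MORE_DATA Then Throw New Win32Exception()
            buffer = Marshal.AllocHGlobal(CInt(bytesNeeded))
            resumeHandle = 0 ' restart the enumeration from the first entry
            If Not EnumServicesStatusEx(scm, 0, SERVICE_WIN32, SERVICE_STATE_ALL, buffer, bytesNeeded,
                                        bytesNeeded, count, resumeHandle, Nothing) Then Throw New Win32Exception()
            Dim entrySize As Integer = Marshal.SizeOf(GetType(ENUM_SERVICE_STATUS_PROCESS))
            For i As Integer = 0 To CInt(count) - 1
                Dim entry As ENUM_SERVICE_STATUS_PROCESS = DirectCast(Marshal.PtrToStructure(IntPtr.Add(buffer, i * entrySize), GetType(ENUM_SERVICE_STATUS_PROCESS)), ENUM_SERVICE_STATUS_PROCESS)
                If entry.ServiceStatusProcess.dwProcessId = CUInt(hostPid) Then found.Add(entry.lpServiceName & " (" & entry.lpDisplayName & ")")
            Next
        Finally
            If buffer <> IntPtr.Zero Then Marshal.FreeHGlobal(buffer)
            CloseServiceHandle(scm)
        End Try
        Return found
    End Function
End Module
```

Call it with the Id of each Process.GetProcessesByName("svchost") entry; because the PID comes from the Service Control Manager rather than from reading the target's PEB, it works equally from a 32-bit caller on 64-bit Windows. An svchost.exe for which the list comes back empty deserves a closer look, since a genuine instance always hosts at least one service.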