Question regarding svchost...

10 replies to this topic

#1 TarjaTaneli

TarjaTaneli

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 23 December 2016 - 04:55 AM

So I got two svchost files, one in system32 and another in syswow64, as normal. I know how svchost works, but what I am wondering is, since for example this scanner https://github.com/Neo23x0/Loki flags the svchost process as being too large and having an odd owner and a few other things...

 

So, is it normal if svchost has one size in system32 and another in sys64, or could that mean it has been tampered with by malware? Or maybe it's normal, I don't really know... so to be sure that this is not something odd and that both svchost files should not have the same size, I am asking you this.

 

Maybe you find this question is silly or very simple, but an answer would be really appreciated. I am currently using windows10 and computer is fully updated at this date.

 

Thank you.




#2 TarjaTaneli

TarjaTaneli
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 23 December 2016 - 07:23 AM

By the way, if someone out there is reading... if you have a Windows 10 machine it would be as simple as checking the sizes on your computer and writing me back, really... I would appreciate it (not monetarily, sorry... got not much of that...)

Thanks...



#3 TarjaTaneli

TarjaTaneli
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 23 December 2016 - 07:25 AM

By the way, if someone out there is reading... if you have a Windows 10 machine it would be as simple as checking the sizes on your computer and writing me back, really... I would appreciate it (not monetarily, sorry... got not much of that...)

Thanks...



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:39 PM

Posted 23 December 2016 - 07:47 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (.dll's) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Windows Task Manager in order to optimize the running of the various services.

  • svchost.exe SYSTEM
  • svchost.exe LOCAL SERVICE
  • svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services; therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifiers (PIDs) must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. The PID is not static and can change with each logon, but generally they stay nearly the same because they are always running services.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder. In Windows 7/8 64-bit the file may be located in the SysWOW64 folder. Malicious svchost.exe files are commonly located in the C:\Users\[UserName]\AppData\Local\Temp folder. The user profile AppData, ProgramData, and temp folders are common hiding places for malicious files.

Another technique is for the malicious process to alter the registry and add itself as a startup program or service so that it can run automatically each time the computer is booted. If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here. Always make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.

Investigating Svchost.exe Tutorials:

Windows Task Manager does not provide enough information. These are specific tools to investigate Svchost.exe:

These are more tools to investigate services, running processes, programs that run at startup, and gather additional information to identify them or resolve problems:

These tools will provide information about each process, CPU usage, file description and its location. Most of them are stand-alone portable apps in a zip file so no installation is necessary. The first five tools are especially useful and I use them all to compare the information each provides.

Effective security tools like Malwarebytes will typically find and remove malicious svchost files safely.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

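The checks quietman7 describes (which services each svchost.exe instance hosts, and whether it runs from the expected folder) can be scripted. This is an added example, not code from the thread or from any of the tools mentioned; it assumes an elevated Windows PowerShell session on Windows 10 and reads the Svchost registry key named above.

```powershell
# Added example (not part of the original post): list the service groups defined
# under the Svchost registry key, then map every running svchost.exe to the
# services it hosts and flag instances whose image path is not the expected one.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups = Get-Item $svchostKey
"Service groups defined in $svchostKey`n"
foreach ($g in $groups.GetValueNames()) {
    '{0}: {1}' -f $g, ($groups.GetValue($g) -join ', ')
}

# Only these two locations are legitimate for svchost.exe on a 64-bit system.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Each service reports the PID of the process hosting it; index them by PID.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

"`nRunning svchost.exe instances`n"
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    $hosted = $svcByPid["$($_.ProcessId)"]
    [pscustomobject]@{
        PID      = $_.ProcessId
        Owner    = if ($owner) { "$($owner.Domain)\$($owner.User)" } else { '(protected)' }
        Path     = $_.ExecutablePath
        PathOk   = ($expected -contains $_.ExecutablePath)   # $false => investigate
        Services = if ($hosted) { $hosted.Name -join ', ' } else { '(none)' }
    }
} | Sort-Object PathOk, PID | Format-Table -AutoSize
```

An instance with PathOk = False, or one running under an unexpected user account, is the kind of result worth examining with the tools listed above.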
#5 TarjaTaneli

TarjaTaneli
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 23 December 2016 - 08:07 AM

Sorry for the double posting and thank you quietman7. I am already frequently using Process Hacker, Autoruns, and, before you wrote that, also Svchost Viewer and the Svchost.exe Lookup tool (I found both tools today). Everything shows normal except two instances of svchost which don't appear to be running any service... however, I already ran antimalware software and VirusTotal doesn't show anything suspicious at all (unless we are talking about ZeroAccess malware on my computer). As I say, there are two copies of svchost on my system, one in system32 and another in syswow64. I am using Windows 10 Home 64-bit... does it mean the one in system32 is bogus? :I Or is there any situation where having two svchost files is normal?

That answer would clarify my doubt 100% really.

Thanks.



#6 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:39 AM

Posted 23 December 2016 - 08:16 AM

So, is it normal if svchost has one size in system32 and another in sys64, or could that mean it has been tampered with by malware? Or maybe it's normal, I don't really know... so to be sure that this is not something odd and that both svchost files should not have the same size, I am asking you this.


The WoW64 portion stands for Windows 32-bit on Windows 64-bit. This folder is present on 64-bit systems and contains 32-bit system files that are necessary to run 32-bit programmes, whereas the system32 folder on a 64-bit system contains 64-bit files (even if it sounds nonintuitive).

That means both the system32 and syswow64 folder have svchost.exe but one is for 64-bit architecture and one for 32-bit architecture. These files are different in size because they support another architecture each.

 

So to answer your question: The size difference is normal and does not say anything about the presence of malware. If you are unsure an upload to virustotal.com will help you to see if the file is legitimate.



#7 TarjaTaneli

TarjaTaneli
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 23 December 2016 - 08:24 AM

Thanks Struppigel! That answers my question very well :) VirusTotal says the svchost files are clean for now.

 

Also quietman7, thanks for the links, just a note: https://code.google.com/p/processhistory/ and http://www.process-history.co.uk/ seem to no longer be available (Project "processhistory" has moved to another location on the Internet and is now a shoe shop, too.)



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:39 PM

Posted 23 December 2016 - 01:11 PM

You're welcome on behalf of the Bleeping Computer community.

I have removed the broken links.

#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,638 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:39 AM

Posted 24 December 2016 - 03:48 PM

When you doubt if a Windows executable is legitimate, you can check if it has a valid signature from Microsoft.

 

I explain how in this video:


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

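Struppigel's point (the two copies differ in size because one is a 32-bit and the other a 64-bit image) and Didier's (check the Microsoft signature) can both be verified from one script. This is an added example, not code from the thread's participants; it assumes Windows PowerShell on a 64-bit Windows 10 system and reads the PE header's Machine field directly, which is standard PE layout, not a thread-specific detail.

```powershell
# Added example (not part of the original post): compare the two svchost.exe
# copies by size, PE architecture, Authenticode signature and SHA-256.

function Get-PeMachine {
    # Reads the IMAGE_FILE_HEADER.Machine field to show which architecture
    # the executable was built for.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Seek(0x3C, 'Begin') | Out-Null          # e_lfanew: offset of the PE header
        $peOffset = $br.ReadUInt32()
        $fs.Seek($peOffset + 4, 'Begin') | Out-Null  # skip the "PE\0\0" signature
        switch ($br.ReadUInt16()) {
            0x014c  { 'x86 (32-bit)' }
            0x8664  { 'x64 (64-bit)' }
            default { 'unknown (0x{0:x})' -f $_ }
        }
    } finally { $fs.Dispose() }
}

$paths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),   # native 64-bit copy
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')    # 32-bit copy for WoW64
)

foreach ($p in $paths) {
    # Windows system binaries are usually catalog-signed; Get-AuthenticodeSignature
    # resolves catalog signatures on Windows 8 and later.
    $sig = Get-AuthenticodeSignature -FilePath $p
    [pscustomobject]@{
        Path      = $p
        SizeBytes = (Get-Item $p).Length
        Machine   = Get-PeMachine $p
        SigStatus = $sig.Status                      # 'Valid' is the expected result
        Signer    = $sig.SignerCertificate.Subject   # expect a Microsoft subject
        SHA256    = (Get-FileHash $p -Algorithm SHA256).Hash
    }
}
```

Different sizes with both copies reporting a valid Microsoft signature is the normal state; the SHA-256 can be searched on virustotal.com without uploading the file.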

#10 TarjaTaneli

TarjaTaneli
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 26 December 2016 - 08:36 AM

Good informative video Didier. Thank you.

#11 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,638 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:39 AM

Posted 26 December 2016 - 01:15 PM

You're welcome!
