Digging into running processes and services via the command-line

Due to the comments on my blog entry about the RemoteRegistry process, I figured I would try to educate myself about it and share that learning with all of you. In my attempt to educate myself on the RemoteRegistry process, I am having fun with a variety of command-line tools, such as SC and TaskList. These tools are useful for digging into any process, but my examples are focused on RemoteRegistry. Here is what I have dug into so far, complete with the description and outcome of each command-line task that I have found interesting:

Display services in each process. I deleted everything except the svchost.exe instance that is running RemoteRegistry:

C:\>tasklist /SVC

Image Name                     PID Services
========================= ====== ============================================
svchost.exe                    256 LmHosts, RemoteRegistry, SSDPSRV, WebClient

Display a set of tasks that match the given criteria specified by the filter. The filter is for PIDs that equal “ 256”. Notice the extra space before the three-digit 256:

C:\>tasklist /FI "PID eq 256"

Image Name                     PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                    256 Console                 0      1,812 K

Display the extended status of the service:

C:\>sc queryex RemoteRegistry

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 256
        FLAGS              :

Query the configuration information for the service:

C:\>sc qc RemoteRegistry

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Registry
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\LocalService

So what do I do with this information now that I have it? Well, I haven’t gotten that far yet. If I do, I’ll update my blog.