Tricks with SVCHOST.EXE

  • Article

Well, if you read what I wrote yesterday, you read that I put a service all
by itself in a separate SVCHOST.EXE proces.

Windows XP SP1

Service of interest: WebClnt

Binary of interest: WEBCLNT.DLL

Problem: Hangs on startup.

If you run a CMD.EXE prompt (command prompt) and type: TASKLIST
/SVC you'll see an output like this:

F:\Documents and Settings\danvdw>tasklist /SVC

Image Name
PID Services
========================= ====== =============================================
System Idle Process
0 N/A
System
4 N/A
services.exe
416 Eventlog, PlugPlay
lsass.exe
428 Netlogon, PolicyAgent, ProtectedStorage, SamSs
svchost.exe
636 RpcSs
svchost.exe
660 AudioSrv, BITS, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem,     

                                                          
lanmanserver, lanmanworkstation, Messenger, Netman, Nla,

Schedule, seclogon, SENS, ShellHWDetection,

srservice, TermService, Themes, uploadmgr,
W32Time,
winmgmt, wuauserv, WZCSVC
svchost.exe
772 Dnscache
svchost.exe
796 LmHosts, RemoteRegistry, SSDPSRV,
WebClient
spoolsv.exe
876 Spooler
inetinfo.exe
1084 IISADMIN, SMTPSVC,
W3SVC <Cut Short to Eliminate Boredom>

I'm interested in the one that has WebClient in it. I see it's Process
ID (PID) 796.

That's nice to know, but not really want I want. What I want to see
is WebClient all alone in an SVCHOST.EXE process. Exactly like DNSCACHE is doing.
Why can't my webclient do that too? I think it can!

If you read Raymond Chen's blog, you'll see he refers to Q314056 about SVCHOST.EXE.

Now, I mucked with the registry on this system. If you muck with your
registry, make sure you make backups of the stuff before you fool with it. I
will not be held responsible for anything you do to your registry even if it's something
I write about.

Are we clear on that?

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\svchost

Right there, under svchost, are keys and values. I'm interested in the
*value* that is Localservice and I see it's a REG_MULTI_SZ and is:

Alerter
WebClient
LmHosts
RemoteRegistry
upnphost
SSDPSRV

There's my WebClient. What if I just highlight it and take it out of
there with a DEL button press? That works.

Okay. But, I want it in it's own SVCHOST.EXE. Can I do that?
Well, I think I can if I hack some. So, let's hack:

I notice that the *keys* are similar to these values. Let's do a new
key and value. I'll call it WebClntSvc.

So, I add a Key and a Value called WebClntSvc. I could have called it
anything, like AnyNameAnything, but I called it WebClntSvc.

So, I make a REG_MULTI_SZ *value* entry called WebClntSvc and add: WebClient.

I also make a Value entry and call it WebClntSvc. What to add there?
Heck, I just copied what was in the Localservice key. That key had:

AuthenticationCapabilities, REG_DWORD, 0x2000 and CoInitializeSecurityParam,
REG_DWORD, 0x1

So, I added them both. Is that it?

No, because I see that HKLM\System\CurrentControlSet\Services is of interest
to me, based on the KB article.

If I look at HKLM\System\CurrentControlSet\Services\WebClient, I see an ImagePath
value that's a REG_SZ. I think I want to edit that and change it from:

%SystemRoot%\System32\svchost.exe -k LocalService

to

%SystemRoot%\System32\svchost.exe -k WebClntSvc

We can confirm this works by checking the interface. That's right-click
on My Computer, Select Manage, then go into the Services, find WebClient and open
it up.

Make sure the "Path to Executable" was changed. Mine would
say:

F:\WINDOWS\System32\svchost.exe -k WebClntSvc.

F: is my system drive here. Don't ask me why. You don't want to
know.

That would make sense, right? Does to me. Then, I reboot.
Now, I have a separate instance of SVCHOST.EXE running with WebClient in it.

I do.

Now, to debug it is simple. Right, I just attach my debugger to the
process that exists as SVCHOST.EXE with the one and only service in it that's WebClient.

However, I don't want to debug it as it is, I want to debug it as it starts.
Hmm... How do to that?

Well, it's tricky and I have one trick up my sleeve to use that is this:
Copy SVCHOST.EXE to SVCHOST1.EXE in the same place as SVCHOST.EXE and use SVCHOST1.EXE
in my ImageFileExecutionOptions registry setting and use SVCHOST1.EXE in the registry
location for the service for the executable.

Now, when I check the interface, my path says:

F:\WINDOWS\System32\svchost1.exe -k WebClntSvc.

There is a problem here. The default SVCHOST.EXE has a timeout for any
service. If it doesn't start in X seconds, you get a nifty dialog telling you
it didn't start, blah blah blah.

You don't get the dialog for the failure on startup, but it's not running
regarless.

I'm guessing there is a way around this, but I don't know what yet.....