 

Svchost.exe and Processes

This article examines computer system processes and focuses, as an example, on the svchost process. We will examine and make recommendations on particular applications that can assist you to identify a process to determine if it is problematic.

Definition

To begin, a definition and brief outline of a computer process is required. Simply put, a process is a running instance of a program: the program's code together with the memory, open handles and other resources the operating system gives it while it runs. One way of looking at it is to picture a program as a warehouse of instructions and a process as a truck shipment heading out to execute those instructions. Each shipment can have several “threads”, and it is the threads that actually execute instructions. Several processes are resident in memory at the same time, each waiting in a holding station of sorts until the CPU (Central Processing Unit) can attend to it. Switching the CPU between processes this way is called multi-tasking; when one process has several threads executing, it is called multi-threading.

Processes run in the background so that you can use more than one program at a time. Even within a single program there are usually several threads at work without you noticing. For example, while you type into a word processor, a spell-check thread marks words as they are added to the document.

There are various states that a process goes through while executing a program's instructions. You can get a good indication of this by following this link: http://en.wikipedia.org/wiki/Process_states. In short, once a process is created and while it is running (in an active state), its code and data are held in main memory. Main memory is RAM (Random Access Memory) and we will speak more to this later. Pages of a process that are not in active use can also be written out to the page file on disk, known as virtual memory, on operating systems that support it, which includes every Windows NT-based system. See the article on virtual memory for more information: http://www.fix-pc-errors.com/virtual-memory.htm

States

Some examples of process states include: ready, waiting, running, blocked, and terminated. A process moves between these states as the scheduler gives it CPU time according to its priority and as it waits for resources; because the system is multi-tasking, it has to decide which of the ready processes runs next. A process that is blocked or “sleeping” is waiting for a resource, such as disk I/O or a lock, to become available. A process is terminated once it has completed its instructions, or when the operating system kills it because of an error or failure.

Viewing Processes

A well known method of viewing the processes is by opening the Task Manager that is common to Windows operating systems. While there are four ways to open the Task Manager we suggest doing one of the following:

  • Use the key combination: Ctrl + Shift + Esc.
  • Right-click an unoccupied area in the taskbar to bring up the context menu and select Task Manager.

Once you have done this, click the Processes tab in the Task Manager.

There is a list of processes that are named in the first column. As can be seen here, you can right-click a process to bring up a menu of commands. When choosing the Set Priority option as above, you can see that svchost.exe is set at Normal priority. Processes are assigned priority values by the system so that the more critical ones are scheduled first and more often than others. The highest priority is “Realtime”, followed by “High”, “Above Normal”, “Normal”, “Below Normal”, and “Low”. You can change a process's priority by selecting a new setting.

Recommendation: Some people advise changing these settings when you want a particular program to receive more CPU time than others, for example raising the priority of a program in the evening and lowering it during the day when you are doing more multi-tasking. Generally speaking it is best to leave them alone, as they are set by the system. Be especially careful with “Realtime”: it requires administrative rights and lets a busy process starve everything else, including mouse and keyboard handling. If your system is running properly and you have sufficient memory, there is little need to alter these settings.

Process Hog

There are instances when a process is running, you are not sure where it came from, and it is hogging your system resources. The CPU column shows the percentage of CPU time used by each process; these numbers fluctuate as the system schedules the processes. The “Mem Usage” column gives an indication of how much memory each process is using. Examining these two columns shows you which processes are hogging resources.

In the CPU column there is a “System Idle Process”, which shows how much of the time the CPU is idle: it has handled the instructions given to it and is waiting for the next set. While it may look like a process hogging the most CPU time, this is not the case. As can be seen when attempting to right-click on the System Idle Process, it is not a real process; no options are available and it cannot be terminated. It is best thought of as a counter of CPU idle time. The System Idle Process should normally have the highest CPU value and hover around 90 or above on a lightly loaded system that is not plagued by malware or by process errors such as memory leaks. A memory leak occurs when a program fails to release memory after finishing a task. Over time this eats into available memory, with a direct impact on performance, and can end in application failure or a system crash.

One significant shortcoming of the Windows XP Task Manager is that it does not show where a process was started from, that is, the path of its executable. This is crucial in determining whether the application that spawned the process is valid and trustworthy or a rogue program that arrived through Internet browsing without your consent. These types of malicious software programs are known as malware and we will cover them in more detail later in the article. Microsoft improved this in Vista: its Task Manager adds a “Description” column showing the description string embedded in the executable, lets you enable “Image Path Name” and “Command Line” columns under View | Select Columns, and offers “Open File Location” and “Properties” on the right-click menu so you can see the folder the executable runs from.

Free Process Viewing Applications

There are two free tools from Windows Sysinternals that are designed to work with running processes: Process Explorer and Process Monitor. Sysinternals was acquired by Microsoft in July 2006. Several other Sysinternals utilities are available for download; follow this link to find out more: http://www.microsoft.com/technet/sysinternals/default.mspx. Process Explorer is a worthwhile program and can serve as a replacement for Task Manager; it is covered in considerable detail here. Process Monitor is a more sophisticated tool and more than the average user will require, but it is worth mentioning.

Process Explorer

This is an excellent diagnostic tool for examining processes to determine their authenticity and CPU usage. It can also be used to control processes, as will be seen. You can download Process Explorer by clicking on this link: http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx. There is descriptive information about the application and you will find the download link at the bottom of the page. Like the Processes view of Task Manager, it lists the running processes on your computer. When you open the application it appears as seen here:

The top panel shows the process tree, which gives you the parent-child relationships. The remaining columns hold the property information for each process, and rows are colour-coded (you can customize the colours under Options | Configure Colors). With the defaults, as seen here, the colours to take note of are as follows:

Red: a process that has just exited.
Green: a process that has just been started.
Pink: a process that hosts one or more services.
Blue: a process running under the same user account as Process Explorer (“own processes”).
Purple: a packed image, meaning the executable's code is stored compressed or encrypted on disk and is unpacked in memory when it runs.

There are other colours that are not of interest for the purpose of this article. The purple items deserve the most attention when examining a malware suspect. Their code is compressed or encrypted on disk and is referred to as “packed”. Malware is often packed to hide tell-tale strings and to frustrate signature scanners, so Process Explorer's purple highlight is a useful prompt. It is only a heuristic, though: installers and some commercial software are packed for legitimate reasons, and plenty of malware is not packed at all. We will speak further to this shortly. When you begin using the program you will want to take advantage of the tools available for analyzing the running processes.

One useful feature is the window-finder tool on the toolbar, the cross-hair icon seen here. If you drag it onto an open window on your desktop, Process Explorer highlights the process that owns that window. If you are unfamiliar with an item in the list, you can look it up online:
  1. Right-click on the process and select Search Online.
  2. Process Explorer opens a web search for the process name in your default browser.

You can also double-click on a process item to see a detailed account of its associated properties. Here is an example of an item’s properties. 

There are several tabs to examine, including the associated threads, strings, the performance of the process, and more. The Image tab displayed here has some particularly useful information. The location of the stored executable is shown in the Path field, and the Parent field shows which process started this one; in this case it is a child of svchost.exe. There is also an icon, a company name and a description, all drawn from the executable's version resource. Many malware items have no icon, company name or description unless the malware author took the time to fabricate them, so their absence is a hint, though never proof either way.

Looking For Malware

One way of uncovering suspicious items in this list is to look for non-verified processes. These are processes whose executable carries no Authenticode digital signature, or whose signature does not chain to a root certificate that Windows trusts. Keep in mind that not every unverified item is malicious: some Microsoft components are unsigned, and many legitimate vendors never sign their software at all. The reverse also holds. A valid signature tells you who signed the file, and malware has shipped with valid certificates that were bought or stolen, so treat “Verified” as one piece of evidence alongside the path, the parent process and the command line, not as a clean bill of health. Signing is nevertheless common practice among vendors who want to distinguish their application as legitimate, and an unsigned binary in an odd location deserves a closer look.

To examine the verification status of each process you can do the following:

  1. Click View | Select Columns.
  2. Select the Verified Signer column.
  3. Examine the column for any items that are listed as: Not Verified.
  4. Double-click the process line to bring up the Properties.

You will see an area to the right of the icon with information related to verification. For example:

For items that have not been verified, you can click the Verify button at the bottom of the Image tab. Process Explorer then checks the image's Authenticode signature, which may involve contacting the certificate authority's servers to fetch revocation information. You can also look the process name up online: right-click the item in the main Process Explorer window and select “Search Online”, and a web search for the name opens in your browser. In the example above the search turned up: “Rpcss.dll primarily provides the infrastructure for COM…”. That tells you what a file with this name normally is; it does not tell you that the file on your disk is that file. Malware routinely borrows the names of legitimate components, so confirm the path (for Windows components, under %SystemRoot%\System32) and the signature, not just the name.

When displaying the Verified Signer column, there will likely be many items with no information displayed in this column. You can force a verification of all process images by doing the following:

  1. In Process Explorer, click the Options menu and select Verify Image Signatures.
  2. Examine the list now as items are listed as “Verified” or “Unable to Verify”.
  3. There will be a performance hit to your system. Click the Options menu and clear the Verify Image Signatures.

The items stay tagged in the column and you can investigate the unverified ones. Keep in mind that an “Unable to verify” item is either unsigned, signed with a certificate that does not chain to a trusted root, or signed but modified since signing so that the signature no longer matches the file. The last case is the most alarming, since Windows system files should never be in that state. If the process is suspicious in other ways, as stated above, investigate it further.
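The same Verified Signer check can be scripted, which is handy on a machine where you cannot run Process Explorer interactively. The following is an added example, not code from the original article or from Sysinternals. It assumes Windows with PowerShell 5.1 or later, run from an elevated prompt (otherwise the image paths of system processes are not readable); on Windows 7 and earlier, catalog-signed OS binaries such as svchost.exe report NotSigned here even though Process Explorer and Sysinternals sigcheck verify them through the catalog.

```powershell
# Added example (not from the original article): reproduce Process Explorer's
# "Verified Signer" column with Get-AuthenticodeSignature.
# Assumptions: Windows, PowerShell 5.1+, elevated prompt. Catalog-only signatures
# are recognised only on Windows 8.1 / PowerShell 4 and later.

function Get-ProcessSignatureReport {
    # One row per distinct executable rather than per process, so a host with
    # forty svchost.exe instances verifies that image once.
    $paths = Get-Process -ErrorAction SilentlyContinue |
             Where-Object { $_.Path } |
             Select-Object -ExpandProperty Path -Unique

    foreach ($path in $paths) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Image  = Split-Path -Leaf $path
            Path   = $path
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Anything other than Valid is the equivalent of "Not verified" / "Unable to verify"
# in Process Explorer. HashMismatch is the one to chase first: a signed file that has
# been modified since it was signed.
Get-ProcessSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table Status, Image, Path -AutoSize
```

Read the output the same way as the Process Explorer column: a Valid status identifies the signer, nothing more, and an unsigned image is a reason to check its path, parent and command line rather than a verdict on its own.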

There is also an option for debugging should you want to examine an item that is producing errors: right-click the process and select Debug. This attaches the debugger registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug, the same one Windows launches when a process crashes with an unhandled exception. See: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/11500.mspx?mfr=true for more information on that setting.

Process Monitor

Process Monitor is also a real-time monitoring tool but is more advanced than its Explorer counterpart. It can be used to examine process and thread activity as well as registry and file system activity. As can be seen on the Microsoft site, it is a tool that is useful in troubleshooting issues or hunting malware on your system. Process Monitor is the successor of two earlier utilities, Filemon and Regmon, and a list of enhancements sets it apart from those legacy tools. You can view the features and download the application at:

http://www.microsoft.com/technet/sysinternals/SystemInformation/processmonitor.mspx. Keep in mind that it can take time and effort to get familiar with the application, and in many respects it may be more than what you are looking for.

Digging Down

The primary benefit of these applications is the ability to see where a process came from. Why is this important? It gives an indication of whether the process is a valid one from a reliable source or whether it is in fact a “rogue” or malicious piece of code, otherwise referred to as malware. The creators of malware go to great lengths to produce items that download to your computer without your knowledge, install on your system, perform illegitimate activities, and avoid detection and removal. Unlike many early viruses, written for vandalism or bragging rights, most modern malware is written for monetary gain.

Some types of malware are designed to acquire personal information from your computer or to monitor your activities. This means collecting information about events such as your online usage, your online searches, or general computing activities. Other malware bombards you with advertisements or latches on to your system to direct you to online offers. The more serious offenders go further, exploiting security vulnerabilities and stealing financial or personal information such as login credentials in order to get at your money.

One might think it would be fairly easy to prevent or detect malware using the tools already on your PC, and some people assume they are unlikely to be affected. This modern form of thievery and deceit is more widespread than the average user suspects. Even on a new computer with the latest tools and the newest operating system, Vista, you are not immune. Items can be downloaded to your system inadvertently through browsing, by clicking on pop-up ads or banners, or bundled with the installation of otherwise trusted applications. They install automatically and then run in the background without your knowledge, and often the only symptom is a gradual decline in system performance.

We recommend referencing our article on the signs of a slow computer ( http://www.fix-pc-errors.com/slow-computer.htm ). One possible cure for a slow computer is to add RAM (Random Access Memory), the physical memory chips or modules in which running programs and their data are held. See the article on Virtual Memory for more information on how this hardware component functions ( http://www.fix-pc-errors.com/virtual-memory.htm ). However, if the slow-down is not the result of the resource requirements of newly added applications but is due to malfunctioning system components or a malware infection, adding memory will not help and you need to take other measures.

Solutions

In the Microsoft Tech-Ed IT Forum you can read how to remove malware items manually. The steps include the following:

  1. Disconnect your system from the network.
  2. Identify the malicious processes and drivers using Process Explorer or Process Monitor.
  3. Terminate the process that you can identify as malicious.
  4. Identify and then delete the malware's autostart entries (Run keys, services, scheduled tasks); the Sysinternals Autoruns utility lists them in one place.
  5. Delete any malware files.
  6. Reboot your system and repeat the process.

Unfortunately, this takes considerable effort and time and assumes a few things: that you can detect and locate all the malicious items, terminate all the malicious processes, and delete every component of the intruding malware. With Task Manager you may find that ending a process is not always possible. Process Explorer has an advantage here: you can suspend a process rather than killing it, locate the corresponding application, shut it down, and then terminate the process. Some malware goes further and runs a second process, known as a watchdog, alongside the first. In this buddy system the watchdog does nothing but watch the first process and restart it if it dies, and the first process usually does the same for the watchdog. Killing either one on its own therefore achieves nothing; suspend both first, so that neither can react, and only then terminate them. This is one way malware re-spawns itself, and it is also why the same processes often reappear after a reboot from an autostart entry that was missed.
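The suspend-first ordering for a watchdog pair can be scripted once you have identified the PIDs with Process Explorer. The following is an added example, not code from the original article or from the Microsoft forum post it cites. It assumes Windows, an elevated PowerShell 3 or later prompt, and that pssuspend.exe from the Sysinternals PsTools suite is on the PATH; the PIDs passed in are whatever you identified as the pair.

```powershell
# Added example (not from the original article): freeze both halves of a watchdog
# pair before killing either, then confirm nothing respawned from the same images.
# Assumptions: PsTools (pssuspend.exe) on PATH, elevated PowerShell 3+.

function Stop-WatchdogPair {
    param([Parameter(Mandatory)][int[]]$Pids)

    # Record the image paths now, so we can check for respawns after termination.
    $images = foreach ($id in $Pids) {
        (Get-CimInstance Win32_Process -Filter "ProcessId = $id").ExecutablePath
    }

    # 1. Suspend every member first. A suspended watchdog cannot restart its partner
    #    and a suspended partner cannot restart the watchdog.
    foreach ($id in $Pids) { & pssuspend.exe -accepteula $id | Out-Null }

    # 2. Only now terminate them.
    foreach ($id in $Pids) { Stop-Process -Id $id -Force -ErrorAction SilentlyContinue }

    Start-Sleep -Seconds 3

    # 3. If a new process started from the same executable, a third component (a
    #    service, scheduled task or autostart entry) is still active and must be
    #    found with Autoruns before the files are deleted.
    $respawned = Get-CimInstance Win32_Process |
                 Where-Object { $images -contains $_.ExecutablePath }
    if ($respawned) {
        $list = ($respawned | ForEach-Object { "$($_.ProcessId) $($_.ExecutablePath)" }) -join '; '
        Write-Warning "Respawned: $list"
    } else {
        Write-Host "No process from $($images -join ', ') is running."
    }
    return -not [bool]$respawned
}

# Usage (PIDs are placeholders for the pair you identified):
# Stop-WatchdogPair -Pids 1234, 5678
```

The function returns $true only when nothing came back; a $false result means step 4 of the manual procedure (the autostart entries) has not been completed and deleting the files now would leave a broken but still-registered autostart behind.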

The best answer to detection and removal of these malicious items is to begin with an expert software solution, preferably one created by people dedicated to this endeavour. We recommend using a malware removal solution provided by ParetoLogic. They have produced three viable alternatives: a U3 portable application, XOFTspy Portable; a standard anti-spyware solution, XoftSpy SE; and a more deluxe version, ParetoLogic Anti-Spyware. The deluxe version also includes monitoring tools to prevent malware from infecting your system.

The Svchost Process

As can be seen in the screenshots above, “svchost.exe” is a standard process on current Microsoft systems such as Windows 2000, Server 2003, XP and Vista. In fact there is usually more than one instance running at once; each instance hosts a different group of services. There is some information about this on a Microsoft Vista site that you can view here: http://windowshelp.microsoft.com/Windows/en-US/help/057580a1-7002-4f43-9240-a74f42cb05c91033.mspx. If your operating system is Windows 95, 98 or ME and you find svchost.exe running, it is almost certainly malicious, because those systems do not ship a file by that name. Some so-called online experts judge this process to be malicious in all instances; that is not the case, as we will explain.

While there is considerable confusion about whether this process is malware, it is a required part of Windows (2000 and later). First, examine the spelling of the process name closely. “Svchost” is an abbreviation of “service host”. Many Windows services are not stand-alone executables but DLLs, and svchost.exe is the generic process that loads and runs them. At boot, the Service Control Manager (services.exe) reads the service groups defined under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and starts one svchost.exe per group with the command line “svchost.exe -k <groupname>”; each instance then loads, for every service in its group, the DLL named by the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters. Three things follow for a legitimate instance: its executable is %SystemRoot%\System32\svchost.exe (or SysWOW64\svchost.exe for 32-bit services on 64-bit Windows), its parent process is services.exe, and its command line carries a -k argument. You can list which services each instance hosts with “tasklist /svc” at a command prompt. If you are seeing other spellings such as “scvhost”, “svchostc.exe”, “Svchost.exe.bak”, “svcchost”, “svchosts” or “svcchosts”, these are likely malware named to escape a casual glance. In such cases you can use Process Explorer to confirm this and your ParetoLogic malware solution of choice to remove it. While new malware threats appear every day, you can take comfort in the fact that your ParetoLogic anti-spyware program receives ongoing free updates to its database.

Even with the correct spelling, an instance of svchost could be hosting a malicious component. For example, a Trojan, a form of malware that camouflages itself, can register itself as a service whose ServiceDll points at its own DLL, so that a perfectly genuine svchost.exe loads malicious code. The Trojan uses legitimate mechanisms, a service entry and a DLL, to gain a foothold on your computer. This is why investigation tools that show the originating executable, the parent and the loaded modules are essential: in Process Explorer, switching the lower pane to DLL view (View | Lower Pane View | DLLs) lists every module inside the selected svchost, and an unsigned DLL in that list is where to look. However, even a good investigation may not be enough. You may not be able to tell from the name alone that an item is malicious, and if you can, you may not be able to remove it and all its components. This is where professional tools are required to properly eliminate the infecting agent.

There is also malware that impersonates or abuses svchost.exe, for example W32/Jeefo, W32.Assarm@mm and W32.Welchia.Worm. In certain instances the first sign of trouble is a warning message stating that svchost has performed an illegal operation. There may also be application failures or unexpected events such as the system rebooting for no apparent reason. In many instances users experience performance degradation, as these items can tie up almost 100% of the system's resources.
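The three properties of a legitimate svchost instance described above (image path, parent process, -k argument) plus the spelling check can be applied to every running process at once. The following is an added example, not code from the original article or from Microsoft. It assumes Windows with PowerShell 3 or later (Get-CimInstance; substitute Get-WmiObject on older hosts), run elevated so that the command lines and paths of service processes are readable; the lookalike regular expression is a simple heuristic of this example's own.

```powershell
# Added example (not from the original article): triage every process whose name
# is, or resembles, svchost.exe using the checks from the text.
# Assumptions: Windows, PowerShell 3+, elevated prompt.

function Test-SvchostInstances {
    $procs    = Get-CimInstance Win32_Process
    $services = Get-CimInstance Win32_Service
    $byPid    = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # The only legitimate images. services.exe launches the System32 copy; the
    # SysWOW64 copy appears on 64-bit Windows for 32-bit services.
    $validPaths = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    # '^s[vc]+host' matches svchost, scvhost, svcchost, svchosts, svchostc ...
    foreach ($p in ($procs | Where-Object { $_.Name -match '^s[vc]+host' })) {
        $parent   = $byPid[[int]$p.ParentProcessId]
        $hosted   = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                      Select-Object -ExpandProperty Name)
        $findings = @()

        if ($p.Name -ne 'svchost.exe')                  { $findings += 'lookalike name' }
        if ($validPaths -notcontains $p.ExecutablePath) { $findings += "path '$($p.ExecutablePath)'" }
        if (-not $parent -or $parent.Name -ne 'services.exe') {
            $findings += "parent '$($parent.Name)' (expected services.exe)"
        }
        if ($p.CommandLine -notmatch '\s-k\s')          { $findings += 'no -k <group> argument' }
        if ($hosted.Count -eq 0)                        { $findings += 'hosts no registered service' }

        [pscustomobject]@{
            PID      = $p.ProcessId
            Name     = $p.Name
            Parent   = $parent.Name
            Services = $hosted -join ','
            Findings = $findings -join '; '
        }
    }
}

# Legitimate instances come back with an empty Findings column.
Test-SvchostInstances | Format-Table -AutoSize -Wrap
```

A hit in the Findings column is the same information Process Explorer's Path, Parent and Command line fields would have shown for that row; it marks the instance for closer inspection (signature, loaded DLLs), not for immediate termination.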

Rundll32

As stated in this article, a process can host multiple components, and this is how malicious software hooks into your system while evading detection: it runs inside the service host. Another well known legitimate process is rundll32.exe, which loads a DLL named on its command line and calls one of that DLL's exported functions (for example “rundll32.exe shell32.dll,Control_RunDLL” opens Control Panel). Once again, malware is known to launch itself through rundll32 or to create a process by this name in an effort to blend into the crowd. It is not recommended to remove this item or even to terminate it blindly. Use the tools described above to read its command line, which tells you which DLL rundll32 was asked to load, and then check that DLL's path and signature; that is what tells you whether the instance is legitimate or malicious.
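Because rundll32.exe itself is always the genuine Windows binary, the thing to verify is the DLL on its command line. The following is an added example, not code from the original article or from Microsoft, that pulls that DLL out of each rundll32 instance's command line and checks its signature. It assumes Windows with PowerShell 3 or later, run elevated; bare DLL names are resolved against System32 only, which is an approximation of the loader's search order made for this example.

```powershell
# Added example (not from the original article): for every rundll32.exe instance,
# extract the DLL it was told to load and verify that DLL's Authenticode signature.
# Assumptions: Windows, PowerShell 3+, elevated prompt; unqualified DLL names are
# looked up in System32 only.

function Test-Rundll32Instances {
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $cl  = $_.CommandLine
        $dll = $null
        # Syntax: rundll32.exe [path\]name.dll,EntryPoint [args]; the DLL may be quoted.
        if ($cl -match 'rundll32(\.exe)?"?\s+"?([^",]+)') { $dll = $Matches[2].Trim() }

        $status = 'no DLL on command line'
        $signer = ''
        if ($dll) {
            if (-not [System.IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path (Join-Path $env:SystemRoot 'System32') $dll
            }
            if (Test-Path -LiteralPath $dll) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } else {
                $status = 'DLL not found'
            }
        }

        [pscustomobject]@{
            PID    = $_.ProcessId
            Parent = $_.ParentProcessId
            Dll    = $dll
            Status = $status
            Signer = $signer
        }
    }
}

Test-Rundll32Instances | Format-Table -AutoSize -Wrap
```

A DLL outside %SystemRoot% or %ProgramFiles%, a DLL that no longer exists on disk (the file was deleted after it was loaded), or a NotSigned/HashMismatch status is the rundll32 equivalent of a “Not verified” process in Process Explorer and is what to investigate next.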

To Sum Up

In the case of running processes you need to reverse the classic adage about a book and its cover: you need to judge the cover by the book. Using the proper tools is essential in attempting to uncover the offending or corrupt items on your system. But having expert tools doesn't make anyone an expert. A lot of time, money and effort has gone into the creation of these malicious items. Being certain that you have in fact detected a true malware item and not a necessary system executable or process is another expert skill in and of itself. In the particular case of svchost.exe, it is a true case of don't kill the messenger. Detecting and extracting malicious software from the software you want to keep can be a daunting task and not one that should be attempted without being properly equipped.

 


© 2006 Fix-PC-Errors.com  All rights reserved.