svchost.exe

This is the first entry in a project I’m going to do of trying to learn, document, and track my knowledge base. The purpose of these entries will be to have a one-stop shop for me to reference, so that way I’m not trying to store all this information in my head. It seems like every time I need this information I have to go and scour blog posts, videos, tweets, etc., and I just realized how stupid I am for doing that. So, this will be an attempt to categorize all this information. Let’s start.

svchost.exe is a Windows binary/PE/executable/<insert flavor/correct descriptor> that is the “generic host process for Windows services.” What that means to me is that if there’s a service running it’s thanks to svchost being alive. The three flags I’ve been asked about or had to use are the:

  • -k: which is used to define the service group that is being referenced in the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost registry key (I wasn’t able to find this on my own personal device or test boxes so I should find out what I’m doing wrong) and then iterates the HKLM\SYSTEM\CurrentControlSet\Services\<Service Name> registry key to run the services listed within
  • -s: which seems to be used to run a particular service within the defined service group
  • -p: appears to be enforcing a mitigation policy on whatever service or service group you’re running although this seems somewhat nebulous to me since I can’t find those policy definitions. Some examples I have been able to find are the DynamicCodePolicy, BinarySignaturePolicy, and the ExtensionPolicy.

Beyond the flags some pertinent items follow:

  • Standard Directory: %SystemRoot%\System32\svchost.exe
  • Typical Parent Process: services.exe
  • Generic Start Time: Whenever a service is launched, this could be on boot, on logon, etc.
  • Associated User Accounts: Typically the built-ins, e.g. Local\Network Service Accounts but it could also be a custom user account
  • How many can be running concurrently: Yes

Some anecdotal callouts, this typically has some user-land hook placed on it or some other detection wrapped around it, so if there’s an EDR on a box best of luck. I think most generically I’ve seen this just misspelled, or had it’s extension altered and then ran which always has me confused about the EDR telemetry, but that’s another post for another day. In my admittedly limited experience I haven’t ran into too many things that have successfully leveraged svchost as a victim to some implant (on a box with some EDR), but that doesn’t mean it’s not possible or that it’s not being done.

To anyone that isn’t me that is reading this and has questions, comments, or concerns please reach out to me on twitter. I am by no means publishing any of this with the intent of it being a beacon of truth, but I need somewhere I can always access this information so this will have to do. As I get more information I will update each entry, so for anyone reading this and shaking their fist at me please let me know if you have anymore information that I can add to this entry. Have a great day!

References: