Description of Windows service wrappers

What is a service wrapper?
For a service to operate it has to present a certain interface to the operating system, e.g. so the service can be stopped and started. The implementation of this interface is very similar for many services, so to minimize the size and complexity of the actual service it is placed inside a service wrapper. The service wrapper also saves resources by using a single process to host several services.
When having problems with a service wrapper, the cause is usually one or more of the services running within the context of the service wrapper.
Which service wrappers exist?
Some of the common service wrappers, which can be seen in the Task Manager:
  • Services.exe : Service Control Manager for system services.
  • Lsass.exe : Local Security Authority Subsystem for security services. More Info: MS KB308356
  • Svchost.exe : Service Host for loading dynamic-link libraries (DLL) as services.
  • Dllhost.exe : DCOM DLL Host Process (a.k.a. COM Surrogate) supports DLL-based COM objects. (Replaces Mtx.exe)
  • Srvany.exe : Applications as Services Utility. Related: Install an application as a Windows service.
More Info: MS KB263201
More Info: MSDN - Componentized Windows Services
Why do service wrappers request access to the Internet?
When a service inside a service wrapper needs to access the network, it has to go through the service wrapper, so the service wrapper becomes the one trying to get access. Therefore one should be careful before using a firewall to block network access for a service wrapper. Usually one can see which service wants access by looking at the port number. Note: if using a software firewall and granting access to a service wrapper, then all services within the service wrapper are given access, unless a rule is specified that only allows a certain port number for the service wrapper.

Note: to see the processes along with the port numbers used:
  • WinXP (Will show open ports and the process-id they belong to)

    netstat -ano

    Note: to convert the process-id to a process-name use TList/Tasklist (see below); if the process is a service wrapper, one can also see the services running within it.

  • WinXP SP2 (Will show open ports and the process-name and component they belong to)

    netstat -b

  • CurrPorts by Nirsoft is a GUI version of netstat that works with WinNT/2k/XP
More Info MS KB832017
More Info MS Reskit: TCP and UDP Port Assignments
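The port-to-process-to-service lookup described above, carried out in one step, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-NetUDPEndpoint and Get-CimInstance) and an elevated prompt; the function and rule names are the example's own. The second function goes one step further than the page's port-only firewall rule: Windows Firewall can key a rule on the service short name, so a rule can be scoped to one hosted service rather than to svchost.exe as a whole.

```powershell
# Added example, not part of the original article: map every listening TCP port and
# bound UDP port to its owning process and, when that process is a service wrapper,
# to the services it currently hosts. Assumes Windows 8 / Server 2012 or later
# (Get-NetTCPConnection, Get-NetUDPEndpoint, Get-CimInstance); run from an elevated
# prompt so that system-owned processes are visible.
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param(
        # Optional image name filter, e.g. 'svchost' to see only svchost-hosted listeners
        [string]$ProcessName
    )

    # Build PID -> service names once; a service that is not running has ProcessId 0.
    # Keys are cast to [int] because CIM returns UInt32 and Get-Process returns Int32,
    # and a hashtable treats 1234 (Int32) and 1234 (UInt32) as different keys.
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service -Filter 'ProcessId <> 0') {
        $id = [int]$svc.ProcessId
        if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
        $servicesByPid[$id] += $svc.Name
    }

    # PID -> image name, so the output is readable without a second lookup
    $nameByPid = @{}
    foreach ($p in Get-Process) { $nameByPid[[int]$p.Id] = $p.ProcessName }

    $endpoints = @(
        Get-NetTCPConnection -State Listen | ForEach-Object {
            [pscustomobject]@{ Protocol = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = [int]$_.OwningProcess }
        }
        Get-NetUDPEndpoint | ForEach-Object {
            [pscustomobject]@{ Protocol = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = [int]$_.OwningProcess }
        }
    )

    $endpoints | ForEach-Object {
        [pscustomobject]@{
            Protocol = $_.Protocol
            Address  = $_.Address
            Port     = $_.Port
            PID      = $_.PID
            Process  = $nameByPid[$_.PID]
            # Empty for a plain executable; one or more names for a service wrapper
            Services = ($servicesByPid[$_.PID] -join ', ')
        }
    } |
    Where-Object { -not $ProcessName -or $_.Process -eq $ProcessName } |
    Sort-Object Protocol, Port
}

# Once the port tells you which hosted service needs the network, scope the firewall
# rule to that service instead of to the whole wrapper. Windows Firewall can key a rule
# on the service short name (-Service), which is narrower than a port-only rule for svchost.exe.
function New-ServiceScopedOutboundRule {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # e.g. 'wuauserv'
        [Parameter(Mandatory)][int]$RemotePort,       # e.g. 443
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    New-NetFirewallRule -DisplayName "Allow $ServiceName outbound $Protocol/$RemotePort" `
        -Direction Outbound -Action Allow -Service $ServiceName `
        -Protocol $Protocol -RemotePort $RemotePort
}

# Usage:
#   Get-ListeningPortOwner -ProcessName svchost | Format-Table -AutoSize
#   New-ServiceScopedOutboundRule -ServiceName wuauserv -RemotePort 443
```

A row with an empty Services column is a plain executable; a row with several names is a wrapper, and the port number is then the only thing that tells the hosted services apart, which is why the page warns against blanket allow rules for the wrapper.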
How to see the services currently loaded by the wrapper?
The Task Manager will only show the wrapper process itself and not the actual services. Instead use these commands to see which services are hiding behind the process names:
  • Vista:
    • Open the Task Manager (hold down the keys CTRL + ALT + ESC), right-click the service-wrapper process and select "Go to Service(s)"
  • WinXP:

    Tasklist /SVC

  • WinNT4/Win2k (Found on CD in X:\Support\Tools):

    Tlist /S

Note: if not into command-line tools, then try Sysinternals Process Explorer.
Why is Svchost.exe listed several times in the task list?
This is because Svchost.exe can load different groups of services, depending on the different user privileges needed for a certain group, or for isolating critical services for increased stability and ease of debugging.

To see the different groups which Svchost uses, go here with a registry editor (each group is a REG_MULTI_SZ value listing the services in that group):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
NetworkService = "..." (Network User)
LocalService = "..." (Local User)
netsvcs = "..." (System User)
rpcss = "RpcSs" (System User, Critical Service)

Note: it is possible to create a new group and move a service started with Svchost into this group. This can be useful to diagnose which service in a group is causing unwanted behavior like high CPU / RAM usage.
  1. Find the group that contains the service to investigate (ex. netsvcs)
  2. Create a new group by adding another REG_MULTI_SZ value (ex. netsvcs2)
    • If there exists a sub-key with the same name as the group (ex. netsvcs), then make a copy of the sub-key and give it the new name (ex. netsvcs2)
  3. Edit the REG_MULTI_SZ for the new group (ex. netsvcs2) and add the service to investigate (ex. wuauserv)
  4. Edit the REG_MULTI_SZ for the original group (ex. netsvcs) and remove the service (ex. wuauserv)
  5. Go to the registry key for the service (ex. wuauserv) and change the ImagePath value to reflect the new group (ex. svchost.exe -k netsvcs2)
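The five steps above as one script, added here as an example and not taken from the original article. It assumes an elevated PowerShell prompt and the standard Svchost and Services registry paths; the function name is the example's own. It reads ImagePath unexpanded so that %SystemRoot% is written back unchanged, only replaces the `-k` group token (so any other switch such as the `-p` seen on newer Windows is kept), and supports -WhatIf so the changes can be reviewed before they are written.

```powershell
# Added example, not part of the original article: carry out the five registry steps
# above in one go, moving a svchost-hosted service (e.g. wuauserv) into a group of its
# own (e.g. netsvcs2). Requires an elevated prompt; -WhatIf shows the change without
# writing it. Any extra switch in ImagePath after '-k <group>' is preserved.
function Move-SvchostServiceToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # e.g. 'wuauserv'
        [Parameter(Mandatory)][string]$NewGroup       # e.g. 'netsvcs2'
    )
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $serviceKey)) { throw "Service '$ServiceName' does not exist" }

    # Read ImagePath unexpanded so %SystemRoot% is written back as-is, not as C:\Windows
    $imagePath = (Get-Item $serviceKey).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if ($imagePath -notmatch '(?i)svchost\.exe.*-k\s+(\S+)') {
        throw "'$ServiceName' is not hosted by svchost.exe (ImagePath: $imagePath)"
    }
    $oldGroup = $Matches[1]                                              # step 1
    if ($oldGroup -ieq $NewGroup) { throw "'$ServiceName' is already in group '$NewGroup'" }

    $props = Get-ItemProperty -Path $svchostKey
    [string[]]$oldMembers = @($props.$oldGroup)
    if ($oldMembers -notcontains $ServiceName) {
        throw "Group '$oldGroup' does not list '$ServiceName'"
    }
    $newGroupExists = $null -ne $props.PSObject.Properties[$NewGroup]
    [string[]]$newMembers = if ($newGroupExists) { @($props.$NewGroup) } else { @() }

    if (-not $PSCmdlet.ShouldProcess($ServiceName, "move from svchost group '$oldGroup' to '$NewGroup'")) { return }

    # step 2: copy the old group's sub-key if there is one (it carries per-group
    #         settings such as COM security flags) and the new one has no sub-key yet
    if ((Test-Path "$svchostKey\$oldGroup") -and -not (Test-Path "$svchostKey\$NewGroup")) {
        Copy-Item -Path "$svchostKey\$oldGroup" -Destination "$svchostKey\$NewGroup" -Recurse
    }

    # steps 2 and 3: create (or update) the new group's REG_MULTI_SZ with the service added
    if ($newMembers -notcontains $ServiceName) { $newMembers += $ServiceName }
    New-ItemProperty -Path $svchostKey -Name $NewGroup -PropertyType MultiString -Value $newMembers -Force | Out-Null

    # step 4: remove the service from the old group
    [string[]]$remaining = @($oldMembers | Where-Object { $_ -ine $ServiceName })
    Set-ItemProperty -Path $svchostKey -Name $oldGroup -Type MultiString -Value $remaining

    # step 5: point the service's ImagePath at the new group, keeping any other switches
    $newImagePath = $imagePath -replace '(?i)(-k\s+)\S+', ('${1}' + $NewGroup)
    Set-ItemProperty -Path $serviceKey -Name ImagePath -Type ExpandString -Value $newImagePath

    [pscustomobject]@{ Service = $ServiceName; OldGroup = $oldGroup; NewGroup = $NewGroup; ImagePath = $newImagePath }
}

# Usage (elevated): first with -WhatIf to review, then for real, then restart the service
#   Move-SvchostServiceToGroup -ServiceName wuauserv -NewGroup netsvcs2 -WhatIf
#   Move-SvchostServiceToGroup -ServiceName wuauserv -NewGroup netsvcs2
#   Restart-Service wuauserv
```

The change takes effect the next time the service starts, so restart it (or reboot) and the service then appears under its own svchost.exe instance in Tasklist /SVC. On Windows 10 version 1703 and later with more than 3.5 GB of RAM most svchost-hosted services are already split into separate processes by default, so the manual split is mainly useful on older systems or for the few groups that are still shared.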
More Info MS KB250320
More Info MS KB314056
What could cause a service wrapper to crash?
If a single service running within the service wrapper performs a faulty operation, then it is possible for that single service to take down the whole service wrapper along with all other services running within the service wrapper. This can be experienced when open to these exploits:
Why is the service wrapper using 100 percent of the CPU?
This is not normal behavior and is usually caused by a malfunctioning service running inside the service wrapper. To diagnose which service is causing the trouble:
  • Look in the Event Log for error messages, and if error messages are present then use them as a starting point.
  • If there are no error messages, then one can try to use the Windows Task Manager to find the service wrapper causing the trouble, and then use the technique described above for discovering which services reside inside the service wrapper.
    • Some trojans, spyware and other malware try to hide themselves by using the executable name of a service wrapper. Make sure the system is not infected.
  • If there is no clear evidence of which service is causing the trouble, try to close down each service in the service wrapper one by one and see when the problem goes away (be careful with critical services). Another way is to move each service out into its own service wrapper by using the method described above.
  • These services are usually causing trouble for people:
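The first two diagnosis steps above (find the busy wrapper instance, then see what it hosts, while checking that the process really is the genuine wrapper), combined in one function as an added example that is not part of the original article. It assumes PowerShell 3 or later for Get-CimInstance, an elevated prompt so that the image path of system-owned processes is readable, and that a genuine wrapper lives in System32; the function name is the example's own.

```powershell
# Added example, not part of the original article: rank the instances of a service
# wrapper by CPU consumed, list the services each one hosts, and flag instances whose
# image is not in the expected directory or is not validly signed (the masquerading
# malware case mentioned above). Run from an elevated prompt so Path is readable for
# system-owned processes. Requires Get-CimInstance (PowerShell 3 or later).
function Get-ServiceWrapperLoad {
    [CmdletBinding()]
    param(
        [string]$Name = 'svchost',     # wrapper image name without .exe
        [int]$Top = 5,
        # Where a genuine copy of the wrapper lives; services.exe, lsass.exe and
        # svchost.exe are all in System32
        [string]$ExpectedDirectory = (Join-Path $env:SystemRoot 'System32')
    )
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Sort-Object CPU -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $proc = $_
            $path = $proc.Path      # $null if the process cannot be opened (not elevated)
            $dirOk = $false
            $sig   = 'Unknown'
            if ($path) {
                $dirOk = (Split-Path $path -Parent) -ieq $ExpectedDirectory
                $sig   = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            # The services hosted by this instance; an empty list for a process that
            # merely carries a wrapper's name is itself a warning sign
            $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" |
                          Select-Object -ExpandProperty Name
            [pscustomobject]@{
                PID          = $proc.Id
                CPUSeconds   = [math]::Round([double]$proc.CPU, 1)   # total CPU time, not a live %
                WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
                Services     = ($hosted -join ', ')
                Path         = $path
                ExpectedDir  = $dirOk
                Signature    = $sig
            }
        }
}

# Usage:
#   Get-ServiceWrapperLoad | Format-Table -AutoSize
#   Get-ServiceWrapperLoad -Name lsass -Top 1
```

CPUSeconds is cumulative processor time since the process started, so run the function twice a minute apart and compare if you want the instance that is busy right now. A path outside System32, an empty Services column, or a signature status other than Valid on a process named like a wrapper deserves a closer look; on older PowerShell versions catalog-signed Windows binaries can report NotSigned, so treat the path check as the primary signal there.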

Updated: 13 February 2009

Comments:

  1. Randy Cordell says:

    WOW! really useful post. I've been trying to figure out who is driving my hyperactive SVCHOST.exe for a couple days now. I should be successful now. Really appreciate this info.

  2. Mary Boniface says:

    This is a very useful summary. Thanks for providing the appropriate command line commands and the registry tip.

  3. tarun says:

    Ultimate post!!!!!!!!!!!!!!!! it is very beneficial knowledge for an IT professional .. thank you very much

  4. Mr Security says:

    Microsoft uses all these wrappers to hide what they are doing, as Windows calls home every other second and it makes it just about impossible to see what is going on inside Windows.

    Windows bloatware (win8 = 1000 X more memory needed than XP) does not include many .exe programs, but who needs them when you have host processes to run 5000 plus .dll's, and let's throw in the Windows registry that now uses GUIDs linked to dll files and has over 400,000 keys (yes, I ran code to count them), and it is not too hard to see why Windows has become a monster that few people understand, and that includes me even after 20 years of working with Windows.

    Run netstat -n -a -o from a command window to see the amount of ports locked up by Windows, and developers should also know that Windows lies when asked for a list of locked files using Windows APIs, and the same is also true when asking for a process list.

    Developers now rely on calling the Windows .Net framework or ATL from C++ so much that few really know what is going on, and it's like saying that you are a top chef when all you are doing is buying tinned food from the local shop and serving it up. If the tin says it contains no sugar then that's the end of the argument so far as many are concerned.

    Just how big does the registry need to be, or how many services / processes / drivers and triggers inside scheduled tasks do we need, before people start to see that this is not good practice, good code, and will stop allowing Microsoft "Experts" to keep pulling the wool over people's eyes.

    Try finding and then deleting those hidden Index.dat files in Windows to see that your machine is now little more than a remote terminal for Windows.
