Table of Contents
What is SvcHost?
SvcHost and Windows 7
SvcHost in Windows 10
Using SysInternals Process Monitor to understand Service Host
SvcHost parameters and Registry
Checking Service Host for security threats
Check if svchost.exe is legit
Check the parent process of svchost.exe
What can go wrong with legit Service Host?
What is SvcHost?
Got an alert from our EDR regarding execution of the “svchost.exe” via Command Line.
What is “svchost”? Basically, it is a shared process for hosting Windows Services, hence the name SvcHost (Service Host). One instance of “svchost.exe” can host a single service or a group of services.
SvcHost and Windows 7
The problem? In Windows 7, in Task Manager under the [Processes] tab, you would see a number of “svchost.exe” instances with the description “Host Process for Windows Services” and no indication of which service or services each one runs. Of course, you can add the Command Line column:
Task Manager => [View] => Select Columns
[V] Command Line
And you will see the command lines of the services. For example:
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k netsvc
In Task Manager you can
RightClick svchost.exe => Go to Service(s)
You will be redirected to the [Services] tab, and the service running under this specific svchost will be highlighted.
Another way is to run a command line that shows all instances of svchost.exe and the services running under each:
tasklist /SVC /fi "imagename eq svchost.exe"
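As an added example (not part of the original post), the same PID-to-services mapping that tasklist /SVC produces can be built in PowerShell from the Win32_Service and Win32_Process classes, which also gives you the exact command line of each svchost.exe instance on Windows 7 and Windows 10 alike. The function name and the output fields are my own; an svchost.exe that hosts no service at all is flagged, since that is the case worth a second look.

```powershell
# Added example: map every running svchost.exe to the services it hosts.
# Assumes a local Windows host and read access to the CIM/WMI classes.
function Get-SvcHostServiceMap {
    [CmdletBinding()]
    param()

    # Running services keyed by the PID of the process hosting them
    # (stopped services report ProcessId 0 and are dropped).
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    # Every svchost.exe process with the command line it was launched with
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $procId = $_.ProcessId
        $hosted = @()
        if ($svcByPid -and $svcByPid.ContainsKey("$procId")) {
            $hosted = @($svcByPid["$procId"] | ForEach-Object { $_.Name })
        }

        [PSCustomObject]@{
            PID         = $procId
            CommandLine = $_.CommandLine
            # The group name after "-k" is what services.msc shows as "Path to executable"
            Group       = if ($_.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { $null }
            Services    = ($hosted -join ', ')
            # An svchost.exe that hosts no service at all deserves a closer look
            NoServices  = ($hosted.Count -eq 0)
        }
    }
}

Get-SvcHostServiceMap | Sort-Object PID | Format-Table -AutoSize
```

Run it from an elevated prompt; without elevation the CommandLine property of processes owned by other accounts comes back empty, the same limitation the post mentions for Process Monitor on Windows 10.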
SvcHost in Windows 10
In Windows 10 from build 1703 onward, there is only one service per svchost instance if the machine has more than 3.5 GB of memory. In Task Manager under the [Processes] tab you will see, for example, “Service Host: Background Intelligent Transfer Service”, which makes it a lot easier to understand.
To know which command line is responsible for which service, you can go to the Services console:
[Win] + [R] => services.msc => [OK]
Double-clicking a service opens its properties window. Let’s say, for example, that you opened “Windows Time”. In the [General] tab you will see:
Service name: W32Time
Display name: Windows Time
Path to executable:
C:\Windows\system32\svchost.exe -k LocalService
“Path to executable” is how this service is executed. As you can see, it is a command line that runs “svchost.exe” with the “-k” switch followed by the name of a service or a group of services (in this case “LocalService”, which is a group). Windows 10 added more switches. Example of “WebClient” after execution:
C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient
“-s” is followed by the service name, and “WebClient” is the actual name of the service as it is written in the service properties. You won’t see these extra switches in the service properties, only in the command line of the running process.
Using SysInternals Process Monitor to understand Service Host
Process Monitor from the SysInternals Suite can be used (and not only for svchost).
Download it and “Run as Administrator” (in Windows 10 you won’t see any info without it).
After you run it, you will see all the processes in your system. To simplify the view:
[View] => Select Columns…
[V] User Name
[V] Command Line
This adds the “User Name” responsible for each executable and the “Command Line” that started it. Now you will see the exact command in Windows 10 as well.
Double-clicking any “svchost.exe” line shows all the information you need.
The [Image] tab shows the version of the executable, the file location, the command line it was executed with, the parent process that started the process you opened, and the user that executed it. If the process is a service, it also has a [Services] tab, which lists the names of the services this process runs or the paths to the DLL files this svchost.exe has loaded.
SvcHost parameters and Registry
What happens when the svchost is launched with a parameter?
Svchost.exe navigates in the registry to:
Then the key with the name of the parameter is opened, for example “LocalService”. If you open this key in Windows 10, you will most likely see the following list:
These are all the services that will run under this specific instance of svchost.exe after the command executes. Let’s take “w32time” as an example. Each service in this list is then started from the registry location:
Each service has its own key, named after the service; in our case:
The path to the service DLL is under the Parameters key:
in the “ServiceDll” value. The DLL at that path is then loaded and run inside svchost.exe. This is done for every service in the “LocalService” group.
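The chain described above (group name after “-k”, the group’s service list, each service’s Parameters key, the ServiceDll value) can be followed programmatically. This is an added example, not code from the original post; the two registry paths it uses are the documented Windows locations of the svchost group list and of the per-service keys, while the function name and output layout are my own.

```powershell
# Added example: resolve one svchost group to its services and their DLLs.
# Registry locations (documented Windows paths):
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost   -> REG_MULTI_SZ per group
#   HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters     -> ServiceDll value
function Resolve-SvcHostGroup {
    param([Parameter(Mandatory)][string]$Group)

    $groupKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # The value named after the group lists its member services
    $members = (Get-ItemProperty -Path $groupKey -ErrorAction Stop).$Group
    if (-not $members) { throw "No svchost group named '$Group'" }

    foreach ($svc in $members) {
        $svcKey    = Join-Path $servicesRoot $svc
        $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $params    = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue
        $dll       = $params.ServiceDll
        # ServiceDll is usually REG_EXPAND_SZ with %SystemRoot%; expand it to a real path
        $expanded  = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

        [PSCustomObject]@{
            Group        = $Group
            Service      = $svc
            ImagePath    = $imagePath
            ServiceDll   = $expanded
            DllExists    = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
            # A service DLL outside %SystemRoot% is unusual for a built-in group
            InSystemRoot = if ($expanded) { $expanded -like "$env:SystemRoot\*" } else { $false }
        }
    }
}

Resolve-SvcHostGroup -Group 'LocalService' | Format-Table -AutoSize
```

Reading these keys needs no elevation. Rows with InSystemRoot = False, or a ServiceDll that does not exist on disk, are the ones to compare against the service properties in services.msc.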
The parent process is the process that executes svchost.exe itself. In a regular environment it will always be “services.exe”, and the process runs under a service account with SID S-1-5-18 (NT AUTHORITY\SYSTEM), S-1-5-19 (NT AUTHORITY\LOCAL SERVICE) or S-1-5-20 (NT AUTHORITY\NETWORK SERVICE); these SIDs are reserved for system accounts. You can find the full list of Security Identifiers in Microsoft Support – Windows known SIDs.
You can read more about LocalSystem, LocalService, NetworkService accounts on their relative pages in Microsoft Docs.
In short:
LocalSystem is a SYSTEM account that runs mostly OS core executables and services,
LocalService runs local services (there are also services that are executables and not DLLs, like “FontCache”),
NetworkService runs local services that are related mostly to network activities.
User SIDs that start with “S-1-5-21” will most likely be domain users or local users on the computer. To find out whom a SID belongs to, navigate in the registry to:
Select the key for your user that starts with “S-1-5-21-” and check the value called “ProfileImagePath”. Its value is the path to the user’s profile folder on your computer, like
A regular local user (even one who is an administrator on the host) who logged in interactively can’t run svchost.exe by design. So, if you run any service command yourself (like the one for WebClient: C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient), nothing will happen: it runs for a second or two and terminates. Two standard ways of starting a service that is not running are the Services console (services.msc) and the command line of the file
The commands to start and stop a service (for example WebClient):
sc start webclient
sc stop webclient
In the second case you must run CMD with administrative privileges. In both cases the parent process of this instance of “svchost.exe” will still be “services.exe”.
Checking Service Host for security threats
So, what is the issue from the security point of view?
1. Svchost.exe is not legit
2. Parent process of the svchost.exe is not legit
3. Svchost.exe is legit, but its usage is not, or it has been compromised
Check if svchost.exe is legit
1. Process Monitor:
Run “Process Monitor” as Administrator => [View]
[V] Command Line
[V] User Name
2. Find the “svchost.exe” that you think is problematic => DoubleClick it => Goto [Image] tab
3. Check that the user name in “User:” is one of the system accounts listed above and not a regular user account.
*** If a regular user account is running it, then this svchost.exe does not belong to the system core and is most likely compromised!
4. Check that svchost.exe is running from “C:\Windows\System32”: look at “Path:”. It should be “C:\Windows\System32\svchost.exe”.
*** If it is anything else, then your svchost.exe is compromised!
5. Check the file hash against known services (for most services SHA256 is the best choice). If you are using the computer at home you could upload the file to such a service for a check, but it is strongly not advised; in an enterprise environment you should not use file upload at all. Services like VirusTotal and Hybrid-Analysis are public, so if your organization is targeted, the uploaded file becomes available online in these services and the attacker may learn that your organization is aware of the attack.
So, in this case you only need the file hash, and you check whether it is already in the databases of these services. If it is not, better use a paid service like ThreatGrid from Cisco, which is private to your organization (though there is still a way to know whether a file hash is in ThreatGrid without having an account; you just won’t see any details of the investigation).
5.1. Run “powershell.exe”
5.1.1. [Win] + [R] will show you the “Run” window. Execute there
and it will open the PowerShell window.
5.2. Execute “Get-FileHash” cmdlet over “svchost.exe”:
Or you can type “Get-FileHash”, hit [Space] and drag the svchost.exe file in question into the window (if the path to the file is not the standard one).
5.2.2. When you hit [Enter] you will see the “Algorithm” column (SHA256 by default). The hash is under the “Hash” column. Select the hash and hit [Enter]; it is copied to the clipboard.
5.3. Go to the VirusTotal malware database (this is a public database of malicious-file results from different engines)
5.3.1. You will be redirected to the [Search] option, which searches the VirusTotal database for hashes (also URLs, domains and IPs).
5.3.2. Paste your Hash from the clipboard and hit [Enter]
5.3.3. If results were found and you see a green circle with 0 engines, it is a legit file; if not, you will see what the problem is in the [Details] tab.
*** If there are engines that found that your Hash is malicious – it might be!
5.4. Go to the Hybrid-Analysis sandbox (public sandbox for malware analysis).
5.4.1. Go to the [Report Search] tab, which is responsible for hash search (you can also search by IP or domain).
5.4.2. Paste your hash and hit [Enter] and check for the results.
5.5. Another site is Talos, which is part of Cisco intelligence. Talos connects to the Cisco ThreatGrid sandbox database and shows whether there is already an analysis of the file in ThreatGrid. Of course you will need a ThreatGrid account in order to see the analysis itself. Talos File Reputation only works with SHA256 hashes. Go to Cisco Talos File Reputation.
5.5.1. Paste your hash and confirm that you’re not a robot.
5.5.2. If the file is in the database you will be given a link to the ThreatGrid login page, and after login you should see information about it, provided the user who uploaded it made it public to ThreatGrid users. By default, all submissions are private.
*** If you can’t find the hash of your svchost.exe file in any of the databases, most probably it is malicious and the virus is new, or your operating system was updated recently; in the case of an update it should reach the databases very quickly, as it is a core process. Anyway, beware.
Check the parent process of svchost.exe
We need to find the parent process of our “svchost.exe”:
6. Return to “Process Monitor”, which you left in stage 4.
6.1. Find the parent process. It should be “services.exe”.
6.2. If you still have the svchost.exe window open, check the “Parent:” field in the [Image] tab.
*** If it is not “services.exe”, it is definitely malicious!
7. Close the window of the svchost.exe in question and find all the instances of “services.exe” in Process Monitor. Follow the same pattern we did for “svchost.exe” in stages 1 to 5. There should be only one instance of “services.exe”, though.
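Stages 3, 4, 5.2, 6 and 7 of the procedure above can be run as one pass over every svchost.exe on the host, leaving only the hash lookup to the analyst (in line with the advice not to upload the file). This is an added example, not code from the post or from SysInternals; the three SIDs and the expected path are the ones the post names, and the function name, the output fields and the Suspicious flag are my own.

```powershell
# Added example: automate the owner, path, hash and parent-process checks
# for all running svchost.exe instances. Run elevated so every process is visible.
function Test-SvcHostInstances {
    $systemSids   = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

    # Stage 7: there should be exactly one services.exe on the box
    $servicesCount = @($all | Where-Object Name -eq 'services.exe').Count
    if ($servicesCount -ne 1) { Write-Warning "Found $servicesCount instances of services.exe (expected 1)" }

    foreach ($proc in ($all | Where-Object Name -eq 'svchost.exe')) {
        # Stage 3: owner must be one of the service accounts
        $sid = (Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid).Sid
        $ownerOk = $systemSids -contains $sid

        # Stage 6: parent must be services.exe. PIDs are reused after a process
        # exits, so also require the parent to have started before the child.
        $parent   = $byPid[$proc.ParentProcessId]
        $parentOk = [bool]($parent -and $parent.Name -eq 'services.exe' -and
                           $parent.CreationDate -le $proc.CreationDate)

        # Stage 4: image path; stage 5.2: SHA256 of the file that is actually running
        $path   = $proc.ExecutablePath
        $pathOk = [bool]($path -and ($path -ieq $expectedPath))
        $hash   = if ($path -and (Test-Path -LiteralPath $path)) {
                      (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                  } else { $null }

        [PSCustomObject]@{
            PID         = $proc.ProcessId
            OwnerSid    = $sid
            OwnerOk     = $ownerOk
            Path        = $path
            PathOk      = $pathOk
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            ParentOk    = $parentOk
            SHA256      = $hash
            CommandLine = $proc.CommandLine
            Suspicious  = -not ($ownerOk -and $pathOk -and $parentOk)
        }
    }
}

Test-SvcHostInstances | Where-Object Suspicious | Format-List
```

One caveat on the owner check: Windows 10 per-user services (service names carrying a per-session suffix, such as the CDP or push-notification user services) do run svchost.exe under the logged-on user’s account, so an OwnerOk = False row is a prompt to check which service the instance hosts, not proof of compromise by itself. A non-System32 path or a parent other than services.exe has no such benign explanation.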
What can go wrong with legit Service Host?
If you’re using EDR software in an enterprise environment, you will see all the details prior to the svchost execution in the logs. You should check for previous “sc.exe” commands, like “sc create” (or “sc.exe create”), and for registry changes in the keys stated above; these can indicate tampering with svchost. With “sc create” you can create any service you like, including ones that point to malicious executables. Some info about the “sc.exe” command-line tool and the “sc create” switch can be found on the Microsoft site.
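As an added example (not from the original post and not tied to any particular EDR product), the triage described above can be expressed as a filter over process-creation records: flag “sc create”/“sc config” invocations, especially with a binPath outside the Windows directory, and flag direct edits to the Services tree or the svchost group list, especially when ServiceDll is involved. The records below are constructed for the example, and the field names (TimeCreated, Image, CommandLine, ParentImage) are my own rather than any vendor’s schema.

```powershell
# Added example: flag service-tampering activity in process-creation records.
# Sample records are constructed; map the four fields to your own log source.
$sampleEvents = @(
    [PSCustomObject]@{ TimeCreated='2024-01-01T10:00:01'; Image='C:\Windows\System32\sc.exe';      CommandLine='sc  create  updsvc binPath= "C:\Users\Public\upd.exe" start= auto'; ParentImage='C:\Windows\System32\cmd.exe' },
    [PSCustomObject]@{ TimeCreated='2024-01-01T10:00:02'; Image='C:\Windows\System32\reg.exe';     CommandLine='reg add HKLM\SYSTEM\CurrentControlSet\Services\updsvc\Parameters /v ServiceDll /t REG_EXPAND_SZ /d C:\Users\Public\upd.dll'; ParentImage='C:\Windows\System32\cmd.exe' },
    [PSCustomObject]@{ TimeCreated='2024-01-01T10:00:03'; Image='C:\Windows\System32\sc.exe';      CommandLine='sc start webclient'; ParentImage='C:\Windows\System32\cmd.exe' },
    [PSCustomObject]@{ TimeCreated='2024-01-01T10:00:04'; Image='C:\Windows\System32\svchost.exe'; CommandLine='C:\Windows\System32\svchost.exe -k LocalService -p -s WebClient'; ParentImage='C:\Windows\System32\services.exe' }
)

function Find-ServiceTampering {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $cmd     = [string]$Record.CommandLine
        $reasons = @()

        # "sc create" / "sc config" (-match is case-insensitive by default).
        # "sc start"/"sc stop" alone are the normal admin actions the post describes.
        if ($cmd -match '\bsc(\.exe)?\s+(create|config)\b') {
            $reasons += 'sc create/config'
            # binPath outside the Windows directory is the detail worth surfacing
            if ($cmd -match 'binpath=\s*"?([^"\s]+)' -and $Matches[1] -notlike 'C:\Windows\*') {
                $reasons += "binPath outside Windows: $($Matches[1])"
            }
        }

        # Direct edits to the Services tree or to the svchost group list
        if ($cmd -match '\\CurrentControlSet\\Services\\|\\CurrentVersion\\Svchost') {
            $reasons += 'service registry edit'
            if ($cmd -match 'ServiceDll') { $reasons += 'ServiceDll set' }
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Time        = $Record.TimeCreated
                Image       = $Record.Image
                Parent      = $Record.ParentImage
                Reasons     = ($reasons -join '; ')
                CommandLine = $cmd
            }
        }
    }
}

$sampleEvents | Find-ServiceTampering | Format-List
```

On the constructed input the first two records are flagged (service creation with a binPath under C:\Users, then a ServiceDll write under the Services key) and the last two are not: “sc start webclient” and the resulting svchost.exe launched by services.exe are exactly the legitimate sequence the post walks through. Correlating a flagged record with an svchost.exe start that follows it shortly afterwards is the pattern to look for in the EDR timeline.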