Video of signing: Windows 7 Sneak-Peak from MGX

Congratulations to the engineering teams of both products! I am personally very much looking forward to using the latest code, as I was well impressed with the quality of the RC. The next question would be of course : When will I get it? The Microsoft Windows Team blog answered just that in their recent post titled “When will you get Windows 7 RTM?”

In summary:

Read more about the widespread build availability prior to October 22^nd 2009.

Related Links:

• Microsoft PressPass
• ComputerWorld
• Neowin.net

Powershell:

• Version 1.0
• If this is your first time with Powershell, it’s best to ensure that you have the PowerShell scripting engine installed on your system, as well as enabling the rights to run Powershell scripts on your system by using the command “Set-ExecutionPolicy RemoteSigned” from within the powershell prompt.

• To run script:

1. Save the script below to a file named “c:\myFiles\CheckSvc.ps1” .
2. Open the command prompt with administrator rights: Start > Programs > Accessories > Right click on “Command Prompt” and select “Run as Administrator”.
3. Start Powershell by typing “Powershell”.
4. Run the script by typing “c:\myFiles\CheckSvc.ps1”

This is what the script outputs:

• Directly enumerates and checks out all of the processes which have their process name ‘svchost.exe’.
• Get a clear view about how many such processes are running on your system and get a feeling of what is normal on your system when run over different days.
• For each of those processes, it checks if there are any services running under that instance. If there are, it extracts from them:

1. How many services are running under that svchost.exe instance.
2. The service group (as described in part 2) running under that svchost.exe instance.
3. The service names and descriptions (as described in part 1 and part 2) of the services running under that svchost.exe instance.  

• In cases where something out of the norm is detected such as a malformed command line initiator or no service running under that process a warning is displaced clearly to you. 

I hope that this three part series has been able to provide you with more visibility into the under wirings of those normally unknown processes which come up under your process explorer views via task manager or other tools, as well as their usage and meanings.

You can also customize this script to your needs. I only ask you keep me posted on your updates as for me to learn from them too by emailing me on andre@gfi.com.

You can download the script here.

$FgText1 = "DarkGreen"
$FgText2 = "DarkGray"
$FgError="Red"

Write-Host("==============================================================================") -foreground $FgText1;
Write-Host("SvcHost Explorer...") -foreground $FgText1;
Write-Host("==============================================================================") -foreground $FgText1;
Write-Host("");
$ProcessToCheckFor = "'svchost.exe'";
$TotalProcessesCount = 0;
$TotalServicesCount = 0;

# Create a list of process handles which are running on the system
$PidList = @(Get-WmiObject win32_process -Filter "name=$ProcessToCheckFor");
$TotalProcessesCount = $PidList.length;

$PidHandleList = $PidList | Foreach-Object { $_.Handle };

Write-Host("Total {0} Processes Count: {1}" -f $ProcessToCheckFor, $TotalProcessesCount) -foreground $FgText1;

Write-Host("------------------------------------------------------------------------------") -foreground $FgText1;
Write-Host("");
$CurrentPos = 0;

# For every process detected, check which windows services are running under
# that process
foreach ($procid in $PidHandleList){
$CurrentPos +=1;
$ServicesUnderThisPID = @(Get-WmiObject win32_service -Filter "processID = $procid");

if($ServicesUnderThisPID.length -gt 0){
$ShowHeader = $True;
$PossibleMalware = $False;

$ProcGroup = "";

# For every windows service, break down the command triggered to ensure of
# proper format
# Typical format: C:\Windows\system32\svchost.exe -k netsvcs

foreach($serv in $ServicesUnderThisPID){
if($ProcGroup -eq("")){
$ProcGroup = $serv.PathName;
$CommandComponents = @($ProcGroup.Split(" "));
if ($CommandComponents.length -eq 3 ){
$ProcGroup = $CommandComponents[2];
}
else{
$ProcGroup = "WARNING: POSSIBLE MALWARE - NON STANDARD RUN COMMAND DETECTED";
$PossibleMalware = $True;
}
}

if($ShowHeader){
if($PossibleMalware){
Write-Host("{0}" -f $ProcGroup);
}
else {
Write-Host("Process {0,2} - (Process ID: {1}) - (Services running under this process: {2})" -f $CurrentPos, $procid, $ServicesUnderThisPID.length) -foreground $FgText1;
Write-Host(" (Group {0})" -f $ProcGroup) -foreground $FgText1;
}
$ShowHeader = $False;
}

Write-Host(" {0}" -f $Serv.Name);
Write-Host(" {0}" -f $Serv.DisplayName) -foreground $FgText2;

$DescriptionProc = $Serv.Description;
$DescriptionProc = @($DescriptionProc.Split(" "));
$TempStr = " ";
foreach($word in $DescriptionProc){
if ($TempStr.length -lt 67){
$TempStr += $Word + " ";
}
else{
Write-Host( "{0}" -f $TempStr) -foreground $FgText2;
$TempStr = " ";
}
}
}
}
else {
Write-Host("WARNING: POTENTIAL MALWARE: NO WINDOWS SERVICE DETECTED") -foreground $FgError;
Write-Host(" AS RUNNING UNDER THIS PROCESS. CAN BE A MALWARE RUNNING") -foreground $FgError;
Write-Host(" UNDER THE NAME {0} TO DISGUISE ITSELF" -f $ProcessToCheckFor) -foreground $FgError;
}
" ";
$TotalServicesCount += $ServicesUnderThisPID.length;
}

Write-Host("------------------------------------------------------------------------------") -foreground $FgText1;
Write-Host("Summary:") -foreground $FgText1;
Write-Host("------------------------------------------------------------------------------") -foreground $FgText1;
Write-Host("Total {0} processes counted: {1}" -f $ProcessToCheckFor, $PidList.length) -foreground $FgText1;
Write-Host("Total services running under these processes: {0}" -f $TotalServicesCount) -foreground $FgText1;
Write-Host("==============================================================================") -foreground $FgText1;
Write-Host("");
Write-Host("");

For those of you who have been using the Microsoft OS since the beginning, a memory jog through the evolution of this operating system leading to Windows 7 will definitely strike a bell and bring back a myriad of memories.

Enjoy…

This release means a lot to us, and we can understand the excitement around it.

I have personally been using Windows 7 RC since its availability, and was very impressed from my first installation. I admittedly did manage to hang it a couple of times, but my experiences were not reproduced by my fellow colleagues and required a particular combination to reproduce. Even with the unique hang combination, I still enjoy using this OS on a daily basis reliably and without compromise on performance.

My positive experience seems to resound with the rest of the evaluators’ reviews I went through, as well as discussions with other evaluators, MVPs and other sources.

Sites you can monitor for the announcement:
• Bink.Nu
• IStartedSomething
• Neowin

Now…we wait…

Tick Tock…Tick Tock…

The under-wires of the svchost.exe

A bit of searching around on the process svchost.exe lets you know that this process is indeed legitimate and used by Microsoft. At startup the OS loads a number of services in the background. For the most part these services are executable files (*.exe); however, it is not uncommon that some services are actually dynamic link libraries (*.dll) files which get loaded by a hosting executable file which is started as a service.

In this case, the svchost.exe is the “Host Process” which Microsoft uses to load and manage one or more of its Windows services (via dll files). You also get a number of svchost.exe entries in your task manager because each one of those processes is hosting one or more Microsoft services separately. Let us explore further:

• Open command prompt (Start > Run > cmd.exe)
• Type in “tasklist /SVC /fi “imagename eq svchost.exe””
• You should get a screen similar to the one below:

The table you get shows you:

• How many svchost.exe processes you have which are actually hosting one or more services.
• How many services, as well as which, are being hosted under which svchost.exe.
  o Again their names do not really help you out but hang on in there…it is not that bad.

Let’s understand what is happening by focusing on the first line:

• The first svchost.exe which I have is running under process ID 1208.
• From the task manager view with “Command Line” column enabled, I can see that the trigger is: C:\Windows\system32\svchost.exe -k DcomLaunch.

This is what Microsoft does when this process is launched as a service:

• Svchost.exe is launched with a parameter DcomLaunch.
• The Svchost.exe goes to the registry location
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
• Locates the key which matches the parameter entry DcomLaunch as specified and reads it (in this case the string is “PlugPlay DcomLaunch”. This string contains the names of the services it will load and run within the context of that svchost.exe instance.
• In this case what it means is that the SvcHost.exe host instance launched with the parameter “-k DcomLaunch” will be the process instance within which two services will be running. One service is the one with name “PlugPlay”, and the other is “Dcomlaunch”.

• Now that Windows knows the name of the services to load under that instance it needs to actually load them. The way it does it is by following the normal procedure of loading services which is to:
• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<servicename> to find out the parameters pertinent to that service.
• For the service PlugPlay which we already established will be a dll file which will be loaded into svchost.exe context it needs to find the location of the dll file to use.
• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay, and you will find several of the properties pertinent to the Plug and Play service including the service context it should be running under.

• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay\Parameters and you will find a value named “ServiceDll” which contains the path to the dll to load.

• Voila, now Windows has all it needs to load the dll, into the right svchost.exe process.
• Windows will check if there is an svchost.exe process for the “Dcomload” group already created. If not, it will create an instance of one to handle services in the Dcomload group.
• The svchost.exe process for Dcomload will then start the service by executing the “%SystemRoot%\system32\umpnpmgr.dll”. Once the DLL has been loaded by svchost.exe the service will then be in a started state.

NOTE: Now that the PlugPlay service has been successfully started, it will move on to the second entry in the list i.e. DComLoad and repeat the process. As this time the svchost.exe instance will already exist, it will only need to attach the dll file for DcomLoad service to the existing svchost.exe which is used for the PlugPlay service initiated above.

In this segment, you have been presented with the way the operating system makes use of the svchost.exe to run critical Windows Services which are highly required by the operating system. You were also presented with a technical step by step flow, of what process the operating system goes through to load and run these service processes. Should you be interested, more information on this technical process is available from: http://support.microsoft.com/kb/314056.

In Part 1, we introduced the multiple svchost.exe instances running on Microsoft operating systems. In Part 3, we will put together a script which you will be able to run on your system, and determine whether any of those processes have anything strange, or out of the norm, which can indicate malware activity. 

While passing the list you come across a bunch of svchost.exe processes but  you have no idea what each one is doing, why each is running, who is running it… and most importantly, whether they are legitimate.

This is a three part post in which I explore the world of svchost.exe. In part 1, I will introduce the topic; its usage and why it is something that we should understand more about. In part 2, I will go into more depth about how the operating system makes use of this Host Process for its needs. In part 3, I will show you how to create a Powershell script which can be used to investigate and discover potential malware which can be hiding behind this innocent-looking process on your own machines.

Discovering svchost.exe

As mentioned earlier, when investigating the list of processes running on your system, you will come across a bunch of svchost.exe processes running with the most useful description ever to help you understand what they are there for i.e. “Host process for Windows Services”… Or maybe not!

What is worse is that the task manager does not show you the source path of this process by default, therefore making it pretty easy for an attacker to just name his process as “svchost.exe”; hence enabling the malware process to hide itself amongst these generic processes which I am so used to seeing in the list.

If you are running Windows Vista or later you can actually get to see the command which launched the process via View > Select Columns… > Travel to the bottom of the list and enable “Command Line”. If you are still on Windows XP, then your only option is to get to the process id, and delve into the world of the command line to discover more…

Even after a good hard look at the command line trigger and the description, you will most probably still have no idea what all of those entries are…they look legitimate in this case as they are running from the windows system, but relatively still in the dark due to a lack of proper description or understanding what they are; We just understand that most probably they are windows services (because that is what the description says).

Another feature improvement which Microsoft did in the Windows Vista Task Manager is that you can also right click on an svchost.exe process from the Processes tab > select go to services > you will be taken to yet another page where it will automatically highlight all of the services running under the context of that svchost.exe.

Ok, so far we are still looking at this and thinking ‘huh?’ We are still at a loss of what these processes really are etc. and there is no way we want to have to stay manually going through this list every time to discover if they are all legitimate. Nor do we want to wonder whether a new piece of malware was introduced in a system which is masking itself as one of these processes. Needless to say, if seeing a long list of svchost.exe entries will become taken as normal, the chances of noticing an infiltrated malware are below slim.

We have to find out more about them, as well as devise an even better way to root out the legitimate entries from the rest!

The learning experience continues in the second part of this post, in which I will explain the under wiring of the way Microsoft operating systems make use of the svchost.exe system for their needs.

In the meantime one of the most common tools available and recommended for your perusal when discovering the world of process management is a nifty tool from SysInternals called Process Monitor which is available from: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

In the next segment I will go into more depth about how the operating system makes use of this Host Process for its needs.