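Quote

Zipney Seabert: A Complete Guide to the Svchost.exe Process
(The Chinese content is essentially an introductory version.) Many people do not really understand the svchost.exe process. When they see several instances of it in Task Manager (six in Figure 1), they assume the computer has been infected by a virus or trojan. That is not the case. Under normal conditions, Windows can run multiple svchost.exe processes at the same time: Windows 2000 has at least 2 Svchost processes, Windows XP has 4 or more, and Windows 2003 has even more. So seeing multiple svchost processes does not necessarily mean a virus.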
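What does the svchost.exe process do?

The svchost.exe file lives in the "%systemroot%\system32" directory (for example C:\Windows\system32). It is an important process of the Windows NT core (Windows 9X does not have it) whose job is to start the system's various services. For example, when Svchost.exe loads the rpcss.dll file, the rpcss service (Remote Procedure Call) is started.

svchost.exe is really a service host. By itself it provides no service to the user, but it can run dynamic-link library (DLL) files and thereby start the corresponding services. One Svchost.exe process can start several services at once.

How does svchost start system services?

Because system services are all implemented as dynamic-link libraries (DLLs) and point their executable at svchost, svchost only has to load a given DLL to start the corresponding service. How, then, does svchost know which DLL to load when it starts a service? Each system service has the relevant parameters set in the registry, so svchost reads the service's registry information to learn which DLL to load, and then starts the service.

The following uses svchost starting the helpsvc (Help and Support) service as an example. In Windows XP, click "Start", "Run", enter "services.msc" to open the Services dialog, then double-click "Help and Support" to open its properties dialog. The path to the executable for helpsvc is "C:\WINDOWS\System32\svchost.exe -k netsvcs" (see Figure 2), which shows that the helpsvc service is implemented by SVCHOST being invoked with the "netsvcs" parameter; the content of that parameter is stored in the system registry.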
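Enter "regedit.exe" in the Run dialog and press Enter to open Registry Editor. Go to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc] key and find the value "ImagePath" of type "REG_EXPAND_SZ"; its data is "%SystemRoot%\System32\svchost.exe -k netsvcs" (the service start command shown in the Services window). In addition, the "Parameters" subkey has a value named "ServiceDll" whose data is "%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"; "pchsvc.dll" is the dynamic-link library that the helpsvc service uses. By reading the registry information of the "helpsvc" service, the SVCHOST process is able to start it.

Which services has svchost actually started?

To find out which system services each SVCHOST process currently provides, run a command at the command prompt. In Windows XP, open "Command Prompt" and type tasklist /svc; in Windows 2000, use the "Tlist -S" command.

In Windows XP, to get details of all processes, open "Command Prompt" and type tasklist /svc >abc.txt. This creates a file abc.txt in the current directory containing all currently running processes: the process name, the PID, and the services each process has started.

How do you tell whether a svchost process has a problem?

Because svchost can start all kinds of services, viruses and trojans often disguise themselves as system DLL files so that svchost loads them, letting them run in memory and infect and control the computer.

It is recommended to use the process manager of "Windows优化大师" (Windows Optimization Master) to view the executable path of every svchost process (see Figure 3). A normal Svchost file should be in the "c:\Windows\system32" directory. If you find one whose path is in another directory, it may be infected by a virus or trojan and should be checked and dealt with immediately.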
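The path check described above can be scripted; the following Python is an added example, not part of the original article. It assumes %SystemRoot% is C:\WINDOWS, takes its group names from the -k command lines quoted later on this page, uses constructed command lines next to the page's own, and goes one step beyond the text by applying a similar check to ServiceDll values.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed value of %SystemRoot% / %WINDIR%
# Group names taken from the "-k" command lines quoted on this page.
KNOWN_GROUPS = {"dcomlaunch", "rpcss", "networkservice", "localservice",
                "netsvcs"}

# The first two command lines are from the page; the other four are constructed.
CMDLINES = [
    r"C:\WINDOWS\system32\svchost.exe -k DcomLaunch",
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\..\Temp\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\svchost.exe",
    r'"C:\WINDOWS\system32\svchost.exe" -k updsvc',
]
# helpsvc's ServiceDll is the value shown on the page; "demo" is constructed.
SERVICE_DLLS = {
    "helpsvc": r"%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll",
    "demo": r"%SystemRoot%\System32\..\..\Temp\pchsvc.dll",
}


def expand(path):
    """Expand %SystemRoot%/%WINDIR%, collapse "..", and fold case."""
    for var in ("%systemroot%", "%windir%"):
        idx = path.lower().find(var)
        if idx != -1:
            path = path[:idx] + SYSTEM_ROOT + path[idx + len(var):]
    return ntpath.normcase(ntpath.normpath(path))


def check_svchost_cmdline(cmdline):
    """Return the reasons a svchost.exe command line looks abnormal."""
    end = cmdline.lower().find(".exe") + 4
    if end < 4:  # find() returned -1: no ".exe" present
        return ["no executable in command line"]
    exe = expand(cmdline[:end].strip('"'))
    args = cmdline[end:].strip('" ').split()
    reasons = []
    if ntpath.dirname(exe) != expand(SYSTEM_ROOT + r"\System32"):
        reasons.append("image outside System32")
    if len(args) < 2 or args[0].lower() != "-k":
        reasons.append("missing -k <group>")
    elif args[1].lower() not in KNOWN_GROUPS:
        reasons.append("unregistered group " + args[1])
    return reasons


def check_service_dll(dll):
    """A ServiceDll may sit outside System32 (pchsvc.dll does), so only
    require that it resolves to somewhere under the Windows directory."""
    root = expand(SYSTEM_ROOT) + "\\"
    return [] if expand(dll).startswith(root) else ["ServiceDll outside Windows directory"]


def triage():
    """Return only the entries that produced at least one finding."""
    found = {c: check_svchost_cmdline(c) for c in CMDLINES}
    found.update({n: check_service_dll(d) for n, d in SERVICE_DLLS.items()})
    return {key: why for key, why in found.items() if why}


if __name__ == "__main__":
    for key, why in triage().items():
        print(key, "->", "; ".join(why))
```

A finding here is a reason to look closer, not a verdict: on a real host, build KNOWN_GROUPS from that host's own Svchost registry key, and on 64-bit Windows also allow the copy of svchost.exe in SysWOW64.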
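What if a Svchost process cannot be killed?

If there are Svchost processes that you cannot close in Task Manager, you can kill them with the ntsd command as follows:

First find the PID of the Svchost process you want to kill. In Windows XP, press Ctrl+Alt+Del to open Task Manager, click the "Processes" tab, then "View", "Select Columns"; in the window that appears (Figure 4), tick "PID (Process Identifier)". Back in Task Manager the PID is now visible (for example, the svchost process to be killed has PID 844).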
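Next, close the process. Click "Start", "Programs", "Accessories", "Command Prompt", and at the prompt enter ntsd -c q -p 844 to kill the Svchost process (PID 844).

Tip: apart from the three processes System, SMSS.EXE and CSRSS.EXE, the ntsd command can kill any system process. Microsoft has shipped the ntsd tool since Windows 2000. Running it gives you the system's debug privilege, so it can be used to close most system processes. If you come across a process that cannot be closed, you can use this command; the format for killing a process is: ntsd -c q -p XXX

XXX above is the PID of the process to kill;

ntsd -p XXX opens a process (PID XXX) in the debugger;

and the -c q argument tells the debugger to quit. Because a process opened by the debugger exits together with the debugger once the debugger is closed, the ntsd command can terminate a process.
Supplementary content (the output of this command cannot be redirected and saved to a TXT file; if anyone knows how to do it, please give me a hint, thanks in advance):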
-----------------------------------------------------begin---------------------------------------------------------------

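Only System, SMSS.EXE and CSRSS.EXE cannot be killed. The first two run purely in kernel mode, and the last is the Win32 subsystem, which ntsd itself needs. ntsd has been a user-mode debugging tool shipped with the system since Windows 2000. A process that the debugger has attached to exits together with the debugger, so ntsd can be used to terminate a process from the command line. Using ntsd automatically obtains the debug privilege, which is why it can kill most processes. ntsd opens a new debugging window, which normally cannot be controlled from a pure command line, but for a simple command such as quit (q), passing it on the command line with the -c argument is enough. Ntsd is, by convention, also provided to software developers. Only system developers use this command. For details, see the help file included with NTSD. Usage: open a command prompt window and enter:
  ntsd -c q -p PID
  Replace the final PID with the ID of the process you want to terminate.

Appendix: NTSD syntax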

usage: ntsd [options]

Options:

<command-line> command to run under the debugger
-? displays command line help text
-- equivalent to -G -g -o -p -1 -d -pd
-2 creates a separate console window for debuggee
-a<DllName> adds a default extension DLL
-bonc request break in after session started
-c "<command>" executes the given debugger command at the first debugger prompt
-cf <file> specifies a script file to be processed at the first debugger prompt
-clines <#> number of lines of output history retrieved by a remote client

-d sends all debugger output to kernel debugger via DbgPrint
input is requested from the kernel debugger via DbgPrompt
-d cannot be used with debugger remoting
-d can only be used when the kernel debugger is enabled
-ddefer sends all debugger output to kernel debugger via DbgPrint
input is requested from the kernel debugger via DbgPrompt unless there are remote clients that can provide input
-ddefer can only be used when the kernel debugger is enabled
-ddefer should be used with -server
-ee <name> set default expression evaluator
<name> can be MASM or C++
-failinc causes incomplete symbol and module loads to fail
-g ignores initial breakpoint in debuggee
-G ignores final breakpoint at process termination
-hd specifies that the debug heap should not be used for created processes.
This only works on Windows XP and later
-i <ImagePath> specifies the location of the executables that generated the fault (see _NT_EXECUTABLE_IMAGE_PATH)
-isd sets the CREATE_IGNORE_SYSTEM_DEFAULT flag in STARTUPINFO.dwFlags
during CreateProcess
-lines requests that line number information be used if present
-loga <logfile> appends to a log file
-logo <logfile> opens a new log file
-myob ignores version mismatches in DBGHELP.DLL
-n enables verbose output from symbol handler
-noio disables all I/O for dedicated remoting servers
-noshell disables the .shell (!!) command
-o debugs all processes launched by debuggee
-p <pid> specifies the decimal process ID to attach to
-pb specifies that the debugger should not break in at attach
-pd specifies that the debugger should automatically detach
-pe specifies that any attach should be to an existing debug port
-pn <name> specifies the name of the process to attach to
-pr specifies that the debugger should resume on attach
-premote <transport>:server=<name>,<params>
specifies the process server to connect to
transport arguments are given as with remoting
-pt <#> specifies the interrupt timeout
-pv specifies that any attach should be noninvasive
-pvr specifies that any attach should be noninvasive and nonsuspending
-QR \\<machine> queries for remote servers
-r <BreakErrorLevel> specifies the (0-3) error level to break on (see
SetErrorLevel)
-remote <transport>:server=<name>,<params>
lets you connect to a debugger session started with -server
must be the first argument if present
transport: tcp | npipe | ssl | spipe | 1394 | com
name: machine name on which the debug server was created
params: parameters the debugger server was created with
for tcp use: port=<socket port #>
for npipe use: pipe=<name of pipe>
for 1394 use: channel=<channel #>
for com use: port=<COM port>,baud=<baud rate>,
channel=<channel #>
for ssl and spipe see the documentation
example: ... -remote npipe:server=yourmachine,pipe=foobar
-robp allows breakpoints to be set in read-only memory
-rtl uses RtlCreateUserProcess instead of Win32 CreateProcess
-s disables lazy symbol loading
-sdce pops up dialogs for critical errors
-secure disallows operations dangerous for the host
-server <transport>:<params>
creates a debugger session other people can connect to
must be the first argument if present
transport: tcp | npipe | ssl | spipe | 1394 | com
params: connection parameterization
for tcp use: port=<socket port #>
for npipe use: pipe=<name of pipe>
for 1394 use: channel=<channel #>
for com use: port=<COM port>,baud=<baud rate>,
channel=<channel #>
for ssl and spipe see the documentation
example: ... -server npipe:pipe=foobar
-ses enables strict symbol loading
-sfce fails critical errors encountered during file searching
-sflags <flags> sets symbol flags from a numeric argument
-sicv ignores the CV record when symbol loading
-sins ignores the symbol path environment variables
-snc converts :: to __ in symbol names
-snul disables automatic symbol loading for unqualified names
-srcpath <SourcePath> specifies the source search path
-sup enables full public symbol searches
-t <PrintErrorLevel> specifies the (0-3) error level to display (see
SetErrorLevel)
-v enables verbose output from debugger
-w specifies to debug 16 bit applications in a separate VDM
-wake <pid> wakes up a sleeping debugger and exits
-x sets second-chance break on AV exceptions
-x{e|d|n|i} <event> sets the break status for the specified event
-y <SymbolsPath> specifies the symbol search path (see _NT_SYMBOL_PATH)
-z <CrashDmpFile> specifies the name of a crash dump file to debug
-zp <CrashPageFile> specifies the name of a page.dmp file to use with a crash dump

Environment Variables:

_NT_SYMBOL_PATH=[Drive:][Path]
Specify symbol image path.

_NT_ALT_SYMBOL_PATH=[Drive:][Path]
Specify an alternate symbol image path.

_NT_DEBUGGER_EXTENSION_PATH=[Drive:][Path]
Specify a path which should be searched first for extensions dlls


_NT_EXECUTABLE_IMAGE_PATH=[Drive:][Path]
Specify executable image path.

_NT_SOURCE_PATH=[Drive:][Path]
Specify source file path.

_NT_DEBUG_LOG_FILE_OPEN=filename
If specified, all output will be written to this file from offset 0.

_NT_DEBUG_LOG_FILE_APPEND=filename
If specified, all output will be APPENDed to this file.

_NT_DEBUG_HISTORY_SIZE=size
Specifies the size of a server's output history in kilobytes

Control Keys:

<Ctrl-B><Enter> Quit debugger
<Ctrl-C> Break into Target
<Ctrl-F><Enter> Force a break into debuggee (same as Ctrl-C)
<Ctrl-P><Enter> Debug Current debugger
<Ctrl-V><Enter> Toggle Verbose mode
<Ctrl-W><Enter> Print version information
ntsd: exiting - press enter ---
-----------------------------------------------------End---------------------------------------------------------------


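Below is Microsoft's Chinese-language explanation (essentially an introductory version)


A description of Svchost.exe in Windows XP (kbinfo KB314056) [This article applies to: Microsoft Windows XP Professional Edition]

This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that different services can run depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:

  1. Click Start on the Windows taskbar, and then click Run.
  2. In the Open box, type CMD, and then press ENTER.
  3. Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:

Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running.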
--------------------------------------------begin-------------------------------------------------
Image Name           PID    Services
========================================================================
System Process         0    N/A
System                 8    N/A
Smss.exe             132    N/A
Csrss.exe            160    N/A
Winlogon.exe         180    N/A
Services.exe         208    AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                            Eventlog,LanmanServer,LanmanWorkstation,
                            LmHosts,Messenger,PlugPlay,ProtectedStorage,
                            Seclogon,TrkWks,W32Time,Wmi
Lsass.exe            220    Netlogon,PolicyAgent,SamSs
Svchost.exe          404    RpcSs
Spoolsv.exe          452    Spooler
Cisvc.exe            544    Cisvc
Svchost.exe          556    EventSystem,Netman,NtmsSvc,RasMan,
                            SENS,TapiSrv
Regsvc.exe           580    RemoteRegistry
Mstask.exe           596    Schedule
Snmp.exe             660    SNMP
Winmgmt.exe          728    WinMgmt
Explorer.exe         812    N/A
Cmd.exe             1300    N/A
Tasklist.exe        1144    N/A
-------------------------------------------------end-----------------------------------------------------
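A supplementary note on the above:
The above is the result given by Microsoft. My computer runs Windows Server 2003. Corresponding to the svchost.exe process with PID 208 above (the one it gives for the netsvcs parameter), on my computer it is PID==796, and it hosts the services below (I disabled some useless ones in Services).

-----------------------------------------------SVCHOST.EXE with PID==796 on my machine-------------------------------------------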
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
EventSystem
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Sacsvr
Schedule
Seclogon
SENS
Sharedaccess
Themes
TrkWks
TrkSvr
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN
helpsvc
----------------------------------------SVCHOST.EXE with PID==796 on my machine---------------------------------------------
One more addition:
If the image is hard to read, here is the text:
1. PID==584------ C:\WINDOWS\system32\svchost.exe -k DcomLaunch
2. PID==656------ C:\WINDOWS\system32\svchost.exe -k rpcss
3. PID==704------ C:\WINDOWS\system32\svchost.exe -k NetworkService
4. PID==744------ C:\WINDOWS\system32\svchost.exe -k LocalService
5. PID==796------ C:\WINDOWS\System32\svchost.exe -k netsvcs
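--------------------------------------End of supplement (Bill, don't forget to wire money to my account ^_^)-------------------------------------
The (host) parent process SVCHOST.EXE with PID==584 sometimes spawns two WMIPRVSE.EXE child processes. I ran into this today and do not know what is going on (if anyone knows, please shout!). At the time I was downloading things and had installed FlashGet 3 beta and Xunlei, and there was resource contention. After a while, the WMIPRVSE.EXE with PID>1600 disappeared, leaving only the WMIPRVSE.EXE with PID>1800 (the PID of WMIPRVSE.EXE changes with every boot, whereas the PIDs of SVCHOST.EXE [at least the five I listed] do not change on a given computer). I will look into it when I have time. My question at the time (this is what procexp.exe captured; the content of the corresponding Job tab was):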
\BaseNamedObjects\WmiProviderSubSystemHostJob

The registry settings for the two groupings in this example are as follows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:

Netsvcs:Reg_Multi_SZ:EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc

Rpcss :Reg_Multi_SZ:RpcSs


Below is Microsoft's English-language explanation (***** this is the version actually worth reading *****)
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
   
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.
-------------------------------------------------Explanation of the red text above: Begin----------------------------------------------
Registry entries related to system startup:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------Explanation of the red text above: End------------------------------------------------

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:

  1. Click Start on the Windows taskbar, and then click Run.
  2. In the Open box, type CMD, and then press ENTER.
  3. Type Tasklist /SVC, and then press ENTER.

Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:

Command: Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running.
--------------------------------------------begin-------------------------------------------------
Image Name           PID    Services
========================================================================
System Process         0    N/A
System                 8    N/A
Smss.exe             132    N/A
Csrss.exe            160    N/A
Winlogon.exe         180    N/A
Services.exe         208    AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                            Eventlog,LanmanServer,LanmanWorkstation,
                            LmHosts,Messenger,PlugPlay,ProtectedStorage,
                            Seclogon,TrkWks,W32Time,Wmi
Lsass.exe            220    Netlogon,PolicyAgent,SamSs
Svchost.exe          404    RpcSs
Spoolsv.exe          452    Spooler
Cisvc.exe            544    Cisvc
Svchost.exe          556    EventSystem,Netman,NtmsSvc,RasMan,
                            SENS,TapiSrv
Regsvc.exe           580    RemoteRegistry
Mstask.exe           596    Schedule
Snmp.exe             660    SNMP
Winmgmt.exe          728    WinMgmt
Explorer.exe         812    N/A
Cmd.exe             1300    N/A
Tasklist.exe        1144    N/A
-------------------------------------------------end-----------------------------------------------------

The registry settings for the two groupings in this example are as follows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:

Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc

Rpcss :Reg_Multi_SZ: RpcSs
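The Tasklist /SVC output and the Svchost group values above can be cross-checked against each other. The following Python is an added example, not part of the Microsoft article: it parses the listing (re-joining the wrapped service lines) and flags any Svchost.exe instance whose services are missing from every group, span more than one group, or are absent altogether. The group data is the pair of values shown above; the rows with PIDs 1412, 1500 and 1620 and the service name UpdHelper are constructed for illustration.

```python
import re

# Svchost groups as listed on this page (REG_MULTI_SZ values under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost).
GROUPS = {
    "Netsvcs": ("EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman "
                "Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc").split(),
    "Rpcss": ["RpcSs"],
}

# PIDs 0-556 are rows from the page's sample; 1412, 1500 and 1620 are constructed.
SAMPLE = """\
Image Name           PID    Services
========================================================================
System Process         0    N/A
Services.exe         208    AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                            Eventlog,LanmanServer,LanmanWorkstation
Svchost.exe          404    RpcSs
Svchost.exe          556    EventSystem,Netman,NtmsSvc,RasMan,
                            SENS,TapiSrv
Svchost.exe         1412    UpdHelper
Svchost.exe         1500    RpcSs,Netman
Svchost.exe         1620    N/A
"""

ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def parse_tasklist_svc(text):
    """Return [(image, pid, [services])], re-joining wrapped service lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = ROW.match(line)
        if m:
            rows.append([m["image"], int(m["pid"]), m["svcs"].strip()])
        elif rows:  # no PID column: continuation of the previous row
            rows[-1][2] += line.strip()
    return [(image, pid, [s for s in svcs.split(",") if s and s != "N/A"])
            for image, pid, svcs in rows]


def audit_svchost(rows, groups):
    """Flag svchost.exe rows that do not fit the registered service groups."""
    owner = {svc.lower(): grp for grp, svcs in groups.items() for svc in svcs}
    findings = []
    for image, pid, services in rows:
        if image.lower() != "svchost.exe":
            continue
        unknown = [s for s in services if s.lower() not in owner]
        used = sorted({owner[s.lower()] for s in services if s.lower() in owner})
        if not services:
            findings.append((pid, "hosts no service", []))
        if unknown:
            findings.append((pid, "service not in any Svchost group", unknown))
        if len(used) > 1:
            findings.append((pid, "services from different groups", used))
    return findings


if __name__ == "__main__":
    for finding in audit_svchost(parse_tasklist_svc(SAMPLE), GROUPS):
        print(finding)
```

On a real host, fill GROUPS from that machine's own Svchost registry key and feed the parser the file produced by tasklist /svc, since the group contents differ between Windows versions.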


What is svchost.exe And Why Is It Running?

You are no doubt reading this article because you are wondering why on earth there are nearly a dozen processes running with the name svchost.exe. You can't kill them, and you don't remember starting them… so what are they?

So What Is It?

According to Microsoft: "svchost.exe is a generic host process name for services that run from dynamic-link libraries". Could we have that in English please?

Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for reusability… but the problem is that you can't launch a .dll file directly from Windows, it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.

Why Are There So Many svchost.exes Running?

If you've ever taken a look at the Services section in Control Panel you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.

So What Can I Do About It?

You can trim down unneeded services by disabling or stopping the services that don't absolutely need to be running. Additionally, if you are noticing very heavy CPU usage on a single svchost.exe instance you can restart the services running under that instance.

The biggest problem is identifying what services are being run on a particular svchost.exe instance… we'll cover that below.

If you are curious what we're talking about, just open up Task Manager and check the "Show processes from all users" box:


Checking From the Command Line (Vista or XP Pro)

If you want to see what services are being hosted by a particular svchost.exe instance, you can use the tasklist command from the command prompt in order to see the list of services.

Command: tasklist /SVC


The problem with using the command line method is that you don't necessarily know what these cryptic names refer to.

Checking in Task Manager in Vista

You can right-click on a particular svchost.exe process, and then choose the "Go to Service" option.

This will flip over to the Services tab, where the services running under that svchost.exe process will be selected:

The great thing about doing it this way is that you can see the real name under the Description column, so you can choose to disable the service if you don't want it running.

Using Process Explorer in Vista or XP

You can use the excellent Process Explorer utility from Microsoft/Sysinternals to see what services are running as a part of a svchost.exe process.

Hovering your mouse over one of the processes will show you a popup list of all the services:
Or you can double-click on a svchost.exe instance and select the Services tab, where you can choose to stop one of the services if you choose.

Disabling Services

Open up Services from the administrative tools section of Control Panel, or type services.msc into the start menu search or run box.

Find the service in the list that you'd like to disable, and either double-click on it or right-click and choose Properties.
Change the Startup Type to Disabled, and then click the Stop button to immediately stop it.

You could also use the command prompt to disable the service if you choose. In this command "trkwks" is the Service name from the above dialog, but if you go back to the tasklist command at the beginning of this article you'll notice you can find it there as well.

Command: sc config trkwks start= disabled

Hopefully this helps somebody!


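Article copyright: 杜斟的个人博客 (Du Zhen's personal blog) - personal technical sharing

Article link: http://mcat.cc/index.php/archives/557/

Please credit the original source when reposting!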
