识别svchost.exe背后的实际进程而不是一组进程。 [英] Identifying the actual process behind svchost.exe instead of a group of processes.

问题描述

我一直试图找出Windows中是否有办法唯一地识别svchost.exe背后的进程。

I have been trying to find out if there is a way in windows to uniquely identify a process behind svchost.exe .

确定在svchost下运行的服务，我使用命令
tasklist / svc / fi" imagename eq svchost.exe"

To determine the services that are running under svchost , I use the command, tasklist /svc /fi "imagename eq svchost.exe"

该命令的结果是例如

图像名称                      PID     服务

Image Name                     PID      Services

========================= ======== ===== =======================================

========================= ======== ============================================

svchost.exe的                    784      Dnscache，CryptSvc，TapiSrv，TermService

svchost.exe                    784      Dnscache, CryptSvc, TapiSrv , TermService

svchost.exe                     864      RpcEptMapper，RpcSs

svchost.exe                    864      RpcEptMapper, RpcSs

svchost.exe                     936      AudioSrv，Dhcp，eventlog，HomeGroupProvider，lmhosts，wscsvc

svchost.exe                    936      AudioSrv, Dhcp, eventlog, HomeGroupProvider, lmhosts, wscsvc

因此对于进程ID 784，我有4个服务正在运行。 Dnscache，CryptSvc，TapiSrv，TermService。

So for process ID 784, I have 4 services running. Dnscache, CryptSvc, TapiSrv , TermService.

我使用 EnumServicesStatusEx windows API来获取此信息。

I have used the EnumServicesStatusEx windows API to get this information.

我有一个网络驱动程序，通过打开tcp / udpports，当机器中的某个进程尝试在机器外部进行通信时，会向我提供信息。 例如，对于进程ID 784，我收到svchost尝试通过端口53访问Internet
的通知。（这是dns端口）。这是因为作为Windows的DnsClient的Dnscache在端口53上工作。

I have a network driver that gives me information when a particular process in a machine is trying to communicate outside the machine by opening tcp / udpports .  For example for process ID 784 I get a notification that svchost is trying to access internet over port 53. (which is dns port). It is because Dnscache which is a DnsClient for windows works on port 53.

是否有任何win32例程允许我获取此类信息？我想确定一个流程，而不是确定一组流程。

Is there any win32 routine that allows me to get such kind of information ? I wanted to pinpoint a process instead identifying a group of processes.

推荐答案

这是一个单一的过程。  您可能认为有些过程有4个屏蔽为一个，但没有： 一个进程运行4个服务。

It is a single process.  You probably think that somehow there are 4 processes out there masked as one, but no:  One process runs 4 services.

这篇关于识别svchost.exe背后的实际进程而不是一组进程。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！