Tricks with SVCHOST.EXE
Well, if you read what I wrote yesterday, you read that I put a service all
by itself in a separate SVCHOST.EXE proces.
Windows XP SP1
Service of interest: WebClnt
Binary of interest: WEBCLNT.DLL
Problem: Hangs on startup.
If you run a CMD.EXE prompt (command prompt) and type: TASKLIST
/SVC you'll see an output like this:
F:\Documents and Settings\danvdw>tasklist /SVC
========================= ====== =============================================
System Idle Process
416 Eventlog, PlugPlay
428 Netlogon, PolicyAgent, ProtectedStorage, SamSs
660 AudioSrv, BITS, CryptSvc, Dhcp, dmserver, ERSvc,
lanmanserver, lanmanworkstation, Messenger, Netman, Nla,
Schedule, seclogon, SENS, ShellHWDetection,
srservice, TermService, Themes, uploadmgr,
winmgmt, wuauserv, WZCSVC
796 LmHosts, RemoteRegistry, SSDPSRV,
1084 IISADMIN, SMTPSVC,
W3SVC <Cut Short to Eliminate Boredom>
I'm interested in the one that has WebClient in it. I see it's Process
ID (PID) 796.
That's nice to know, but not really want I want. What I want to see
is WebClient all alone in an SVCHOST.EXE process. Exactly like DNSCACHE is doing.
Why can't my webclient do that too? I think it can!
If you read Raymond Chen's blog, you'll see he refers to Q314056 about SVCHOST.EXE.
Now, I mucked with the registry on this system. If you muck with your
registry, make sure you make backups of the stuff before you fool with it. I
will not be held responsible for anything you do to your registry even if it's something
I write about.
Are we clear on that?
Right there, under svchost, are keys and values. I'm interested in the
*value* that is Localservice and I see it's a REG_MULTI_SZ and is:
There's my WebClient. What if I just highlight it and take it out of
there with a DEL button press? That works.
Okay. But, I want it in it's own SVCHOST.EXE. Can I do that?
Well, I think I can if I hack some. So, let's hack:
I notice that the *keys* are similar to these values. Let's do a new
key and value. I'll call it WebClntSvc.
So, I add a Key and a Value called WebClntSvc. I could have called it
anything, like AnyNameAnything, but I called it WebClntSvc.
So, I make a REG_MULTI_SZ *value* entry called WebClntSvc and add: WebClient.
I also make a Value entry and call it WebClntSvc. What to add there?
Heck, I just copied what was in the Localservice key. That key had:
AuthenticationCapabilities, REG_DWORD, 0x2000 and CoInitializeSecurityParam,
So, I added them both. Is that it?
No, because I see that HKLM\System\CurrentControlSet\Services is of interest
to me, based on the KB article.
If I look at HKLM\System\CurrentControlSet\Services\WebClient, I see an ImagePath
value that's a REG_SZ. I think I want to edit that and change it from:
%SystemRoot%\System32\svchost.exe -k LocalService
%SystemRoot%\System32\svchost.exe -k WebClntSvc
We can confirm this works by checking the interface. That's right-click
on My Computer, Select Manage, then go into the Services, find WebClient and open
Make sure the "Path to Executable" was changed. Mine would
F:\WINDOWS\System32\svchost.exe -k WebClntSvc.
F: is my system drive here. Don't ask me why. You don't want to
That would make sense, right? Does to me. Then, I reboot.
Now, I have a separate instance of SVCHOST.EXE running with WebClient in it.
Now, to debug it is simple. Right, I just attach my debugger to the
process that exists as SVCHOST.EXE with the one and only service in it that's WebClient.
However, I don't want to debug it as it is, I want to debug it as it starts.
Hmm... How do to that?
Well, it's tricky and I have one trick up my sleeve to use that is this:
Copy SVCHOST.EXE to SVCHOST1.EXE in the same place as SVCHOST.EXE and use SVCHOST1.EXE
in my ImageFileExecutionOptions registry setting and use SVCHOST1.EXE in the registry
location for the service for the executable.
Now, when I check the interface, my path says:
F:\WINDOWS\System32\svchost1.exe -k WebClntSvc.
There is a problem here. The default SVCHOST.EXE has a timeout for any
service. If it doesn't start in X seconds, you get a nifty dialog telling you
it didn't start, blah blah blah.
You don't get the dialog for the failure on startup, but it's not running
I'm guessing there is a way around this, but I don't know what yet.....