Demo service that runs in svchost.exe
svchost.exe is designed to save system resources by combining several services into one process. So a service is written as a dll and not as an exe file. Note that Microsoft do not recommend to host 3rd-party services into svchost.exe and its interface is undocumented (thus it may be changed in future). This project is just a demo for academic and research purpose.
Services are combined into groups. Each group has one instance of svchost.exe process. Groups are registered in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
| Name | Type | Description |
|---|---|---|
<group> |
REG_MULTI_SZ | List of services |
Group name is passed as a command-line parameter:
%SystemRoot%\System32\svchost.exe -k <group>
A service has to be registered with the following type and image:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\<service>]
| Name | Type | Value |
|---|---|---|
| ImagePath | REG_EXPAND_SZ | %SystemRoot%\System32\svchost.exe -k <group> |
| Type | REG_DWORD | 0x20 (shared) |
and specify its dll in the parameters key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\<service>\Parameters]
| Name | Type | Value |
|---|---|---|
| ServiceDll | REG_EXPAND_SZ | <path to dll> |
A dll has to export the following function:
VOID WINAPI ServiceMain(DWORD dwArgc, LPCWSTR* lpszArgv)This function is very similar to the ServiceMain in a standard service.
- build with cmake
cmake -Hsrc -Bbuild64 -G"Visual Studio 14 2015 Win64"
cmake --build build64 --config RelWithDebInfo -- /m /v:m
- copy
SvcHostDemo.dlltosystem32 - run
installfromsrc/Scripts - run
startfromsrc/Scripts - run
stopfromsrc/Scripts - run
uninstallfromsrc/Scripts - delete
SvcHostDemo.dllfromsystem32