Categories

LKBEN10729: Which process belongs to a certain systemservice under windows? How to identify the process ID (PID) of a system service.

Symptom

Systemprocesses (like Windows Firewall) cannot be identified in Tasklist or Taskmanager

Cause

Some of Windows services run under "svchost.exe"

Solution

Use command TASKLIST in a command shell. Without parameter it delivers a Tasklist similar to the list of processes under Taskmanager (example 1).
While names like cmd.exe or perl.exe are obvious, others need to be known (spoolsv.exe - spooler service, csrss.exe - Client Server Runtime).

For finding the process ID (PID) of a certain service, you might need to know it's original servicename, for instance "SharedAccess" is the servicename for the displayname "Windows Firewall/Shared Internet Access". It can be looked up in the properties of the process in services management Console.

Use TASKLIST /SVC in order to view the services belonging to a (svchost-) process:
...
svchost.exe                 924 DcomLaunch, TermService
svchost.exe                 992 RpcSs
svchost.exe                1100 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                ERSvc, EventSystem, helpsvc, lanmanserver,
                                lanmanworkstation, Netman, Nla, RasMan,
                                Schedule, seclogon, SENS, SharedAccess,
                                ShellHWDetection, srservice, Themes, TrkWks,
                                W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe                1156 Dnscache...

and voilà, there they are (above example of Windows Firewall runs as "Shared Access" under PID 1100).

EXAMPLE 1:

F:\>tasklist
Abbildname                  PID Sitzungsname      Sitz.-Nr. Speichernutzung
========================= ===== ================ ========== ===============
System Idle Process           0 Console                   0            28 K
System                        4 Console                   0           184 K
smss.exe                    592 Console                   0           160 K
csrss.exe                   640 Console                   0         5.228 K
winlogon.exe                664 Console                   0         4.904 K
services.exe                708 Console                   0         2.288 K
lsass.exe                   720 Console                   0         1.620 K
Srvany.exe                  904 Console                   0           180 K
svchost.exe                 924 Console                   0         2.716 K
svchost.exe                 992 Console                   0         1.768 K
svchost.exe                1100 Console                   0        10.684 K
svchost.exe                1156 Console                   0         1.336 K
cmd.exe                    1300 Console                   0           268 K
perl.exe                   1308 Console                   0           572 K
svchost.exe                1316 Console                   0         2.308 K
spoolsv.exe                1516 Console                   0         3.080 K
...

Disclaimer:

The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!

About the Author

Author: Wim Peeters - Keskon GmbH & Co. KG

Wim Peeters is electronics engineer with an additional master in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform.