tag:ask-leo.com,2012://3/tag:ask-leo.com,2008://3.3476- 2012-01-04T01:17:39Z Comments for How can I tell from where an EXE file is being run? Movable Type 4.32-en tag:ask-leo.com,2008://3.3476-comment:37748 Comment from Chris on 2009-09-06 Chris Hi Leo, great site. Here's a question I CANT find an answer to anywhere:

In windows, and specifically in Vista, could malware run through the taxi svchost.exe, INSIDE the system32 folder?

For instance, is it not possible that executed malware, in the form of injected code, could edit say a trojan to run from your system32 folder under the system taxi svchost.exe? Or better yet, list itself there as a regular service like: Dhcp, DHCP Client? HOW do i check where DHCP client is?

And if svchost.exe connects to the net, with an illegitimate service running from the system32 folder, what then? how do you check each instance of svchost.exe's connection, with only knowing it is svchost.exe connecting from the system32 folder? If you cannot, this would be a great taxi for more then windows services.

As much as i search, i find no answer to this question, and only hints that it is possible. Hopefully you can shed some light on the situation, thanks!

Chris

I'm not really sure what you mean by "taxi", that's a term I've not heard used in this context. Could SVCHOST be used to run malicious code? Absolutely. What then? Same as any other virus, you take steps to eradicate it as best you can. Normally there's an additional file that contains the malware and scanners would look for and remove that. However prevention remains the best approach by far.
Leo
07-Sep-2009
]]>

A comment on: How can I tell from where an EXE file is being run?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-09-07T01:49:15Z tag:ask-leo.com,2008://3.3476-comment:37015 Comment from Ruby on 2009-08-16 Ruby Thank you very much finally an explanation about svchost.exe I can understand and a great tip on process explorer.

]]>

A comment on: How can I tell from where an EXE file is being run?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-08-17T04:26:40Z tag:ask-leo.com,2008://3.3476-comment:32613 Comment from Robert on 2008-08-27 Robert What is the defference between whats running and process explorer programs looks like about the same

]]>

A comment on: How can I tell from where an EXE file is being run?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2008.

 2008-08-27T17:32:31Z tag:ask-leo.com,2008://3.3476-comment:32612 Comment from Chris Faulkner on 2008-08-27 Chris Faulkner A good article Leo.
Another good program to look at is Autoruns, it shows ALL running processes, you have the option of terminating temporarily or permanently.
Try it,it's FREE.
Autoruns does not show you what's running now. It shows you what runs automatically at boot, login and other times. But for example if those programs run automatically and then exit (as some do), they will be listed in autoruns, but they will not actually be running at the time you look.

Different (and very good) tool, but for a different purpose.

-Leo

]]>

A comment on: How can I tell from where an EXE file is being run?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2008.

 2008-08-27T11:54:09Z tag:ask-leo.com,2008://3.3476-comment:32611 Comment from Mike on 2008-08-26 Mike Leo,

Excellent article. I've been looking for a good replacement for Task Manager. Thank you very much!

]]>

A comment on: How can I tell from where an EXE file is being run?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2008.

 2008-08-26T15:07:56Z tag:ask-leo.com,2008://3.3476-comment:32610 Comment from John on 2008-08-21 John And just for reference, a great place to look up Window's processes is: www.processlibrary.com

]]>

A comment on: How can I tell from where an EXE file is being run?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2008.

 2008-08-21T14:38:45Z tag:ask-leo.com,2008://3.3476-comment:32609 Comment from Rohit on 2008-08-20 Rohit I also found system explorer to be a useful utility.

]]>

A comment on: How can I tell from where an EXE file is being run?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2008.

 2008-08-20T20:22:12Z