Hi all.

I've had a good look around for info, and come up short.

Does anyone know of a way to get the thread id under which a service is running, from either safehandle or unsafe handle properties of the object?

wmi with Win32_Service does not appear to provide it, just the Process Id.

I get close to the info I need in C++ after getting TEB address, but cannot figure out how to read and decipher the info.

Thanks for reading, I know it's a real tough one.

I have written some code which indicates which processes are sending and receiving data over IPv4 and 6, but I'd like to go a little further and identify what services that might be running under a process, such as svchost, are responsible, if any.

I've found that every thread has in it a TEB structure (Thread Environment Block) (https://msdn.microsoft.com/en-us/library/windows/desktop/ms686708(v=vs.85).aspx), that has in it a pointer to a subsystem tag which in turn holds a field which indicates a service name.

So armed with the PID and the TIDs which dwell within it, I hope to collect enough data to reach my goal.
I'm just stuck at the moment, and was hoping there was another way in C#, armed with a handle to each service, to extract from it the thread id under which it is operating.

Apparently, in x64 most of the segment data was removed, except for the data I'm after.

According to Intel manuals (System Programming Guide, Chapter 3.2.4):
"In 64-bit mode, segmentation is generally (but not completely) disabled, creating a flat 64-bit linear-address space."

It's a very contrived, convoluted, lonely world of PEBs, TIBs and TEBs and not very much concrete information. For example, in C++ I have to use a poorly documented API (NtQueryInformationThread) and an undocumented one (I_QueryTagInformation).

I always seem to pick the awkward projects.

(edit)
This was hard to find, the guy seems to claim he has it nailed, but the code simply does not do what he says it does.

https://translate.google.co.uk/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fm.blog.naver.com%2Fgloryo%2F110129121084&edit-text=&act=url
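The route described above (NtQueryInformationThread for the TEB address, ReadProcessMemory for the SubProcessTag, then I_QueryTagInformation to turn the tag into a service name) as an added C# P/Invoke example; this is not the poster's code. It assumes the caller is elevated with SeDebugPrivilege enabled, that the TEB.SubProcessTag offsets (0x1720 on 64-bit, 0xF60 on 32-bit) match the target, and that the undocumented I_QueryTagInformation signature matches what public reverse-engineering reports.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class ServiceTagQuery
{
    [StructLayout(LayoutKind.Sequential)]
    struct THREAD_BASIC_INFORMATION
    {
        public int ExitStatus; public IntPtr TebBaseAddress;
        public IntPtr UniqueProcess; public IntPtr UniqueThread;   // CLIENT_ID
        public IntPtr AffinityMask; public int Priority; public int BasePriority;
    }
    // Undocumented; layout assumed from public reverse-engineering (Process Hacker and similar tools).
    [StructLayout(LayoutKind.Sequential)]
    struct SC_SERVICE_TAG_QUERY { public uint ProcessId; public uint ServiceTag; public uint Reserved; public IntPtr Buffer; }
    [DllImport("ntdll.dll")] static extern int NtQueryInformationThread(IntPtr hThread, int infoClass, ref THREAD_BASIC_INFORMATION info, int len, out int returned);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr addr, out uint value, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32.dll")] static extern uint I_QueryTagInformation(IntPtr reserved, int queryType, ref SC_SERVICE_TAG_QUERY query);
    // TEB.SubProcessTag offset: 0x1720 in the 64-bit TEB, 0xF60 in the 32-bit TEB (assumed from public TEB layouts).
    static readonly int SubProcessTagOffset = IntPtr.Size == 8 ? 0x1720 : 0xF60;

    // Returns the service name the thread is tagged with, or null if the thread carries no tag.
    public static string ServiceNameForThread(uint tid)
    {
        IntPtr hThread = OpenThread(0x0040 /* THREAD_QUERY_INFORMATION */, false, tid);
        if (hThread == IntPtr.Zero) throw new Win32Exception();
        IntPtr hProcess = IntPtr.Zero;
        try
        {
            var tbi = new THREAD_BASIC_INFORMATION();
            int status = NtQueryInformationThread(hThread, 0 /* ThreadBasicInformation */, ref tbi, Marshal.SizeOf(tbi), out _);
            if (status != 0) throw new InvalidOperationException("NtQueryInformationThread: 0x" + status.ToString("X8"));
            uint pid = (uint)tbi.UniqueProcess.ToInt64();
            hProcess = OpenProcess(0x0010 /* PROCESS_VM_READ */, false, pid);
            if (hProcess == IntPtr.Zero) throw new Win32Exception();
            // Read the 32-bit SubProcessTag straight out of the target thread's TEB (SeDebugPrivilege needed for service processes).
            if (!ReadProcessMemory(hProcess, tbi.TebBaseAddress + SubProcessTagOffset, out uint tag, (IntPtr)4, out _)) throw new Win32Exception();
            if (tag == 0) return null;
            // Ask the SCM to map (pid, tag) to a service name; the callee LocalAlloc's the returned string.
            var q = new SC_SERVICE_TAG_QUERY { ProcessId = pid, ServiceTag = tag };
            if (I_QueryTagInformation(IntPtr.Zero, 1 /* ServiceNameFromTagInformation */, ref q) != 0 || q.Buffer == IntPtr.Zero) return null;
            try { return Marshal.PtrToStringUni(q.Buffer); } finally { LocalFree(q.Buffer); }
        }
        finally { if (hProcess != IntPtr.Zero) CloseHandle(hProcess); CloseHandle(hThread); }
    }
}
```

Call ServiceTagQuery.ServiceNameForThread(tid) with a thread id taken from your connection-to-thread mapping; a null result means the thread is not executing on behalf of any tagged service, which is what you will see for most non-svchost threads.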

Which of the many controls and apps in Windows tells you what you are trying to push into your app?
http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchostexe-process/ is a fine read that shows most of what you might be looking for in the GUI form so which of those pictures show what you are looking for?

It sounds like you are trying to craft another Task Manager. But I'm guessing.

I cannot see any that show what I'm after; I can get all the info I see there.

Look at this one

http://www.bleepstatic.com/tutorials/svchost/windows-8/expanded-service-host.jpg

Under the process "Service host: DCOM Server...", you see the network column will show the network usage of that process. I want to break it into individual services running under it, and identify which of them is responsible.

(edit) sorry I never answered your question.
To my knowledge there are no Windows apps that glean the info I want, not even Process Explorer.

Maybe the thread does not ever do the I/O? As no tool to date has revealed that, consider the case of an app I wrote long ago.

While it did do network I/O, the byte count was showing up in svchost because that's the API call I made and svchost did the actual work. No inspection tool I ever found would have traced it back to me exactly. Some may call that a glaring Windows fault.

I think we'll have to find that I/O in any tool, control panel, app or anywhere then work out how they did that.

We may also be bumping into security issues here. That is, given that our (still to be made) app wants to inspect an app on the inside, those memory blocks and such may not be accessible due to "security." But here I'm still trying to see where what you want to see has been exposed before by any means.

TL;DR -> Let's find where what you want has been exposed and find how to do that in our own code.

There are security issues, which I have had to work around by setting SeDebugPrivilege, and in C++ I was having to use ReadProcessMemory on the remote process.

I've just discovered that netstat now sort of gets this info.

netstat -a -b

It does not show pid or tid, but does associate an IP and port with a service and its host process.

Another day and I just have to ask "Why do this?"

Don't get me wrong here. Just last month a buddy was trying to track down internet use on his new laptop and was coding, running scans and generally not doing anything fun. As it was a new W10 machine I mentioned and asked if he had turned off Windows Update sharing. He had never heard of this and that along with some other items were flipped off and his mystery internet activity is now gone.

But if it's not that, we really need to find and see what you are looking for in other tools so we can backtrace to how they do that.

The why is because I cannot think of anything better to do, and I don't know of any other app or utility that provides such information.

Saying that, tcpview comes close, it identifies that there is more than one tcp connection from each svchost process, but does not identify the actual service.

Resource Monitor can identify the service group.

Wish I could help here. I had hopes we could find any existing tool in Windows or outside that showed what you were after, then work with that to see how it was done. But that didn't work out.

Maybe we tackle it another way. Such as what caused you to dig into this. I shared a story about a friend programming to dig into network traffic and for him, it was something I knew about. A setting change and the traffic stopped. So while that didn't use any tools to trace it back to the source, that was good enough for him.

I've just been creating some admin tools of late to help in general troubleshooting, nothing wrong with my machine I'm trying to fix at the moment, but I have often wondered what is using the network resources within svchost from time to time.

Thanks for your interest, I'll get there in the end.

I found a tool that does exactly what I currently need, which is to extract the service name (if any) from a thread id.

ScTagQuery

http://www.winsiderss.com/tools/sctagquery/sctagquery.htm

Here is sample output...

C:\Users\User Name\Documents\Utils\sctagqry\amd64>sctagqry -t 1424

ScTagQuery v1.12 - Query service tag information
Copyright (C) 2007-2008 Alex Ionescu
www.alex-ionescu.com

Querying service tag information for PID: 1852 TID: 1424

Service Tag: 79 Service Name: MpsSvc

Cheers, I've seen both of those; they are linked in an article I linked earlier.

I've got the service/subprocess tag now (half the battle); in just a short while I should have the service name, then I can finally move on with this :)

Also, sorry for dragging a really C++ issue into the C# tag. It was my original intention to find a C# solution; I suppose I'll just have to use a C++ library in a C# app.

Thanks for your time rproffitt, I appreciate it.