I have written some code which indicates which processes are sending and receiving data over IPv4 and 6, but I'd like to go a little further and identify what services that might be running under a process, such as svchost, are responsible, if any.
So armed with the PID and the TIDs which dwell within it, I hope to collect enough data to reach my goal.
I'm just stuck at the moment, and was hoping there was another way in C#, armed with a handle to each service, to extract from it the thread ID under which it is operating.
Apparently, in x64 most of the segment data was removed, except for the data I'm after.
According to Intel manuals (System Programming Guide, Chapter 3.2.4):
“In 64-bit mode, segmentation is generally (but not completely) disabled, creating a flat 64-bit linear-address space.”
It's a very contrived, and convoluted, lonely world of PEBs, TIBs and TEBs and not very much concrete information. For example in C++ I have to use a poorly documented API (NtQueryInformationThread) and an undocumented one (I_QueryTagInformation).
I always seem to pick the awkward projects.
This was hard to find, the guy seems to claim he has it nailed, but the code simply does not do what he says it does.
Under the process "Service host DCOM Server..." you see the network column will show the network usage of that process. I want to break it into individual services running under it, and identify which of them is responsible.
(edit) sorry I never answered your question.
To my knowledge there are no Windows apps that glean the info I want, not even Process Explorer.
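One way to get the thread-to-service mapping the post above is after, as an added C# example that is not the poster's code: read the thread's TEB base with NtQueryInformationThread, read TEB.SubProcessTag out of the target process, and ask the undocumented advapi32 I_QueryTagInformation for the service name behind that tag. The structure layouts, the 0x1720 offset and the I_QueryTagInformation signature are assumptions taken from public NT header projects rather than anything Microsoft documents, and the code must run elevated to open svchost for reading.

```csharp
using System;
using System.Runtime.InteropServices;

static class ServiceTagResolver {
    // Assumed layouts (public NT headers); x64 build, run elevated so svchost can be read.
    [StructLayout(LayoutKind.Sequential)]
    struct THREAD_BASIC_INFORMATION {
        public IntPtr ExitStatus;                   // NTSTATUS, padded to pointer size
        public IntPtr TebBaseAddress;
        public IntPtr UniqueProcess, UniqueThread;  // CLIENT_ID
        public IntPtr AffinityMask;
        public int Priority, BasePriority;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct SC_SERVICE_TAG_QUERY {
        public uint ProcessId, ServiceTag, Unknown;
        public IntPtr Buffer;                       // LPWSTR service name; free with LocalFree
    }
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, out uint value, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);
    [DllImport("ntdll.dll")] static extern int NtQueryInformationThread(IntPtr h, int infoClass, out THREAD_BASIC_INFORMATION info, int len, IntPtr retLen);
    [DllImport("advapi32.dll")] static extern uint I_QueryTagInformation(IntPtr unused, int queryType, ref SC_SERVICE_TAG_QUERY query);
    const uint PROCESS_VM_READ = 0x0010, THREAD_QUERY_INFORMATION = 0x0040;
    const int ThreadBasicInformation = 0, ServiceNameFromTagInformation = 1;
    const int TebSubProcessTagOffset = 0x1720;     // x64 TEB; 0xF60 on x86 (assumed offsets)

    // Returns the owning service name, or null when the thread carries no service tag
    // (worker-pool and RPC threads often don't) or a handle/read fails.
    public static string ServiceForThread(uint pid, uint tid) {
        IntPtr hThread = OpenThread(THREAD_QUERY_INFORMATION, false, tid);
        IntPtr hProcess = OpenProcess(PROCESS_VM_READ, false, pid);
        try {
            if (hThread == IntPtr.Zero || hProcess == IntPtr.Zero) return null;
            if (NtQueryInformationThread(hThread, ThreadBasicInformation, out var tbi,
                    Marshal.SizeOf<THREAD_BASIC_INFORMATION>(), IntPtr.Zero) != 0) return null;
            // The SCM stamps TEB.SubProcessTag on threads it starts on behalf of a service.
            if (!ReadProcessMemory(hProcess, tbi.TebBaseAddress + TebSubProcessTagOffset,
                    out uint tag, (IntPtr)4, out _) || tag == 0) return null;
            var q = new SC_SERVICE_TAG_QUERY { ProcessId = pid, ServiceTag = tag };
            if (I_QueryTagInformation(IntPtr.Zero, ServiceNameFromTagInformation, ref q) != 0
                    || q.Buffer == IntPtr.Zero) return null;
            string name = Marshal.PtrToStringUni(q.Buffer);
            LocalFree(q.Buffer);
            return name;
        } finally { if (hThread != IntPtr.Zero) CloseHandle(hThread); if (hProcess != IntPtr.Zero) CloseHandle(hProcess); }
    }
}
```

Call ServiceForThread for each thread of the svchost PID (for example from Process.GetProcessById(pid).Threads); a null result means the thread carries no tag at all, which is the gap for I/O done by shared worker threads on another component's behalf.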
Maybe the thread does not ever do the I/O? As no tool to date has revealed that, consider the case of an app I wrote long ago.
While it did do network I/O, the byte count was showing up in svchost because that's the API call I made and svchost did the actual work. No inspection tool I ever found would have traced it back to me exactly. Some may call that a glaring Windows fault.
I think we'll have to find that I/O in any tool, control panel, app or anywhere then work out how they did that.
We may also be bumping into security issues here. That is, given that our (still to be made) app wants to inspect an app on the inside, those memory blocks and such may not be accessible due to "security." But here I'm still trying to see where what you want to see has been exposed before by any means.
TL;DR: Let's find where what you want has been exposed and find how to do that in our own code.
Don't get me wrong here. Just last month a buddy was trying to track down internet use on his new laptop and was coding, running scans and generally not doing anything fun. As it was a new W10 machine I mentioned and asked if he had turned off Windows Update sharing. He had never heard of this and that along with some other items were flipped off and his mystery internet activity is now gone.
But if it's not that, we really need to find and see what you are looking for in other tools so we can backtrace to how they do that.
Wish I could help here. I had hopes we could find any existing tool in Windows or outside that showed what you were after then work with that to see how it was done. But that didn't work out.
Maybe we tackle it another way. Such as what caused you to dig into this. I shared a story about a friend programming to dig into network traffic and for him, it was something I knew about. A setting change and the traffic stopped. So while that didn't use any tools to trace it back to the source, that was good enough for him.
I've just been creating some admin tools of late to help in general troubleshooting, nothing wrong with my machine I'm trying to fix at the moment, but I have often wondered what is using the network resources within svchost from time to time.
Thanks for your interest, I'll get there in the end.