processserviceswindows 7
Say I have a process called "EvilMalware.exe" that keeps getting restarted (i.e. I kill it and it is restarted after a few seconds).
I looked up the process that starts it and it is C:\Windows\System32\services.exe.
This seems to be a legit windows process for starting stuff.
So how can I figure out what is telling services.exe to keep restarting "EvilMalware.exe"?
Update: Windows 7 Service Pack 1 includes a hotfix:
In this scenario, you notice that there is high CPU usage approximately every 15 seconds on the computer. Additionally, you may experience skipping in audio playback from the audio device when overall CPU usage reaches 100%.
See if SP1 fixes the problem.
Use Process Explorer to peek at the thread that is running, and look at its stack trace. At the very least you can see the services hosted inside services.exe.
i assume the machine is CPU bound during this time, and not IO bound. If it is I/O bound, you can see what it's doing using Process Monitor - it might lead to some insights.
i see in your screenshot of Process Explorer that the process is taking 50% of the cpu. i assume it is a dual-core machine, and taking one entire core. So the CPU is stuck doing something.
Looking at the stack trace:
The things i key on (i'm not an expert, they just piqued my interest) are:
From the term "catalog file", sounds to me like it's going through all the installed INF's. i don't know what these functions do, but i can check:
Verifies a single catalog file.
The SetupFindNextMatchLine function returns the location of the next line in an INF file relative to ContextIn.Line that matches a specified key.
The SetupDiEnumDeviceInterfaces function enumerates the device interfaces that are contained in a device information set.
So it sounds like it's going through all the INF files, poking through each one, and then doing stuff based on what it finds.
The next question is, is it stuck on one INF file, or are there just a lot of them, or is it repeating itself, or does it not have access to one, or...who knows.
The next thing i would do is load up Process Monitor, and set it to only show file activity by services.exe. Then you can see it zoom through all the inf files. Hopefully you can then see the one it's getting stuck on (hopefully it is simply getting stuck on one). Then perhaps you can rename/hide that offending INF file.
Process Monitor primer.
On the toolbar, turn off the options except File System Activity:
Then add a filter:
Process Name
is
services.exe
Include
and click Add:
In powershell you would do:
gwmi -query "select * from win32_process where name='PROCESSNAME.exe'" | %{if($_.GetOwner().User -eq 'USERNAME'){$_.terminate()}}
Best Answer
Run procexp. It will show a nice fork tree depicting parent processes. You can also right-click on the header and add the "command line" column to see the arguments.