A description of Svchost.exe to solve Terminal Services problem
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.
Svchost.exe groups are identified in the following registry key:
Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
To view the list of services that are running in Svchost:
| 1. | Click Start on the Windows taskbar, and then click Run. |
| 2. | In the Open box, type CMD, and then press ENTER. |
| 3. | Type Tasklist /SVC, and then press ENTER. |
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:
The following example of Tasklist output shows two instances of Svchost.exe that are running.
Image Name PID Services ======================================================================== System Process 0 N/A System 8 N/A Smss.exe 132 N/A Csrss.exe 160 N/A Winlogon.exe 180 N/A Services.exe 208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache, Eventlog,LanmanServer,LanmanWorkstation, LmHosts,Messenger,PlugPlay,ProtectedStorage, Seclogon,TrkWks,W32Time,Wmi Lsass.exe 220 Netlogon,PolicyAgent,SamSs Svchost.exe 404 RpcSs Spoolsv.exe 452 Spooler Cisvc.exe 544 Cisvc Svchost.exe 556 EventSystem,Netman,NtmsSvc,RasMan, SENS,TapiSrv Regsvc.exe 580 RemoteRegistry Mstask.exe 596 Schedule Snmp.exe 660 SNMP Winmgmt.exe 728 WinMgmt Explorer.exe 812 N/A Cmd.exe 1300 N/A Tasklist.exe 1144 N/A
The registry setting for the two groupings for this example are as follows: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
RApcss :Reg_Multi_SZ: RpcSs
This is really useful when you want to counteract kb 278657: Terminal Services cannot be Manipulated.
- Using tasklist, locate the svchost hosting your termservs.exe and note the PID.
- Then kill the svchost, the one with the right PID otherwise you’ll kill some other important processes. you can do that using the Task manager, but you’ll have to enable the PID column.
- Then you will be able to start your Terminal Services. From the console or the services panel.
Voila!
