What command line options are available to svchost.exe?


Solution 1

This blog post explains that there are three known arguments: -k to run a group of services, -s to only run a specific service from the specified group, and -p to turn on process mitigation policies.

Another blog post provides more details on what -p does. Windows has an API, SetProcessMitigationPolicy, which a process can use to enable various mitigations against security vulnerabilities. Each possible type of mitigation is known as a "policy". In the Windows registry, under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost, there are three values which can be created to toggle three particular policies for svchost.exe: DynamicCodePolicy, BinarySignaturePolicy and ExtensionPolicy.

What the -p option does is force those three security mitigation policies to be turned on for this svchost.exe process, even if they are not enabled in the registry.

Why does this option exist? Well, the ideal from a security viewpoint would be to toggle all three policies on in the Windows registry, so they are on all the time. However, it is possible that there is some product out there (whether Microsoft or third-party) which contains a service running in svchost.exe and which breaks with these flags being turned on, hence Microsoft doesn't want to turn them on by default. However, for services shipped with Windows, where Microsoft knows they work fine with these flags turned on, there would be better security by having these flags turned on for those particular services. Hence -p can turn those flags on for a particular group of services without turning them on for all svchost.exe services.

Of course these are undocumented internals of Windows, and there is always the chance that Microsoft might break them in some future version. One should be aware of that possibility before trying to rely on them for anything.
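The asker's stated goal is to enumerate services, parse each svchost.exe command line for its -k group, and compare that against the group lists in the Svchost key. The following PowerShell is an added example written for this page, not code from either answer or from Microsoft. It parses the three switches described above (-k, -s and -p, accepting only the dash form, since whether /p is equivalent is an open question in this thread), reads every service's ImagePath, and reports services whose -k group is missing from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost or whose name is absent from that group's REG_MULTI_SZ list. The function names are my own; the script only reads the registry and repairs nothing.

```powershell
# Added example: parse svchost.exe command lines and audit the Svchost group key.
# Function names are invented for this example; the switches are those described
# in the answer above. Read-only; run elevated on Windows for a complete view.

function ConvertFrom-SvchostCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $result = [ordered]@{
        IsSvchost          = $false
        Group              = $null    # value after -k
        Service            = $null    # value after -s (optional)
        MitigationPolicies = $false   # -p present
        Raw                = $CommandLine
    }
    if ($CommandLine -notmatch '(?i)svchost\.exe') { return [pscustomobject]$result }
    $result.IsSvchost = $true
    # Tokenize on whitespace, keeping quoted paths together (ImagePath may be quoted).
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') })
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        switch -Regex ($tokens[$i]) {
            '^-k$' { if ($i + 1 -lt $tokens.Count) { $result.Group   = $tokens[++$i] } }
            '^-s$' { if ($i + 1 -lt $tokens.Count) { $result.Service = $tokens[++$i] } }
            '^-p$' { $result.MitigationPolicies = $true }
        }
    }
    return [pscustomobject]$result
}

function Get-SvchostServiceMap {
    # Walk every service key and keep the ones hosted by svchost.exe.
    # ImagePath is REG_EXPAND_SZ; leave %SystemRoot% unexpanded so the raw value is reported.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $imagePath = $_.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if (-not $imagePath) { return }
        $parsed = ConvertFrom-SvchostCommandLine -CommandLine $imagePath
        if ($parsed.IsSvchost) {
            $parsed | Add-Member -NotePropertyName ServiceName -NotePropertyValue $_.PSChildName -PassThru
        }
    }
}

function Test-SvchostGroupKey {
    # Each value under the Svchost key is a group name whose REG_MULTI_SZ data lists
    # the services that group may host. Compare that against the -k groups in use.
    $key = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groups = @{}
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq 'MultiString') {
            $groups[$name] = @($key.GetValue($name))
        }
    }
    foreach ($svc in Get-SvchostServiceMap) {
        $status = if (-not $svc.Group) { 'no -k group on command line' }
                  elseif (-not $groups.ContainsKey($svc.Group)) { 'group value missing from Svchost key' }
                  elseif ($groups[$svc.Group] -notcontains $svc.ServiceName) { 'service not listed in its group' }
                  else { 'ok' }
        [pscustomobject]@{
            Service            = $svc.ServiceName
            Group              = $svc.Group
            MitigationPolicies = $svc.MitigationPolicies
            Status             = $status
        }
    }
}

# Constructed sample command line (not taken from a real machine) to exercise the parser offline.
ConvertFrom-SvchostCommandLine -CommandLine '%SystemRoot%\System32\svchost.exe -k netsvcs -p -s Schedule'

# Live audit: list only the entries that disagree with the Svchost key.
Test-SvchostGroupKey | Where-Object Status -ne 'ok' | Format-Table -AutoSize
```

A service reported as "service not listed in its group" is the case the asker describes: its ImagePath still names a group, but the group's list no longer contains it, so svchost will not load it. The MitigationPolicies column also shows which groups Windows starts with -p, which is useful when deciding whether a third-party service placed in that group will tolerate the mitigations.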

Solution 2

I have seen the option -p inside the registry, but not followed by any argument. A Google search for "svchost.exe -p" site:docs.microsoft.com results in zero hits, so there does not seem to be any (official) documentation about it. I don't know what the -p flag does, and I don't know if /p is the same as -p.



Author: Billy ONeal

Updated on September 18, 2022

Comments

  • Billy ONeal, over 1 year ago

    It seems the only command line option used by Windows for svchost.exe is -k, followed by the group name which svchost needs to start for a given service. Yet, use of a command line option indicates that it's likely there are other possible options. However, I can't seem to find such things, and the general method for getting command line options (passing --help or /? on the command line) doesn't seem to work.

    Are any other command switches for svchost available? What do they do?

    • Richard, about 12 years ago
      Why do you want this? While people have reverse engineered much of svchost it remains part of the internals of Windows. A future Windows could replace it with something else.
    • Billy ONeal, about 12 years ago
      @Richard: I'm trying to write a tool to repair the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost key (after it gets clobbered by malware). That requires me to enumerate services and parse svchost.exe's command line in order to get the load group for a given service.