Dear Bob,
Thank you for your reply.
Based on this, please try to delete the registry entry and check the issue.
Once you finish the steps, please reply to me with an update. I look forward
to the results.
Thanks and have a good day!
Regards,
Benny Fu
Microsoft Online Partner Support
Microsoft Corporation
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "bob Sterrett" <[email protected]>
| From: "bob Sterrett" <[email protected]>
| Subject: Not Blaster related - I will just delete the registry entry
| Date: Wed, 13 Aug 2003 17:00:38 -0400
| Lines: 423
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.advanced_server
| NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10598
| X-Tomcat-NG: microsoft.public.win2000.advanced_server
|
| Probably not virus related. This has been around since sp3 and is more
| likely related to an upgrade of SQLserver, Exchange5.5 or exchange2000beta.
|
| Thanks anyway.
|
| > Dear Bob,
| >
| > Thank you for your reply.
| >
| > Based on this and my further research, the issue may be also related to the
| > worm virus "W32.Blaster.worm". It will use TCP port 135 to download and run
| > the file Msblast.exe and it can cause the svchost process and system reboot
| > unexpectedly.
| >
| > To prevent the computer from being infected by the virus, please install the
| > security patch MS03-026. The patch is available from Windows Update as well
| > as on www.microsoft.com\security
| >
| > Blaster Worm: Critical Security Patch for Windows 2000:
| >
| > http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en
| >
| > Please note that you still need to use Anti Virus program to clean the
| > system after you apply the patch. If you do not have Anti Virus software
| > installed, you can use the following tool to detect the worm.
| >
| > http://housecall.antivirus.com
| >
| > The following tools or information from 3rd party vendors may be helpful for
| > removing the virus.
| >
| > Symantec
| >
| > http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
| >
| > McAfee:
| >
| > http://vil.nai.com/vil/stinger
| >
| > Hope the information is helpful.
| >
| > Thanks and have a good day!
| >
| > Regards,
| >
| > Benny Fu
| > Microsoft Online Partner Support
| > Microsoft Corporation
| > Get Secure! - www.microsoft.com/security
| >
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| >
| > --------------------
| > | Reply-To: "bob Sterrett" <[email protected]>
| > | From: "bob Sterrett" <[email protected]>
| > | Subject: Not a virus
| > | Date: Tue, 12 Aug 2003 14:07:22 -0400
| > | Lines: 313
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | Message-ID: <[email protected]>
| > | Newsgroups: microsoft.public.win2000.advanced_server
| > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10534
| > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > |
| > | at least not this one.
| > |
| > | This is a service that does not start. As such, since things seem to be ok
| > | without it starting, I would suspect that no harm will be done by just
| > | deleting the registry entry.
| > |
| > | So unless you can identify what the following was meant to do, I will just
| > | delete it.
| > |
| > | registry entry
| > |
| > | smss
| > | |-Enum
| > | |-Security
| > |
| > | root
| > | *(default) REG_SZ (value not set)
| > | *Description REG_SZ Manager of Security for Network Services
| > | *DisplayName REG_SZ Service Security Manager
| > | *ErrorControl REG_DWORD 0x00000001 (1)
| > | *ImagePath REG_EXPAND_SZ C:\WINNT\system32\svchost.exe
| > | *ObjectName REG_SZ LocalSystem
| > | *Start REG_DWORD 0x00000002 (2)
| > | *Type REG_DWORD 0x00000110 (272)
| > |
| > |
| > | Security
| > | *(default) REG_SZ (value not set)
| > | *SSecurity REG_Binary 01 00 14 80 a0 00 00 00 aC ...
| > |
| > | Thanks
| > |
| > |
| > | > Dear Bob,
| > | >
| > | > Thank you for your reply.
| > | >
| > | > For the SSMS.exe process, it is likely related to the W32.Gismor@mm virus,
| > | > please delete the virus to resolve the issue. For the detailed steps on how
| > | > to clean the virus, please refer to the following article:
| > | >
| > | > http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
| > | >
| > | > You can delete it from
| > | > 'HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run\SSMS.EXE'
| > | > registry.
| > | >
| > | > Hope it is helpful and clears your concerns.
| > | >
| > | > Thanks and have a good day!
| > | >
| > | > Regards,
| > | >
| > | > Benny Fu
| > | > Microsoft Online Partner Support
| > | > Microsoft Corporation
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > This posting is provided "AS IS" with no warranties, and confers no rights.
| > | >
| > | > --------------------
| > | > | Reply-To: "bob Sterrett" <[email protected]>
| > | > | From: "bob Sterrett" <[email protected]>
| > | > | Subject: Re: at least one service did not start - ssms
| > | > | Date: Mon, 11 Aug 2003 08:58:51 -0400
| > | > | Lines: 202
| > | > | X-Priority: 3
| > | > | X-MSMail-Priority: Normal
| > | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | > | Message-ID: <[email protected]>
| > | > | Newsgroups: microsoft.public.win2000.advanced_server
| > | > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| > | > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10461
| > | > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > | > |
| > | > | The entry in question is ssms not smss.
| > | > |
| > | > | Virus scans continue to show me as ok.
| > | > |
| > | > | If you can't think of any reason to attempt a load of svchost with no
| > | > | arguments, I will go ahead and delete this registry entry and thus get rid of
| > | > | my warning message.
| > | > |
| > | > | > Dear Bob,
| > | > | >
| > | > | > Thank you for your reply.
| > | > | >
| > | > | > The following processes are system processes:
| > | > | >
| > | > | > System Idle Process
| > | > | > System
| > | > | > smss.exe
| > | > | > winlogon.exe
| > | > | > csrss.exe
| > | > | > services.exe
| > | > | > isass.exe
| > | > | > taskmgr.exe
| > | > | > regsvc.exe
| > | > | > mstask.exe
| > | > | > explorer.exe
| > | > | >
| > | > | > Please check registry for a virus associated with smss.exe and csrss.exe.
| > | > | > For more information, please read the following web page:
| > | > | >
| > | > | > http://securityresponse.symantec.com/avcenter/venc/data/w32.dalbug.worm.html
| > | > | >
| > | > | > Please monitor the status of the system after you delete the smss.exe from
| > | > | > registry. If anything is unclear, please feel free to let me know.
| > | > | >
| > | > | > Thanks and have a good day!
| > | > | >
| > | > | > Regards,
| > | > | >
| > | > | > Benny Fu
| > | > | > Microsoft Online Partner Support
| > | > | > Microsoft Corporation
| > | > | > Get Secure! - www.microsoft.com/security
| > | > | >
| > | > | > This posting is provided "AS IS" with no warranties, and confers no rights.
| > | > | >
| > | > | > --------------------
| > | > | > | Reply-To: "bob Sterrett" <[email protected]>
| > | > | > | From: "bob Sterrett" <[email protected]>
| > | > | > | Subject: Re: at least one service did not start - ssms
| > | > | > | Date: Thu, 7 Aug 2003 09:20:57 -0400
| > | > | > | Lines: 123
| > | > | > | X-Priority: 3
| > | > | > | X-MSMail-Priority: Normal
| > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | > | > | Message-ID: <#lpt#[email protected]>
| > | > | > | Newsgroups: microsoft.public.win2000.advanced_server
| > | > | > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | > | > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| > | > | > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10393
| > | > | > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > | > | > |
| > | > | > | Thanks Benny, but I know "what" svchost is. The questions are "Is it
| > | > | > | alright to delete this troublesome ssms registry entry or should it be
| > | > | > | altered in some way so that it works?" and "Who put this thing there?"
| > | > | > |
| > | > | > | > Dear Bob,
| > | > | > | >
| > | > | > | > Thank you for your posting.
| > | > | > | >
| > | > | > | > Svchost.exe is a generic host process name for services that are run from
| > | > | > | > dynamic-link libraries (DLLs). The Svchost.exe file is located in the
| > | > | > | > %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services
| > | > | > | > portion of the registry to construct a list of services that it needs to
| > | > | > | > load. There can be multiple instances of Svchost.exe running at the same
| > | > | > | > time. Each Svchost.exe session can contain a grouping of services, so that
| > | > | > | > separate services can be run depending on how and where Svchost.exe is
| > | > | > | > started. This allows for better control and debugging.
| > | > | > | >
| > | > | > | > Svchost.exe groups are identified in the following registry key:
| > | > | > | >
| > | > | > | > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
| > | > | > | >
| > | > | > | > For more detailed information, you can refer to the following article:
| > | > | > | >
| > | > | > | > 250320 Description of Svchost.exe in Windows 2000
| > | > | > | > http://support.microsoft.com/?id=250320
| > | > | > | >
| > | > | > | > Hope the information is helpful.
| > | > | > | >
| > | > | > | > Thanks and have a good day!
| > | > | > | >
| > | > | > | > Regards,
| > | > | > | >
| > | > | > | > Benny Fu
| > | > | > | > Microsoft Online Partner Support
| > | > | > | > Microsoft Corporation
| > | > | > | > Get Secure! - www.microsoft.com/security
| > | > | > | >
| > | > | > | > This posting is provided "AS IS" with no warranties, and confers no rights.
| > | > | > | >
| > | > | > | > --------------------
| > | > | > | > | Reply-To: "bob Sterrett" <[email protected]>
| > | > | > | > | From: "bob Sterrett" <[email protected]>
| > | > | > | > | Subject: at least one service did not start - ssms
| > | > | > | > | Date: Wed, 6 Aug 2003 16:28:49 -0400
| > | > | > | > | Lines: 58
| > | > | > | > | X-Priority: 3
| > | > | > | > | X-MSMail-Priority: Normal
| > | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | > | > | > | X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | > | > | > | Message-ID: <[email protected]>
| > | > | > | > | Newsgroups: microsoft.public.win2000.advanced_server
| > | > | > | > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | > | > | > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| > | > | > | > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10367
| > | > | > | > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > | > | > | > |
| > | > | > | > | This probably started after svc pack3.
| > | > | > | > | This service attempts to start svchost with no arguments.
| > | > | > | > |
| > | > | > | > | Other instances of svchost (with arguments) are running. Should I delete
| > | > | > | > | this from the registry?
| > | > | > | > |
| > | > | > | > | Services
| > | > | > | > | System Process (0)
| > | > | > | > | System (8)
| > | > | > | > | SMSS.EXE (180)
| > | > | > | > | CSRSS.EXE (204)
| > | > | > | > | WINLOGON.EXE (224)
| > | > | > | > | SERVICES.EXE (252)
| > | > | > | > | svchost.exe (468)
| > | > | > | > | DLLHOST.EXE (1116)
| > | > | > | > | DLLHOST.EXE (1768)
| > | > | > | > | spoolsv.exe (512)
| > | > | > | > | msdtc.exe (668)
| > | > | > | > | MSCIS.exe (892)
| > | > | > | > | WFSVCMGR.exe (904)
| > | > | > | > | dfssvc.exe (916)
| > | > | > | > | scvhost.exe (940)
| > | > | > | > | svchost.exe (992)
| > | > | > | > | ismserv.exe (1016)
| > | > | > | > | mdm.exe (1048)
| > | > | > | > | sqlservr.exe (1172)
| > | > | > | > | ntfrs.exe (1300)
| > | > | > | > | regsvc.exe (1372)
| > | > | > | > | LOCATOR.EXE (1384)
| > | > | > | > | mstask.exe (1416)
| > | > | > | > | tcpsvcs.exe (1456)
| > | > | > | > | SNMP.EXE (1472)
| > | > | > | > | svchost.exe (1484)
| > | > | > | > | WinMgmt.exe (1516)
| > | > | > | > | winnt124.exe (1584)
| > | > | > | > | WINS.EXE (1608)
| > | > | > | > | MsPMSPSv.exe (1628)
| > | > | > | > | svchost.exe (1644)
| > | > | > | > | DNS.EXE (1656)
| > | > | > | > | inetinfo.exe (1704)
| > | > | > | > | EXMGMT.EXE (1776)
| > | > | > | > | MAD.EXE (1980)
| > | > | > | > | mqsvc.exe (2012)
| > | > | > | > | mssearch.exe (2044)
| > | > | > | > | trigserv.exe (2436)
| > | > | > | > | STORE.EXE (2636)
| > | > | > | > | EMSMTA.EXE (2804)
| > | > | > | > | LSASS.EXE (264)
| > | > | > | > | explorer.exe (2212) Program Manager
| > | > | > | > | evntsvc.exe (292)
| > | > | > | > | CTFMON.EXE (1156)
| > | > | > | > | AcroTray.exe (3072)
| > | > | > | > | sqlmangr.exe (3700)
| > | > | > | > | CMD.EXE (1964) Command Prompt - tlist -t
| > | > | > | > | tlist.exe (1400)
| > | > | > | > | MSOFFICE.EXE (3660)
| > | > | > | > |
| > | > | > | > |
| > | > | > | > |
| > | > | > | >
| > | > | > |
| > | > | > |
| > | > | > |
| > | > | >
| > | > |
| > | > |
| > | > |
| > | >
| > |
| > |
| > |
| >
|
|
|
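
The check the thread circles around, as an added example (not part of the original posts and not Microsoft's code): audit service `ImagePath` values for svchost.exe entries that are outside %SystemRoot%\System32, have no `-k <group>` argument, or name a group that is not listed under the Svchost registry key. The `ssms` ImagePath is the one quoted in the thread; every other service entry, the group names and the function names are constructed for illustration.

```python
import ntpath
import re

# Constructed sample data. Only the "ssms" ImagePath comes from the thread.
SVCHOST_GROUPS = {"netsvcs", "rpcss"}  # stand-in for the values under ...\CurrentVersion\Svchost
SERVICES = {
    "RpcSs": r"%SystemRoot%\system32\svchost.exe -k rpcss",
    "ssms": r"C:\WINNT\system32\svchost.exe",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
    "Odd": r"C:\WINNT\system32\svchost.exe -k nosuchgroup",
    "Elsewhere": r"C:\Temp\svchost.exe -k netsvcs",
}

# Split an ImagePath into the executable (optionally quoted) and its arguments.
IMAGE_RE = re.compile(r'^\s*"?(?P<exe>[^"]+?\.exe)"?\s*(?P<args>.*)$', re.I)


def audit_services(services, groups, system_root=r"C:\WINNT"):
    """Return (service, reason) pairs for svchost-hosted services that look wrong."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    known = {g.lower() for g in groups}
    findings = []
    for name, image_path in sorted(services.items()):
        m = IMAGE_RE.match(image_path)
        if not m:
            continue
        # Expand %SystemRoot% so both spellings of the path compare equal.
        exe = re.sub("%SystemRoot%", lambda _: system_root, m["exe"], flags=re.I)
        if ntpath.basename(exe).lower() != "svchost.exe":
            continue  # not hosted by svchost, out of scope for this check
        if ntpath.normcase(ntpath.dirname(exe)) != expected_dir:
            findings.append((name, "svchost.exe outside System32"))
        k = re.search(r"(?:^|\s)-k\s+(\S+)", m["args"], re.I)
        if k is None:
            findings.append((name, "no -k group argument"))
        elif k.group(1).lower() not in known:
            findings.append((name, "group not listed under Svchost key"))
    return findings


if __name__ == "__main__":
    for service, reason in audit_services(SERVICES, SVCHOST_GROUPS):
        print(f"{service}: {reason}")
```

A finding is a reason to identify what installed the entry before deleting it, which is the question left open in the thread.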