
I recently installed Sysmon, which logs events to OSSEC and currently monitors several endpoints. I have been trying to whitelist benign processes such as Windows services. Many of these processes run with command-line arguments, e.g. svchost.exe -k netsvcs -p -s NetSetupSvc. However, an explanation of these command-line arguments is not available for many of these Windows processes when using /? in the command prompt, e.g. svchost.exe /?

Is there documentation online that explains the command-line arguments of these Windows processes? It would also be useful if there is documentation indicating the parent process that spawns a specific Windows process.

The reason I am requesting this information is so that I can whitelist a Windows process using its process name, command-line arguments and parent process. I do not want to whitelist a process by only using its process name, as this would not detect malware which uses the same name.

synthesis

2 Answers


Microsoft tends to not document things which they don't believe are to be used by customers. I would not expect to find Microsoft documentation for this executable but a close alternative is to research findings from people who reverse engineer Microsoft products. I have a general expectation of this from having worked in support of core Windows OS a while ago. The only supported end user tweak on this service that I remember was splitting services away from a shared svchost instance into a single, dedicated service in a new svchost process, for added system stability or for debugging.

If you would be happy with third party research, using Sysinternals tools on a live system, searching the Windows registry for values to do with services or picking up a copy of Windows Internals book could get you close to what you actually want to achieve.

Samples: https://www.geoffchappell.com/studies/windows/win32/services/svchost/index.htm https://www.raymond.cc/blog/identify-loaded-svchostexe-in-windows-task-list/

Finding out the parent process can be done a number of ways, but each process carries its own Process ID (PID) as well as the PID of its parent process. If the parent process is still running you can query it by finding that PID. Further, if you enable process tracking auditing, those process creation Windows events should contain the parent process information which spawned the new process.

HackneyB
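As an added illustration of what the question is after (allowlisting on the full image path, the command line and the parent process together, rather than on the process name alone) and of the parent-PID point in the answer above, here is a small Python checker run over constructed Sysmon Event ID 1 records. It is not code from the question, the answers, Sysmon or OSSEC. The allowlist rule, the command-line regex and the four sample events are my assumptions; the rule expects services.exe as the parent because legitimate svchost.exe instances are started by the Service Control Manager.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sysmon Event ID 1 (process creation) carries, among other fields, Image,
# CommandLine, ParentImage, ProcessId and ParentProcessId. The dictionaries
# further down are constructed stand-ins for such records, not real captures.


@dataclass(frozen=True)
class AllowRule:
    """One allowlist entry: image, command line and parent must ALL match."""
    image: str            # full executable path, compared case-insensitively
    cmdline: re.Pattern   # regex the whole command line must match
    parent_image: str     # full path of the expected parent executable


ALLOWLIST: List[AllowRule] = [
    # Hypothetical rule: a service host launched by services.exe with the
    # "-k <group> [-p] [-s <service>]" shape seen in the question.
    AllowRule(
        image=r"c:\windows\system32\svchost.exe",
        cmdline=re.compile(
            r'^"?(?:[a-z]:\\windows\\system32\\)?svchost\.exe"?'
            r' -k [a-z0-9_]+(?: -p)?(?: -s [a-z0-9_]+)?$',
            re.IGNORECASE,
        ),
        parent_image=r"c:\windows\system32\services.exe",
    ),
]


def evaluate(event: Dict[str, str], rules: List[AllowRule] = ALLOWLIST) -> Tuple[bool, str]:
    """Return (allowlisted, reason).

    Missing fields never match, so an event without a ParentImage is treated
    as unknown rather than benign.
    """
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    for rule in rules:
        if image != rule.image:
            continue  # a same-named binary in another directory never gets here
        if parent != rule.parent_image:
            return False, f"image matches but parent {parent!r} is unexpected"
        if not rule.cmdline.match(cmdline):
            return False, "image and parent match but command line is unexpected"
        return True, "matches allowlist rule"
    return False, "no rule for this image path"


def triage(events: List[Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Map each event's ProcessId to its decision; whatever is not allowlisted
    is what an analyst (or a downstream OSSEC rule) should look at."""
    return {e.get("ProcessId", "?"): evaluate(e) for e in events}


# Constructed sample events (not real Sysmon output).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # expected: allowlisted
        "ProcessId": "1001",
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "ParentProcessId": "700",
    },
    {   # same name, different path and parent: name-only allowlisting would miss this
        "ProcessId": "1002",
        "Image": r"C:\Users\Public\svchost.exe",
        "CommandLine": r"svchost.exe -k netsvcs",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentProcessId": "4321",
    },
    {   # right binary, unexpected parent
        "ProcessId": "1003",
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"svchost.exe -k netsvcs",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentProcessId": "5555",
    },
    {   # right binary and parent, command line outside the expected shape
        "ProcessId": "1004",
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc --extra",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "ParentProcessId": "700",
    },
]


if __name__ == "__main__":
    for pid, (ok, why) in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {'allow' if ok else 'REVIEW'} ({why})")
```

The order of the checks is deliberate: the image path is tested first, so a same-named binary elsewhere on disk never reaches the parent or command-line comparison, and the reason string tells the analyst which of the three attributes broke the match.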

Is there documentation online that explains the commandline arguments of these Windows processes?

Are you asking about svchost.exe's own parameter list or the services which svchost runs?

If it's the former, you're not the first to ask. MS doesn't document it on purpose. You'll have to search each individual flag you come across and even then some of the explanations aren't that great.

If it's the latter, you'll need to figure out what svchost is wrapping. There are a million ways to do that. This is the easiest IMHO:

tasklist /svc | findstr "svchost"

Then you can see what svchost is running. With that information determine what binary (tracing the PID in the output to the binary is one method) is being used for the service and try to run foo.exe /? yourself.

Be advised though, your mileage may vary... you're either NOT going to be able to access some stuff, some stuff is going to be designed to keep users from monkeying with it, and other stuff simply isn't going to have parameters at all.

MGoBlue93