For firewall purposes I made a copy of svchost.exe called mysvchost.exe and made some services run on mysvchost.exe by editing their ImagePath in the registry (under HKLM\SYSTEM\CurrentControlSet\Services). However, on reboot I noticed that the settings have reverted back to the old svchost.exe. How do I make the changed ImagePath stick through the reboot?
I expect (not totally certain) that this program is being replaced by the valid copy in WinSXS. I don't think you can solve your problem this way. If you could, any virus writer could do the same thing and screw up your system (and everyone else's) – John – 2020-01-09T00:59:22.003
I am not sure what you mean. I am replacing svchost.exe in System32 by its exact copy (and not even replacing, just keeping the copy under the name mysvchost alongside it). I don't see svchost in WinSXS. Regarding the viruses, Windows can just check that mysvchost has exactly the same hash as the original svchost and is digitally signed by Microsoft. – teagut – 2020-01-09T01:06:04.617
I found a bunch of svchost.exe files in WinSXS (by processor model). I am not sure how else Windows would have replaced it (and it apparently did) – John – 2020-01-09T01:10:14.543
Ok, yes, you're right, there are svchost files in WinSXS. But it doesn't have anything to do with my question. My svchost wasn't replaced because I never deleted it in the first place. It's still sitting where it's always been, in system32. Also my copy of it, mysvchost.exe, is still there as well, not deleted by Windows Defender or whatever. The only thing I changed was ImagePath in the registry for some services and those registry edits got reverted by Windows. – teagut – 2020-01-09T01:17:21.777
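
Added example (not part of the original question or comments): a PowerShell audit that lists every service under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath starts a shared host from a binary other than System32\svchost.exe, and reports the two properties mentioned in the comments, whether the binary's hash equals the original svchost.exe and what its signature status is. Matching on a `-k <group>` argument is an assumption about how svchost-hosted services are registered, and the variable names are illustrative.

```powershell
# Added example: report svchost-style services whose host binary is not the stock svchost.exe.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$stockHost   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$stockHash   = (Get-FileHash -LiteralPath $stockHost -Algorithm SHA256).Hash

$findings = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    # Read ImagePath unexpanded so the report shows exactly what is stored in the registry.
    $raw = $_.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { return }
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)

    # Assumption: a shared-host service is registered as "<exe> -k <group> ...".
    if ($expanded -notmatch '^\s*"?(?<exe>[^"]+?\.exe)"?\s+-k\s+(?<group>\S+)') { return }
    $exe   = $Matches['exe']
    $group = $Matches['group']
    if ($exe -ieq $stockHost) { return }   # stock host binary, nothing to report

    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    [pscustomobject]@{
        Service         = $_.PSChildName
        Group           = $group
        ImagePath       = $raw
        HostExists      = $exists
        # True only when the file is byte-for-byte identical to System32\svchost.exe.
        SameHashAsStock = $exists -and
            ((Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash -eq $stockHash)
        # Authenticode status as reported by Windows (Valid, NotSigned, HashMismatch, ...).
        Signature       = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status }
                          else { 'n/a' }
    }
}

# Show the result; an empty table means every "-k" service points at the stock svchost.exe.
$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Running it once after editing ImagePath and again after the reboot shows which services kept the modified value and which were set back.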