Find out what started a process using "services.exe"


Say I have a process called "EvilMalware.exe" that keeps getting restarted (i.e. I kill it and it is restarted after a few seconds).

I looked up the process that starts it and it is C:\Windows\System32\services.exe.

This seems to be a legit windows process for starting stuff.

So how can I figure out what is telling services.exe to keep restarting "EvilMalware.exe"?


Posted 2013-01-25T17:21:12.033


How did you determine that it was services.exe that was running the file? Are you sure it was the real copy of services.exe? Sometimes malware puts legitimate-looking files in legitimate-looking places (for example, the NACHI worm makes a file called svchost.exe in \Windows\System32\WINS which looks normal enough, but of course is not (the real file is in System32, not System32\WINS)). – Synetech – 2013-03-12T18:02:10.073

So how can I figure out what is telling services.exe to keep restarting "EvilMalware.exe"?   Assuming it was the real copy of services.exe running it, then you would have to figure out which service is launching it because services.exe itself does not host any services, it simply contains the Service Controller which coordinates services hosted in other files (including Windows’ own generic svchost.exe). You can use Process Explorer to view the list of running services that the SC has started to look for anything fishy. – Synetech – 2013-03-12T18:05:42.087



Run procexp. It will show a nice fork tree depicting parent processes. You can also right-click on the header and add the "command line" column to see the arguments.



But services.exe has no hosted services, so it won’t help. – Synetech – 2013-03-12T18:02:51.620
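The procedure the answer and the comments above describe (walk the parent chain, look at the command line, confirm the parent really is the genuine services.exe, then find the service registration that names the binary) as an added PowerShell example. This is not code from the original thread; "EvilMalware.exe" is the question's placeholder name, and the script assumes only the stock Win32_Process and Win32_Service WMI classes, Get-AuthenticodeSignature, and sc.exe that ship with Windows.

```powershell
# Added example (not part of the original post). Given a process name, walks
# its parent chain via WMI, prints each ancestor's path and command line (the
# "command line" column Process Explorer can show), checks whether each
# ancestor's image is Authenticode-signed, and then lists services whose
# registered image path names the binary or whose PID is the process itself.
# 'EvilMalware.exe' is the placeholder from the question; substitute the real name.
$Name = 'EvilMalware.exe'

function Get-ParentChain {
    param([int]$ProcessId)
    $chain = @()
    $seen  = @{}
    # A PID can be recycled after its owner exits, so stop on repeats and only
    # trust a parent that was created before its child.
    $childCreated = $null
    while ($ProcessId -and -not $seen.ContainsKey($ProcessId)) {
        $seen[$ProcessId] = $true
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
        if (-not $p) { break }
        if ($childCreated -and $p.CreationDate -gt $childCreated) {
            # Parent PID was reused by a newer process; the real parent is gone.
            break
        }
        $sig = if ($p.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue).Status
        } else { 'n/a' }
        $chain += [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            ParentPid   = $p.ParentProcessId
            Path        = $p.ExecutablePath   # real services.exe lives in System32
            Signature   = $sig                # 'Valid' for a genuine Windows binary
            CommandLine = $p.CommandLine
        }
        $childCreated = $p.CreationDate
        $ProcessId    = $p.ParentProcessId
    }
    return $chain
}

$targets = @(Get-CimInstance Win32_Process -Filter "Name = '$Name'")
if (-not $targets) { Write-Warning "No running process named $Name" }

foreach ($t in $targets) {
    Write-Host "=== $($t.Name) PID $($t.ProcessId) ==="
    Get-ParentChain -ProcessId $t.ProcessId |
        Format-List Pid, Name, ParentPid, Path, Signature, CommandLine
}

# services.exe is the Service Control Manager, so if it is the parent the binary
# is registered as a service. Match on the image path stored in the service's
# registration and on the service's own PID.
$base = [IO.Path]::GetFileNameWithoutExtension($Name)
$pids = @($targets | ForEach-Object { $_.ProcessId })
$suspects = @(Get-CimInstance Win32_Service | Where-Object {
    ($_.PathName -and $_.PathName -like "*$base*") -or ($pids -contains $_.ProcessId)
})
$suspects | Select-Object Name, DisplayName, State, StartMode, ProcessId, PathName | Format-List

# "Restarted after a few seconds" is frequently the SCM's own recovery action
# for the service. It is kept inside the SCM and not shown by Get-Service;
# sc.exe qfailure prints it for each candidate service.
foreach ($s in $suspects) {
    sc.exe qfailure $s.Name
}
```

Run it from an elevated PowerShell session, otherwise the paths and command lines of system processes come back empty. A parent whose Path is C:\Windows\System32\services.exe with Signature Valid is the genuine Service Control Manager, which is exactly the case where the service list at the end, rather than the process tree, tells you what keeps relaunching the binary; a parent with the right name but a different directory or an unsigned image is the case the first comment warns about.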


services.exe is a program that is used to start, stop, and interact with services.

Assuming you have evil malware, I suggest a virus scan is the best order of business.

You may be able to stop it in the services control panel but the malware would probably revert any change you make.

You should boot into an antivirus like ClamAV to delete the files without the virus being able to tamper.



It is not a traditional malware product. But it is acting like it. That is why I am asking this question rather than running a malware scan. – Vaccano – 2013-01-25T18:03:15.257