Showing Services under Each Process

This section provides a tutorial example on how to use command 'tasklist' to show all services under each running process with the service option '/SVC'.

On Windows system, many essential functionalities are provided by services running as background processes. There several background processes, like "services.exe", "lsass.exe" and "svchost.exe", that can run multiple services.

In other words, two or services will running under a single process name, if they use the same executable program with the same options. For example, the Cryptographic Service - "CryptSvc" and the DHCP Client service - "Dhcp" will be running under the same process "svchost.exe", because they are started with the same command: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

To get a list of services that are running under each process, you can run the "tasklist" command with the service option "/SVC". An example result is included below:

C:\herong>tasklist /SVC

Image Name                   PID Services
========================= ====== =====================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     504 N/A
csrss.exe                    556 N/A
winlogon.exe                 584 N/A
services.exe                 628 Eventlog, PlugPlay
lsass.exe                    640 Netlogon, ProtectedStorage, SamSs
svchost.exe                  800 DcomLaunch
svchost.exe                  860 RpcSs
svchost.exe                  952 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                 lanmanworkstation, Netman, RasMan, 
                                 Schedule, SENS, SharedAccess, 
                                 srservice, TapiSrv, Themes, winmgmt, 
svchost.exe                 1060 Dnscache
svchost.exe                 1104 LmHosts
spoolsv.exe                 1320 Spooler
msdtc.exe                   1520 MSDTC
httpd.exe                   1612 Apache2
FrameworkService.exe        1640 McAfeeFramework
Mcshield.exe                1676 McShield
VsTskMgr.exe                1700 McTaskManager
httpd.exe                   1720 N/A
naPrdMgr.exe                1736 N/A
MsDtsSrvr.exe               1788 MsDtsServer
wdfmgr.exe                  2300 UMWdf
hpqwmiex.exe                2344 hpqwmiex
explorer.exe                3200 N/A
smax4pnp.exe                3396 N/A
accelerometerST.exe         3412 N/A
SynTPEnh.exe                3420 N/A
QLBCTRL.exe                 3428 N/A
Scheduler.exe               3460 N/A
CLI.exe                     3476 N/A
shstat.exe                  3484 N/A
UpdaterUI.exe               3492 N/A
GoogleToolbarNotifier.exe   3544 N/A
YahooMessenger.exe          3584 N/A
wmiprvse.exe                3836 N/A
ApacheMonitor.exe           3872 N/A
MDM.EXE                     2480 N/A
CLI.exe                     3536 N/A
firefox.exe                 5892 N/A
cmd.exe                     3224 N/A
wmiprvse.exe                2872 N/A
tasklist.exe                4460 N/A

This output is very useful. It tells me which service is running under what process.

