Hi all,
I want to inactivate process monitoring for a while and, because this task is done through the "secur32.dll" module, I want to unload it from memory for a few seconds.
I searched to see which processes use this DLL or which process loads it into memory. I found that the "svchost.exe" process uses it, so I ran the command below in the Windows 7 (32-bit) command prompt:
tasklist /m /fi "imagename eq svchost.exe"
and I saw the following result:
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Image Name PID Modules
========================= ======== ============================================
svchost.exe 696 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
umpnpmgr.dll, SPINF.dll, USER32.dll,
GDI32.dll, LPK.dll, USP10.dll, DEVRTL.dll,
IMM32.DLL, MSCTF.dll, RpcRtRemote.dll,
USERENV.dll, profapi.dll, GPAPI.dll,
CRYPTBASE.dll, umpo.dll, WINSTA.dll,
SETUPAPI.dll, CFGMGR32.dll, ADVAPI32.dll,
OLEAUT32.dll, ole32.dll, DEVOBJ.dll,
pcwum.DLL, rpcss.dll, SspiCli.dll,
credssp.dll, CLBCatQ.DLL, ntmarta.dll,
WLDAP32.dll, wmidcprv.dll, FastProx.dll,
wbemcomn.dll, WS2_32.dll, NSI.dll,
NTDSAPI.dll, wbemprox.dll, CRYPTSP.dll,
rsaenh.dll, wbemsvc.dll, wmiutils.dll,
WINTRUST.dll, CRYPT32.dll, MSASN1.dll,
apphelp.dll, WTSAPI32.dll
svchost.exe 800 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
rpcepmap.dll, RpcRtRemote.dll, secur32.dll,
SSPICLI.DLL, credssp.dll, CRYPTBASE.dll,
rpcss.dll, ADVAPI32.dll, CRYPTSP.dll,
rsaenh.dll, WS2_32.dll, NSI.dll,
mswsock.dll, user32.dll, GDI32.dll,
LPK.dll, USP10.dll, IMM32.DLL, MSCTF.dll,
wshtcpip.dll, wship6.dll, FirewallAPI.dll,
VERSION.dll, CLBCatQ.DLL, ole32.dll,
OLEAUT32.dll, fwpuclnt.dll, WTSAPI32.dll,
WINSTA.dll
svchost.exe 936 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ole32.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, IMM32.DLL, MSCTF.dll,
CRYPTBASE.dll, ADVAPI32.dll, wevtsvc.dll,
RpcRtRemote.dll, secur32.dll, SSPICLI.DLL,
credssp.dll, WS2_32.dll, NSI.dll,
mswsock.dll, wshtcpip.dll, wship6.dll,
GPAPI.dll, ntmarta.dll, WLDAP32.dll,
audiosrv.dll, POWRPROF.dll, SETUPAPI.dll,
CFGMGR32.dll, OLEAUT32.dll, DEVOBJ.dll,
MMDevAPI.DLL, PROPSYS.dll, AVRT.dll,
CLBCatQ.DLL, WINSTA.dll, lmhsvc.dll,
IPHLPAPI.DLL, WINNSI.DLL, nrpsrv.DLL,
dhcpcore.dll, DNSAPI.dll, firewallapi.dll,
VERSION.dll, dhcpcore6.dll, SHLWAPI.dll,
CRYPTSP.dll, rsaenh.dll, audioses.dll,
WMALFXGFXDSP.dll, mfplat.DLL, wscsvc.dll,
dbghelp.dll, wbemprox.dll, wbemcomn.dll,
wbemsvc.dll, fastprox.dll, NTDSAPI.dll,
CRYPT32.dll, MSASN1.dll, WINTRUST.DLL,
imagehlp.dll, ncrypt.dll, bcrypt.dll,
bcryptprimitives.dll, wuapi.dll,
Cabinet.dll, profapi.dll, USERENV.dll,
wkscli.dll, netutils.dll, provsvc.dll,
actxprxy.dll, npmproxy.dll, FunDisc.dll,
ATL.DLL, msxml6.dll, fdproxy.dll,
ieproxy.dll, dhcpcsvc.DLL, dhcpcsvc6.DLL
svchost.exe 1008 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ole32.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, IMM32.DLL, MSCTF.dll,
CRYPTBASE.dll, ADVAPI32.dll, audiosrv.dll,
POWRPROF.dll, SETUPAPI.dll, CFGMGR32.dll,
OLEAUT32.dll, DEVOBJ.dll, MMDevAPI.DLL,
PROPSYS.dll, AVRT.dll, CLBCatQ.DLL,
SHLWAPI.dll, cscsvc.dll, USERENV.dll,
profapi.dll, pcwum.dll, PeerDist.dll,
AUTHZ.dll, taskschd.dll, SspiCli.dll,
mstask.dll, COMCTL32.dll, CRYPTSP.dll,
rsaenh.dll, RpcRtRemote.dll, WTSAPI32.dll,
GPAPI.dll, WINSTA.dll, uxsms.dll,
wudfsvc.dll, WUDFPlatform.dll, PSAPI.DLL,
VERSION.dll, wevtapi.dll, WINTRUST.dll,
CRYPT32.dll, MSASN1.dll, wlansvc.dll,
bcrypt.dll, dsrole.dll, SHELL32.dll,
WLANMSM.DLL, WLANSEC.dll, WS2_32.dll,
NSI.dll, OneX.DLL, eappprxy.dll,
dhcpcsvc.DLL, IPHLPAPI.DLL, WINNSI.DLL,
eappcfg.dll, wlgpclnt.dll, l2gpstore.dll,
wlanutil.dll, SYSNTFY.dll, WinSCard.dll,
msxml6.dll, secur32.dll, credssp.dll,
kerberos.DLL, cryptdll.dll, netcfgx.dll,
slc.dll, devrtl.DLL, sysmain.dll,
ntmarta.dll, WLDAP32.dll, trkwks.dll,
PortableDeviceApi.dll,
portabledeviceconnectapi.dll, apphelp.dll,
cscobj.dll, netman.dll, netshell.dll,
nlaapi.dll, RASDLG.dll, MPRAPI.dll,
RASAPI32.dll, rasman.dll, rtutils.dll,
hnetcfg.dll, ATL.DLL, wbemprox.dll,
wbemcomn.dll, wbemsvc.dll, fastprox.dll,
NTDSAPI.dll, pcasvc.dll, AEPIC.dll,
sfc.dll, sfc_os.DLL
svchost.exe 1048 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ole32.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, IMM32.DLL, MSCTF.dll,
CRYPTBASE.dll, ADVAPI32.dll, gpsvc.dll,
GPAPI.dll, WLDAP32.dll, Secur32.dll,
SSPICLI.DLL, NSI.dll, SYSNTFY.dll,
nlaapi.dll, themeservice.dll, profsvc.dll,
OLEAUT32.dll, USERENV.dll, profapi.dll,
SHLWAPI.dll, ATL.DLL, RpcRtRemote.dll,
WINSTA.dll, dsrole.dll, CLBCatQ.DLL,
slc.dll, CRYPTSP.dll, rsaenh.dll, sens.dll,
WS2_32.dll, eapsvc.dll, eapphost.dll,
CRYPT32.dll, MSASN1.dll, IPHLPAPI.DLL,
WINNSI.DLL, umb.dll, shsvcs.dll,
CFGMGR32.dll, SETUPAPI.dll, DEVOBJ.dll,
schedsvc.dll, pcwum.dll, SHELL32.dll,
NETAPI32.dll, netutils.dll, srvcli.dll,
wkscli.dll, wevtapi.dll, AUTHZ.dll,
UBPM.dll, ktmw32.dll, XmlLite.dll,
WINTRUST.dll, credssp.dll, FVEAPI.dll,
tbs.dll, FVECERTS.dll, LOGONCLI.DLL,
wiarpc.dll, taskcomp.dll, VERSION.dll,
ntmarta.dll, mswsock.dll, wshtcpip.dll,
wship6.dll, netjoin.dll, WTSAPI32.dll,
comctl32.dll, PROPSYS.dll, ikeext.dll,
fwpuclnt.dll, ncrypt.dll, bcrypt.dll,
bcryptprimitives.dll, dhcpcsvc.DLL,
dhcpcsvc6.DLL, wmisvc.dll, wbemcomn.dll,
iphlpsvc.dll, FirewallAPI.dll, rtutils.dll,
sqmapi.dll, WDSCORE.dll, netprofm.dll,
devrtl.DLL, VSSAPI.DLL, VssTrace.DLL,
NCI.dll, samcli.dll, SAMLIB.dll,
wbemcore.dll, esscli.dll, FastProx.dll,
NTDSAPI.dll, wbemsvc.dll, SPINF.dll,
wmiutils.dll, repdrvfs.dll, srvsvc.dll,
browser.dll, SSCORE.DLL, CLUSAPI.DLL,
cryptdll.dll, RESUTILS.DLL, DNSAPI.dll,
wmiprvsd.dll, NCObjAPI.DLL, wbemess.dll,
mdnsNSP.dll, rasadhlp.dll, qmgr.dll,
bitsperf.dll, bitsigd.dll, upnp.dll,
WINHTTP.dll, webio.dll, SSDPAPI.dll,
npmproxy.dll, SXS.DLL, UxTheme.dll,
apphelp.dll, ncprov.dll, tschannel.dll,
RasApi32.dll, rasman.dll, wuaueng.dll,
ESENT.dll, WINSPOOL.DRV, Cabinet.dll,
mspatcha.dll, psapi.dll, WMsgAPI.dll,
msxml3.dll, wer.dll, dssenh.dll,
imagehlp.dll, msi.dll, wups2.dll,
schannel.DLL, cryptnet.dll, advpack.dll,
ES.DLL, MPR.dll, wbemprox.dll, actxprxy.dll
svchost.exe 1260 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ole32.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, IMM32.DLL, MSCTF.dll,
CRYPTBASE.dll, ADVAPI32.dll, es.dll,
OLEAUT32.dll, CRYPTSP.dll, rsaenh.dll,
RpcRtRemote.dll, CLBCatQ.DLL, nsisvc.dll,
NSI.dll, SXS.DLL, netprofm.dll, nlaapi.dll,
wdi.dll, perftrack.dll, wer.dll,
dwmapi.dll, Secur32.dll, SSPICLI.DLL,
AEPIC.dll, sfc.dll, sfc_os.DLL,
VERSION.dll, apphelp.dll, npmproxy.dll,
IPHLPAPI.DLL, WINNSI.DLL, WS2_32.dll,
GPAPI.dll, winhttp.dll, webio.dll,
SHLWAPI.dll, credssp.dll, DNSAPI.dll,
napinsp.dll, pnrpnsp.dll, mdnsNSP.dll,
mswsock.dll, winrnr.dll, wshtcpip.dll,
wship6.dll, rasadhlp.dll, fwpuclnt.dll,
dhcpcsvc.DLL, dhcpcsvc6.DLL, fdphost.dll,
fdwsd.dll, ATL.DLL, bcrypt.dll,
CRYPT32.dll, MSASN1.dll, MLANG.dll,
wsdapi.dll, webservices.dll,
FirewallAPI.dll, fdssdp.dll, SSDPAPI.dll,
fdproxy.dll, bcryptprimitives.dll,
XmlLite.dll, FunDisc.dll, msxml6.dll,
propsys.dll, ieproxy.dll, fthsvc.dll,
wevtapi.dll
svchost.exe 1344 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ole32.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, IMM32.DLL, MSCTF.dll,
CRYPTBASE.dll, ADVAPI32.dll, dnsrslvr.dll,
WS2_32.dll, NSI.dll, DNSAPI.dll,
WINNSI.DLL, Fwpuclnt.dll, dnsext.dll,
USERENV.dll, profapi.dll, GPAPI.dll,
RpcRtRemote.dll, mswsock.dll, iphlpapi.dll,
dhcpcsvc.DLL, dhcpcsvc6.DLL, wship6.dll,
wkssvc.dll, netutils.dll, netjoin.dll,
SspiCli.dll, cryptsvc.dll, CRYPTNET.dll,
CRYPT32.dll, MSASN1.dll, WLDAP32.dll,
VSSAPI.DLL, ATL.DLL, VssTrace.DLL,
OLEAUT32.dll, samcli.dll, SAMLIB.dll,
CRYPTSP.dll, rsaenh.dll, CLBCatQ.DLL,
es.dll, PROPSYS.dll, ESENT.dll, psapi.dll,
nlasvc.dll, wevtapi.dll, ncsi.dll,
WINHTTP.dll, webio.dll, CFGMGR32.dll,
secur32.dll, credssp.dll, ssdpapi.dll,
wkscli.dll, WTSAPI32.dll, WINSTA.dll,
SHLWAPI.dll, wshtcpip.dll, bcrypt.dll,
bcryptprimitives.dll, mdnsNSP.dll,
rasadhlp.dll, Cabinet.dll, DEVRTL.dll,
ncrypt.dll, SensApi.dll, SXS.DLL,
vss_ps.dll, msxml3.dll
svchost.exe 1716 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ole32.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, IMM32.DLL, MSCTF.dll,
CRYPTBASE.dll, ADVAPI32.dll, scardsvr.dll,
AUTHZ.dll, CFGMGR32.dll, RpcRtRemote.dll,
fdrespub.dll, wsdapi.dll, WS2_32.dll,
NSI.dll, IPHLPAPI.DLL, WINNSI.DLL,
webservices.dll, FirewallAPI.dll,
VERSION.dll, CLBCatQ.DLL, OLEAUT32.dll,
FunDisc.dll, ATL.DLL, SHLWAPI.dll,
dhcpcsvc.DLL, dhcpcsvc6.DLL, mswsock.dll,
wship6.dll, wshqos.dll, wshtcpip.DLL,
WINHTTP.dll, webio.dll, HTTPAPI.dll,
pcwum.dll, wkscli.dll, netutils.dll,
msxml6.dll, CRYPTSP.dll, rsaenh.dll,
XmlLite.dll, ssdpsrv.dll, secur32.dll,
SSPICLI.DLL, credssp.dll, fntcache.dll,
ktmw32.dll, ntmarta.dll, WLDAP32.dll
svchost.exe 1772 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ole32.dll, GDI32.dll, USER32.dll, LPK.dll,
USP10.dll, IMM32.DLL, MSCTF.dll,
CRYPTBASE.dll, ADVAPI32.dll, bfe.dll,
AUTHZ.dll, slc.dll, SspiCli.dll, pcwum.dll,
RpcRtRemote.dll, mpssvc.dll,
FirewallAPI.dll, VERSION.dll, fwpuclnt.dll,
NSI.dll, CFGMGR32.dll, SHLWAPI.dll,
secur32.dll, credssp.dll, USERENV.dll,
profapi.dll, GPAPI.dll, WS2_32.dll,
IPHLPAPI.DLL, WINNSI.DLL, dhcpcsvc.DLL,
dhcpcsvc6.DLL, wfapigp.dll, ntmarta.dll,
WLDAP32.dll, dps.dll, OLEAUT32.dll,
CLBCatQ.DLL, taskschd.dll, bcrypt.dll,
wdi.dll, wdiasqmmodule.dll, netprofm.dll,
nlaapi.dll, CRYPTSP.dll, rsaenh.dll,
npmproxy.dll, radardt.dll, WTSAPI32.dll,
mswsock.dll, wshqos.dll, wshtcpip.DLL,
wship6.dll, WINSTA.dll
svchost.exe 1924 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
apphostsvc.dll, ADVAPI32.dll, IISUTIL.dll,
USER32.dll, GDI32.dll, LPK.dll, USP10.dll,
nativerd.dll, CRYPT32.dll, MSASN1.dll,
XmlLite.dll, ktmw32.dll, IMM32.DLL,
MSCTF.dll, IISRES.DLL, CRYPTSP.dll,
rsaenh.dll, CRYPTBASE.dll, ole32.dll,
VSSAPI.DLL, ATL.DLL, VssTrace.DLL,
OLEAUT32.dll, samcli.dll, SAMLIB.dll,
netutils.dll, CLBCatQ.DLL, es.dll,
RpcRtRemote.dll, PROPSYS.dll, mlang.dll
svchost.exe 2352 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
wiaservc.dll, ADVAPI32.dll, USER32.dll,
GDI32.dll, LPK.dll, USP10.dll,
OLEAUT32.dll, ole32.dll, VERSION.dll,
IMM32.DLL, MSCTF.dll, wiatrace.dll,
CRYPTBASE.dll, RpcRtRemote.dll,
secur32.dll, SSPICLI.DLL, credssp.dll,
msv1_0.DLL, cryptdll.dll, CFGMGR32.dll,
CLBCatQ.DLL, CRYPTSP.dll, rsaenh.dll,
SETUPAPI.dll, DEVOBJ.dll
svchost.exe 2508 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
iisw3adm.dll, ADVAPI32.dll, pcwum.DLL,
USER32.dll, GDI32.dll, LPK.dll, USP10.dll,
ole32.dll, logoncli.dll, IISUTIL.dll,
W3TP.dll, nativerd.dll, CRYPT32.dll,
MSASN1.dll, XmlLite.dll, ktmw32.dll,
Secur32.dll, SSPICLI.DLL, IMM32.DLL,
MSCTF.dll, IISRES.DLL, CRYPTSP.dll,
rsaenh.dll, CRYPTBASE.dll, CLBCatQ.DLL,
OLEAUT32.dll, mlang.dll, ntmarta.dll,
WLDAP32.dll, RpcRtRemote.dll, HTTPAPI.dll
svchost.exe 3104 ntdll.dll, kernel32.dll, KERNELBASE.dll,
msvcrt.dll, sechost.dll, RPCRT4.dll,
ipsecsvc.dll, AUTHZ.dll, fwpuclnt.dll,
FirewallAPI.dll, VERSION.dll,
FwRemoteSvr.DLL, ADVAPI32.dll, ole32.dll,
GDI32.dll, USER32.dll, LPK.dll, USP10.dll,
IMM32.DLL, MSCTF.dll, CRYPTBASE.dll,
CLBCatQ.DLL, OLEAUT32.dll, secur32.dll,
SSPICLI.DLL, credssp.dll, RpcRtRemote.dll,
WS2_32.dll, NSI.dll, mswsock.dll,
wshtcpip.dll, wship6.dll, IPHLPAPI.DLL,
WINNSI.DLL, dhcpcsvc.DLL, dhcpcsvc6.DLL
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
As you see, multiple svchost.exe processes with the PIDs [800, 936, 1008, 1048, 1260, 1344, 1716, 1772, 2352, 2508, 3104] use secur32.dll.
I also ran the above command on Windows XP (32-bit) and saw the following result:
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Image Name PID Modules
========================= ====== =============================================
svchost.exe 852 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, comctl32.dll,
comctl32.dll, NTMARTA.DLL, WLDAP32.dll,
SAMLIB.dll, rpcss.dll, WS2_32.dll,
WS2HELP.dll, Secur32.dll, xpsp2res.dll,
CLBCATQ.DLL, COMRes.dll, termsrv.dll,
ICAAPI.dll, SETUPAPI.dll, WINTRUST.dll,
CRYPT32.dll, MSASN1.dll, IMAGEHLP.dll,
AUTHZ.dll, mstlsapi.dll, ACTIVEDS.dll,
adsldpc.dll, NETAPI32.dll, ATL.DLL,
REGAPI.dll, rsaenh.dll, Apphelp.dll
svchost.exe 948 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, comctl32.dll,
comctl32.dll, rpcss.dll, WS2_32.dll,
WS2HELP.dll, Secur32.dll, xpsp2res.dll,
rsaenh.dll, mswsock.dll, hnetcfg.dll,
wshtcpip.dll, DNSAPI.dll, iphlpapi.dll,
winrnr.dll, WLDAP32.dll, rasadhlp.dll,
CLBCATQ.DLL, COMRes.dll
svchost.exe 1064 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, comctl32.dll,
comctl32.dll, NTMARTA.DLL, WLDAP32.dll,
SAMLIB.dll, xpsp2res.dll, shsvcs.dll,
WINSTA.dll, NETAPI32.dll, rsaenh.dll,
dhcpcsvc.dll, DNSAPI.dll, WS2_32.dll,
WS2HELP.dll, iphlpapi.dll, Secur32.dll,
wzcsvc.dll, rtutils.dll, WMI.dll,
CRYPT32.dll, MSASN1.dll, WTSAPI32.dll,
ESENT.dll, ATL.DLL, mswsock.dll,
hnetcfg.dll, wshtcpip.dll, rastls.dll,
CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,
WININET.dll, MPRAPI.dll, ACTIVEDS.dll,
adsldpc.dll, SETUPAPI.dll, RASAPI32.dll,
rasman.dll, TAPI32.dll, SCHANNEL.dll,
WinSCard.dll, raschap.dll, msv1_0.dll,
CLBCATQ.DLL, COMRes.dll, schedsvc.dll,
NTDSAPI.dll, MSIDLE.DLL, audiosrv.dll,
wkssvc.dll, cryptsvc.dll, certcli.dll,
dmserver.dll, ersvc.dll, es.dll, pchsvc.dll,
srvsvc.dll, netman.dll, netshell.dll,
credui.dll, WZCSAPI.DLL, seclogon.dll,
sens.dll, srsvc.dll, POWRPROF.dll,
trkwks.dll, w32time.dll, MSVCP60.dll,
wmisvc.dll, VSSAPI.DLL, wuauserv.dll,
wuaueng.dll, ADVPACK.dll, SHFOLDER.dll,
WINSPOOL.DRV, WINHTTP.dll, Cabinet.dll,
mspatcha.dll, sfc.dll, sfc_os.dll,
browser.dll, ipnathlp.dll, AUTHZ.dll,
SXS.DLL, comsvcs.dll, MTXCLU.DLL,
WSOCK32.dll, colbact.DLL, CLUSAPI.DLL,
RESUTILS.DLL, wscsvc.dll, msi.dll,
wbemcomn.dll, wbemcore.dll, esscli.dll,
FastProx.dll, wmiutils.dll, repdrvfs.dll,
wmiprvsd.dll, NCObjAPI.DLL, wbemess.dll,
ncprov.dll, upnp.dll, SSDPAPI.dll,
rasadhlp.dll, RASDLG.dll, Apphelp.dll,
wups.dll, catsrvut.dll, MfcSubs.dll,
MPR.dll, urlmon.dll, catsrv.dll,
netcfgx.dll, wbemsvc.dll
svchost.exe 1212 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, comctl32.dll,
comctl32.dll, dnsrslvr.dll, DNSAPI.dll,
WS2_32.dll, WS2HELP.dll, iphlpapi.dll
svchost.exe 1328 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
VERSION.dll, SHELL32.dll, SHLWAPI.dll,
USERENV.dll, UxTheme.dll, comctl32.dll,
comctl32.dll, NTMARTA.DLL, WLDAP32.dll,
SAMLIB.dll, xpsp2res.dll, lmhsvc.dll,
iphlpapi.dll, WS2_32.dll, WS2HELP.dll,
webclnt.dll, WININET.dll, CRYPT32.dll,
MSASN1.dll, Secur32.dll, urlmon.dll,
wsock32.dll, regsvc.dll, ssdpsrv.dll,
hnetcfg.dll, CLBCATQ.DLL, COMRes.dll,
mswsock.dll, wshtcpip.dll
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
In the above list, the processes with PIDs [852, 948, 1064, 1328] use the secur32.dll module.
Now, my question is:
How should I unload this dll for a while and afterward load it into memory rapidly to prevent a SYSTEM CRASH?
I mean, how do I get a handle to a memory-resident DLL (secur32.dll here!) to unload it from memory?
I guess that I should first get the svchost.exe process handle (I don't know with which PID, of course!) and then use this handle to get the secur32.dll handle.
Then pass the DLL handle to the unloadlibrary function, sleep some milliseconds and then load the DLL again into the svchost.exe process address space to prevent a system crash.
But I don't know which Windows functions I should use to implement these steps.
Or do you have another, better solution for this purpose?
Could you please post sample code to do this in C++?
Thanks in advance.