3.3.3 Windows services

Services are background processes in the Windows operating system. Some services execute independently, while others execute under the svchost.exe process.

If you want to view the services installed on your Windows operating system, use the msconfig command. It gives a list of services, startup programs, and boot-up programs. Many services need to be executed before the user logs in. The following registry keys are used to launch an exe as a service before the user logs in:

  • HKLM\SYSTEM\CurrentControlSet\services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

When malware registers itself as a service this way, the registry key points to the absolute path of the malware exe file.

Malware can also run as a service under the svchost.exe process. This is a Windows process. As the name suggests, it hosts services (svc is shorthand for services). The following registry key is associated with services executing under svchost:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost
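
As an added example (not from the original text), the following read-only PowerShell script lists what the registry keys above launch, so that an unexpected service binary stands out during triage. The Type and Parameters\ServiceDll values it reads are standard service registry values that this section does not mention, and the OutsideWindowsDir column is a hypothetical review aid, not a verdict.

```powershell
# Added example: read-only listing of the service launch points named above.
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Svchost'
$runKeys    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'

# Svchost key: each multi-string value is a group name listing its member services.
$groupOf = @{}
$sk = Get-Item -Path $svchostKey
foreach ($group in $sk.GetValueNames()) {
    $members = $sk.GetValue($group)
    if ($members -is [string[]]) { foreach ($m in $members) { $groupOf[$m] = $group } }
}

$report = foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $image = $key.GetValue('ImagePath')   # GetValue expands %SystemRoot% and similar
    $type  = $key.GetValue('Type')
    # Keep Win32 services only (0x10 own process, 0x20 shared process); skip drivers.
    if (-not $image -or -not ($type -band 0x30)) { continue }

    $hosted = $image -match 'svchost\.exe'
    $dll = $null
    if ($hosted) {
        # Assumption: a hosted service names its DLL in Parameters\ServiceDll.
        try { $p = $key.OpenSubKey('Parameters'); if ($p) { $dll = $p.GetValue('ServiceDll') } } catch { }
    }
    $binary = if ($hosted -and $dll) { $dll } else { $image }
    [pscustomobject]@{
        Service = $key.PSChildName
        Hosted  = $hosted
        Group   = $groupOf[$key.PSChildName]
        Binary  = $binary
        # Heuristic only: many legitimate services live outside the Windows directory.
        OutsideWindowsDir = $binary.IndexOf($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase) -lt 0
    }
}
$report | Sort-Object OutsideWindowsDir -Descending | Format-List

# The RunServices keys may not exist on the host; report that instead of failing.
foreach ($rk in $runKeys) {
    if (Test-Path $rk) { Get-ItemProperty -Path $rk | Select-Object * -ExcludeProperty PS* | Format-List }
    else { "$rk : not present" }
}
```

Run it from an elevated prompt so that access-restricted service keys are not silently skipped.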