Well, if you read what I wrote yesterday, you read that I put a service all by itself in a separate SVCHOST.EXE proces.

Windows XP SP1

Service of interest:  WebClnt

Binary of interest:  WEBCLNT.DLL

Problem:  Hangs on startup.

If you run a CMD.EXE prompt (command prompt) and type:   TASKLIST /SVC you'll see an output like this:

F:\Documents and Settings\danvdw>tasklist /SVC

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0          N/A
System                                 4          N/A
services.exe                        416       Eventlog, PlugPlay
lsass.exe                             428        Netlogon, PolicyAgent, ProtectedStorage, SamSs
svchost.exe                         636        RpcSs
svchost.exe                         660        AudioSrv, BITS, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem,    
                                                           lanmanserver, lanmanworkstation, Messenger, Netman, Nla,
                                                           Schedule, seclogon, SENS, ShellHWDetection,
                                                           srservice, TermService, Themes, uploadmgr,
                                                           W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe                         772         Dnscache
svchost.exe                         796         LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                         876         Spooler
inetinfo.exe                       1084         IISADMIN, SMTPSVC, W3SVC

<Cut Short to Eliminate Boredom>

I'm interested in the one that has WebClient in it.  I see it's Process ID (PID) 796.

That's nice to know, but not really want I want.  What I want to see is WebClient all alone in an SVCHOST.EXE process.  Exactly like DNSCACHE is doing.  Why can't my webclient do that too?  I think it can!

If you read Raymond Chen's blog, you'll see he refers to Q314056 about SVCHOST.EXE.

Now, I mucked with the registry on this system.  If you muck with your registry, make sure you make backups of the stuff before you fool with it.  I will not be held responsible for anything you do to your registry even if it's something I write about.

Are we clear on that?

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\svchost

Right there, under svchost, are keys and values.  I'm interested in the *value* that is Localservice and I see it's a REG_MULTI_SZ and is:

Alerter
WebClient
LmHosts
RemoteRegistry
upnphost
SSDPSRV

There's my WebClient.  What if I just highlight it and take it out of there with a DEL button press?  That works.

Okay.  But, I want it in it's own SVCHOST.EXE.  Can I do that?  Well, I think I can if I hack some.  So, let's hack:

I notice that the *keys* are similar to these values.  Let's do a new key and value.  I'll call it WebClntSvc.

So, I add a Key and a Value called WebClntSvc.  I could have called it anything, like AnyNameAnything, but I called it WebClntSvc.

So, I make a REG_MULTI_SZ *value* entry called WebClntSvc and add:  WebClient.

I also make a Value entry and call it WebClntSvc.  What to add there?  Heck, I just copied what was in the Localservice key. That key had:

AuthenticationCapabilities, REG_DWORD, 0x2000 and CoInitializeSecurityParam, REG_DWORD, 0x1

So, I added them both.  Is that it?

No, because I see that HKLM\System\CurrentControlSet\Services is of interest to me, based on the KB article.

If I look at HKLM\System\CurrentControlSet\Services\WebClient, I see an ImagePath value that's a REG_SZ.  I think I want to edit that and change it from:

%SystemRoot%\System32\svchost.exe -k LocalService

to

%SystemRoot%\System32\svchost.exe -k WebClntSvc

We can confirm this works by checking the interface.  That's right-click on My Computer, Select Manage, then go into the Services, find WebClient and open it up.

Make sure the "Path to Executable" was changed.  Mine would say:

F:\WINDOWS\System32\svchost.exe -k WebClntSvc.

F: is my system drive here.  Don't ask me why.  You don't want to know.

That would make sense, right?  Does to me.  Then, I reboot.  Now, I have a separate instance of SVCHOST.EXE running with WebClient in it.

I do.

Now, to debug it is simple.  Right, I just attach my debugger to the process that exists as SVCHOST.EXE with the one and only service in it that's WebClient.

However, I don't want to debug it as it is, I want to debug it as it starts.  Hmm... How do to that?

Well, it's tricky and I have one trick up my sleeve to use that is this:  Copy SVCHOST.EXE to SVCHOST1.EXE in the same place as SVCHOST.EXE and use SVCHOST1.EXE in my ImageFileExecutionOptions registry setting and use SVCHOST1.EXE in the registry location for the service for the executable.

Now, when I check the interface, my path says:

F:\WINDOWS\System32\svchost1.exe -k WebClntSvc.

There is a problem here.  The default SVCHOST.EXE has a timeout for any service.  If it doesn't start in X seconds, you get a nifty dialog telling you it didn't start, blah blah blah.

You don't get the dialog for the failure on startup, but it's not running regarless.

I'm guessing there is a way around this, but I don't know what yet.....