Address : C:\Windows\SysWOW64\system

Behavior : The machine reboots when either process is ended with taskkill

According to my tests, these two programs may link to regedit and send data to each other constantly.

Name : svchosth.exe, svchosts.exe

(Note the difference between these names and svchost.exe; the latter is a Windows system process.)

svchosth.exe ends the taskmgr (Task Manager) process.

Linked service : SystemExplorerCheck

Stopping it will cause a reboot.

svchosts.exe can only be suspended with SYSTEM privileges. Its auto-start registry key is:

HKLM\System\CurrentControlSet\Services\SystemExplorerCheck


Solution :

Download NSudo and Process Explorer. Use NSudo to start procexp_Chn.exe with NT SYSTEM privileges, then suspend the two processes svchosts.exe and svchosth.exe.

In real tests, I used "NSudo_8.2_All_Components".

You can download NSudo here (not direct).

And Process Explorer here.

Method discovered by blue_239k.

After doing this, you can safely taskkill both of them.

Issues :

The controller's computer can no longer recognize anything on the computer in use, including the logout.

Maybe I still need several weeks to solve this problem. Fatbean is good.


More about it :

Judging from the length of the code, svchosts.exe has a more basic utility.

Here's its data :

RCData-DVDLAL : 0

26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83 

&=08  7  $B   :

RCData-PACKAGEINFO : 0

01 00 00 CC 00 00 00 00 04 00 00 00 01 B0 73 76 
63 68 6F 73 74 73 00 00 2D 75 6E 57 61 74 63 68 
50 72 6F 63 65 73 73 00 00 81 53 79 73 49 6E 69 
74 00 00 FB 66 72 6D 54 65 73 74 5F 73 76 72 00 

              svchosts  -unWatchProcess   SysInit   frmTest_svr 
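
The PACKAGEINFO bytes above can be decoded field by field. The following Python code is an added example, not part of the original notes or of the program itself. It assumes the usual Delphi PACKAGEINFO layout (a 32-bit flags word, a count of required packages, then a count of contained units, each stored as a flag byte, a hash byte and a NUL-terminated name); the function names and the UF_MAIN_UNIT constant are hypothetical.

```python
import struct

# Bytes copied from the RCData-PACKAGEINFO dump shown above.
PACKAGEINFO_HEX = """
01 00 00 CC 00 00 00 00 04 00 00 00 01 B0 73 76
63 68 6F 73 74 73 00 00 2D 75 6E 57 61 74 63 68
50 72 6F 63 65 73 73 00 00 81 53 79 73 49 6E 69
74 00 00 FB 66 72 6D 54 65 73 74 5F 73 76 72 00
"""

UF_MAIN_UNIT = 0x01  # assumed meaning of bit 0 of a unit's flag byte


def _cstring(buf, pos):
    """Read a NUL-terminated name at pos; return (name, next position)."""
    end = buf.index(b"\x00", pos)  # ValueError if the resource is truncated
    return buf[pos:end].decode("ascii", errors="replace"), end + 1


def parse_packageinfo(buf):
    """Parse a PACKAGEINFO blob under the layout assumed in the lead-in."""
    flags, requires_count = struct.unpack_from("<II", buf, 0)
    pos = 8
    requires = []
    for _ in range(requires_count):      # each entry: hash byte + name
        name, pos = _cstring(buf, pos + 1)
        requires.append(name)
    (contains_count,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    units = []
    for _ in range(contains_count):      # each entry: flags, hash, name
        unit_flags, unit_hash = buf[pos], buf[pos + 1]
        name, pos = _cstring(buf, pos + 2)
        units.append({"name": name, "hash": unit_hash,
                      "main": bool(unit_flags & UF_MAIN_UNIT)})
    return {"flags": flags, "requires": requires, "units": units,
            "trailing": len(buf) - pos}


def load_dump():
    """Decode the hex text above and parse it."""
    return parse_packageinfo(bytes.fromhex("".join(PACKAGEINFO_HEX.split())))


if __name__ == "__main__":
    info = load_dump()
    print(f"flags=0x{info['flags']:08X} requires={info['requires']}")
    for u in info["units"]:
        print(f"  {u['name']:<16} hash=0x{u['hash']:02X} main={u['main']}")
```

Under that layout, the `-` shown before unWatchProcess in the text rendering is the unit's hash byte (0x2D), not part of the name, and svchosts is the entry flagged as the main unit.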

RCData-TSYSTEMEXPLORERCHECK : 0

object SystemExplorerCheck: TSystemExplorerCheck
  OldCreateOrder = False
  DisplayName = 'SystemExplorerCheck'
  OnContinue = ServiceContinue
  OnPause = ServiceStop
  OnStart = ServiceStart
  OnStop = ServiceStop
  Left = 214
  Top = 104
  Height = 150
  Width = 215
end