Winternals: Defragmentation, Recovery, and Administration Field Guide

Example 3

Now let's look at another Autoruns service entry that is also loaded by svchost.exe, called stisvc. I will break down the Autoruns log entry as follows:

  • Registry Location: HKLM\SYSTEM\CurrentControlSet\Services\stisvc.

  • Service Name: stisvc.

  • Description: Provides image acquisition services for scanners and cameras.

  • Publisher: (Verified) Microsoft Corporation.

  • Image Path: C:\windows\system32\svchost.exe.

Here is the Autoruns log entry:

 + stisvc Provides image acquisition services for scanners and cameras. (Verified) Microsoft Windows Publisher c:\windows\system32\svchost.exe

The Autoruns log entry matches what appears on the display screen, except that a + (plus sign) precedes each entry under an autostart section that is not empty. This time we can skip the Autoruns step of figuring out the DLL filename and let Process Explorer tell us right away. To do that, I right-click the Autoruns entry labeled stisvc. In the context menu that opens, I select Process Explorer. In the Process Explorer Properties box, I click Services. stisvc differs from the previous example in that it is not one of a group of services but is the only service launched by this svchost. We find that the display name for the service is Windows Image Acquisition (WIA).

Next, I scroll to the right so that the path column is in view. I can see that Process Explorer identifies the filename as C:\Windows\System32\wiaservc.dll. Since I know the display name of the service is Windows Image Acquisition...
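
The same mapping from a svchost.exe Image Path to the DLL that implements the service can be read from the registry location listed above. The PowerShell below is an added example, not part of the book: the function name Get-SvchostServiceDll is hypothetical, and it assumes the DLL path is stored in a ServiceDll value under the service's Parameters subkey (falling back to the service key itself).

```powershell
# Added example: map svchost-hosted services to the DLL that implements them.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostServiceDll {   # hypothetical helper name
    param([string]$Name = '*')     # service key name, wildcards allowed

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        if ($key.PSChildName -notlike $Name) { continue }

        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Keep only entries whose Image Path is the generic service host.
        if ($svc.ImagePath -notmatch '\\svchost\.exe') { continue }

        # Assumption: ServiceDll is under Parameters; fall back to the service key.
        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        $dll = if ($params.ServiceDll) { $params.ServiceDll } else { $svc.ServiceDll }
        if (-not $dll) { continue }

        # In the log entry above the verified publisher is listed against
        # svchost.exe, so check the signature of the service DLL itself.
        $sig = if (Test-Path -LiteralPath $dll) { Get-AuthenticodeSignature -LiteralPath $dll }

        [pscustomobject]@{
            Service     = $key.PSChildName
            DisplayName = (Get-Service -Name $key.PSChildName -ErrorAction SilentlyContinue).DisplayName
            HostCommand = $svc.ImagePath
            ServiceDll  = $dll
            Signature   = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer      = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# The service from this example; omit -Name to list every svchost-hosted service.
Get-SvchostServiceDll -Name stisvc | Format-List
```

On older PowerShell versions, catalog-signed system DLLs can report NotSigned, so treat that status as a reason to look closer rather than as a verdict.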
