SVCHOST_GLOBAL_DATA

This structure is available to service DLLs running in a SVCHOST process. It is instantiated in SVCHOST.EXE and is communicated to service DLLs when SVCHOST calls their SvchostPushServiceGlobals function before calling their ServiceMain function.

Definition 

typedef struct _SVCHOST_GLOBAL_DATA {
    PSID NullSid;                               // S-1-0-0
    PSID WorldSid;                              // S-1-1-0
    PSID LocalSid;                              // S-1-2-0
    PSID NetworkSid;                            // S-1-5-2
    PSID LocalSystemSid;                        // S-1-5-18
    PSID LocalServiceSid;                       // S-1-5-19
    PSID NetworkServiceSid;                     // S-1-5-20
    PSID BuiltinDomainSid;                      // S-1-5-32
    PSID AuthenticatedUserSid;                  // S-1-5-11
    PSID AnonymousLogonSid;                     // S-1-5-7
    PSID AliasAdminsSid;                        // S-1-5-32-544
    PSID AliasUsersSid;                         // S-1-5-32-545
    PSID AliasGuestsSid;                        // S-1-5-32-546
    PSID AliasPowerUsersSid;                    // S-1-5-32-547
    PSID AliasAccountOpsSid;                    // S-1-5-32-548
    PSID AliasSystemOpsSid;                     // S-1-5-32-549
    PSID AliasPrintOpsSid;                      // S-1-5-32-550
    PSID AliasBackupOpsSid;                     // S-1-5-32-551
    LPSTART_RPC_SERVER StartRpcServer;
    LPSTOP_RPC_SERVER StopRpcServer;
    LPSTOP_RPC_SERVER_EX StopRpcServerEx;
    LPNET_BIOS_OPEN NetBiosOpen;
    LPNET_BIOS_CLOSE NetBiosClose;
    LPNET_BIOS_RESET NetBiosReset;
    #if (_WIN32_WINNT == _WIN32_WINNT_WINXP && NTDDI_VERSION >= NTDDI_WINXPSP2) \
        || (_WIN32_WINNT == _WIN32_WINNT_WS03 && NTDDI_VERSION >= NTDDI_WS03SP1) \
        || _WIN32_WINNT >= _WIN32_WINNT_LONGHORN)
    LPREGISTER_STOP_CALLBACK RegisterStopCallback;
    #endif
} SVCHOST_GLOBAL_DATA;

Though the name SVCHOST_GLOBAL_DATA is known from Microsoft’s published symbol files, all other names are inventions, including the following type definitions for function pointers: 

typedef NTSTATUS (WINAPI *LPSTART_RPC_SERVER) (RPC_WSTR, RPC_IF_HANDLE);
typedef NTSTATUS (WINAPI *LPSTOP_RPC_SERVER) (RPC_IF_HANDLE);
typedef NTSTATUS (WINAPI *LPSTOP_RPC_SERVER_EX) (RPC_IF_HANDLE);

typedef VOID (WINAPI *LPNET_BIOS_OPEN) (VOID);
typedef VOID (WINAPI *LPNET_BIOS_CLOSE) (VOID);
typedef DWORD (WINAPI *LPNET_BIOS_RESET (UCHAR);

typedef DWORD (WINAPI *LPREGISTER_STOP_CALLBACK) (HANDLE *, PCWSTR, HANDLE, WAITORTIMERCALLBACK, PVOID, DWORD);

Members

Many of the members, from the start of the structure, are addresses of well-known SIDs. Though preparing these things is straightforward, it is a chore which is much better done once, i.e., by SVCHOST, for use by all.

Several members are addresses of functions which do things that may be wanted by more than one service DLL and are either convenient to have coded for common use or actually do need to be.

Availability

The SVCHOST_GLOBAL_DATA structure is prepared by SVCHOST version 5.1 and higher.

The RegisterStopCallback member is present in version 5.1 from Windows XP SP2, version 5.2 from Windows Server 2003 SP1, and higher. Note that a service DLL has no formal means to determine whether the structure extends as far as this member.

Microsoft does not formally document this structure or the function through which to find it—or, for that matter, how to write a service DLL to run under SVCHOST.

This page was created on 13th October 2008 and was last modified on 14th November 2008.

Copyright © 2008. Geoff Chappell. All rights reserved. Conditions apply.