Archive for the ‘Windows 7’ Category

Robust File and Folder Copy.

By default Robocopy will only copy a file if the source and destination have different time stamps or different file sizes.



ROBOCOPY Source_folder Destination_folder [files_to_copy] [options]



file(s)_to_copy : A list of files or a wildcard.

(defaults to copying *.*)


  Source options

/S : Copy Subfolders.

/E : Copy Subfolders, including Empty Subfolders.

/COPY:copyflag[s] : What to COPY (default is /COPY:DAT)

(copyflags : D=Data, A=Attributes, T=Timestamps

S=Security=NTFS ACLs, O=Owner info, U=aUditing info).

/SEC : Copy files with SECurity (equivalent to /COPY:DATS).

/DCOPY:T : Copy Directory Timestamps. ##

/COPYALL : Copy ALL file info (equivalent to /COPY:DATSOU).

/NOCOPY : Copy NO file info (useful with /PURGE).


/A : Copy only files with the Archive attribute set.

/M : like /A, but remove Archive attribute from source files.

/LEV:n : Only copy the top n LEVels of the source tree.


/MAXAGE:n : MAXimum file AGE – exclude files older than n days/date.

/MINAGE:n : MINimum file AGE – exclude files newer than n days/date.

(If n < 1900 then n = no of days, else n = YYYYMMDD date).


/FFT : Assume FAT File Times (2-second date/time granularity).

/256 : Turn off very long path (> 256 characters) support.


Copy options

/L : List only – don’t copy, timestamp or delete any files.

/MOV : MOVe files (delete from source after copying).

/MOVE : Move files and dirs (delete from source after copying).


/Z : Copy files in restartable mode (survive network glitch).

/B : Copy files in Backup mode.

/ZB : Use restartable mode; if access denied use Backup mode.

/IPG:n : Inter-Packet Gap (ms), to free bandwidth on slow lines.


/R:n : Number of Retries on failed copies – default is 1 million.

/W:n : Wait time between retries – default is 30 seconds.

/REG : Save /R:n and /W:n in the Registry as default settings.

/TBD : Wait for sharenames To Be Defined (retry error 67).


Destination options


/A+:[RASHCNET] : Set file Attribute(s) on destination files + add.

/A-:[RASHCNET] : UnSet file Attribute(s) on destination files – remove.

/FAT: Create destination files using 8.3 FAT file names only.


/CREATE: CREATE directory tree structure + zero-length files only.

/DST: Compensate for one-hour DST time differences ##

/PURGE: Delete dest files/folders that no longer exist in source.

/MIR: MIRror a directory tree – equivalent to /PURGE plus all subfolders (/E)


Logging options

/L: List only – don’t copy, timestamp or delete any files.

/NP: No Progress – don’t display % copied.

/LOG:file : Output status to LOG file (overwrite existing log).

/UNILOG:file : Output status to Unicode Log file (overwrite) ##

/LOG+:file : Output status to LOG file (append to existing log).

/UNILOG+:file : Output status to Unicode Log file (append) ##

/TS : Include Source file Time Stamps in the output.

/FP : Include Full Pathname of files in the output.

/NS : No Size – don’t log file sizes.

/NC : No Class – don’t log file classes.

/NFL : No File List – don’t log file names.

/NDL : No Directory List – don’t log directory names.

/TEE : Output to console window, as well as the log file.

/NJH : No Job Header.

/NJS : No Job Summary.


 Repeated Copy Options

/MON:n : MONitor source; run again when more than n changes seen.

/MOT:m : MOnitor source; run again in m minutes Time, if changed.


/RH:hhmm-hhmm : Run Hours – times when new copies may be started.

/PF : Check run hours on a Per File (not per pass) basis.


 Job Options

/JOB:jobname : Take parameters from the named JOB file.

/SAVE:jobname : SAVE parameters to the named job file

/QUIT : QUIT after processing command line (to view parameters).

/NOSD : NO Source Directory is specified.

/NODD : NO Destination Directory is specified.

/IF : Include the following Files.


Advanced options you’ll probably never use

/EFSRAW : Copy any encrypted files using EFS RAW mode. ##

/MT[:n] : Multithreaded copying, n = no. of threads to use (1-128) ###

default = 8 threads, not compatible with /IPG and /EFSRAW

The use of /LOG is recommended for better performance.


/SECFIX : FIX file SECurity on all files, even skipped files.

/TIMFIX : FIX file TIMes on all files, even skipped files.


/XO : eXclude Older – if destination file exists and is the same date or newer than the source – don’t bother to overwrite it.

/XC | /XN : eXclude Changed | Newer files

/XL : eXclude “Lonely” files and dirs (present in source but not destination)

This will prevent any new files being added to the destination.

/XX : eXclude “eXtra” files and dirs (present in destination but not source)

This will prevent any deletions from the destination. (this is the default)


/XF file [file]… : eXclude Files matching given names/paths/wildcards.

/XD dirs [dirs]… : eXclude Directories matching given names/paths.

XF and XD can be used in combination  e.g.

ROBOCOPY c:\source d:\dest /XF *.doc *.xls /XD c:\unwanted /S


/IA:[RASHCNETO] : Include files with any of the given Attributes

/XA:[RASHCNETO] : eXclude files with any of the given Attributes

/IS : Include Same, overwrite files even if they are already the same.

/IT : Include Tweaked files.

/XJ : eXclude Junction points. (normally included by default).


/MAX:n : MAXimum file size – exclude files bigger than n bytes.

/MIN:n : MINimum file size – exclude files smaller than n bytes.

/MAXLAD:n : MAXimum Last Access Date – exclude files unused since n.

/MINLAD:n : MINimum Last Access Date – exclude files used since n.

(If n < 1900 then n = n days, else n = YYYYMMDD date).


/BYTES : Print sizes as bytes.

/X : Report all eXtra files, not just those selected & copied.

/V : Produce Verbose output log, showing skipped files.

/ETA : Show Estimated Time of Arrival of copied files.

## = New Option in Vista (XP027) all other options are valid for the XP version of Robocopy (XP010)

### = New Option in Windows 7 and Windows 2008 R2




File Attributes [RASHCNETO]


R – Read only

A – Archive

S – System

H – Hidden

C – Compressed

N – Not content indexed

E – Encrypted

T – Temporary

O – Offline

If either the source or the destination is a "quoted long foldername", do not include a trailing backslash, as this will be treated as an escape character, i.e. "C:\some path\" will fail but "C:\some path\\" or "C:\some path\." or "C:\some path" will work.
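Why the trailing backslash breaks a quoted path, as an added example (not code from the original page): a small Python model of the Microsoft C runtime's backslash-and-quote rules, which Robocopy is assumed to follow when it splits its command line. The function names and the D:\dest destination are made up for the illustration.

```python
def split_windows_cmdline(cmdline):
    """Split a command line the way the Microsoft C runtime does (simplified).

    Backslashes are literal unless a run of them ends at a double quote:
      2n backslashes + quote   -> n backslashes, the quote opens/closes quoting
      2n+1 backslashes + quote -> n backslashes and a literal quote character
    """
    args, cur = [], []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:
                    cur.append('"')          # escaped quote: quoting stays open
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * run)       # ordinary path separators
                i = j
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def quote_dir(path):
    """Quote a folder path, doubling trailing backslashes so they survive."""
    trailing = len(path) - len(path.rstrip("\\"))
    return '"' + path + "\\" * trailing + '"'


if __name__ == "__main__":
    for cmd in (
        r'ROBOCOPY "C:\some path\" D:\dest /MIR',   # source swallows the rest
        r'ROBOCOPY "C:\some path\\" D:\dest /MIR',
        r'ROBOCOPY "C:\some path\." D:\dest /MIR',
        r'ROBOCOPY "C:\some path" D:\dest /MIR',
    ):
        print(split_windows_cmdline(cmd))
```

In the first case the source argument absorbs the destination and the /MIR switch, so the tool never sees the options that were typed.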


By copying only the files that have changed, robocopy can be used to backup very large volumes.


ROBOCOPY will accept UNC pathnames including UNC pathnames over 256 characters long.


/REG Writes to the registry at HKCU\Software\Microsoft\ResKit\Robocopy


/XX (exclude extra) If used in conjunction with /Purge or /Mir, this switch will take precedence and prevent any files being deleted from the destination.


To limit the network bandwidth used by robocopy, specify the Inter-Packet Gap parameter /IPG:n

This will send packets of 64 KB each followed by a delay of n Milliseconds.


Open Files


Robocopy will fail to copy files that are locked by other users or applications, so limiting the number of retries with /R:0 will speed up copying by skipping any in-use files. The Windows Volume Shadow Copy service is the only Windows subsystem that can copy open files. Robocopy does not use the Volume Shadow Copy service, but it can backup a volume shadow that has already been created with VSHADOW or DISKSHADOW.




All versions of Robocopy will copy security information (ACLs) for directories. Version XP010 will not copy file security changes unless the file itself has also changed, which greatly improves performance.


/B (backup mode) will allow Robocopy to override file and folder permission settings (ACLs).


ERROR 5 (0x00000005) Changing File Attributes … Access is denied

This error usually means that File/Folder permissions or Share permissions on either the source or the destination are preventing the copy. Either change the permissions or run the command in backup mode with /B.


Running ROBOCOPY under a non-administrator account requires the backup files privilege; copying security information also requires the auditing privilege. You also need at least read access to the files and folders.




Robocopy is a standard command in Windows 7 and above. The Windows Server 2003 Resource Kit Tools include Robocopy XP010, which can be run on NT 4/ Windows 2000. Robocopy does not run on Windows 95, or NT 3.5. (RoboCopy is a Unicode application).


Robocopy ‘Jobs’ and the ‘MOnitor source’ option provide an alternative to setting up a Scheduled Task to run a batchfile with a RoboCopy command.




Copy files from one server to another including subfolders (/S)

If this command is run repeatedly it will skip any files already in the destination, however it is not a true mirror as any files deleted from the source will remain in the destination.


ROBOCOPY \\Server1\reports \\Server2\backup *.doc /S

List files over 32 MBytes in size:


ROBOCOPY C:\work C:\destination /MIN:33554432 /L

Move files over 14 days old: (note the MOVE option will fail if any files are open and locked.)


ROBOCOPY C:\work C:\destination /move /minage:14

Backup a Server:

The script below copies data from FileServ1 to FileServ2; the destination holds a full mirror along with file security info. When run regularly to synchronize the source and destination, robocopy will only copy those files that have changed (change in time stamp or size).





SET _source=\\FileServ1\e$\users

SET _dest=\\FileServ2\e$\BackupUsers

SET _what=/COPYALL /B /SEC /MIR
:: /COPYALL :: COPY ALL file info
:: /B :: copy files in Backup mode.
:: /SEC :: copy files with SECurity
:: /MIR :: MIRror a directory tree

SET _options=/R:0 /W:0 /LOG:MyLogfile.txt /NFL /NDL
:: /R:n :: number of Retries
:: /W:n :: Wait time between retries
:: /LOG :: Output log file
:: /NFL :: No file logging
:: /NDL :: No dir logging

ROBOCOPY %_source% %_dest% %_what% %_options%
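With /R:0 the backup script skips any file it cannot copy, so the log is the only record of what was left out. The following is an added example (not part of the original post) that scans such a log for the ERROR lines discussed under "ERROR 5" and "Open Files" and groups the affected paths by error code. The sample log is constructed, its user and file names are invented, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of MyLogfile.txt after a run with /R:0 /W:0 /NFL /NDL.
SAMPLE_LOG = r"""
2011/03/01 02:00:07 ERROR 5 (0x00000005) Changing File Attributes \\FileServ2\e$\BackupUsers\alice\
Access is denied.

2011/03/01 02:00:09 ERROR 32 (0x00000020) Copying File \\FileServ1\e$\users\bob\mail.pst
The process cannot access the file because it is being used by another process.

2011/03/01 02:00:10 ERROR 32 (0x00000020) Copying File \\FileServ1\e$\users\carol\ledger.xls
The process cannot access the file because it is being used by another process.
"""

# "ERROR <code> (0x<hex>) <operation> <path>", the path being UNC or drive-based.
ERROR_RE = re.compile(
    r"ERROR (?P<code>\d+) \(0x(?P<hex>[0-9A-Fa-f]{8})\) "
    r"(?P<op>.+?) (?P<path>(?:\\\\|[A-Za-z]:\\).*)$",
    re.MULTILINE,
)

# Remedies taken from the text of the page; 32 is the Win32 sharing violation
# that a locked (in-use) file produces.
ADVICE = {
    5: "access denied: fix file/folder or share permissions, or run in backup mode with /B",
    32: "file in use: copy from a volume shadow created with VSHADOW or DISKSHADOW",
}


def failures_by_code(log_text):
    """Return {error_code: [(operation, path), ...]} for every ERROR line."""
    found = defaultdict(list)
    for m in ERROR_RE.finditer(log_text):
        code = int(m["code"])
        if code != int(m["hex"], 16):
            continue  # decimal and hex disagree: not a genuine error line
        found[code].append((m["op"], m["path"]))
    return dict(found)


def triage(log_text):
    """Return [(code, number_of_paths, advice)] sorted by error code."""
    report = []
    for code, items in sorted(failures_by_code(log_text).items()):
        advice = ADVICE.get(code, "not covered here: look up the Win32 error code")
        report.append((code, len(items), advice))
    return report


if __name__ == "__main__":
    for code, count, advice in triage(SAMPLE_LOG):
        print(f"ERROR {code}: {count} path(s) not backed up -> {advice}")
```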


Run two robocopy jobs at the same time with START /Min


Start /Min "Job one" Robocopy \\FileServA\C$\Database1 \\FileServeBackupA\c$\Backups

Start /Min "Job two" Robocopy \\FileServB\C$\Database2 \\FileServeBackupB\c$\Backups





Summary:  Group Policy application seems straightforward enough: Group Policy Objects (GPOs) are linked to organizational units (OUs); users and computers are in OUs. All the GPOs from a user’s OU hierarchy filter down to the user.

Things get more complicated, though, when you remember that GPOs can be linked to a domain and to sites—meaning you’ll have to open a whole new console to see what’s going on. You also have to consider local security policies, which exist solely on the client computer and are applied before any domain-based policies arrive. Throw in options such as Block Policy Inheritance, No Override, and loopback processing, and it’s no wonder why there’s such a robust market for third-party GPO tools. However, with some patience and a methodology, you can do quite a bit of quality troubleshooting on your own.

Start from Scratch

Too many administrators try to start at the top, working their way down the hierarchy of GPOs and figuring out which ones apply. That method is time-consuming, error-prone, and just plain boring. It’s a lot easier to start at the bottom—the client—and work your way up the tree. Windows XP’s Gpresult tool, for example, is a great troubleshooting tool. Run from the command line, it will tell you which groups the current user is a member of (which can affect GPO application), and give you a list of every GPO that is currently affecting the user. You’ll also see the last time that GPOs were applied to the computer. What Gpresult is displaying is called resultant set of policy (RSOP). It sorts through all the blocked inheritance, no overrides, and conflicting policies to sort out exactly which policies are being applied.

By default, Gpresult doesn’t show you which individual policies are applied or what they are set to; because GPOs successively overwrite one another as they are applied, you can still be left with a troubleshooting task to figure out which of the GPOs listed is responsible for the settings you’re seeing. Fortunately, Gpresult has a “superverbose” mode, enabled by running

Gpresult /z

This mode not only displays which GPOs have been applied, but lists every single policy that’s enabled in each GPO, allowing you to see which GPO modified which setting, and which GPO finally won out in the end. Figure 36.1 shows a portion of Gpresult’s superverbose output. In this example, the GPO being applied is Local Group Policy, and you can see exactly which registry keys each setting is modifying.

Superverbose mode also breaks down the user and computer policies, allowing you to see every setting that is affecting the current users or their machines.

Here is a quick reference you can use to determine which tools to use to help locate and resolve problems with your AD network.

Q: User unable to access network resources?

Is the network functioning at all? Can you view a list of networked systems or even access resources on other computers? If not, you have network connectivity problems. The troubleshooting tools you should start with include: Event Viewer, Ping, IPCONFIG, NLTEST, NetDiag and Network Monitor.

Q: User unable to locate resources by name?

Is name resolution functioning? Can you resolve NetBIOS or domain names into IP addresses using Windows Explorer or PING? If not, you have name resolution service problems. The troubleshooting tools you should start with include: Event Viewer, NSLOOKUP, NBTSTAT and DNSCMD.

Q: User unable to log in and obtain its roaming profile?

If not, your DC is having problems. The troubleshooting tools you should start with include: Event Viewer, DCDiag, DSASTAT and NTDSUTIL.

Q: User is unable to authenticate?

Can any client log on locally or remotely? If not, your DC is not authenticating properly. The troubleshooting tools you should start with include: Event Viewer and NetSetup.

Q: User unable to access resources as expected?

Can you access objects that you should be granted access to, and are you restricted from objects that you should not have access to? If not, then either the ACLs or DC is not functioning properly. The troubleshooting tools you should start with include: Event Viewer, DSACLS, NETDOM and SDCHECK.


A firewall is an important component of a larger overall security strategy. Windows 7 comes with a built-in firewall that’s turned on and working from the moment you first start your computer.


The firewall is automatically configured to prevent unsolicited Internet traffic from getting into your computer, thereby protecting you from worms and other hack attempts. The Windows 7 firewall also provides advanced options for professional network and security administrators who need more granular control over its behavior. In Detail:


  • Exceptions in Windows Firewall are programs that are allowed to work through the firewall.
  • A firewall will not protect your computer from viruses, pop-up ads, or junk e-mail.
  • A firewall protects your computer from unsolicited network traffic, which is a major cause of worms and other hack attempts.
  • When you start an Internet program that needs access to the Internet through a closed port, you’ll be given a security alert with options to Unblock, or Keep Blocking, the port. You must choose Unblock to use that program.
  • Windows Firewall is one of the programs in the Security Center. To open Security Center, click the Start button and choose Control Panel ➪ Security ➪ Security Center.
  • You don’t need to configure the firewall to use standard Internet services such as the Web and e-mail. Those will work through the firewall automatically.
  • Professional network and security administrators can configure Windows Firewall through the Windows Firewall with Advanced Security console in Administrative Tools.
  • From the Start menu, you can search on the keyword fire to get to Windows Firewall configuration options.

To understand what a firewall is, you need to first understand what a network connection is. Even though you have only one skinny set of wires connecting your computer to the Internet (through a phone line or cable outlet), that connection actually consists of 65,535 ports. Each port can simultaneously carry on its own conversation with the outside world. So, theoretically, you could have 65,535 things going on at a time. Of course, nobody ever has that much going on all at one time. A handful of ports are more like it.

The ports are divided into two categories: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP is generally used to send text and pictures (Web pages and e-mail), and includes some error checking to make sure all the information that’s received by a computer matches what the sending computer sent. UDP works more like broadcast TV or radio, where the information is just sent out and there is no error checking. UDP is generally used for real-time communications, such as voice conversations and radio broadcasts sent over the Internet.

Each port has two directions: incoming and outgoing. The direction is in relation to stuff coming into your computer from the outside: namely the Internet. It’s the stuff coming into your computer that you have to watch out for. But you can’t close all ports to all incoming traffic. If you did, there’d be no way to get the good stuff in. But you don’t want to let everything in.

Antispyware and antivirus software are good tools for keeping out viruses and other bad things that are attached to files coming into your computer. But hackers can actually sneak worms and other bad things in through unprotected ports without involving a file in the process. That’s where the firewall comes into play. A stateful firewall, such as the one that comes with Windows 7, keeps track of everything you request. When traffic from the Internet wants to come in through a port, the firewall checks to make sure the traffic is something you requested. If it isn’t, the firewall assumes this is a hacker trying to sneak something in without your knowing it, and therefore prevents the traffic from entering your computer.
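The request tracking described above, as an added example (not part of the original post and not how Windows Firewall is implemented): a toy Python filter that remembers outgoing requests and admits incoming traffic only when it answers one of them or targets a configured exception. Modelling an exception as a protocol and local port, the 60-second idle timeout and all addresses and ports are assumptions made for the illustration.

```python
class StatefulFilter:
    """Toy model of a stateful firewall protecting a single computer."""

    def __init__(self, exceptions=(), idle_timeout=60.0):
        self.exceptions = set(exceptions)   # {(proto, local_port)} allowed in
        self.idle_timeout = idle_timeout    # seconds a request stays remembered
        self.requests = {}                  # flow -> time it was last seen

    def outbound(self, proto, local_port, remote_ip, remote_port, now):
        """Record a request made by this computer; outgoing traffic is allowed."""
        self.requests[(proto, local_port, remote_ip, remote_port)] = now

    def inbound(self, proto, remote_ip, remote_port, local_port, now):
        """Decide what to do with a packet arriving from the network."""
        key = (proto, local_port, remote_ip, remote_port)
        last_seen = self.requests.get(key)
        if last_seen is not None:
            if now - last_seen <= self.idle_timeout:
                self.requests[key] = now    # conversation is still active
                return "allow (reply to a request this computer made)"
            del self.requests[key]          # request is too old to trust
        if (proto, local_port) in self.exceptions:
            return "allow (exception)"
        return "block (unsolicited)"


def demo():
    """Run constructed traffic through the filter and return the verdicts."""
    fw = StatefulFilter(exceptions={("TCP", 8080)}, idle_timeout=60.0)
    # The computer asks a web server (documentation address) for a page.
    fw.outbound("TCP", 49152, "203.0.113.5", 80, now=0.0)
    return [
        fw.inbound("TCP", "203.0.113.5", 80, 49152, now=0.2),     # the answer
        fw.inbound("TCP", "198.51.100.7", 80, 49152, now=0.3),    # other host, same port
        fw.inbound("TCP", "198.51.100.7", 40000, 445, now=0.4),   # nobody asked for this
        fw.inbound("TCP", "198.51.100.7", 40001, 8080, now=0.5),  # program on the exception list
        fw.inbound("TCP", "203.0.113.5", 80, 49152, now=120.0),   # request long forgotten
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```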

This is commonly referred to as the Blue Screen of Death (BSOD). It doesn’t mean your computer is permanently broken. A frequent cause of this problem is a device driver that doesn’t work with Windows 7.


If you recently connected or installed a new hardware device, disconnect or uninstall it. Then start the computer again. That’s your best bet. If you still get the Blue Screen of Death, you’ll likely have to boot to Safe Mode and disable the device through Device Manager. This is not the sort of thing the average user normally does. This is more the kind of thing that a professional would handle.


If the error persists, look for an error number on the Blue Screen of Death page. It will most likely start with the characters 0x. Jot that number down on a sheet of paper. Then, if you can get online through another computer, go to Microsoft’s sites or your favorite online search site (such as Google) and search for that number. You might find a page that offers an exact solution to that problem.


If you can get online through another computer, you might also consider posting a question at the Windows Communities site. Be sure to include the error number in your post. You might find someone who has already experienced and solved that very problem.

In this section, we’ll discuss the registry keys that are used for power management. You may edit any of them using one of the registry editors.

Note: Changing registry entries responsible for power management won’t have an immediate effect. Windows only reads settings from the registry when you log on, when you click OK in Control Panel, or when a Powerprof.dll function is called on to read the registry.

The registry keys used for power management are listed below.

  • HKCU\AppEvents\EventLabels\LowBatteryAlarm – descriptive name of a low battery-power-alarm event
  • HKCU\AppEvents\EventLabels\CriticalBatteryAlarm – descriptive name of a critical battery-power-alarm event
  • HKCU\AppEvents\Schemes\Apps\PowerCfg\LowBatteryAlarm\.Current, HKCU\AppEvents\Schemes\Apps\PowerCfg\LowBatteryAlarm\.Default, HKCU\AppEvents\Schemes\Apps\PowerCfg\CriticalBatteryAlarm\.Current, HKCU\AppEvents\Schemes\Apps\PowerCfg\CriticalBatteryAlarm\.Default – filenames of the WAV files that will play for the low and critical power-alarm events
  • HKCU\Control Panel\PowerCfg\CurrentPowerPolicy – index of current user and machine power policy
  • HKCU\Control Panel\PowerCfg\GlobalPowerPolicy\Policies – the user global power policy (binary encoded data)
  • HKCU\Control Panel\PowerCfg\PowerPolicies\n\Name – name of power scheme n, where n = 0, 1, 2, etc.
  • HKCU\Control Panel\PowerCfg\PowerPolicies\n\Description – descriptive string for power scheme n, where n = 0, 1, 2, etc.
  • HKCU\Control Panel\PowerCfg\PowerPolicies\n\Policies – user power policy n, where n = 0, 1, 2, etc. (binary encoded data)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\LastID – index of the last power policy in the lists of user and machine power policies (for example, if there are six user power policies and six machine power policies in the registry, the value of this key is 5)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\DiskSpinDownMax – the maximum disk spin-down time that Control Panel will allow the user to set
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\DiskSpinDownMin – the minimum disk spin-down time that Control Panel will allow the user to set
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\GlobalPowerPolicy\Policies – the machine global power policy (binary encoded data)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\n\Policies – machine power policy n, where n = 0, 1, 2, etc. (binary encoded data)

Power management configuration in Windows 2000, Windows XP, and Windows Server 2003 is based on the concept of power schemes. A power scheme is a group of preset power options that are passed to the Power Policy Manager component of the operating system to control the machine’s power-management behavior.

Each power scheme consists of a global power-policy structure and a power-policy structure.

  • Global power-policy structures contain preset power options that are global across all power schemes.
  • Non-global power-policy structures contain power options that are unique to a particular power scheme.

These power-policy structures are further divided into machine structures and user structures.

  • Values in machine structures are stored in the HKEY_LOCAL_MACHINE registry key, and none of these values are exposed in the user interface. For example, you can’t set any of these values using the Power Options applet in the Control Panel.
  • Values in user structures are stored in the HKEY_CURRENT_USER registry key and some of these values are displayed in the user interface. Some of these parameters can be set using the Power Options applet in Control Panel.

The data structures defining power management policy are listed below:

  • GLOBAL_POWER_POLICY – used to manage global power policies. This structure contains the data common to all power schemes. This structure is a container for a GLOBAL_USER_POWER_POLICY structure and a GLOBAL_MACHINE_POWER_POLICY structure, which contain elements that are read from and written to the registry.
  • GLOBAL_MACHINE_POWER_POLICY – this structure is a part of the GLOBAL_POWER_POLICY structure. It contains the data common to all power schemes and users. The elements in this structure are read from and written to the HKLM key in the registry.
  • GLOBAL_USER_POWER_POLICY – this structure is a part of the GLOBAL_POWER_POLICY structure. It contains the data common to all power schemes for the user. The elements in this structure are read from and written to the HKCU key in the registry.
  • POWER_POLICY – used to manage non-global power policies. This structure contains the data unique to each power scheme. This structure is a container for the USER_POWER_POLICY and MACHINE_POWER_POLICY structures that contain the elements to be read from and written to the registry. There is one POWER_POLICY structure for each power scheme on a machine.
  • MACHINE_POWER_POLICY – this structure is a part of the POWER_POLICY structure. It contains the data unique to each power scheme, but common to all users. The elements in this structure are read from and written to the HKLM key in the registry.
  • USER_POWER_POLICY – this structure is a part of the POWER_POLICY structure. It contains the data unique to each user and power scheme. The elements in this structure are read from and written to the HKCU key in the registry.

Malware – The generic term used for all forms of software designed with malicious intent. Viruses, worms, spyware etc. are all forms of malware. The term virus is often used when malware should really be used as it describes all forms of malicious software.

Virus – A computer virus acts very much like a human virus. Computer viruses are spread, via thumb drives, floppy discs, network connections etc., to other PCs. Viruses need a host (like a free screensaver program) to spread. By pure definition: a virus has the ability to spread itself, via a host, to other computers.

Worm – A worm is much like a virus. The key difference is that worms can spread between PCs without a host (free screensaver program, downloaded game etc.). These programs rely on computer networks and usually damage files and slow down networks in their path.

Trojan horse (Trojan) – A Trojan horse is a seemingly harmless program that looks to provide value. However, just as in Greek mythology, a Trojan horse has a secret agenda and acts as a backdoor to your computer. This backdoor can be accessed by a hacker to compromise your PC. Trojan horses are not self-replicating and spread due to users installing them manually on their PC.

Privacy-invasive software – A formal term used to describe software that invades your privacy. This software comes in different forms including spyware and adware.

Spyware – Spyware tracks a user’s activity by monitoring browsing habits and keyboard activity and can even take screenshots while you use your PC. This information is sent back to the creator or beneficiary of the spyware. Signs of spyware include: modified browser homepages, slow internet, and suspicious looking sites in place of legitimate sites (for example: banking sites.)

Adware – Like spyware, adware is software that may track visited websites and act as a key logger. Adware tracks this information to automatically display downloaded or installed adverts to a user. You may wonder why you are being offered “PC Super Anti Spyware 2011” when using your PC; this is adware at work. AIM, FlashGet, Daemon Tools, and RealPlayer are all examples of adware.

Backdoor – A backdoor is a point of access to a computer that does not require authentication. An unlocked house back door gives access to an otherwise secure home; a computer backdoor allows access to your PC without your knowledge or permission.

Key logger – Key loggers are used to monitor keyboard activity on a PC. These can be software-based (bundled with Trojan horses, adware, and spyware) or hardware-based (between the keyboard cable and the PC, acoustic etc.) Usually this information is retrieved across a local network, the internet, or from the physical device connected to the keyboard.

Firewall – A firewall both permits and blocks access to a network or PC. Firewalls are included with popular security software (e.g. AVG Internet Security and ESET Smart Security) and limit communication between your PC and devices that are not authorized to communicate with you.

Windows Firewall – Comes bundled with Windows XP, Vista, and 7. This is a great solution; however, due to a lack of comprehensive definition updates, Windows Firewall is not completely effective in blocking threats and allowing safe connections.

Antimalware / Antivirus / Antispyware – Software designed to remove or block malware (e.g. AVG Internet Security and ESET Smart Security.)

One of the most common questions about system processes is: what is svchost.exe, and why are there so many of these processes running? First appearing in Windows XP, svchost.exe hosts multiple services within one process. This lets the operating system save memory and reduce process overhead by cutting down on the number of processes that need to be running.

Every system service such as Windows Update, Event Log, Terminal Services, Audio Service, etc. runs within svchost.exe.  Depending on the access the services need, they are grouped together and are run in a number of processes which explains why you see so many in Task Manager running under different accounts such as System, Local Service and Network Service.

Identifying what services are running is different depending on the version of Windows you have.

Windows XP

In Windows XP at a command prompt run:

tasklist /svc

The tasklist utility will show you what services are running under each svchost.exe process.
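To turn that listing into something you can query, here is an added example (not part of the original post) that parses the text printed by tasklist /svc, including service lists that wrap onto a second line, and maps each svchost.exe PID to the services it hosts. The sample output is constructed with invented PIDs, the function names are hypothetical, and treating a svchost.exe entry with no services as worth a closer look is a heuristic added here, not a statement from the page.

```python
import re

# Constructed sample in the layout printed by "tasklist /svc".
SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    612 DcomLaunch, PlugPlay, Power
svchost.exe                    704 RpcEptMapper, RpcSs
svchost.exe                   1012 BITS, Browser, EapHost, IKEEXT, iphlpsvc,
                                   LanmanServer, Schedule, wuauserv
explorer.exe                  2104 N/A
svchost.exe                   3344 N/A
"""

# Image names may contain spaces ("System Idle Process"), so the image part is
# greedy: the PID is the last standalone number before the services column.
# Assumes service names themselves contain no spaces.
ROW = re.compile(r"^(?P<image>\S.*)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def _split_services(field):
    """Turn 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means no services."""
    names = [name.strip() for name in field.split(",")]
    return [name for name in names if name and name != "N/A"]


def parse_tasklist_svc(text):
    """Return a list of {'image', 'pid', 'services'} dicts, one per process."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: the previous row's service list wrapped.
            if procs:
                procs[-1]["services"] += _split_services(line)
            continue
        match = ROW.match(line)
        if match:  # the header and the ===== ruler do not match and are skipped
            procs.append({
                "image": match["image"].strip(),
                "pid": int(match["pid"]),
                "services": _split_services(match["services"]),
            })
    return procs


def services_by_svchost(procs):
    """Map each svchost.exe PID to the services running inside it."""
    return {p["pid"]: p["services"] for p in procs
            if p["image"].lower() == "svchost.exe"}


def svchost_without_services(procs):
    """PIDs named svchost.exe that host nothing (heuristic: look closer)."""
    return [pid for pid, services in services_by_svchost(procs).items()
            if not services]


if __name__ == "__main__":
    processes = parse_tasklist_svc(SAMPLE)
    for pid, services in services_by_svchost(processes).items():
        print(pid, ", ".join(services) or "(no services)")
    print("check:", svchost_without_services(processes))
```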

Windows Vista and Windows 7

Task manager in Windows Vista and Windows 7 has been enhanced so you can easily see what services are running inside a host process such as svchost.exe.

Click on the Start Button, type in taskmgr and hit Enter. When task manager loads, click on the Processes tab and click Show processes from all users to see all of the svchost.exe processes. Then, right click on a svchost.exe process and select Go to Service(s). You will be taken to the Services tab with all services running in that process highlighted.

All Versions of Windows

Microsoft Sysinternals has a great free utility called Process Explorer that is like a task manager on steroids. It works on all versions of Windows and allows you to easily see services running inside of svchost.exe. Once you have it running, right-click on any process and select Properties. Then click on the Services tab and you will see all services running inside the host process.