svchost.exe
#1
Scooby Regular, Thread Starter. Join Date: Oct 2002. Location: At Tescos Filling Up With 99 Octane!!! Posts: 4,313
Had the problems yesterday, cleared out, downloaded the patch and a firewall, and I keep getting messages that it has blocked application "generic host win 32 svchost.exe" or something like that, and "nt kernel and system". Is it the same thing trying again?
#4
This thing's getting worse by the second (everyone's coming down with it). And every new user is a would-be attacker for the next unlikely subject.
I'm getting at least 40 attempts a day (warning logs from firewall), saying port 135's had another attempt. It's constant.
Do a search for msblast.exe on your hard disk, as it leaves this file when it's off, and have a look at your running processes to see if there's an "svchost.exe" running without a corresponding username (it'll be blank). These are the first signs before you get the system shutdown warnings.
#5
It's probably not an exploit or anything else.
Search on Google for it. It's normal OS behaviour for svchost.exe to go out to the internet. It handles most of the networking of your PC for you.
Have a nosey at this or this to find out what it is and does.
There are some trojans that infect svchost.exe, but a virus scan should confirm it is/isn't one of those.
#6
Don't panic if you have a couple of instances of svchost.exe; it is part of the OS.
Instead of me trying to explain (badly) read this :
http://support.microsoft.com/default...NoWebContent=1
If you want to know what services svchost.exe is hosting when it's running, use a mini DOS util called tlist.exe, which comes with a resource kit.
Open a command prompt and type tlist -t, which will list all tasks running and the sub-tasks that svchost is hosting.
If you need tlist, I may be able to zip it & mail you.
#7
Foot_Tapper is correct in saying that having multiple copies of svchost.exe is normal, as this is XP and Win Server 2003's new "generic service hosting" process. Basically this process spawns a number of services, look in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
...to find out what can possibly get spawned.
Type the following from a command prompt (on XP, Win Server 2003):
tasklist /SVC /FI "IMAGENAME eq svchost.exe"
...to see what svchost.exe is currently hosting.
However, DSOTM is incorrect in saying it's normal for svchost.exe to try to connect to the Internet. This is definitely irregular behaviour.
#8
Really? I'm wrong.
Nice little extract from Outpost firewall FAQ
Personally, I'd call these protocols "normal" behaviour.
Should I allow or block SVCHOST?
We recommend to create the following rules for the svchost process. Please note that this will be okay for the majority of users but some will need to change it according to the services they use.
Allowing DHCP
Protocol: UDP
LocalPort: 68
RemotePort: 67
Direction: Inbound
AllowIt
Allowing HTTP connection
Protocol: TCP
RemotePort: 80
Direction: Outbound
AllowIt
Allowing HTTPS connection
Protocol: TCP
RemotePort: 443
Direction: Outbound
AllowIt
Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP
RemotePort: 1900
RemoteHost: 239.255.255.250
Direction: Inbound
DenyIt
Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: TCP
RemotePort: 5000
RemoteHost: 239.255.255.250
Direction: Inbound
DenyIt
Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP
RemotePort: 5000
RemoteHost: 239.255.255.250
Direction: Inbound
DenyIt
Blocking "Remote Procedure Call"
Protocol: TCP
Local port: 135
DenyIt
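To see what the rule set quoted above actually decides for real traffic, here is an added example (not from the post, the Outpost FAQ or Outpost itself) that encodes those seven rules as data and runs constructed connection attempts through them. The first-match, default-deny semantics, the sample events and the documentation-range addresses are all assumptions made for the illustration.

```python
"""Evaluate the Outpost-style svchost rules quoted in the post against sample
connection attempts. Added example: the first-match / default-deny semantics,
the sample events and the addresses are assumptions, not Outpost's own code."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    proto: str        # "tcp" or "udp"
    direction: str    # "in" or "out", relative to this PC
    local_port: int
    remote_port: int
    remote_host: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    proto: str
    direction: Optional[str] = None   # None: the post gives no direction, match either
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    remote_host: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        # A field left at None is a wildcard; anything else must match exactly.
        return (self.proto == ev.proto
                and self.direction in (None, ev.direction)
                and self.local_port in (None, ev.local_port)
                and self.remote_port in (None, ev.remote_port)
                and self.remote_host in (None, ev.remote_host))


# The rules exactly as the FAQ extract lists them, in that order.
SVCHOST_RULES = [
    Rule("Allow DHCP", "allow", "udp", "in", local_port=68, remote_port=67),
    Rule("Allow HTTP", "allow", "tcp", "out", remote_port=80),
    Rule("Allow HTTPS", "allow", "tcp", "out", remote_port=443),
    Rule("Block SSDP", "deny", "udp", "in", remote_port=1900, remote_host="239.255.255.250"),
    Rule("Block UPnP TCP", "deny", "tcp", "in", remote_port=5000, remote_host="239.255.255.250"),
    Rule("Block UPnP UDP", "deny", "udp", "in", remote_port=5000, remote_host="239.255.255.250"),
    Rule("Block RPC", "deny", "tcp", local_port=135),
]


def decide(ev: Event, rules=SVCHOST_RULES, default="deny"):
    """First matching rule wins; no match falls to `default` (assumed to be deny)."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action, rule.name
    return default, "default"


def tally_rpc_probes(events):
    """Count inbound TCP/135 attempts per source: the firewall-log entries post #4 describes."""
    return Counter(ev.remote_host for ev in events
                   if ev.proto == "tcp" and ev.direction == "in" and ev.local_port == 135)


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_EVENTS = [
    Event("udp", "in", 68, 67, "192.0.2.1"),           # DHCP offer from the router
    Event("tcp", "out", 1041, 443, "203.0.113.10"),    # Automatic Updates over HTTPS
    Event("tcp", "in", 135, 3071, "198.51.100.23"),    # RPC probe from a stranger
    Event("tcp", "in", 135, 3390, "198.51.100.23"),    # ...and again
    Event("tcp", "in", 135, 1822, "198.51.100.77"),
    Event("udp", "in", 1900, 1900, "239.255.255.250"), # SSDP multicast
    Event("tcp", "out", 1045, 135, "192.0.2.57"),      # this PC probing someone else's 135
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", decide(ev))
    print(tally_rpc_probes(SAMPLE_EVENTS))
```

The last sample event is the one worth noticing: the "Blocking Remote Procedure Call" rule only names the local port, so it stops strangers reaching this PC's port 135 but says nothing about this PC probing other people's port 135, which is exactly what post #4 says an infected machine starts doing. Under these assumed semantics that traffic only falls through to the default; with a prompting or default-allow firewall it would go out.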
#9
And just for complete clarity, these are the services/devices hosted by svchost.exe on a WinXP machine.
If you don't believe me, search HKLM\System\CurrentControlSet\Services in your registry for "svchost.exe"
Looking at the list, I would say there are a fair few there that would, without question, require network access to perform their correct function.
Windows Time, DHCP Client and DNS Client are just a few of the obvious ones.
Alerter
Application Management
Windows Audio
Background Intelligent Transfer Service
Computer Browser
Cryptographic Services
DHCP Client
Logical Disk Manager
DNS Client
Error Reporting Service
COM+ Event System
Fast User Switching Compatibility
Help and Support
Human Interface Device Access
Server (lanmanserver)
Workstation
TCP/IP NetBIOS Helper
Messenger
Network Connections
Network Location Awareness
Removable Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Routing and Remote Access
Remote Registry
COM Infrastructure
Task Scheduler
Secondary Logon
System Event Notification
Internet Connection Firewall (ICF)
Shell Hardware Detection
System Restore Service
SSDP Discovery Service
Windows Image Acquisition (WIA)
Telephony
Terminal Services
Themes
Distributed Link Tracking Client
Upload Manager
Universal Plug and Play Device Host
Windows Time
WebClient
Windows Management Instrumentation
Portable Media Serial Number Service
Windows Management Instrumentation Driver Extensions
Automatic Updates
Wireless Zero Configuration
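Posts #4, #7 and #9 between them describe a manual triage: run tasklist /SVC against svchost.exe, check the SvcHost registry key for what each instance is allowed to host, and look for an instance with no owning user name. The following is an added example (not code from any poster) that does that check over constructed input: a made-up sample of tasklist /SVC output in its real wrapped layout, a made-up PID-to-owner map as tasklist /V would report it, and an approximation of the SvcHost group key whose service memberships are an assumption rather than a registry dump. "FakeSvc" is a hypothetical name used only to exercise the unknown-service check.

```python
"""Triage svchost.exe instances as posts #4, #7 and #9 describe, from constructed
samples of `tasklist /SVC /FI "IMAGENAME eq svchost.exe"` output, a PID -> owner
map (as `tasklist /V` reports it) and the SvcHost group key. Added example; the
sample output, the owner map and the group contents are all constructed."""
import re

# Constructed: what tasklist /SVC prints on an XP box. Long service lists wrap
# onto indented continuation lines, which the parser has to stitch back together.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    940 RpcSs
svchost.exe                   1032 AudioSrv, BITS, CryptSvc, Dhcp, EventSystem,
                                   lanmanserver, lanmanworkstation, Schedule,
                                   SENS, W32Time, winmgmt, wuauserv
svchost.exe                   1100 Dnscache, LmHosts
svchost.exe                   1200 SSDPSRV, WebClient
svchost.exe                   1644 N/A
svchost.exe                   1702 FakeSvc
"""

# Constructed: PID -> "User Name" column of tasklist /V. 1644 has none (post #4's sign).
OWNERS = {940: "NT AUTHORITY\\SYSTEM", 1032: "NT AUTHORITY\\SYSTEM",
          1100: "NT AUTHORITY\\NETWORK SERVICE", 1200: "NT AUTHORITY\\LOCAL SERVICE",
          1644: "", 1702: "NT AUTHORITY\\SYSTEM"}

# Assumed approximation of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost:
# group name -> short names of the services it may host.
SVCHOST_GROUPS = {
    "rpcss": {"RpcSs"},
    "netsvcs": {"AudioSrv", "BITS", "CryptSvc", "Dhcp", "EventSystem", "lanmanserver",
                "lanmanworkstation", "Schedule", "SENS", "W32Time", "winmgmt", "wuauserv"},
    "NetworkService": {"Dnscache", "LmHosts"},
    "LocalService": {"SSDPSRV", "WebClient"},
}

_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")   # image name, PID, first services chunk


def _split(chunk):
    return [s.strip() for s in chunk.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return {pid: [service, ...]} from tasklist /SVC output; 'N/A' becomes []."""
    procs, pid = {}, None
    for line in text.splitlines()[2:]:          # skip the header and the ===== rule
        if not line.strip():
            continue
        if line[0].isspace():                   # wrapped continuation of the last record
            if pid is not None:
                procs[pid].extend(_split(line))
            continue
        m = _RECORD.match(line)
        if not m:
            continue
        pid = int(m.group(2))
        svcs = m.group(3).strip()
        procs[pid] = [] if svcs == "N/A" else _split(svcs)
    return procs


def triage(procs, owners, groups):
    """Return {pid: [reason, ...]} for svchost instances that look wrong."""
    registered = {svc for members in groups.values() for svc in members}
    findings = {}
    for pid, svcs in procs.items():
        reasons = []
        if not svcs:
            reasons.append("hosts no services")
        unknown = [s for s in svcs if s not in registered]
        if unknown:
            reasons.append("hosts services not registered under SvcHost: " + ", ".join(unknown))
        hosting = {g for g, members in groups.items() if set(svcs) & members}
        if len(hosting) > 1:                     # one svchost normally hosts one group
            reasons.append("mixes services from groups " + ", ".join(sorted(hosting)))
        if not owners.get(pid, ""):
            reasons.append("no owning user name")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(parse_tasklist_svc(TASKLIST_SVC), OWNERS, SVCHOST_GROUPS).items():
        print(f"svchost.exe PID {pid}: " + "; ".join(reasons))
```

On a real machine you would feed in the actual command output and export the SvcHost key rather than the constructed tables; the point of the check is that a genuine svchost instance always hosts a named, registered group of services and runs as a system account, so an instance with nothing behind it, an unregistered name, or a blank owner is the one to look at first.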
#10
Scooby Regular. Join Date: May 2000. Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-) Posts: 10,371
Yep, I'm with DSOTM.
Svchost is a generic name. It means that you have DLL based services running - every PC will have some of these running at some point. Some of these services could well be internet facing - they could include DNS/DHCP/netlogin - all things that could be internet facing.
I would strongly suggest reading up on this at MS Technet, or do a search on the topic.
Chris
#11
Chaps
A little heated, methinks!
OK, DNS and Time Service, they may connect to the Internet, unless your [external] firewall proxies these services, or you have DNS/NTP on your LAN.
The point I'm making is if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still.
#12
The point I'm making is if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still.
Discover, Offer, Request, Acknowledge....kind of what DHCP is meant to do.
Why on earth would that be a problem for a PC with a software firewall?
[Edited by DSOTM - 8/17/2003 9:00:55 PM]
#13
Scooby Regular. Join Date: May 2000. Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-) Posts: 10,371
So if my ISP gives out dynamic IP addresses (which the vast majority do), how else would I request an IP address, other than by a DHCP request, which would be on my internet-facing NIC???
Chris
#15
Apologies folks. Was thinking "what's there to be confused about", so read the thread from top to bottom.
I have been making an assumption all along, which I shouldn't have made. Stupidly assumed that broadband/ISDN routers were being used, which would be doing the DHCP negotiations; thus the comment "if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still." That is, the BOOTP traffic shouldn't traverse onto the Internet, as it should be satisfied by the router.
Completely forgot about dial-up modems and USB ISDN/Broadband adapters!
I shall retire to my hole.