
Thread: Generic Host Process for Windows32 Services

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    187

    Generic Host Process for Windows32 Services

    Can someone explain to me what to do with that process. My Kerio is always telling me that svchost wants internet access. Here is everything I found for that process. I understand all of it, but should I give it internet access:

    svchost - svchost.exe - Process Information
    Process File: svchost or svchost.exe
    Process Name: Microsoft Service Host Process

    Description:
    svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/sec.../ms04-011.mspx This is a registered security risk and should be removed immediately. Please see additional details regarding this process
    Remember, all I'm offering is the truth, nothing more.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Obviously, links like [0] are not of much use in order to gain an
    understanding of svchost.exe. Hence, I'd like to put together some
    information about that notorious svchost.exe. Information that might
    be well known to a lot of users here, but anyway, this is an attempt
    to order it a bit.


    in general


    In short: There actually should be no such option as to allow
    %SystemRoot%\System32\Svchost.exe as a whole access to the Internet.
    Svchost is just a name for other "programs", which need to use Svchost.exe in
    order to be able to offer a service (for the OS/User).

    Therefore, Svchost can be misused to hide the activity of a malicious
    program.

    However, in certain cases you want to allow for internet/LAN activity.
    In order to know what you can allow and what not, you have to dive in deeply.


    information gathering


    .First stage of information gathering - registry part 1


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    tells you which "subprograms" are started under the name of Svchost (hence,
    Svchost is called a generic name)[1]. You see several entries like LocalService,
    netsvcs, rpcss. Each of these starts a new instance of svchost.exe. These entries
    themselves contain a list of services: these are the "subprograms" which are
    started under the name "svchost".


    .Second stage of information gathering - registry part 2


    The "subprogram"-names given can be looked at in detail at

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services


    The two starting notions here are
    - DisplayName: This name you can use in order to gather more information at [2]
    - ImagePath: Here you can check how it is started. This information can partly
    be used to detect the activity of a worm. E.g. Welchia[3] activated itself by tricking
    the system into presenting it as a Svchost process, but the executable is at
    %SystemRoot%\Wins\ !

    Eg.: Information about CryptSvc: Cryptographic Services[4]



    .which svchost

    The output of "tasklist /SVC" (Win XP) or "tlist -s" (Win 2000) tells you which
    services are running under the corresponding PID (e.g. named with Svchost). There
    are several. The drawback of tasklist is that you see the name of the executable,
    but not the full path.

    Use
    - fport[5] to get the full path
    - Process Explorer[6] is another very helpful tool. Right-click on the PID you wish
    to have information about, Properties.Services.
    - A superb tool is Microsoft's Port Reporter tool[7]. You can quickly identify a program
    listening on port 135 under the name Svchost with RpcSs:
    Code:
    Process ID: 952 (svchost.exe)
    
    User context: NT AUTHORITY\SYSTEM
    
    Service Name: RpcSs
    Display Name: Remote Procedure Call (RPC)
    Service Type: shares a process with other services
    
    PID	Port		Local IP	State		 Remote IP:Port
    952	TCP 135  	0.0.0.0 	LISTENING	 0.0.0.0:2096
    
    Port Statistics
    
    TCP mappings: 1
    UDP mappings: 0
    
    TCP ports in a LISTENING state: 	1 = 100.00%

    Conclusion


    As mentioned in the beginning: I would not allow Svchost.exe as a whole access to
    the internet. In a common home-user environment, I am not aware of any need to
    allow Svchost the access at all.

    Be aware that there might be the possibility of a worm and/or malware. The first
    step is to run a state-of-the-art scanner, like [8]. Then check the processes which
    want to access the internet thoroughly using the above method/tools.


    Cheers

    [0] http://support.microsoft.com/kb/314056/en-us
    [1] http://www.hsc.fr/ressources/article...v/ch04s11.html
    and the whole chapter four: http://www.hsc.fr/ressources/article..._srv/ch04.html
    [2] http://www.theeldergeek.com/services_guide.htm
    [3] http://securityresponse.symantec.com...chia.worm.html
    [4] http://www.theeldergeek.com/cryptographic_services.htm
    [5] http://www.foundstone.com/index.htm?...desc/fport.htm
    [6] http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
    [7] http://support.microsoft.com/default...b;en-us;837243
    [8] http://housecall.trendmicro.com


    P.s. For quite a while I wanted to put together this kind of information.
    I'd appreciate any additions/criticism/corrections.
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
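The registry and process checks described in the post above, put together as one script. This is an added example, not part of the original post; it assumes a current Windows version with PowerShell, and uses Win32_Service for the PID-to-service mapping that "tasklist /SVC" gives, so that each hosted service can be compared against the expected svchost.exe path.

```powershell
# Added example: walk the Svchost group key, resolve each hosted service in the
# Services key and flag any ImagePath that is not %SystemRoot%\System32\svchost.exe
# (the Welchia case in the post: an executable living somewhere else but presented
# as "svchost"). Run from an elevated PowerShell prompt.
function Get-SvchostServiceMap {
    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $expected    = Join-Path $env:SystemRoot 'System32\svchost.exe'

    # Running services, keyed by service name, so we can attach the PID
    # (the same PID-to-service view that "tasklist /SVC" shows).
    $running = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $running[$_.Name] = $_ }

    # Each value under the Svchost key is a group (netsvcs, LocalService, ...);
    # its REG_MULTI_SZ data lists the services hosted in that group's instance.
    $groups = Get-Item $svchostKey
    foreach ($group in $groups.GetValueNames()) {
        $members = $groups.GetValue($group)
        if (-not $members) { continue }
        foreach ($svc in $members) {
            $svcKey = Join-Path $servicesKey $svc
            if (-not (Test-Path $svcKey)) { continue }
            $props = Get-ItemProperty $svcKey

            # ImagePath is stored unexpanded and usually carries "-k <group>".
            $image = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
            $exe   = ($image -replace '\s+-k\s+.*$', '').Trim('"')

            $live   = $running[$svc]
            $procId = if ($live) { $live.ProcessId } else { $null }
            # Prefer the resolved display name; the registry value may be a
            # resource reference (@...dll,-123) on newer Windows versions.
            $name = if ($live) { $live.DisplayName } else { $props.DisplayName }

            [pscustomobject]@{
                Group       = $group
                Service     = $svc
                DisplayName = $name
                PID         = $procId
                ImagePath   = $image
                Suspicious  = -not ($exe -ieq $expected)
            }
        }
    }
}

Get-SvchostServiceMap | Sort-Object Suspicious -Descending, Group | Format-Table -AutoSize
```

Rows with Suspicious set to True deserve the manual look-up described in the post (DisplayName at [2], then the executable itself), since a legitimate third-party service can also register itself in a group.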

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    187
    ______________________________________________________
    Conclusion

    As mentioned in the beginning: I would not allow Svchost.exe as a whole access to
    the internet. In a common home-user environment, I am not aware of any need to
    allow Svchost the access at all.
    _____________________________________________________
    And what about if I have more than 1000 PCs on my network. Should I let it work?
    Remember, all I'm offering is the truth, nothing more.
