-
December 12th, 2004, 11:36 AM
#1
Senior Member
Generic Host Process for Windows32 Services
Can someone explain to me what to do with that process? My Kerio is always telling me that svchost wants internet access. Here is everything I found for that process. I understand all of it, but should I give it internet access:
svchost - svchost.exe - Process Information
Process File: svchost or svchost.exe
Process Name: Microsoft Service Host Process
Description:
svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/sec.../ms04-011.mspx This is a registered security risk and should be removed immediately. Please see additional details regarding this process
Remember, all I'm offering is the truth, nothing more.
-
December 12th, 2004, 02:08 PM
#2
Hi
Obviously, links like [0] are not of much use in order to gain an
understanding of svchost.exe. Hence, I'd like to put together some
information about that notorious svchost.exe, information that might
be well known to a lot of users here, but anyway, this is an attempt
to order it a bit.
in general
In short: There actually should be no such option as to allow
%SystemRoot%\System32\Svchost.exe as a whole access to the Internet.
Svchost is just a name for other "programs", which need to use Svchost.exe in
order to be able to offer a service (for the OS/User).
Therefore, Svchost can be misused to hide the activity of a malicious
program.
However, in certain cases you want to allow for internet/LAN activity.
In order to know what you can allow and what not, you have to dive in deeply.
information gathering
.First stage of information gathering - registry part 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
tells you which "subprograms" are started under the name of Svchost (hence,
Svchost is called a generic name)[1]. You see several entries like LocalService,
netsvcs, rpcss. Each of these starts a new instance of svchost.exe. These entries
themselves contain a list of services: these are the "subprograms" which are
started under the name "svchost".
.Second stage of information gathering - registry part 2
The "subprogram"-names given can be looked at in detail at
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
The two starting notions here are
- DisplayName: This name you can use in order to gather more information at [2]
- ImagePath: Here you can check how it is started. This information can partly
be used to detect the activity of a worm. E.g. Welchia[3] activated itself by tricking
the system into presenting it as a Svchost process, but the executable is at
%SystemRoot%\Wins\ !
E.g.: Information about CryptSvc: Cryptographic Services[4]
.which svchost
The output of "tasklist /SVC" (Win XP) or "tlist -s" (win 2000) tells you which
services are running under the corresponding PID (e.g. named with Svchost). There
are several. The drawback of tasklist is that you see the name of the executable,
but not the full path.
Use
- fport[5] to get the full path
- Process Explorer[6] is another very helpful tool. Right-Click on the PID you wish
to have information about, Properties.Services.
- A superb tool is Microsoft's Port Reporter tool[7]. You can quickly identify a program
listening on port 135 under the name Svchost with RpcSs:
Code:
Process ID: 952 (svchost.exe)
User context: NT AUTHORITY\SYSTEM
Service Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Service Type: shares a process with other services
PID Port Local IP State Remote IP:Port
952 TCP 135 0.0.0.0 LISTENING 0.0.0.0:2096
Port Statistics
TCP mappings: 1
UDP mappings: 0
TCP ports in a LISTENING state: 1 = 100.00%
Conclusion
As mentioned in the beginning: I would not allow Svchost.exe as a whole access to
the internet. In a common home-user environment, I am not aware of any need to
allow Svchost the access at all.
Be aware that there might be the possibility of a worm and/or malware. The first
step is to run a state-of-the-art scanner, like [8]. Then check the processes which
want to access the internet thoroughly using the above method/tools.
Cheers
[0] http://support.microsoft.com/kb/314056/en-us
[1] http://www.hsc.fr/ressources/article...v/ch04s11.html
and the whole chapter four: http://www.hsc.fr/ressources/article..._srv/ch04.html
[2] http://www.theeldergeek.com/services_guide.htm
[3] http://securityresponse.symantec.com...chia.worm.html
[4] http://www.theeldergeek.com/cryptographic_services.htm
[5] http://www.foundstone.com/index.htm?...desc/fport.htm
[6] http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
[7] http://support.microsoft.com/default...b;en-us;837243
[8] http://housecall.trendmicro.com
P.s. For quite a while I wanted to put together this kind of information.
I'd appreciate any additions/criticism/corrections.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
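The three information-gathering stages in the post above (the Svchost group key, the per-service DisplayName/ImagePath/ServiceDll, and the PID-to-service mapping with full paths and listening ports) can be automated in one read-only script. The following is an added example written for this thread, not code from the poster or from Microsoft. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows 8 or later (Get-NetTCPConnection does not exist on XP/2000; on those, fall back to the fport/Port Reporter tools the post lists). The function names Get-SvchostServiceReport, Get-SvchostProcessMap and Expand-RegPath are hypothetical names chosen here.

```powershell
# Added example, not from the thread. Read-only: it queries the registry, WMI and
# the TCP table and changes nothing. Run elevated so all service keys are readable.

$System32     = Join-Path $env:SystemRoot 'System32'
$ExpectedHost = Join-Path $System32 'svchost.exe'

function Expand-RegPath([string]$Value) {
    # Registry paths use %SystemRoot% and may be quoted; normalise before comparing.
    if ([string]::IsNullOrEmpty($Value)) { return '' }
    return [Environment]::ExpandEnvironmentVariables($Value).Trim('"')
}

function Get-SvchostServiceReport {
    # Stage 1: every value under the Svchost key is a group name (netsvcs,
    # LocalService, rpcss, ...) whose REG_MULTI_SZ data lists the services that
    # are started inside that group's svchost.exe instance.
    $groupKey = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    foreach ($group in $groupKey.GetValueNames()) {
        foreach ($svc in @($groupKey.GetValue($group))) {
            # Stage 2: DisplayName and ImagePath live under the Services key, the
            # hosted DLL under Parameters\ServiceDll. A group may name services
            # that are not installed on this machine, so skip missing keys.
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            if (-not (Test-Path -Path $svcKey)) { continue }
            $props  = Get-ItemProperty -Path $svcKey
            $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
            $image  = Expand-RegPath ([string]$props.ImagePath)
            $dll    = Expand-RegPath ([string]$params.ServiceDll)

            # The pattern the post describes: a service that claims to be hosted by
            # svchost but whose ImagePath is not the real %SystemRoot%\System32\svchost.exe,
            # or whose DLL is loaded from outside System32 (Welchia ran from %SystemRoot%\Wins\).
            # A flag here means "look closer", not proof of infection.
            $hostOk = $image.StartsWith($ExpectedHost, [StringComparison]::OrdinalIgnoreCase)
            $dllOk  = ($dll -eq '') -or $dll.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)

            [pscustomobject]@{
                Group       = $group
                Service     = $svc
                DisplayName = $props.DisplayName   # may be an @dll,-id resource string on newer Windows
                ImagePath   = $image
                ServiceDll  = $dll
                Suspicious  = -not ($hostOk -and $dllOk)
            }
        }
    }
}

function Get-SvchostProcessMap {
    # Stage 3: map each running svchost PID to the services it hosts. Win32_Service
    # exposes the full command line, which is the information "tasklist /SVC" lacks,
    # and the TCP table gives the listening sockets the post used Port Reporter for.
    $listen = @{}
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $listen[[int]$_.OwningProcess] += @("$($_.LocalAddress):$($_.LocalPort)")
    }
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' } |
        Group-Object -Property ProcessId |
        ForEach-Object {
            [pscustomobject]@{
                PID       = [int]$_.Name
                Path      = $_.Group[0].PathName
                Services  = ($_.Group.Name | Sort-Object) -join ', '
                Listening = ($listen[[int]$_.Name] | Sort-Object) -join ', '
            }
        }
}

# Usage: review every flagged entry before granting any svchost PID network access;
# the per-PID map tells you which services a firewall prompt for that PID covers.
Get-SvchostServiceReport | Where-Object Suspicious | Format-Table -AutoSize
Get-SvchostProcessMap | Format-Table -AutoSize
```

The first table is empty on a clean system; anything listed there is a service whose registry entry does not match the layout the post explains and deserves the manual checks it describes (the DisplayName lookup at [2], the on-disk path, a scan). The second table answers the original question more precisely than a firewall prompt can: the prompt names only "svchost.exe", while the map shows which group and which services are behind that particular PID and which ports they are listening on.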
-
December 12th, 2004, 03:52 PM
#3
Senior Member
______________________________________________________
Conclusion
As mentioned in the beginning: I would not allow Svchost.exe as a whole access to
the internet. In a common home-user environment, I am not aware of any need to
allow Svchost the access at all.
_____________________________________________________
And what about if I have more than 1000 PCs on my network? Should I let it work?
Remember, all I'm offering is the truth, nothing more.