March 22nd, 2005, 04:14 AM
Does anyone know how to debug/trace what exactly svchost.exe is doing in Windows XP?
This is because I have some suspicious traffic going out to the internet from a PC, and the traffic seems to be initiated by svchost.exe.
March 22nd, 2005, 04:23 AM
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
March 22nd, 2005, 04:39 AM
Under XP (may require SP2, not sure):
Credit travels up, blame travels down -- The Boss
March 22nd, 2005, 09:22 AM
Hmm, maybe I was not too clear in my last post, but anyway, I managed to find strace for NT and am now fiddling with it, because the command has an option that can "tag" onto the process ID svchost.exe is using and show the low-level calls going on in svchost.exe.
By the way, the suspicious traffic is started by svchost.exe and is going to download.windowsupdate.com. Even if I turn off the Automatic Updates service in Control Panel -> Administrative Tools -> Services, the same traffic still goes to the site.
Anyone know what's going on? Thanks.
March 22nd, 2005, 12:02 PM
Having not used strace for NT, I am unable to fully comment.
The comment was to use a program, Process Explorer (procexp.exe); this shows a mine of information. I also recommend having a look at TCPView; this tells you what port is being used by a process.
Realise that svchost is just a slave to other processes in your PC; on its own it is not the perpetrator.
Also, svchosd, scvhost, svvhost, svcbost, snchost, etc. are not legit Windows progs, a bit like Isass and lsass. Be aware of the spelling of the process you're looking at.
"Consumer technology now exceeds the average person's ability to comprehend how to use it. Give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
March 22nd, 2005, 12:14 PM
To just add a little to what Undies has said...
svchost may have several instances running at once; that can be quite legitimate, but there should only be one copy of the program on your system.
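As an added, defender-side illustration of the two checks raised in this thread (misspelled look-alike names such as scvhost or Isass, and more than one copy of svchost.exe on disk), the following Python script audits a process listing. It is not from the thread or any of its posters: the `Proc` record type, the sample listing and the one-edit look-alike threshold are assumptions; on a real XP box the pid/name/path triples would come from Process Explorer or a similar tool.

```python
"""Audit a process listing for svchost/lsass look-alikes and stray copies.

Added example; the listing in SAMPLE is constructed for illustration and is
not output from any real host.
"""
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    name: str   # image name as shown by the task list
    path: str   # full path of the image on disk


# Legitimate Windows images that malware is known to imitate by misspelling,
# each with the one location the real file should live in (assumption: a
# default XP install with the system root on C:).
LEGIT = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance.

    Counts one substitution, insertion, deletion, or adjacent transposition
    as a single edit, so 'scvhost' (swap) and 'svchosd' (substitute) are both
    one edit away from 'svchost', while 'csrss' stays two edits from 'lsass'.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(proc: Proc) -> str:
    """Return 'ok', 'wrong-path', 'lookalike-of-<name>' or 'unrelated'."""
    name = proc.name.lower()       # lower-casing also turns 'Isass' into 'isass'
    path = proc.path.lower()
    if name in LEGIT:
        return "ok" if path == LEGIT[name] else "wrong-path"
    for legit in LEGIT:
        if osa_distance(name, legit) <= 1:
            return f"lookalike-of-{legit}"
    return "unrelated"


def audit(procs: List[Proc]) -> Tuple[List[Tuple[int, str, str]], Dict[str, List[int]]]:
    """Collect findings plus a map of every on-disk path used by svchost.exe.

    Several svchost.exe instances sharing one path is normal; more than one
    path means more than one copy of the program, which the thread says
    should never happen.
    """
    findings = []
    copies: Dict[str, List[int]] = {}
    for p in procs:
        verdict = classify(p)
        if verdict not in ("ok", "unrelated"):
            findings.append((p.pid, p.name, verdict))
        if p.name.lower() == "svchost.exe":
            copies.setdefault(p.path.lower(), []).append(p.pid)
    return findings, copies


# Constructed listing: several legit svchost instances, one stray copy,
# one transposed name, one capital-I-for-l name, and csrss.exe as a control.
SAMPLE = [
    Proc(832, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(900, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1044, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    Proc(1500, "svchost.exe", r"C:\WINDOWS\svchost.exe"),
    Proc(1612, "scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),
    Proc(1700, "Isass.exe", r"C:\WINDOWS\system32\Isass.exe"),
    Proc(1800, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
]

if __name__ == "__main__":
    found, paths = audit(SAMPLE)
    for pid, name, verdict in found:
        print(f"pid {pid:<5} {name:<12} {verdict}")
    print(f"svchost.exe copies on disk: {len(paths)} -> {sorted(paths)}")
```

The transposition-aware distance matters: a plain Levenshtein threshold of 2 would catch scvhost but also flag the genuine csrss.exe as an lsass.exe look-alike, so the one-edit threshold with transpositions is the conservative choice.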
March 22nd, 2005, 01:57 PM
I managed to find out a little about the problem. It seems like my internal LAN PCs are trying to access download.windowsupdate.com directly without going through my internet proxy server.
March 22nd, 2005, 02:02 PM
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." - Spaf
Every time I learn a new thing, I discover how ignorant I am. - Black Cluster