I was noticing my firewall on some UDP request activates my "svchost.exe" program and then my firwall blocks it when it attempts to connect "outgoing" is blocked as well asthe incoming request, what I want to know is, why on some requests the "svchost.exe" activates and others in does not, on all of these, UDP ports I am not initiating any of the request, it is the "nosey" China.net computers , here is an example of what I am talking about:

Alert
Source IP Address 61.152.158.152 The IP address of the computer that sent the packet which caused the alert.
Source Port 49387 The port used by the source computer when sending the packet.
Destination IP xxx.xxx.xxx.xxx(me loacally)
The IP address of the computer to which the packet was sent.

Destination Port 1026 The port on the destination computer used to receive the packet.

Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.

Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a
network cable.

Alert Date Jun-07-2005 11:00:59 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.

Alert Count 1



ok that was copied ,obviously from Zonlabs alert "more info" now the next set of data is stating the svchost.exe program has activated..this is what I dont understand, as far as I have test all my ports are "stealth".....


Inside the firewall alert



Alert property Alert property value Technical explanation
Source IP Address 221.211.255.8 The IP address of the computer that sent the packet which caused the alert.
Source Port 32920 The port used by the source computer when sending the packet.

Destination IP xxx.xxx.xxx.xxx The IP address of the computer to which the packet was sent.
Destination Port 1027 The port on the destination computer used to receive the packet.

Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.

Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.

Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.

(I think these are simply ports scans from the nosey china servers and/or looking for there "bots" but how does it make my single computer on dialup through earthlink activate svchost.exe on some port scans versus others?




File Name svchost.exe <---see this is what I am talking about?


The executable file on your computer that launches and runs Generic Host Process for Win32 Services.

Alert Date Jun-07-2005 11:09:35 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.

Alert Count 1 Number of times this connection attempt repeated its attempt on your machine



To sum it all up why does the svchost.exe launch on similar port scans "UDP 1027" and "UDP 1026" but NOT everyone? Does this have something to do with STEALTH and NOt STEALTH ports, ?