• svchost.exe and the internet (XP Pro SP-1)

    #381585

    Why do I keep getting asked (by ZA) if svchost should be allowed to accept connections from the internet?

    I am not entirely clear what svchost does, to begin with, but I have no idea why it should be connected to the internet. I have seen no problems so far with denying the access, but I don’t want to set this as a rule until I know more.

    • #643787

      This is from Answers That Work:

          Windows 2000/XP only. SVCHOST is a generic process which acts as a host for other processes running from DLLs. Depending on the configuration of your system there may be more than one instance of SVCHOST showing in the Task List.

          Recommendation:
          An integral part of the operating system, leave alone.

      • #643950

        I saw this definition somewhere, but to be honest, having read it, I’m none the wiser. Maybe by the end of my MCSE course, it might be clearer.

    • #643864

      For my own money, I just let the sucker connect. My rationale is if I set a rule to deny SVCHOST and forget about it, I may wind up with less hair somewhere down the line as I try and figure out why censored program won’t do what it’s supposed to.

      What you might investigate, though, is something like Dependency Walker (usually included in the NT resource kits) to trace what is communicating through SVCHOST. It’s not something the average person is going to want to dig into since it’s less than friendly, but it’s an option if you’re curious and like to investigate.

      • #643989

        Unless Rory has a copy of NT somewhere in his bag of Goodies, I have no access to it. Is there anywhere else I might find Dependency Walker or something similar?

        So far, just telling ZoneAlarm to block it doesn’t seem to have caused any problems. There are a few things I am happy to give internet access (IE, AOL, OE and some others on demand), but when something I don’t recognise wants access to do something I don’t know about, I just assume Trojan or Spyware and say, ‘No!’

        Experience has taught me that ‘Generic Host Process for Win32 Services’ (what a mouthful) needs to be allowed access, but that’s the only program that I allow without really knowing what it is.

        • #644050

          You’ll have to pardon me for asking, since I don’t pretend to know a whole censored of a lot about this, but isn’t “Generic Host Process for Win32 Services” the gobbledegook name for SVCHOST.EXE? Like Answers That Work and Pacs-Portal say, I have FOUR instances of SVCHOST in my Task Manager and I have my browser, About Time, Mailwasher and ZoneAlarm running, so I’ve always figured it’s a DLL that supports those services.

          • #644111

            Al, that’s correct. And typically it is a DLL that is communicating through the SVCHOST.EXE executable. Just a shame that Microsoft didn’t give anyone an easy way to determine which DLL.

          • #644321

            I see three instances running on my machine. One is System, one is Local Services and the third is Network Services.

            Probably should have looked closer at this before. I’m running a stand-alone PC, so I don’t know to what extent I need the Network Services. Saying that, my AOL connection might well require this. Anyway, perhaps it is this instance that is being targeted for connection.

        • #644119

          You’re in luck. Since there’s no trademark on the program’s name, head over to http://www.dependencywalker.com/ and grab yourself a copy!

          • #644313

            Many thanks for that. It looks like a great tool for learning more about the inner workings of the O/S.

            Svchost and ‘Generic Host…’ both get separate responses from ZA. If I don’t enable the latter to connect, I can’t access the internet at all; but no problems blocking the former, though I should reiterate that I am being asked whether it should be allowed to ACCEPT connections from the internet, which leaves me wondering who or what out there wants to talk to/through svchost.

    • #644181

      I think you’ll find a lot of helpful info here on services and such:
      http://www.blkviper.com/WinXP/xpprofiles.htm

    • #644414

      Part of the answer to your quest may lie in the thread Unsolicited Webpopups – the new Spam?. About halfway through, in a post by R2 is the following:

          Disallowing SVCHOST to accept connections (In ZA terms denying it server access) will assure that Net Send commands from outside your Network will never get to you.

      I’ve had server access for svchost.exe (aka Generic Host Process for Win32 Services) disabled since last year without obvious problems. I would have passed on this reference sooner, had I been able to remember where I’d seen it.
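
Added example, not part of any post in this thread: one way to see which services sit behind each svchost.exe instance that is able to accept connections is to join the output of `tasklist /svc` with `netstat -ano` on the PID column. The function names are hypothetical and both sample outputs are constructed for illustration.

```python
import re

# Constructed sample of `tasklist /svc` output (not taken from the thread).
TASKLIST_SVC = """
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  940 RpcSs
svchost.exe                 1032 AudioSrv, Browser, Messenger, Schedule,
                                 Themes
svchost.exe                 1200 SSDPSRV
iexplore.exe                1640 N/A
"""

# Constructed sample of `netstat -ano` output (documentation address ranges).
NETSTAT_ANO = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1045        203.0.113.5:80         ESTABLISHED     1640
  UDP    0.0.0.0:1026           *:*                                    1032
  UDP    0.0.0.0:1900           *:*                                    1200
"""

def parse_tasklist(text):
    """Map PID -> (image name, [services]); wrapped service lists are joined."""
    procs, last, in_body = {}, None, False
    for line in text.splitlines():
        if line.startswith("="):
            in_body = True
        elif in_body and line.strip():
            m = re.match(r"(\S.*?)\s+(\d+)\s+(\S.*)$", line)
            if m:  # a new process row; otherwise it is a continuation line
                last = int(m.group(2))
                procs[last] = (m.group(1), [])
                line = m.group(3)
            if last is not None and line.strip() != "N/A":
                procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
    return procs

def inbound_svchost(tasklist_text, netstat_text):
    """(pid, proto, local address, services) for svchost sockets that accept
    traffic: TCP rows in LISTENING state, and UDP rows (which have no State)."""
    procs, found = parse_tasklist(tasklist_text), []
    for f in (l.split() for l in netstat_text.splitlines()):
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and (f[0] == "UDP" or f[3] == "LISTENING"):
            image, services = procs.get(int(f[-1]), ("?", []))
            if image.lower() == "svchost.exe":
                found.append((int(f[-1]), f[0], f[1], services))
    return sorted(found)
```

Calling `inbound_svchost(TASKLIST_SVC, NETSTAT_ANO)` on real output from both commands gives the list of services to review before deciding on a firewall rule for that instance.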
