Generic Host Process and the internet

[kv]

Just curious, I've always seen it stated that Generic Host Process (svchost.exe) in Win2K should be allowed internet access through personal firewalls otherwise some network services will fail.

However, quite a few months back I decided to permanently deny it access and have yet to run into any issues with my network services (although my log reports that it constantly does try to access the network) or any internet applications.

Just wondering if anyone knows exactly what the system is trying to do when GHP calls outside? I'm not really paranoid (yet) so I don't think that something bad is amiss, but I do like to know why things are happening where network access is concerned, particularly nowadays.

Thanks,
KV

[Newt]

svchost.exe is a wrapper for other services and what you are seeing is that some component of a svchost.exe instance is trying to get out.

You can dig specifics out of the registry with a bit of work but the easiest way is to use a utility called tasklist.exe that shipped with XP but not with 2K. However it should work with 2K - at least some parts of it.

When I run tasklist /svc on my XP-pro system at work, I get the following information (there is more but I just put in the svchost parts and a couple other items). You can see that the instance running under PID 1060 has quite a few items that might want to call out.

Code:

Image Name                   PID Services                                     
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     592 N/A                                          
csrss.exe                    640 N/A                                          
winlogon.exe                 664 N/A                                          
services.exe                 708 Eventlog, PlugPlay                           
lsass.exe                    720 Netlogon, PolicyAgent, ProtectedStorage,     
                                 SamSs                                        
ibmpmsvc.exe                 916 IBMPMSVC                                     
svchost.exe                  944 RpcSs                                        
svchost.exe                 1060 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,       
                                 EventSystem, helpsvc, Irmon, lanmanserver,   
                                 lanmanworkstation, Messenger, Netman, Nla,   
                                 RasMan, Schedule, seclogon, SENS,            
                                 ShellHWDetection, srservice, TapiSrv,        
                                 TermService, TrkWks, uploadmgr, w32time,     
                                 winmgmt                                      
svchost.exe                 1232 Dnscache                                     
svchost.exe                 1264 LmHosts, RemoteRegistry, SSDPSRV             
spoolsv.exe                 1384 Spooler                                      
aiclient.exe                1496 AICLIENT                                     
blackd.exe                  1512 BlackICE

[kv]

Hmmm, thanks for the tip, I'll try using the XP version on my system.

I did locate the registry key showing the services attached to svchost, and while I couldn't track down info on all of them, some of them are self-evident and some of them aren't actually installed. Regardless, with things like BITS and automatic updates disabled, no remote access running, ir disabled etc. etc. I still can't figure out which service may be tripping it.

Hopefully tasklist will give me a better idea.

Cheers,
KV