Firewall Log

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Having problems understanding the workings of 'svchost.exe' service. I have
6 of them on my desktop which uses XP Pro SP2. I'm having trouble
identifying what is happening. Its a home pc, on one router. I've blocked
port 1900 and UPnP on the router and think i've blocked it in Windows
Firewall. Not sure what this is. Below is my result of netstat and tasklist:

UDP 127.0.0.1:1900 *:* 1296
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1004
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:990 0.0.0.0:0 LISTENING 324
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 1776
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING 2804
TCP 127.0.0.1:1035 127.0.0.1:27015 ESTABLISHED 1796
TCP 127.0.0.1:1036 0.0.0.0:0 LISTENING 1816
TCP 127.0.0.1:1037 0.0.0.0:0 LISTENING 3896
TCP 127.0.0.1:1038 0.0.0.0:0 LISTENING 3888
TCP 127.0.0.1:5679 0.0.0.0:0 LISTENING 1996
TCP 127.0.0.1:7438 0.0.0.0:0 LISTENING 1996
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING 608
TCP 127.0.0.1:27015 127.0.0.1:1035 ESTABLISHED 608
TCP 192.168.10.13:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 756
UDP 0.0.0.0:1027 *:* 1156
UDP 0.0.0.0:4500 *:* 756
UDP 127.0.0.1:123 *:* 1100
UDP 127.0.0.1:1069 *:* 3036
UDP 127.0.0.1:1900 *:* 1296
UDP 192.168.10.13:123 *:* 1100
UDP 192.168.10.13:137 *:* 4
UDP 192.168.10.13:138 *:* 4
UDP 192.168.10.13:1900 *:* 1296

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 624 N/A
csrss.exe 672 N/A
winlogon.exe 700 N/A
services.exe 744 Eventlog, PlugPlay
lsass.exe 756 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe 920 Ati HotKey Poller
svchost.exe 944 DcomLaunch, TermService
svchost.exe 1004 RpcSs
svchost.exe 1100 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, helpsvc, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt, wscsvc,
wuauserv, WZCSVC
svchost.exe 1156 Dnscache
svchost.exe 1296 LmHosts, RemoteRegistry, SSDPSRV, WebClient
ccSetMgr.exe 1360 ccSetMgr
ccEvtMgr.exe 1452 ccEvtMgr
spoolsv.exe 1640 Spooler
ati2evxx.exe 348 N/A
explorer.exe 452 N/A
AppleMobileDeviceService. 608 Apple Mobile Device
DefWatch.exe 656 DefWatch
mdm.exe 988 MDM
svchost.exe 1188 stisvc
Rtvscan.exe 1712 Symantec AntiVirus
soundman.exe 1768 N/A
CLI.exe 1776 N/A
iTunesHelper.exe 1796 N/A
hpwuSchd2.exe 1808 N/A
ccApp.exe 1816 N/A
VPTray.exe 1836 N/A
LCDMon.exe 1856 N/A
LGDCore.exe 1868 N/A
jusched.exe 1928 N/A
reader_sl.exe 1940 N/A
LCDMedia.exe 1956 N/A
ctfmon.exe 1976 N/A
wcescomm.exe 1996 N/A
hpqtra08.exe 2024 N/A
SetPoint.exe 132 N/A
hpqimzone.exe 296 N/A
rapimgr.exe 324 N/A
KHALMNPR.exe 424 N/A
wmiprvse.exe 2396 N/A
alg.exe 2804 ALG
hpqnrs08.exe 2868 N/A
iPodService.exe 3560 iPod Service
hpqste08.exe 3656 N/A
CLI.exe 3888 N/A
CLI.exe 3896 N/A
wuauclt.exe 2532 N/A
iexplore.exe 3036 N/A
cmd.exe 2384 N/A
netstat.exe 1044 N/A
cmd.exe 3780 N/A
wmiprvse.exe 220 N/A
HPZinw12.exe 388 N/A
tasklist.exe 392 N/A
 
Wayne said:
Having problems understanding the workings of 'svchost.exe' service. I
have
6 of them on my desktop which uses XP Pro SP2. I'm having trouble
identifying what is happening. Its a home pc, on one router. I've
blocked
port 1900 and UPnP on the router and think i've blocked it in Windows
Firewall. Not sure what this is. Below is my result of netstat and
tasklist:

UDP 127.0.0.1:1900 *:* 1296
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1004
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:990 0.0.0.0:0 LISTENING 324
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 1776
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING 2804
TCP 127.0.0.1:1035 127.0.0.1:27015 ESTABLISHED 1796
TCP 127.0.0.1:1036 0.0.0.0:0 LISTENING 1816
TCP 127.0.0.1:1037 0.0.0.0:0 LISTENING 3896
TCP 127.0.0.1:1038 0.0.0.0:0 LISTENING 3888
TCP 127.0.0.1:5679 0.0.0.0:0 LISTENING 1996
TCP 127.0.0.1:7438 0.0.0.0:0 LISTENING 1996
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING 608
TCP 127.0.0.1:27015 127.0.0.1:1035 ESTABLISHED 608
TCP 192.168.10.13:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 756
UDP 0.0.0.0:1027 *:* 1156
UDP 0.0.0.0:4500 *:* 756
UDP 127.0.0.1:123 *:* 1100
UDP 127.0.0.1:1069 *:* 3036
UDP 127.0.0.1:1900 *:* 1296
UDP 192.168.10.13:123 *:* 1100
UDP 192.168.10.13:137 *:* 4
UDP 192.168.10.13:138 *:* 4
UDP 192.168.10.13:1900 *:* 1296

Image Name PID Services
========================= ======
=============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 624 N/A
csrss.exe 672 N/A
winlogon.exe 700 N/A
services.exe 744 Eventlog, PlugPlay
lsass.exe 756 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe 920 Ati HotKey Poller
svchost.exe 944 DcomLaunch, TermService
svchost.exe 1004 RpcSs
svchost.exe 1100 AudioSrv, CryptSvc, Dhcp, dmserver,
ERSvc,
EventSystem, helpsvc, HidServ,
lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt, wscsvc,
wuauserv, WZCSVC
svchost.exe 1156 Dnscache
svchost.exe 1296 LmHosts, RemoteRegistry, SSDPSRV,
WebClient
ccSetMgr.exe 1360 ccSetMgr
ccEvtMgr.exe 1452 ccEvtMgr
spoolsv.exe 1640 Spooler
ati2evxx.exe 348 N/A
explorer.exe 452 N/A
AppleMobileDeviceService. 608 Apple Mobile Device
DefWatch.exe 656 DefWatch
mdm.exe 988 MDM
svchost.exe 1188 stisvc
Rtvscan.exe 1712 Symantec AntiVirus
soundman.exe 1768 N/A
CLI.exe 1776 N/A
iTunesHelper.exe 1796 N/A
hpwuSchd2.exe 1808 N/A
ccApp.exe 1816 N/A
VPTray.exe 1836 N/A
LCDMon.exe 1856 N/A
LGDCore.exe 1868 N/A
jusched.exe 1928 N/A
reader_sl.exe 1940 N/A
LCDMedia.exe 1956 N/A
ctfmon.exe 1976 N/A
wcescomm.exe 1996 N/A
hpqtra08.exe 2024 N/A
SetPoint.exe 132 N/A
hpqimzone.exe 296 N/A
rapimgr.exe 324 N/A
KHALMNPR.exe 424 N/A
wmiprvse.exe 2396 N/A
alg.exe 2804 ALG
hpqnrs08.exe 2868 N/A
iPodService.exe 3560 iPod Service
hpqste08.exe 3656 N/A
CLI.exe 3888 N/A
CLI.exe 3896 N/A
wuauclt.exe 2532 N/A
iexplore.exe 3036 N/A
cmd.exe 2384 N/A
netstat.exe 1044 N/A
cmd.exe 3780 N/A
wmiprvse.exe 220 N/A
HPZinw12.exe 388 N/A
tasklist.exe 392 N/A

I find Process Explorer useful to see what is running under a particular
instance of svchost.exe. Process Monitor allows you to display a
hierarchical view of processes in a treeview so you can see what processes
svchost is the parent for.

For more detailed information on what each process instance is doing Process
Monitor may be of use to you.

Further reading here:

http://support.microsoft.com/kb/314056

FWIW I have six running as well.

Ed Metcalfe.
 
Back
Top