Generic Host Process for Win32 Services


Stuart

I've noticed numerous Microsoft programs utilize Generic Host Process for
Win32 Services. Does either the operating system or the online portion of
Defender block access to this for all other programs?
Stuart//
 

Bill Sanderson MVP

I'm not sure what you are asking. Here are a couple of KB articles that
describe this process, one for XP and the other for Windows 2000:
XP
http://support.microsoft.com/kb/314056/EN-US/
Windows 2000
http://support.microsoft.com/kb/250320/en-us

If your question is whether third party programs can make use of this
process, I don't know that kind of answer.

http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/

discusses in greater detail what this critter does for a living, but
skimming it, I didn't spot a clear statement about whether or not a
third-party service can run under this process.

If your question is: Could some malware create a service and set it to
execute under one of the SVCHOST instances, without Windows Defender
noticing?

Here's what I read in the Help with regard to one of the real-time
protection agents:
---
Services and Drivers

Monitors services and drivers as they interact with Windows and your
programs. Because services and drivers perform essential computer functions
(such as allowing devices to work with your computer), they have access to
important software in the operating system. Spyware and other potentially
unwanted software can use services and drivers to gain access to your
computer or to try to run undetected on your computer like normal operating
system components.
---
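A practical check for the case raised in the post above, added here as an example and not part of the original thread. On every Windows version from 2000 on, a service is hosted by svchost.exe when its ImagePath runs svchost.exe with "-k <group>" and a ServiceDll value under the service's Parameters key names the DLL to load; the group names live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (the mechanism the XP KB article above describes). Nothing in that mechanism is limited to Microsoft code, so the useful question is which DLLs your svchost instances actually load. The script below enumerates them and flags the ones worth a second look. The trusted-directory list and the Authenticode test are this script's own assumptions, not a rule Windows or Defender applies.

```powershell
# Added example (not from the thread): list every service hosted by
# svchost.exe, resolve the DLL it loads, and flag anything unusual.
# Run as Administrator in Windows PowerShell 2.0 or later.

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Value names under the Svchost key are the registered "-k" group names.
$groups  = (Get-Item $groupKey).Property

# Assumption of this script: a ServiceDll outside these directories is
# worth a look. Adjust for your environment.
$trusted = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Expand-RegPath([string]$p) {
    if (-not $p) { return $null }
    # ImagePath/ServiceDll are usually REG_EXPAND_SZ (%SystemRoot%\...)
    # and sometimes quoted; normalise both.
    [Environment]::ExpandEnvironmentVariables($p.Trim('"'))
}

$findings = foreach ($key in Get-ChildItem $svcRoot) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $svc -or -not $svc.ImagePath) { continue }

    $image = Expand-RegPath $svc.ImagePath
    if ($image -notmatch 'svchost\.exe') { continue }   # only hosted services

    # "-k <group>" selects which svchost instance hosts this service.
    $group = $null
    if ($image -match '-k\s+(\S+)') { $group = $matches[1] }

    $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
    $dll    = if ($params) { Expand-RegPath $params.ServiceDll } else { $null }

    $reasons = @()
    if (-not $group -or $groups -notcontains $group) {
        $reasons += 'group not registered under Svchost key'
    }
    if (-not $dll) {
        $reasons += 'no ServiceDll'
    } elseif (-not (Test-Path -LiteralPath $dll)) {
        $reasons += 'ServiceDll missing on disk'
    } elseif (-not ($trusted | Where-Object { $dll.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $reasons += 'ServiceDll outside System32/SysWOW64'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }

    New-Object PSObject -Property @{
        Service = $key.PSChildName
        Group   = $group
        Start   = $svc.Start        # 2 = automatic, 3 = manual, 4 = disabled
        Dll     = $dll
        Flags   = ($reasons -join '; ')
    }
}

'--- all svchost-hosted services, grouped by instance ---'
$findings | Sort-Object Group, Service | Format-Table Group, Service, Start, Dll -AutoSize

'--- flagged for review ---'
$findings | Where-Object { $_.Flags } | Format-Table Service, Group, Dll, Flags -AutoSize
```

Two caveats when reading the output. On XP, Vista and 7, Get-AuthenticodeSignature reports most catalog-signed OS DLLs as NotSigned, so on those versions treat the path and group checks as the primary signal and the signature flag as noise; on Windows 10 catalog signatures verify and a NotSigned DLL in System32 deserves attention. And the firewall point in the thread follows directly from this listing: a program-control rule that trusts svchost.exe trusts every DLL in the table, whichever vendor put it there.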
 

Stuart

Bill Sanderson MVP said:
If your question is: Could some malware create a service and set it to
execute under one of the SVCHOST instances, without Windows Defender
noticing?
Yes, that is my question stated more clearly. I'm studying this as I think
it is a greater risk area than I had realized because the program control of
my firewall, which I rely on heavily, will do little to assist me. Any other
references would be appreciated.
Stuart//
 

Bill Sanderson MVP

I did some operation on Vista today which gave rise to an alert from this
agent in Windows Defender. I am 99% (and a bit more!) sure that this agent
would cover your case--and that it does it better in Vista, because of the
additional security layers in the underlying OS, than it does in XP.

I haven't found much more that is relevant, but here are some more
references:

http://technet.microsoft.com/en-us/windowsserver/default.aspx

This next one is quite relevant to a number of Vista-related questions we
see here, including yours, to some extent:

http://technet.microsoft.com/en-us/windowsvista/aa905073.aspx#EHF

This one is relevant, but is maybe just what Help has in it under Vista.

http://windowshelp.microsoft.com/Windows/en-US/Help/8b8917f4-88c7-4470-88ae-0a06987c20fd1033.mspx
