Is there a firewall that handles svchost properly?


zigguratt
July 25th, 2005, 09:51 PM
Hi all,

I'm looking for a firewall that handles svchost properly, i.e. lets me at all the "hosted" bits individually. I know I've seen reference to this here before, but I guess I'm not phrasing my search criteria very well: I just keep getting millions of links to messages in which people are wondering what this svchost thing is.

I think Outpost (non-free?) was mentioned as having this capability. Or was it LnS? I'm currently using Kerio 2.1.5 and don't like the way it handles svchost.

What I'm really looking for is a decent, very comprehensive application firewall, as I'm using a Linksys router with a good stateful packet filter built in. But I don't think such an application exists yet - aside from that one which uses an online database and requires you to upload suspect files for their inspection (can't remember its name).

Thanks for any input!

profhsg
July 25th, 2005, 11:55 PM
Outpost v. 2.7 (paid) is a very capable firewall which handles svchost.exe very well if configured properly. Paranoid 2000, who often posts on this forum, has produced a guide to producing a secure configuration for Outpost. That guide contains an extensive discussion on how to set Outpost for svchost.exe. If you don't like Outpost or can't use it, you can probably adapt the rules suggested in Paranoid 2000's guide for another highly configurable firewall.

Here's a link to the guide:

http://www.outpostfirewall.com/forum/showthread.php?t=9858

CrazyM
July 26th, 2005, 12:15 AM
-{ Quote: "I'm currently using Kerio 2.1.5 and don't like the way it handles svchost." }-
What issues or concerns do you have with Kerio and its handling of svchost?

Regards,

CrazyM

zigguratt
July 26th, 2005, 06:05 AM
Thanks profhsg, I'll take a look at that guide. Sounds promising!
-{ Quote: "What issues or concerns do you have with Kerio and it's handling of svchost?" }-Don't get me wrong, CrazyM: I love the old Kerio. And so far it's working well as an application firewall. But svchost is just one big lump in Kerio 2.1.5. So many things go through it that its rules need to be far more lenient than they should be. I want control of the DLLs that use svchost individually, if that's possible.

Thanks for your input, guys!

ghost16825
July 26th, 2005, 08:07 AM
-{ Quote: "Thanks profhsg, I'll take a look at that guide. Sounds promising!
Don't get me wrong, CrazyM: I love the old Kerio. And so far it's working well as an application firewall. But svchost is just one big lump in Kerio 2.1.5. So many things go through it that its rules need to be far more lenient than they should be. I want control of the DLLs that use svchost individually, if that's possible.

Thanks for your input, guys!" }-

It sounds like you're after a firewall which also does checksums on components used by the executable/dlls.

But first, three things need to be stated here. First, dlls are not executable by themselves. By dll injection, an executable may use a function within the dll file. (dll = Dynamically linked library). Second, component checking firewalls already exist. However, often the checksumming process is so non-discriminating that components which legitimately get modified often are checked as well. Consequently, the result is a stream of 'false positives' alerting to the fact that a program's components have changed.

Thirdly, it is possible to create tight rules for svchost.exe without intrusive/painful measures. It is most likely that the rules you have chosen to create are the problem, rather than any missing feature of the firewall you are using. (See the Outpost link provided and/or BZ's default ruleset)

zigguratt
July 26th, 2005, 10:01 AM
Thanks for the reply, ghost16825 (can I just call you ghost?:). I'm after a firewall that allows specific control over each and every aspect of every application and component in my system - at least as far as network access is concerned. I want to be able to choose an application in this mythical firewall and methodically specify protocols, ports, and directions to which it has access. I want svchost broken down into the DLLs that are actually requesting the net access and then I want to be able to specify policies for each of them as well.

Right now my svchost rules look like this:

http://www.syrinx.net/images/shrules.gif

The first is DNS, the second, DHCP (both to my router), and the fourth is for Windows' insistence on time synchronization. The third rule is the one I don't like. What if the impossible happened :) and I got infected by a trojan which hides behind svchost and happens to phone home to a web service (SOAP, XML-RPC, etc.) listening on port 80 or 443? It could send ANYTHING out (not to mention receiving information). Currently I have to give svchost outbound access on these ports or be plagued by alerts asking me whether to allow it out on port 80 or 443.

That's why I want more fine-grained control. I'm not looking specifically for MD5 signature maintenance. I thought I recalled mention of a firewall that allowed one to peer inside svchost and apply rules to each component therein. Perhaps I was mistaken.

I'd write this mythical app firewall myself, but I've not enough Windows experience for the job. I'm a Linux/Python/C kinda guy.

Thanks for the response!

Randy_Bell
July 26th, 2005, 10:36 AM
zigguratt, how could a trojan hide behind SVCHOST? My understanding is that the "Generic Host Process for Win32 Services" {i.e. SVCHOST} functions only for Windows vital services, such as what you mentioned: DNS, DHCP, etc.

richrf
July 26th, 2005, 10:41 AM
-{ Quote: "zigguratt, how could a trojan hide behind SVCHOST? My understanding is that the "Generic Host Process for Win32 Services" {i.e. SVCHOST} functions only for Windows vital services, such as what you mentioned: DNS, DHCP, etc." }-

I'm not certain, but is this the type of concern that is being discussed? It has been a concern of mine, as a user of ZoneAlarm Pro.

http://vil.mcafeesecurity.com/vil/content/v_100699.htm

Rich

Randy_Bell
July 26th, 2005, 10:44 AM
Thank you Rich, never heard of that. "Backdoor-AZF" {McAfee classification} sounds like a job for my TrojanHunter app to cover. ;) TH supposedly handles DLL-injecting trojans. I hope to capture a sample of that one and send in to TH now. ;)

zigguratt
July 26th, 2005, 10:46 AM
-{ Quote: "I'm not certain, but is this the type of concern that is being discussed? It has been a concern of mine, as a user of ZoneAlarm Pro.

http://vil.mcafeesecurity.com/vil/content/v_100699.htm

Rich" }-Yes, that's exactly what I'm talking about, and it's just one example. I see svchost as a huge security hole in Windows and want more control over it.

zigguratt
July 26th, 2005, 10:50 AM
Whoa! Fast posting around here! :) I use TH (guard & scanner) as well. Call me paranoid, but I just want to cover all eventualities...

CrazyM
July 26th, 2005, 02:18 PM
-{ Quote: "Don't get me wrong, CrazyM: I love the old Kerio. And so far it's working well as an application firewall. But svchost is just one big lump in Kerio 2.1.5. So many things go through it that its rules need to be far more lenient than they should be. I want control of the DLLs that use svchost individually, if that's possible." }-
As ghost16825 alluded to, you will not have the component control with Kerio 2.1.5 that other firewalls offer, but you may be able to refine your rules.

-{ Quote: "... and the fourth is for Windows' insistence on time synchronization." }-
The rule for Windows Time is fine and restricted to an IP. If you do not want Windows doing this, simply disable the service.

-{ Quote: "The third rule is the one I don't like. What if the impossible happened :) " }-
You can play the "What if ...?" game for ever. You just need to define a realistic security policy that best suits your needs.
For rule #3 the outbounds will most likely all be for Microsoft sites. Your option for refining this rule is to start gathering a list of IP's used (enable logging) and then modify your rule set allowing outbound to those IP's only. An option would be to use the Custom IP list for this (much like you could use the trusted zone list in ZA for svchost).

Regards,

CrazyM

Rmus
July 26th, 2005, 03:51 PM
-{ Quote: "http://vil.mcafeesecurity.com/vil/content/v_100699.htm

Yes, that's exactly what I'm talking about, and it's just one example. I see svchost as a huge security hole in Windows and want more control over it." }-Here is the key sentence:

----------------------
Currently, the trojan needs to be manually installed and connected in order to achieve remote access to the victim's machine.
----------------------

I would be more concerned about how a trojan could become installed, rather than worrying about my firewall. With all of the other protection available, what is the possibility, really, of this happening?

Regarding your rules: I'm not sure why you have #3. Permitted, unlimited outbound doesn't seem wise here. I concur with CrazyM's suggestion about setting up rules for svchost.

regards,

-rich
________________
~~Be ALERT!!! ~~

djg05
July 26th, 2005, 05:54 PM
I don't really understand about svchost needing access. I have it blocked in and out tcp and udp in Kerio 2.1.5 any address and have not noticed it causing any problems in the last couple of years.

CrazyM
July 26th, 2005, 06:20 PM
Depends on how you have your rules configured as svchost.exe will be the process behind some common network functionality in Windows. An example why you may not have seen it: is your DNS rule in Kerio for "any application"?

Regards,

CrazyM

Rmus
July 26th, 2005, 06:40 PM
-{ Quote: "...is your DNS rule in Kerio for "any application"?" }-This is the way Kerio's default system-wide rules are set up. When I became aware of how Services (Win2K) and Svchost (WinXP) work, I changed from "any application" to listing the specific application, leaving any other attempts outbound by those services to call up an alert. I assume this is what you would advise people to do?

-rich
________________
~~Be ALERT!!! ~~

CrazyM
July 26th, 2005, 07:22 PM
-{ Quote: "This is the way Kerio's default system-wide rules are set up. When I became aware of how Services (Win2K) and Svchost (WinXP) work, I changed from "any application" to listing the specific application, leaving any other attempts outbound by those services to call up an alert. I assume this is what you would advise people to do?" }-
The defaults may be fine for some, others may want stricter rules. It is a matter of how much you want to lock things down. Firewall choice/rule sets along with other measures should be part of an overall assessment of what best suits your security needs. Unfortunately there is no magic bullet or right answer for all. What may meet my requirements could be totally unsuitable for you. This is something we each need to define and implement.

Regards,

CrazyM

Rmus
July 26th, 2005, 07:51 PM
-{ Quote: "...What may meet my requirements could be totally unsuitable for you. This is something we each need to define and implement.
Regards,

CrazyM" }-Since many people post asking about rules, how would you teach someone just getting started with a rule-set firewall, how to define needs and requirements?

thanks,

-rich
________________
~~Be ALERT!!! ~~

ghost16825
July 26th, 2005, 08:22 PM
-{ Quote: "Currently I have to give svchost outbound access on these ports or be plagued by alerts asking me whether to allow it out on port 80 or 443." }-

Ah, but that's a choice you have made. If you have created this rule for Automatic Updates, then it is possible to restrict it to Microsoft's netblock. Also, for a DHCP Broadcast, if I'm not mistaken this only needs to be allowed outbound from the client (which asks for DNS servers/an IP address to be assigned to it).

CrazyM
July 26th, 2005, 09:38 PM
-{ Quote: "Since many people post asking about rules, how would you teach someone just getting started with a rule-set firewall, how to define needs and requirements?" }-
That is a pretty broad question as it depends on the firewall and a number of other things such as users, their use of the system(s), their habits (good, bad or indifferent), their computer knowledge, other security/privacy measures in place.

The following comments are based on the premise of no local servers and a deny all inbound policy.

For rule based firewalls, application based or not, a basic rule set would limit outbound connections to required services only. This will vary for users but usually include DHCP, DNS, HTTP, HTTPS, POP3, SMTP, FTP, NNTP and probably some IM (MSN, Yahoo, AOL) services.

The next option if you wanted to refine or customize your rules further, application based or not, would be to limit certain services to specific IP’s. This would typically see things like DNS, SMTP, POP3 restricted further.

The last option would be applicable for application rule based firewalls where you could further restrict something like the topic of this post, svchost.exe, or have things like application based DNS rules. For those using and concerned with proxy software and localhost, some firewalls will also allow for setting restrictions on what can access localhost and the proxy (loopback rules).

Do you need to go the extent of the last option? This will always be subject of debate and a matter of personal preference. My suggestion for those just getting started would be option one as a minimum (a little more than a default permit any outbound) and option two as a happy medium if they wish to customize a little further.

Regards,

CrazyM

Rmus
July 26th, 2005, 10:02 PM
-{ Quote: "That is a pretty broad question as it depends on the firewall and a number of other things such as users, their use of the system(s), their habits (good, bad or indifferent), their computer knowledge, other security/privacy measures in place." }-Thanks for those suggestions. That seems like the logical first step, rather than just copying someone else's ruleset.

(great quote in your sig!)

-rich
________________
~~Be ALERT!!! ~~

JayTee
July 26th, 2005, 10:31 PM
quick question.

why won't pointing your svchost.exe to your dynamic/static ip gateway (esp. if you are behind a router) do? svchost.exe is only allowed to access 192.168.2.1 on my PC. so any trojan or malware cannot use svchost to access any other internet address.

zigguratt
July 26th, 2005, 10:40 PM
-{ Quote: "Ah, but that's a choice you have made. If you have created this rule for Automatic Updates, then it is possible to restrict it to Microsoft's netblock. Also, for a DHCP Broadcast if I'm not mistaken this only need to be allowed outbound from the client (which asks for DNS servers/an IP address to be assigned to it)." }-The only choice I've made so far is to use Kerio. :) The reason I posted in the first place was to find an alternative with which I didn't HAVE to make the choice we're discussing. I will, however, change my svchost rule to build up a list of legit IPs in the Custom Address Group - or figure out Microsoft's netblock and specify that instead. At least until I can find an alternative to Old Kerio.

At the moment I'm not even using DHCP so I'm going to disable that rule anyway. I only added it recently when experimenting with the router. The only change I would make to the rule would be to specify local port 68 instead of [Any port]. You do need bidirectional communication with the DHCP server, however, unless I seriously misunderstand DHCP!

[Edit: I just checked and this rule (with local port 68 specified) is now exactly the same as the "Assign DHCP Server" rule in the BlitzenZeus Kerio rule set]

zigguratt
July 26th, 2005, 10:48 PM
-{ Quote: "quick question.

why won't pointing your svchost.exe to your dynamic/static ip gateway (esp. if you are behind a router) do? svchost.exe is only allowed to access 192.168.2.1 on my PC. so any trojan or malware cannot use svchost to access any other internet address." }-That works fine for any available local services to which svchost needs access, such as DHCP/DNS (see above). This also assumes you aren't connected directly to the 'net, as I suspect most people are. But it definitely won't work when Windows wants to connect to the Windows Update servers, which are, oddly, not behind your router...

CrazyM
July 26th, 2005, 11:02 PM
-{ Quote: "Thanks for those suggestions. That seems like the logical first step, rather than just copying someone else's ruleset." }-
Nothing wrong with using something like that as a starting point or guide, just don't implement it carte blanche. It is important that a user understand all their rules and what they do. Always a fun learning experience to start with no rules (deny all) and build from there ;)

-{ Quote: "(great quote in your sig!)" }-
A good common sense approach.

Regards,

CrazyM

Rmus
July 26th, 2005, 11:04 PM
-{ Quote: " You do need bidirectional communication with the DHCP server, however, unless I seriously misunderstand DHCP!" }-Depends.

See:

http://www.geocities.com/yosponge/fw/kexpl1.html

http://www.dslreports.com/faq/3301

I use outbound only, dialup, Win2K (see image below)

On my laptop with WinXP, the application is Svchost.


EDIT: I see you've solved it already.


-rich
________________
~~Be ALERT!!! ~~

zigguratt
July 27th, 2005, 06:56 AM
-{ Quote: "Depends.

See:

http://www.geocities.com/yosponge/fw/kexpl1.html

http://www.dslreports.com/faq/3301

I use outbound only, dialup, Win2K (see image below)

On my laptop with WinXP, the application is Svchost.


EDIT: I see you've solved it already.


-rich
________________
~~Be ALERT!!! ~~" }-I don't know how that's working unless there's another rule somewhere permitting inbound DHCP responses. I'm betting that even the rule you DO have is being ignored and DHCP both directions is getting through another way. Both of the links you gave above have rules for DHCP in both directions. The second even had another rule for broadcast in addition to the bidirectional rule I specified.

If I were you I'd take a close look at my rules to make sure there aren't any holes that need plugging.

djg05
July 27th, 2005, 07:07 AM
-{ Quote: "Depends on how you have your rules configured as svchost.exe will be the process behind some common network functionality in Windows. An example why you may not have seen it: is your DNS rule in Kerio for "any application"?

Regards,

CrazyM" }-

There is more to this than I realise. Yes the DNS rule is for any application. If I make it specific then it will not work for that program, so I assume that duplicates of that rule have to be made. I guess that services.exe is one that needs a DNS rule to be set. Disabling the svchost rule had no effect.

This is probably why in Netveda and I think LnS ask several times about services when setting the rule

Rmus
July 27th, 2005, 12:01 PM
-{ Quote: "I don't know how that's working unless there's another rule somewhere permitting inbound DHCP responses. " }-To test, I put the DHCP rule at the top and put a block-all-inbound next, and nothing tries to get in except DNS port 53.

It's been so long since I set up those rules, I went back to my notes to check, and see that I created my own little tutorial by starting with *no* rules and letting Kerio prompt me for my system-wide rules, and I ended up with just two: the DHCP rule as I posted above, and an In-Out DNS rule which I customized for Port 53 and my two DNS servers.

I specified the application for these rules: My Win2K system uses Services.exe, and my XP system uses svchost.exe.

regards,

-rich
________________
~~Be ALERT!!! ~~

zigguratt
July 27th, 2005, 02:17 PM
Very odd! Do me a favour: type "ipconfig /all" at a command prompt and tell me what it says beside "Dhcp Enabled".

To get this thread back on topic, I'd still like to know if there's a firewall that handles svchost as I described. I've been able to tighten up my svchost Kerio rules a bit. I turned off the svchost DHCP rule, as I'm using static IPs for all desktop machines here. I disabled the Windows DNS Client service as suggested in the Outpost guide pointed to by profhsg. This allowed me to turn off the svchost DNS rule in Kerio. As a side-effect I now have to specify a DNS rule for every application that requires access. It sounds a bit annoying, but it's in keeping with my desire for an application firewall. I want all these things specified per application. I've left the NTP rule in place as it's appropriately restricted and relatively harmless (!).

So that leaves only the HTTP rule. For the moment I've turned it off as well in order to collect IPs to add to the custom set. It looks like they're too diverse to infer a single Microsoft netblock.

Thanks all for the suggestions and help. Interesting discussion so far. I'd like final resolution on the DHCP issue, however.

djg05
July 27th, 2005, 02:27 PM
Should DHCP be enabled? Mine currently is not. I think at the time it was thought better not to, but cannot remember the thinking now

zigguratt
July 27th, 2005, 02:44 PM
-{ Quote: "Should DHCP be enabled? Mine currently is not. I think at the time it was thought better not to, but cannot remember the thinking now" }-Well of course the answer is: it depends. Is your computer a laptop? If so, does it connect to various networks, wireless or otherwise (home, work, coffee shop)? If so, then using DHCP is wise as you won't have to keep changing your network settings every time you change location. If it's a desktop machine, is it connected directly to the 'net (i.e. a wire right to your cable/DSL box, or direct connection to the modem)? If so then you'll need DHCP as no ISPs these days give out static IPs. If your machine is behind some sort of gateway (wired/wireless router) you have a choice either way as they usually have built-in DNS/DHCP servers. Being behind one of these routers I've chosen to use static IPs (no DHCP) on my internal wired network. The machines aren't going anywhere so I can set up the networking once and forget it. But it's just as valid to use DHCP in this case. It's up to you.

But that's the only time you really have a choice. I'd probably go with DHCP if I weren't such a control freak. :)

Rmus
July 27th, 2005, 03:20 PM
-{ Quote: "Very odd! Do me a favour: type "ipconfig /all" at a command prompt and tell me what it says beside "Dhcp Enabled"." }-
PPP adapter xxxxxx:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-xxxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : xx.xx.xx.xxx
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : xx.xx.xx.xxx
DNS Servers . . . . . . . . . . . : xxx.xxxx1
........................................xxx.xxxxx2
NetBIOS over Tcpip. . . . . . . . : Disabled


-rich
________________
~~Be ALERT!!! ~~

zigguratt
July 27th, 2005, 03:41 PM
-{ Quote: "DHCP Enabled. . . . . . . . . . . : No" }-Well that explains it then! You're not even using DHCP so no requests/responses are being issued. That's why you can be missing rules in your firewall and still have everything functioning properly. In this case you don't even need that one DHCP rule you DO have in Kerio. Your machine shouldn't be broadcasting for a lease if it isn't using DHCP.

Glad to find out I'm not going crazy (well, not over this, anyway:). Odd subnet mask! For a 192.168.x.x private network it's normally something more like 255.255.255.0. If you're using a 10.x.x.x private network (e.g. Apple AirPort) it's usually something like 255.0.0.0. Yours says that all bits of the IP are network specifiers, leaving no room for host numbers. I don't know what effect this might have on your network, but it's obviously not catastrophic as you seem to be getting along fine as is.

Rmus
July 27th, 2005, 04:04 PM
I don't understand the technical points of DHCP, so that's why, rather than copying someone else's rules (everyone has his own ideas), I just let Kerio prompt me for what it needs, and I ended up with the two rules I described above, and I've never had a problem with connecting.


-rich
________________
~~Be ALERT!!! ~~

djg05
July 27th, 2005, 04:54 PM
-{ Quote: "Well of course the answer is: it depends. Is your computer a laptop? .................
................... The machines aren't going anywhere so I can set up the networking once and forget it. But it's just as valid to use DHCP in this case. It's up to you.

But that's the only time you really have a choice. I'd probably go with DHCP if I weren't such a contol freak. :)" }-

Thanks - that explains it.

It is on a 2 machine LAN both connecting to a router, and contrary to you am on a static IP.

Meltdown
July 31st, 2005, 04:16 AM
-{ Quote: "For rule #3 the outbounds will most likely all be for Microsoft sites. Your option for refining this rule is to start gathering a list of IP's used (enable logging) and then modify your rule set allowing outbound to those IP's only." }-Is there an easier way of doing this? If we're talking solely about Windows updates - the only reason I would want svchost to connect to Microsoft - isn't there a standard list of IPs to use? As a post in this thread (http://www.wilderssecurity.com/showthread.php?t=90026) suggests:-{ Quote: "You can create 4 rules for Windows Updates:
for the applications : Generic Host Process and Internet Explorer.

All those rules have as Source your IP
local ports 1025 to 5000 , protocol TCP

Destinations:

1- IP address range 206.24.0.0 to 206.24.254.254 port 80
2- IP address range 66.77.0.0 to 66.77.254.254 port 80
3- IP address range 207.46.0.0 to 207.61.254.254 ports 80 and 443
4- IP address range 64.4.0.0 to 64.254.254 ports 80 and 443" }-

CrazyM
July 31st, 2005, 04:00 PM
-{ Quote: "Is there an easier way of doing this? If we're talking solely about Windows updates - the only reason I would want svchost to connect to Microsoft - isn't there a standard list of IPs to use? As a post in this thread (http://www.wilderssecurity.com/showthread.php?t=90026) suggests:" }-
-{ Quote: "Originally Posted by Climenole
You can create 4 rules for Windows Updates:
for the applications : Generic Host Process and Internet Explorer.

All those rules have as Source your IP
local ports 1025 to 5000 , protocol TCP

Destinations:

1- IP address range 206.24.0.0 to 206.24.254.254 port 80
2- IP address range 66.77.0.0 to 66.77.254.254 port 80
3- IP address range 207.46.0.0 to 207.61.254.254 ports 80 and 443
4- IP address range 64.4.0.0 to 64.254.254 ports 80 and 443" }-
Unfortunately if you want to go to the extent of locking down svchost.exe/services.exe in this manner it will involve establishing an accurate list of IP's. What will complicate it is the fact MS will use multiple servers outside of their own to deploy updates (ie. Akamai Technologies) which could vary for users and make defining a reliable list difficult.

From the IP ranges in your quote, only two belong to MS.

207.46.0.0 - 207.46.255.255 - corrected range
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
64.4.0.0 - 64.4.63.255 - corrected range
OrgName: MS Hotmail
OrgID: MSHOTM
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 64.4.0.0 - 64.4.63.255
CIDR: 64.4.0.0/18
NetName: HOTMAIL
NetHandle: NET-64-4-0-0-1
Not sure if this range would be involved in Windows/Microsoft Update.

If you do not want to go to this extent, you can always permit these services outbound connections with less restrictive rules.

Regards,

CrazyM
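To make CrazyM's tiers concrete (limit svchost.exe to the services it needs, then pin each service to specific addresses), here is an added example that models an ordered Kerio-style rule list in Python and evaluates it against constructed connection attempts. It is not anyone's posted configuration or a real firewall: the router and time-server addresses are assumed, the 207.46.0.0/16 netblock is taken from the ARIN record quoted above, and the "phone home" attempt is a hypothetical trojan running inside svchost.exe, the case zigguratt raised about rule #3.

```python
"""Ordered application-firewall rules modelled on the Kerio 2.1.5 svchost rules
discussed in this thread, evaluated against constructed connection attempts.
Added example, not a firewall and not any poster's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    """One connection attempt as an application firewall would see it."""
    app: str           # process image name, e.g. "svchost.exe"
    direction: str     # "out" or "in"
    proto: str         # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    """A Kerio-style rule; None (or an empty tuple) means 'any'."""
    name: str
    action: str                          # "permit" or "deny"
    app: Optional[str] = None
    direction: Optional[str] = None
    proto: Optional[str] = None
    local_port: Optional[int] = None
    remote_nets: Tuple[str, ...] = ()    # CIDR strings; empty = any address
    remote_port: Optional[int] = None

    def matches(self, a: Attempt) -> bool:
        if self.app is not None and self.app.lower() != a.app.lower():
            return False
        if self.direction is not None and self.direction != a.direction:
            return False
        if self.proto is not None and self.proto != a.proto:
            return False
        if self.local_port is not None and self.local_port != a.local_port:
            return False
        if self.remote_port is not None and self.remote_port != a.remote_port:
            return False
        if self.remote_nets:
            ip = ip_address(a.remote_ip)
            if not any(ip in ip_network(n) for n in self.remote_nets):
                return False
        return True


def evaluate(rules, attempt, default="ask"):
    """First matching rule wins, as in Kerio's ordered list; no match -> prompt."""
    for rule in rules:
        if rule.matches(attempt):
            return rule.action, rule.name
    return default, None


# Assumed addresses (not from the thread): LAN gateway running DNS/DHCP, an NTP server.
ROUTER = "192.168.1.1/32"
TIME_SERVER = "207.46.130.100/32"
# Microsoft netblock from the ARIN record quoted in the thread.
MS_NET = "207.46.0.0/16"

# Tightened svchost.exe rules: each service pinned to protocol, port and address.
STRICT_RULES = [
    Rule("svchost DNS to router", "permit", "svchost.exe", "out", "udp", None, (ROUTER,), 53),
    # DHCP: local port 68, remote port 67, both directions. The client broadcasts
    # DISCOVER/REQUEST to 255.255.255.255; the server answers from its own address.
    Rule("svchost DHCP", "permit", "svchost.exe", None, "udp", 68, (ROUTER, "255.255.255.255/32"), 67),
    Rule("svchost NTP", "permit", "svchost.exe", "out", "udp", None, (TIME_SERVER,), 123),
    Rule("svchost HTTP to MS", "permit", "svchost.exe", "out", "tcp", None, (MS_NET,), 80),
    Rule("svchost HTTPS to MS", "permit", "svchost.exe", "out", "tcp", None, (MS_NET,), 443),
    Rule("svchost anything else", "deny", "svchost.exe"),
]

# The original "rule #3": svchost.exe may reach any address on 80/443.
LENIENT_RULES = STRICT_RULES[:3] + [
    Rule("svchost HTTP anywhere", "permit", "svchost.exe", "out", "tcp", None, (), 80),
    Rule("svchost HTTPS anywhere", "permit", "svchost.exe", "out", "tcp", None, (), 443),
    STRICT_RULES[-1],
]

# Constructed attempts: legitimate service traffic plus a hypothetical trojan
# hosted inside svchost.exe that phones home over HTTPS.
ATTEMPTS = {
    "dns": Attempt("svchost.exe", "out", "udp", 1025, "192.168.1.1", 53),
    "dhcp_offer": Attempt("svchost.exe", "in", "udp", 68, "192.168.1.1", 67),
    "windows_update": Attempt("svchost.exe", "out", "tcp", 1026, "207.46.130.1", 443),
    "phone_home": Attempt("svchost.exe", "out", "tcp", 1027, "203.0.113.5", 443),
    "browser": Attempt("firefox.exe", "out", "tcp", 1028, "203.0.113.5", 443),
}


def decisions(rules):
    """Map each constructed attempt to the action the rule set would take."""
    return {name: evaluate(rules, a)[0] for name, a in ATTEMPTS.items()}


if __name__ == "__main__":
    for label, rules in (("strict", STRICT_RULES), ("lenient", LENIENT_RULES)):
        print(label, decisions(rules))
```

The two rule sets differ only in rule #3: under the lenient list the phone-home attempt is permitted because it looks exactly like Windows Update traffic to the firewall, while under the strict list it falls through to the svchost deny rule. The browser attempt matches nothing in either list and would produce a prompt, which is the behaviour zigguratt wants for everything that is not explicitly permitted. The caveat CrazyM gives still applies: an address list built this way has to be maintained as Microsoft's update servers (and any CDN in front of them) change.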

Meltdown
August 1st, 2005, 05:53 AM
Thanks. I wonder if it's worth the effort. What I've been doing up to now is blocking outbound TCP for svchost, toggling it to permit whenever I get an alert for Windows update. It works, but it isn't pretty, and I think I'll just permit it to all addresses on remote ports 80 and 443, and live with the (slight?) risk.


On that risk: Rmus, you say -{ Quote: "I would be more concerned about how a trojan could become installed, rather then worrying about my firewall." }- And then immediately after that:-{ Quote: "Regarding your rules: I'm not sure why you have #3. Permitted, unlimited outbound doesn't seem wise here." }- Why does it not seem wise? What dangers are there, other than trojans?

Rmus
August 1st, 2005, 07:14 AM
-{ Quote: "On that risk: Rmus, you say:

--------------------------------
Regarding your rules: I'm not sure why you have #3. Permitted, unlimited outbound doesn't seem wise here.
--------------------------------

Why does it not seem wise? What dangers are there, other than trojans?" }-It's just based on what I learned about services and protocols.

In a post subsequent to mine, CrazyM wrote:

-------------------------------
Unfortunately there is no magic bullet or right answer for all.
What may meet my requirements could be totally unsuitable for you.
This is something we each need to define and implement.
-------------------------------

In hindsight, I wouldn't have made that statement regarding that rule #3 which you refer to, since it was based on how I implement rules from what I learned about services and protocols.

In this thread, for every suggestion w/good reason, someone else counters with a reason to do the opposite.

Users will "define and implement" in their own way.

It may be useful to suggest where to find information about specifics -- in this case, services and protocols -- but the decision has to be made by the user.

At least, that's where my thinking is at the moment.

regards,

-rich
________________
~~Be ALERT!!! ~~

gottadoit
August 1st, 2005, 10:59 AM
Now this isn't strictly an answer to the question, but sometimes changing the problem to one that is more easily solved (with the tools at hand) is a viable way forward (until the tools evolve)....

One option that nobody has mentioned is the ability to "roll your own" svchost instance and move services into that, but this is not something that should be done on an important machine due to the potential for something going wrong (either now or in the future)

As long as you don't mind wasting a little bit more memory it can work, but it's definitely not for the faint hearted and has the potential to break with future windows updates/patches

I moved the wuauserv and BITS services into their own svchost instance so I could have some more control (at a process level) of the access granted. Before this is useful you need to have security programs that will allow you to control program access by executable name and command line arguments

What I have done has worked for me (so far) and when it breaks (which it probably will) I will probably have to restore a registry backup or do some tinkering in the recovery console... so it's not something to just rush off and do because it sounds like a good idea (unless you know how to recover as well)

Seeing as you need to know how to recover there is not much point outlining the exact changes I made, but they started under the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost and I also made a change in HKLM\SYSTEM\CurrentControlSet\Services\BITS and HKLM\SYSTEM\CurrentControlSet\Services\wuauserv

Once again I would like to emphasise that if you are considering doing this you need to have a way of recovering should it go wrong either initially or down the track and remember that I did this for testing purposes on a workstation that I use for testing (and general use)

Regards
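gottadoit names the registry locations but, deliberately, not the edits. For readers who do know how to recover, here is an added PowerShell example (my own, not gottadoit's script) of the change those keys imply: the SvcHost key holds one REG_MULTI_SZ value per service group listing its members, and each service's ImagePath selects its group with "svchost.exe -k <group>". The script moves wuauserv and BITS out of the shared group into a new one so they run in a separate svchost.exe that a firewall or HIPS can match on its command line. It assumes an XP/2003-era layout in which both services sit in "netsvcs" (it aborts if they do not), must be run elevated, and uses "WuauBits" as my own name for the new group.

```powershell
# Added example: move wuauserv and BITS into their own svchost.exe instance.
# Assumes both currently live in the "netsvcs" group; group name "WuauBits" is arbitrary.
# Everything touched is exported first so it can be restored from the recovery console.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$oldGroup   = 'netsvcs'
$newGroup   = 'WuauBits'
$services   = @('wuauserv', 'BITS')
$backupDir  = Join-Path $env:SystemDrive 'svchost-backup'

# 1. Back up the SvcHost key and both service keys.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' (Join-Path $backupDir 'SvcHost.reg') /y | Out-Null
foreach ($svc in $services) {
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\$svc" (Join-Path $backupDir "$svc.reg") /y | Out-Null
}

# 2. Sanity checks: the services must be in the old group and be hosted by svchost with "-k netsvcs".
$members = (Get-ItemProperty -Path $svcHostKey -Name $oldGroup).$oldGroup
foreach ($svc in $services) {
    if ($members -notcontains $svc) { throw "$svc is not a member of $oldGroup; layout differs, aborting" }
    $imagePath = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc").ImagePath
    if ($imagePath -notmatch '(?i)svchost\.exe\s+-k\s+netsvcs') { throw "$svc ImagePath unexpected: $imagePath" }
}

# 3. Stop the services before changing their registration.
Stop-Service -Name $services -Force

# 4. Create the new group (REG_MULTI_SZ of service names) and drop the services from the old one.
New-ItemProperty -Path $svcHostKey -Name $newGroup -PropertyType MultiString -Value $services -Force | Out-Null
$remaining = @($members | Where-Object { $services -notcontains $_ })
Set-ItemProperty -Path $svcHostKey -Name $oldGroup -Value $remaining -Type MultiString
# Groups may carry per-group COM security settings in a subkey of the same name; copy them if present.
if (Test-Path "$svcHostKey\$oldGroup") {
    Copy-Item -Path "$svcHostKey\$oldGroup" -Destination "$svcHostKey\$newGroup" -Recurse -Force
}

# 5. Repoint each ImagePath at the new group. Keep REG_EXPAND_SZ so %SystemRoot% still expands.
foreach ($svc in $services) {
    $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $imagePath = (Get-ItemProperty -Path $svcKey).ImagePath
    $newPath   = $imagePath -replace '(?i)-k\s+netsvcs', "-k $newGroup"
    Set-ItemProperty -Path $svcKey -Name ImagePath -Value $newPath -Type ExpandString
}

# 6. Restart and confirm both services now share one process that is not the netsvcs instance.
Start-Service -Name $services
Get-WmiObject Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
    Select-Object Name, State, ProcessId, PathName
```

The PathName column should read "...\svchost.exe -k WuauBits" with a ProcessId different from the netsvcs host; a firewall that keys on the full command line can then give that process its own rules while the rest of netsvcs stays locked down. To undo it, stop the services and import the three .reg files from the backup directory. The same caveats gottadoit gives apply: a service pack or update that rewrites these keys can silently move the services back or leave the group half-defined. Note for readers on current Windows: since Windows 10 version 1703, machines with more than about 3.5 GB of RAM already run most services in separate svchost.exe processes (controlled by SvcHostSplitThresholdInKB under HKLM\SYSTEM\CurrentControlSet\Control), so this manual split is mostly of historical interest there.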