2 Microsoft services. how are they best handled?

I noticed that NPF has a custom rule for "Microsoft Distributed Transaction Coordinator" and wondered at that since normally Norton "recommends giving Microsoft anything it asks for. Just curious if there is a reason for this exception.


Question #2. I am still pretty knew to the concept of NOT giving microsoft everything it asks for. I always see Svchost.exe wanting to connect. My understanding of Svchost.exe can be summed up as this: "it could mean just about any process on your computer, microsoft or not. My efforts to track down what they are havent been that successful, and when my firewall asks it for permission i don't see how I could authorize it, not knowing what it is. The result is I have started just denying it permission, and hoping if it causes a problem that the cause will be obvious. I am worried about delayed effects and the fact that after a few days I will never make the connection. Sorry for taking so many words to ask this:

Can I get burned by blocking svchost.exe ?

I wish programmers would understand that some people don't want to connect to the internet unless they know what the connection is for. Does that seem unreasonable?


- HandsOff

 

Hello HandsOff,

XP "bundles" services under SVCHOST.EXE. To see exactly what is running in each instance of svchost:

Open a cmd box: start > run > type cmd > ok and type:
tasklist /svc > c:\tasklist.txt

To relate the Task Manager entries and the tasklist.txt entries: they are tied together thru the PID number. Make sure that in TM the PID is showing. If not, click on view > Select Columns.

tasklist.exe is only on XP-pro, so if running Home you'll need to download it from here:
http://www.computerhope.com/download/winxp.htm

Move it to \Windows\System32

Off the top of my head - wuauclt.exe (windows update) piggybacks out on Generic host processes for System32, one of the entries under one of the SVCHOST.EXE instances. Gets to be a little complicated

Regards - Charles

 

I don't see any real reason to have this service enabled in most cases. I recommend disabling the service and removing the rule.

Many Services (Control panel ->Services) rely on svchost.exe. You can find out which service invoke svchost.exe (with command line arguments) through here.

The only time I see that you could be "burned" is when you have denied an outgoing DHCP Broadcast (caused by DHCP Client Service) which means your computer won't be able to know the DNS servers. This can be solved by allowing the broadcast when you reconnect again. Norton probably already has this rule by default.

 

thanks for those answers - i am going save them in a safe place.

I think I have reached computer fact saturation. everytime I learn something new, i forget something else. Frustrating.


-HandsOff

 

Distributed Transaction Coordinator is closely related to the Distributed Link Tracking Client. It really serves no purpose for home user systems. If you use the FAT 32 filesystem you can turn off Distributed Link Tracking Client as well as it's just for the NT Filesystems.

As far as svchost goes it is basically just a wrapper ... By that i mean it is a process and within that (or any) process is many modules (.dll's - ocx's - etc..) that run without being listed seperately (they are shared components and can be used by any process).

So your statement that anything can piggyback within svchost and get out is essentially right on target.

 

It would be nice if the process could be listed as svchost.exe - programx, or something like that. i don't know why the don't, but it might be just a spacesaver used during developement that they did not bother to change when the gui was added.

Distributed link tracking client is one of a handful of services i am not sure about.

Recently, I decided to see how much I could tie up some loose ends. I uninstalled QoS Packet server and deactivated Microsoft network client, and ms file and printer sharing and netbios/tcp from network connections in the fire wall. I installed BugOff, and WWDC to close some ports. I disabled many services that I usually disable including terminal services, and even extended into new disablling territory by disabling com+ services and Com services helper

Then two things happened:

(1) comcast decides to "upgrade" service in our area, and
(2) service get's pretty bad.

Just my luck, they do this immediately after I made the changes. I've been frantically trying to do and undo things, then all of the sudden service works great again.

At the time it works good again, Com+ and its helper are set on manual and DCOM and 445 are left enabled in WWDC, and Bugoff protection is deactivated. everything works again!

but it had those same settings the night before and hardly worked at all. I ... think...it was comcast upgrading causing the problems all along, but it gets confusing.

I know the smart thing to do is to enable the protections one at a time and wait in between. But I wish I could at least guess which ones are most likely to cause trouble.

Since I am posting a wish I knew list, is BITs service needed for anything but updates? I always used to keep it disabled but that is another potential unknown.


-HandsOff

 

check your comcast signal strengh. they just did the upgrade here and had lots of problems. they were out 4 times to fix my signal to noise after the upgrade. i was dropping to a low of 25 and was just getting kicked off all the time. then they got me to 29 still problem now im at 34 and seems to be fine. nothing specific but all kinds of issues. also check your power downstream and upstream. downstream lower than -10 call them, upstream should be aroun 35-41 and not negative.
i have friends that work for them so i found out a lot of things afterwords and they caused a lot of screw ups in certain areas with the upgrade

 

Well, I'm not sure how I would go about checking those things. are the values accessible through a diagnostic program, or does it require testing equipment? It really does suck when you don't know if your problems are hardware or software (or operator error).


-HandsOff

 

You can go here. This will tell you if its on their end.

http://192.168.100.1/startup.html

This will test Motorola Surfboard cable modems and probably any other cable modem. Click on signal at top just below where it says Configuration Manager.

Upstream, you want to see between 40 to 50 dbmv for the power level. Downstream, a good S/N ratio is around 30 - 35. zfactor is right, downstream power level down to -10 is OK, mine is usually around -5.

Jaws

 

Well my connection seems to be functioning well, the first two readings are within the good rang, however

my down stream value is way down at -19.


I would guess this may be related to the way that the cable is run to get to my computer. It has to run about 100 feet from the where the cable connects to the house and go through a couple splitters and 2 or 3 splices. I cant do anything about the distance, but I can check the splices and splitters, and look for improvement.



- HandsOff

 

Well, I appologize to the forum master if the subject of this post has drifted further and further away from firewalls...still, this is kind of interesting, i think.

I went to the sight alluded to in Jaws post. I ran the test several times over the course of a couple hours. each and every time my downstream power level was far lower than the recommended -10 or greater. specifically, it was -19.

I replaced the splitter that goes to my tv with a straight connector and tested again. the value jumped to -14 which is a lot closer to -10 than -19.

The thing that is sort of amazing to me, given the variability of results of other types of modem tests is the consistancy of results. I tested it several times over the course of the evening and each time the figure was -14.

Now (the next morning) the value is up to -12. Yesterday was very hot when I tested, and it is still chilly now, which may account for the current value of -12. (heat increases resistance).

This test is a valuable diagnostic tool!


-HandsOff

 

Just for future reference....that site is your Cable Modems IP address and is definetly a good place to start when you need to look at your Cable Modems levels. I would also be cautious of what type splitter you use and how it's placed in your system.

 

.
FYI, I had a problem with low upstream power level (IIRC around 32 -34). I had intermittent problems getting a connection.

The Tech put a SPLITTER just before the cable modem, which instantly raised the power level. I currently average around (43 to 45).

My current signal levels:
Downstream PL -9
Downstream S/N 34dB
Upstream PL 45dBmV

If there is no way for you to experiment with something like this, for sure, if you're having connection problems, I would get in touch with tech support.

Hope this helps.

Jaws

 

re:svchost.exe

This service must have outbound access for Windows update to work. It is possible to limit it to various Microsoft address ranges, although MS sometimes buys bandwidth. That will cause the MS addresses to not work.

Don't loose too much sleep over svchost.exe. There are lots of other ways for trojans to dial out, including IE, OE, the Windows help system, terminating the firewall and installing a communications driver to bypass the firewall and everything else.

 

And if I am not mistaken, Svchost.Exe is used in XP for DNS lookups, and also for DHCP I think.. So if you're going to restrict it to certain addresses, then you should add your ISP's DNS servers to the list. DHCP I'm not sure about, it's either Services.Exe or Svchost.Exe.

 

Finally a chance to read all your posts:

Bubba, I did notice the cable company's splitters are a little bigger, and say 5 to 1000 MHz versus the store bought ones I have that say 5 to 900 MHz.

To Jaws:
I'm not sure I understand. He moved an existing splitter that was further away from the cable modem, or he simply added one that didn't supply another device - I suppose it's possible that that would lower the resistance.

I'm not too proud to call Comcast to call for a tech, but I am too impatient. Do to my position (at the end of the cable run of about 100 feet) my signal has to traverse a number of connections. I think it falls within the realm of my ability to test these connections, fix questionable ones, and see if the signal shows improvement. Over the years I've had considerable practice repairing coax cables. I've got it down to a science!

On Svchost.exe, I don't like being asked to approve of the connection or not without knowing what it is. There are usually several SvcHosts running, and I don't see any way to know which one wants to connect until after the connection is established when openports or something can ID the one that has made a connection.

Actually, I may be wrong about that, and next time I am notified that SvcHost.exe wants to connect I will run openports and see. Maybe it will be listed, you never know.

On the other hand, I could just purchase Port Explorer, like I have been wanting to do, and monitor the connections in style!


- HandsOff

 

Distributed Transaction Coordinator. DTC is not really related to Distributed Link Tracking other than the fact that they both share the word "distributed" in their name and that they both are services largely unused by most users. DTC is part of the COM (Component Object Model) technologies; or, more specifically, part of product originally called Microsoft Transaction Server (MTS) which was finally bundled up with COM and forms most of the plus ("+") in what's now termed COM+. Microsoft had aspirations of providing support for what's called "enterprise middleware" technologies. These technologies are hard to describe, but basically they let corporate developers more easily write code for customized, proprietary, database centric applications.

At the root of many of these middleware technologies is the notion of a "transaction". A transaction is set of operations that must succeed or fail as an entire group. That is, it's ok if all of the operations in the group fail, but it's most definitely not ok if some of the operations succeed and some fail. The textbook example of a transaction is a bank application that transfers money from your savings account to your checking account. You definitely want both the savings account deduction and the checking account deposit to occur to together, or not at all. The worst case would be if money was deducted from your savings account and for some reason some error or processing failure caused the checking account deposit to fail. Likewise, the bank would think it pretty bad if the checking account deposit succeed and the savings account withdrawal failed.

Most modern database servers provide support for the notion of transactions. If programmed correctly, they will not allow for some operations to succeed and others to fail. If it was only a database transaction, then all of it could be internalized in the DBMS itself and there would be no need of middleware like MTS. No, MTS's role is that allows transactions to span multiple technologies... for example, both a database operation and a file system operation. As a hypothetical, say that you had a critical application that would export database information into a log file for eventual offline storage. Say that it was imperative that no database information would get deleted without first being logged into some proprietary log/backup file. Perhaps this information is needed for auditing or legal purposes. Thus, your "transaction" might encompass a database operation which deleted rows from a table while simultaneously adding information into a propietary log file. You want both operations to succeed or not at all. Here is where something like the Distributed Transaction Coordinator would come into play. It provides a means for programmers to enforce and "coordinate" this "transaction" across a "distributed" set of technologies (ie, DBMS & filesystem).

Is DTC relevant or necessary for most Windows users? Probably not. You could probably safely disable DTC. However, you just never know where some of this COM technology might crop up. Sometimes Microsoft tools and 3rd party apps rely on such functionality and they will rarely explain this requirement. I've never made an exhaustive study of what apps and technologies really utilize DTC, so that's why I would say its probably not necessary. If you want to drill down into more information on DTC and you are using Windows 2000 or XP Professional, you can go to "Programs | Administrative Tools | Component Services | Computers | My Computer | Distributed Transaction Coordinator | Transaction Statistics" to dig up actual stats on it.

Svchost.exe Much has been written on the topic, both here at Wilders as well as the Internet at large. You should find a lot of detail out there. There are numerous programs that will detail what services are bundled within any specific process instance of svchost. One of the better ones, IMHO, is Sysinternals' Process Explorer. It is not a firewall, so it won't really alert you when any specific svchost process is sending or receiving TCP/UDP packets... but it does a great job of displaying which services are in which process. In theory, pretty much any developer could utilize the svchost.exe wrapper, but in practice it seems like Microsoft is the only one that really does. Why, you might ask? Well, it largely has to do with coding and memory efficiency. This way they can bundled numerous system services in a few processes. What are some of the svchost bundled that might seek to send or receive TCP/UDP packets? Oh, geez, tons of 'em: the browser service (not related to Internet browsing), DHCP client service, Error Reporting service, Help and Support service, the Server service (for file/printer sharing), the Workstation service (for accessing file/printer shares), Network Location Awareness service, Windows Firewall / Internet Connection Sharing service, Windows Time service, Windows Management Instrumentation (WMI) service, Automatic Updates service, Remote Procedure Call (RPC) service, DCOM service, DNS client service, TCP/IP NetBIOS Helper service, etc. Almost any of these services might have need to send and/or receive the occassional packet to or from the network, although usually these packets would be destined for your local LAN or your ISP rather than to the wild Internet.

 

One of the last times I looked at NIS/NPF I noted a number of the automatic rules had been updated and were fairly customized, which is a good thing and better than some of the early automatic rules.

Just curious how you came across the rule, did you run the application scan (in which case you may have numerous rules you may never need), or were you prompted?

Are you aware NIS/NPF has this functionality under "View Statistics"?

Regards,

CrazyM

 

Alec - If I understood half of what you said I would know alot more than I do. That said, I found your post very interesting and informative. Alot of the problems I have with XP center around what seems to be a less than average ability to assimilate microsoft terminology that I often find vague, misleading, inconsistant and/or irrational.

Your description of "Transaction", on the other hand, the concept of it was vivid enough that it actually attaches meaning to the service name. Somehow when that happens in connection with XP there is a connect feeling of a weight being lifted from my shoulders.

Anyway, you are right about the two services DTC, and DLTS being unrelated. If the unthinkable were to happen, and I was at a loss to point to an inconsistancy in microsofts terminology I could alway site that example. BTW, as you probly know, DLTS coincidentally is one of those services that run as "svchost.exe".

speaking of svchost.exe (how's that for a segue?) the fact that svchost is almost always just an innocent microsoft process is exactly what would make it such a good screen to run malware. I do appreciate your recommendation of Process Explorer. I have used it in the past, but somehow, I just don't feel like I have a handle on this process identification. I should take a look again though.

Now returning to distributed transaction coordinator. The central question still remains, and let me take it to a new level of suspicion. I have not disabled it, as such, I mearly question why Norton, who most likely parties with Bill Gates, has gone out of his way to write a special rule that appears to block internet access for this process in such a way, that I would not even receive a request to approve a connection. That smacks of existance of an exploit of some kind. See what I mean? with no custom rule in place NAV would ask me to approve the connection. I, fearful of undercutting the stability of the system could just, in a weak moment, approve of the connection. Norton seemed to think that was a chance he was not going to let me take. What does Norton know?

It sort of makes you wonder how hard would it be for a malicious program to simulate a transaction so that a firewall might report the request as coming from "Microsoft Distributed Transaction Coordinator" and not Gates of Hell Flaming Orifice, or something. (I imagine stuff like this, but I'm not saying there's anything to it)

To Crazy M-

Very diplomatic how you asked if I did a program scan. No! and was I prompted? No, again. This is the thing...it is the only custom rule that is in the group of programs that are in manual control access section. Maybe its just a mistake!

I am not a sophistocated firewall user. I just download Norton's rules, and don't even look at them. Since you may be interested in statistics, I seem to have 18 general rules, and 64 trojan horse rules. I do not edit these at all. probably a lot of them could be removed, however NPF shows no sign at all that it is weighted down by them, so I let them stand.

How I found the rule: I am set for manually controlling program access. alot of times I may allow a program access when i am installing or updating. afterward I go to the manual control access and taketh away. That's when I saw it. sitting there with my manual set programs. I am pretty sure the rule means to block inbound and outbound traffic.

another static. there a 30 programs with manual access set. 10 of them are symantec. Geeze these guys are worse than microsoft. Of the remaining 20 most are either Microsoft, security programs, or disk burning programs that fetch cd track info.

Not alot of access granted on my part. Now if I could just get Microsoft to quit allowing everything access I might have a fighting chance!


-HandsOff

 

So you have automatic rule creation disabled? If so, has it always been disabled?

The default rules you mention are fine, but can be trimmed down considerably if you ever decide to go down that path.

Is it possible you permitted it when prompted during one of these installing/updating sessions? You would have to open the entry in program access control to see the specific rule(s) and what the permit/deny.

Yes there will be a few entries for Symantec processes.

Regards,

CrazyM

 

I've always had automatic rule creation disabled since I installed it (again) a few months ago. I may be wrong, but if I understand it, if you allow one rule to be automatically created you have told the program to automatically create rules from then on. when I first ran NPF2003, I did just that. And when I got around to checking about 300 processes were internet enabled.

It's just possible that in a flurry of activity, I was checking manual access, saw DTC listed as "permit all" and meant to click block all, but missed and clicked custom then:
A) did not notice, or
B) noticed, but saw the default custom setting is block in and outbound and said to myself, "good enough", followed by

completely forgetting the whole episode, seeing the rule, and wondering, "What the hell?"

While not reflecting very well on myself, I am starting to lean towards thinking that this may well be what happened. (I've been under a lot of stress lately, these damn computers, you know how it is?)

-HandsOff


Oh, I forgot to mention, i did know about the statics thing only because I read one of your posts a long time ago. NPF did not do a real good job of prominantly displaying that in the firewall controls, ect...Between that, automatic access setting, and default settings they do a fair job of making themselves look much worse than they are. Still, if you have not tried Port Explorer (doubtful?) you really should...it's just...Cool!"