PG stopped svchost.exe from shutting down both gcasdtserv.exe (the MS anti-malware project, @ 21:28 on 02/06) and spybotsd.exe (OK, needless to say, SpyBot @ 08:03 on 02/07) over the last 24 hours for me. Does PG have any tools for me to try to trace what program(s) were trying to use svchost to shut these down? If not, is there any way to do so? This has been one of my most constant irritations, whether or not appropriate, with svchost, as so many programs can utilize its functions and I have no idea how then to pin down the offender. Any and ALL help is appreciated!
Hi brucemc, svchost is an important part of your OS so be very careful about stopping its various instances. ProcessGuard stops other programs interfering with svchost processes whilst they are running, and Execution Protection will stop any changed svchost.exe from running. I understand your concern about the .dlls it allows to run, but remember that PG will stop .dll injection into running processes and will not allow service / driver install without explicit permission. Try Sysinternals Process Explorer; it gives a lot of info' about processes.

Anyway, back to your request, here is how to see what the various svchosts are running:

From MSKB

To view the list of services that are running in Svchost:

1. Click Start on the Windows taskbar, and then click Run.
2. In the Open box, type CMD, and then press ENTER.
3. Type Tasklist /SVC, and then press ENTER.

Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:

Code:
Tasklist /FI "PID eq processID"

(with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running.

Code:
Image Name        PID   Services
========================================================================
System Process    0     N/A
System            8     N/A
Smss.exe          132   N/A
Csrss.exe         160   N/A
Winlogon.exe      180   N/A
Services.exe      208   AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                        Eventlog,LanmanServer,LanmanWorkstation,
                        LmHosts,Messenger,PlugPlay,ProtectedStorage,
                        Seclogon,TrkWks,W32Time,Wmi
Lsass.exe         220   Netlogon,PolicyAgent,SamSs
Svchost.exe       404   RpcSs
Spoolsv.exe       452   Spooler
Cisvc.exe         544   Cisvc
Svchost.exe       556   EventSystem,Netman,NtmsSvc,RasMan,
                        SENS,TapiSrv
Regsvc.exe        580   RemoteRegistry
Mstask.exe        596   Schedule
Snmp.exe          660   SNMP
Winmgmt.exe       728   WinMgmt
Explorer.exe      812   N/A
Cmd.exe           1300  N/A
Tasklist.exe      1144  N/A
What you present will show what svchost is running, but I am interested in why svchost ran something that tried to shut these two processes down. I may be way off base, but I picture some program calling the svchost program and giving it instructions which are normally fine, but in these cases are rather questionable. If, and I grant that this is a huge "if", that model above is correct, then svchost is just the messenger; I need to know who sent it on its way to execute my anti-spyware programs if I am going to know if the request was warranted. Am I off in left field in my model of what part svchost plays?
brucemc, I'm guessing that you have already done the obvious and looked at the PG logfile to see the process id that was blocked. If so, and the process id listed is that of an svchost.exe, then the best you can do is to check the running services in that svchost process. If it was another application utilising a service running inside a svchost process then I'd say you are out of luck for now.

It would be a decent enhancement to log the name of the service in addition to the processid in the case of svchost, and in the case of another program making use of svchost then both the svchost process + service name and the invoking process should really be logged (assuming they are not already). The PG logfile is currently "kind of" useful in some circumstances for forensic purposes; it isn't complete and you don't always have enough information to map processes to their parents. Hopefully this part of PG will get better with time.

NB: Just in case it's useful ... listing the services provided by svchost.exe without any of the dross in a full tasklist:

Code:
tasklist /svc /FI "IMAGENAME eq svchost.exe"

or

Code:
tasklist /svc /FI "PID eq 1234"

Edit: brucemc, I see you have already replied while I was away mid-way through a post. It would be interesting to see exactly what PG logged in its logfile for these events.
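The tasklist /svc output in the two posts above is the raw material for mapping a blocked svchost PID back to the services it hosts. The following is an added example, not code from ProcessGuard, Microsoft or anyone in this thread: it parses that output into a PID-to-services map, reproduces what the IMAGENAME and PID filters show, and does the reverse lookup (which PID hosts a given service). SAMPLE_TASKLIST_SVC is constructed to follow the layout of the KB excerpt (fixed columns, service lists wrapping onto indented continuation lines); real output pasted from a command prompt can be fed in instead.

```python
"""Parse `tasklist /svc` output into a PID -> (image, services) map.

Added example (not from the forum post, Microsoft, or ProcessGuard).
SAMPLE_TASKLIST_SVC is constructed to follow the layout of the KB excerpt:
fixed columns, with service lists that wrap onto indented continuation lines.
"""
import re
from collections import OrderedDict

SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
============================ ====== ============================================
System Process                   0 N/A
System                           8 N/A
Services.exe                   208 AppMgmt, Browser, Dhcp, Dmserver, Dnscache,
                                   Eventlog, LanmanServer, LanmanWorkstation,
                                   LmHosts, Messenger, PlugPlay, ProtectedStorage,
                                   Seclogon, TrkWks, W32Time, Wmi
Lsass.exe                      220 Netlogon, PolicyAgent, SamSs
Svchost.exe                    404 RpcSs
Spoolsv.exe                    452 Spooler
Svchost.exe                    556 EventSystem, Netman, NtmsSvc, RasMan,
                                   SENS, TapiSrv
Mstask.exe                     596 Schedule
Explorer.exe                   812 N/A
"""

# image name (may contain spaces), then the PID, then the service column
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    """Turn 'A, B, C' into ['A', 'B', 'C'], dropping the N/A placeholder."""
    names = [s.strip() for s in field.split(",")]
    return [n for n in names if n and n != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} in output order.

    Indented lines are continuations of the previous row's service list.
    """
    table = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            if current is not None:
                table[current][1].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        table[pid] = (m.group("image"), _split_services(m.group("services")))
        current = pid
    return table


def services_in_image(table, image_name):
    """{pid: [services]} for every process with that image name (case-insensitive),
    i.e. what `tasklist /svc /FI "IMAGENAME eq svchost.exe"` shows."""
    wanted = image_name.lower()
    return {pid: svcs for pid, (img, svcs) in table.items() if img.lower() == wanted}


def pid_for_service(table, service_name):
    """Reverse lookup: which PID hosts a given service (None if not found)."""
    wanted = service_name.lower()
    for pid, (_img, svcs) in table.items():
        if wanted in (s.lower() for s in svcs):
            return pid
    return None


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE_TASKLIST_SVC)
    for pid, svcs in services_in_image(table, "svchost.exe").items():
        print("svchost.exe [%d]: %s" % (pid, ", ".join(svcs)))
    # In this Windows 2000-style sample the Task Scheduler service lives in
    # Mstask.exe; on Windows XP the same "Schedule" service is hosted inside
    # svchost.exe, which is why a scheduler-driven action shows up as svchost.
    print("Schedule service is in PID", pid_for_service(table, "Schedule"))
```

When a PG log entry names an svchost PID, running this over a tasklist /svc capture taken at the time narrows the suspect to the handful of services hosted in that one instance rather than every service on the machine.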
Given the security you have running I doubt an unknown process could initiate svchost without your knowledge. Having said that, if you are not sure there are several courses of action.

1. Google the program name to see what function it serves.
2. Check the file's properties.
3. Scan the file with all your scanners and also use online scans.
4. Submit a zipped copy of the file to submit@diamondcs.com.au for analysis.

HTH Pilli
Well, let's see. I found that, oddly enough, there are absolutely no logged records during the minute that the first attempt was made, though there are 48 entries during that minute in the view window, but there is probably a reasonable explanation for that. As to the second, the attempt to shut down spybot, the PID is apparently that of svchost. I don't know if these things are different on different systems, but it's showing #1244, and as I really am not all that bright (no, I didn't think of the log file...), there is probably an obvious explanation to this, and since it is short I will post it:

Code:
Mon 07 - 04:00:01
[EXECUTION] "e:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
[EXECUTION] Commandline - [ "e:\program files\spybot - search & destroy\spybotsd.exe" /autocheck /autofix ]
Mon 07 - 08:00:00
[EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
[EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\schedsvc.dll,closeproc 476 ]
Mon 07 - 08:03:01
[TERMINATE] c:\windows\system32\svchost.exe [1244] was blocked from terminating e:\program files\spybot - search & destroy\spybotsd.exe [476]

I'd much rather hear of the stupid & simple mistakes I made than that I have a problem, so let 'er rip-
OK, duhhhhh. I see the shutdown request of spybot by rundll32. As to why it wants to shut it down is the next mystery to me. What initiated that command line? Can someone 'splain that to me? And the first request to kill the MS/Giant scanner, with no log entries at all... Poltergeists? Are they really baaaaack?
It looks like the Task Scheduler engine "schedsvc.dll" made the termination requests through svchost using rundll32. Did these termination attempts by svchost happen after a scan, or a reboot to scan before anything loads to remove things it couldn't before, on both products? I know sometimes if these apps can't remove something, they offer to reboot and load before anything else to do the removal then; also they can be autoloaded to scan at each boot. Just guessing here. It could be that both these apps use Task Scheduler as a means of loading and unloading during a boot scan/cleaning and therefore use svchost to terminate when done? Do you have these apps set to scan automatically at boot time, or did they require a reboot to "finish cleaning"? You could check your system log in the Event Viewer to see if you were booting at the time. Look for event numbers 6009 and 6005 and the Service Control Manager entries above it.

Another possibility - I know on my system wmiadap loads a couple minutes after boot and quits after a couple minutes of doing its "performance monitoring thing". If I suspend my PC while wmiadap is loaded and running, SVCHOST will attempt to terminate the process and FAIL when I resume my system later, since I do not allow svchost termination rights. Another guess, did you suspend or hibernate while the scans were taking place? There's no place I know of that logs this, other than you might see a time gap in ProcessGuard's logs. It could be that when you resumed or unhibernated, Task Scheduler tried to terminate the processes, considering them timed out or something.

Hope it helps, totally guessing here.
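The attribution in the post above (scheduler → svchost → rundll32 closeproc → blocked TERMINATE) was done by eye. As an added example, not ProcessGuard's own code or anything from this thread, here is the same reasoning over the PG log as a small parser: it reads the EXECUTION and TERMINATE entries, then ties each blocked terminate to any earlier launch by the same svchost PID whose command line names the target PID, and to the launch record of the target itself. SAMPLE_PG_LOG reuses the entries posted earlier; the one-entry-per-line layout is an assumption about the PG logfile format.

```python
"""Attribute a ProcessGuard TERMINATE entry to the command that requested it.

Added example, not ProcessGuard's own code. SAMPLE_PG_LOG reuses the entries
posted in the thread; the one-entry-per-line layout is an assumption.
"""
import re

SAMPLE_PG_LOG = r"""
Mon 07 - 04:00:01
[EXECUTION] "e:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
[EXECUTION] Commandline - [ "e:\program files\spybot - search & destroy\spybotsd.exe" /autocheck /autofix ]
Mon 07 - 08:00:00
[EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
[EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\schedsvc.dll,closeproc 476 ]
Mon 07 - 08:03:01
[TERMINATE] c:\windows\system32\svchost.exe [1244] was blocked from terminating e:\program files\spybot - search & destroy\spybotsd.exe [476]
"""

TS_RE = re.compile(r"^\w{3} \d{2} - \d{2}:\d{2}:\d{2}$")
RUN_RE = re.compile(r'^\[EXECUTION\] "(?P<image>[^"]+)" was (?P<verdict>\w+) to run')
BY_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<ppid>\d+)\]')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')
TERM_RE = re.compile(r'^\[TERMINATE\] (?P<killer>.+?) \[(?P<kpid>\d+)\] was (?P<verdict>\w+) '
                     r'from terminating (?P<target>.+?) \[(?P<tpid>\d+)\]$')


def parse_pg_log(text):
    """Return a list of EXECUTION / TERMINATE event dicts in log order."""
    events, stamp, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line):            # timestamp line opens a new entry
            stamp, cur = line, None
            continue
        m = RUN_RE.match(line)
        if m:
            cur = {"kind": "EXECUTION", "time": stamp, "image": m.group("image").lower(),
                   "verdict": m.group("verdict"), "parent": None, "parent_pid": None,
                   "cmdline": ""}
            events.append(cur)
            continue
        m = BY_RE.match(line)            # "Started by" belongs to the open EXECUTION entry
        if m and cur is not None:
            cur["parent"] = m.group("parent").lower()
            cur["parent_pid"] = int(m.group("ppid"))
            continue
        m = CMD_RE.match(line)
        if m and cur is not None:
            cur["cmdline"] = m.group("cmd")
            continue
        m = TERM_RE.match(line)
        if m:
            cur = None
            events.append({"kind": "TERMINATE", "time": stamp, "killer": m.group("killer").lower(),
                           "killer_pid": int(m.group("kpid")), "verdict": m.group("verdict"),
                           "target": m.group("target").lower(),
                           "target_pid": int(m.group("tpid"))})
    return events


def explain_terminate(events, term):
    """Link a TERMINATE event to (a) earlier launches by the same killer PID whose
    command line names the target PID, and (b) the launch of the target itself."""
    idx = events.index(term)
    prior = [e for e in events[:idx] if e["kind"] == "EXECUTION"]
    pid_token = re.compile(r"\b%d\b" % term["target_pid"])
    requests = [e for e in prior
                if e["parent_pid"] == term["killer_pid"] and pid_token.search(e["cmdline"])]
    launches = [e for e in prior if e["image"] == term["target"]]
    return {"requests": requests, "target_launches": launches}


def attribute_terminates(text):
    """Every TERMINATE in the log paired with its explanation."""
    events = parse_pg_log(text)
    return [(t, explain_terminate(events, t)) for t in events if t["kind"] == "TERMINATE"]


if __name__ == "__main__":
    for term, info in attribute_terminates(SAMPLE_PG_LOG):
        print("%s: %s [%d] -> %s [%d] (%s)" % (term["time"], term["killer"], term["killer_pid"],
                                              term["target"], term["target_pid"], term["verdict"]))
        for e in info["requests"]:
            print("  requested via: %s" % e["cmdline"])
        for e in info["target_launches"]:
            print("  target launched at %s by %s [%s]: %s"
                  % (e["time"], e["parent"], e["parent_pid"], e["cmdline"]))
```

For the posted log this pairs the 08:03:01 block with the 08:00:00 rundll32 launch (closeproc 476) and with the 04:00:01 /autocheck /autofix launch of spybotsd.exe by the same svchost [1244], i.e. the whole scan-then-close lifecycle came from one scheduler-hosting svchost. A TERMINATE whose killer PID has no matching earlier request in the log is the case that deserves a closer look.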
Interesting. I think both are scheduled for daily automatic updating, and I know that if an update is loaded it is normal to have to at least shut the app down and restart, which would probably be an automated request with the automated function, but I do not think either are set to update at any point near when these items cropped up; normally I shoot for between midnight and 5:00am. That does not mean I didn't screw up though. I will look into this. I greatly appreciate everyone's help.
Just to be safe, I would set rundll32.exe to permit once in the Security tab of ProcessGuard and manually allow rundll32 to execute by checking to see what command line it wants to execute each time. It may be a nuisance, but if it happens again, at least you could catch svchost trying to run rundll32.exe/schedsvc.dll to close down your anti-spyware apps and get a better clue as to exactly what was taking place at the time. Maybe malware found a way to get svchost to launch rundll32 and get Task Scheduler to close down apps? Or maybe it's auto updating and restarting like you thought? I think SB S&D maintains a log of some activity; you could see if it was auto-updating at that time. Your other tool may maintain a log as well. See what it was doing right at that moment.
Good advice, this has been recommended by Jason in another thread for those extra cautious users. I also have rundll32.exe set to permit once and it does get started occasionally by certain apps.

Jason: Quoted from another thread:
The same thing just happened on my system when closing Firefox (or Opera, can't remember now):

Code:
Thu 24 - 10:23:17
[TERMINATE] c:\windows\system32\svchost.exe [996] was blocked from terminating c:\program files\microsoft antispyware\gcasdtserv.exe [236]

gcasdtserv.exe is "Actually, its one of the necessary processes that allows Microsoft AntiSpyware Real Time Protection to function properly." http://www.microsoft.com/athome/security/spyware/software/newsgroups/reader/default.mspx?dg=microsoft.private.security.spyware.general&tid=56b4ed97-837b-4d42-9855-f2651a02b51a&cat=en_US_419F30E4-BBC2-47AC-97EE-D5649468C647&lang=en&cr=US&sloc=en-US&m=1&p=1

Very strange.
I started to get the same problem right after updating to the newest release of MS AntiSpyware. Svchost tried to terminate gcasdtserv.exe on startup.
Strange? Perhaps. Definitely normal, and you should ALLOW this terminate privilege. The Task Scheduler started the scan, now it wants to stop it.