8 svchost.exe's running....

Discussion in 'other software & services' started by Simon Phoenix, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, Vista/7 uses more than XP. If you examine your services, there could be many you have no need for, and when you set them to manual/disable, instances of svchost can be reduced. The goal should not be to limit the instances of svchost for performance or security. The goal should be to tune your computer to run what is necessary for you to use it. MS likes to enable many services that MIGHT be needed. I don't worry about how many svchost.exe instances are running. But I do periodically check to see what is running within each svchost instance. There are some exploits that mock svchost.

    Sul.
     
  2. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Perfectly normal.

    Enter tasklist /svc to see what is actually running them.
     


  3. yashau

    yashau Registered Member

    Joined:
    Oct 13, 2008
    Posts:
    151
    I've got the memory to spare. It's too much of a hassle disabling them. Yes I do know of Black Viper and etc but still I just leave it as it is.
     
  4. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    I gave the command tasklist /SVC

    and I get this list
    Code:
    System Idle Process            0 N/D                                          
    System                         4 N/D                                          
    smss.exe                     616 N/D                                          
    csrss.exe                    684 N/D                                          
    winlogon.exe                 724 N/D                                          
    services.exe                 768 Eventlog, PlugPlay                           
    lsass.exe                    780 PolicyAgent, ProtectedStorage, SamSs         
    ati2evxx.exe                 944 Ati HotKey Poller                            
    svchost.exe                  956 DcomLaunch, TermService                      
    svchost.exe                 1040 RpcSs                                        
    svchost.exe                 1144 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, 
                                     ERSvc, EventSystem,                          
                                     FastUserSwitchingCompatibility, helpsvc,     
                                     lanmanserver, lanmanworkstation, Netman,     
                                     Nla, Schedule, seclogon, SENS, SharedAccess, 
                                     ShellHWDetection, Themes, TrkWks, W32Time,   
                                     winmgmt, wuauserv, WZCSVC                    
    svchost.exe                 1260 Dnscache                                     
    svchost.exe                 1340 LmHosts, RemoteRegistry, SSDPSRV, WebClient  
    ati2evxx.exe                1424 N/D                                          
    spoolsv.exe                 1592 Spooler                                      
    explorer.exe                1832 N/D                                          
    nod32krn.exe                 244 NOD32krn                                     
    svchost.exe                  296 stisvc                                       
    nod32kui.exe                 496 N/D                                          
    ctfmon.exe                   528 N/D                                          
    alg.exe                     1932 ALG                                          
    firefox.exe                 3648 N/D                                          
    foobar2000.exe              2936 N/D                                          
    taskmgr.exe                 2860 N/D                                          
    cmd.exe                     1524 N/D                                          
    wmiprvse.exe                2236 N/D                                          
    tasklist.exe                3600 N/D
    Is it normal?
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yeah, there are more running in Vista. It's just Win doing what it needs to do, it's not an issue....
     
  6. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Here is a high-level description of svchost.exe
     
  7. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    Can somebody take a look at my list please?
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have more than enough memory as well. I leave the services alone more than I used to, but I still disable unnecessary ones like DHCP since I am always static. Not much difference can be gained on newer machines anyway. For me it comes down to already knowing how, and using reg or bat files that I made long ago to instantly take care of it.

    I am just curious though, how do you handle other services besides svchost? For example, CDburnerXP puts in a service that I always disable as I never use it. Same goes for the Avira AV, I don't use the scheduler. Just curious.

    Code:
    svchost.exe                  956 DcomLaunch, TermService                      
    svchost.exe                 1040 RpcSs                                        
    svchost.exe                 1144 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, 
                                     ERSvc, EventSystem,                          
                                     FastUserSwitchingCompatibility, helpsvc,     
                                     lanmanserver, lanmanworkstation, Netman,     
                                     Nla, Schedule, seclogon, SENS, SharedAccess, 
                                     ShellHWDetection, Themes, TrkWks, W32Time,   
                                     winmgmt, wuauserv, WZCSVC                    
    svchost.exe                 1260 Dnscache                                     
    svchost.exe                 1340 LmHosts, RemoteRegistry, SSDPSRV, WebClient 
    Here, you see a good example of why to stop some services. This list has browser running, which is not needed in a home environment on any but one computer. It can cause browse master elections, which CAN cause undue stress especially if on a hub. I always disable it on all but my server.

    Also running is the remoteregistry service. Can't hurt to turn that off unless you need it. What about TermService? Good for remotedesktop and fastuserswitching, but could be disabled. Seclogon, may not be needed if only one user running as admin.

    I would kill remote registry at the least. Only you can decide what you plan on using your computer for. Personally, it is my belief that any service that has the remote possibility of being used in an exploit of some kind should be turned off if not needed. But realistically, if you know much about your computer and have a good security plan implemented, you probably won't have any problems.

    Sul.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Erm, this is probably going to rouse some feathers, but another thing to learn about is what services are holding what ports open. There has been much discussion on whether or not you are vulnerable if you have ports open, when using a firewall or router. Regardless, since this forum is about sharing and learning, you might want to check out what is happening by doing this

    netstat -ano

    this (from cmd) will show you what ports are open by what PID. You can then match the PID to your tasklist /svc output, and "sortof" determine what has a port open. I say sortof, because if the PID is for an instance of svchost, you won't know absolutely until you either understand what each service in the host does, or stop some of those services (that can be stopped) and see what ports remain open.

    Can't hurt to learn something new, or old in this case.

    Sul.
     
  10. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    thank you so much
    So I should turn it off,
    right?
    Which utility could I use?
    I don't like services.msc, I would like a program that lets me switch it off without forgetting what I did.

    I used Autoruns but I can't find TermService
     
    Last edited: Jan 29, 2009
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I did not say you SHOULD, I said you COULD. You need to understand that some services are dependent on others. You stop one, others won't function. Open services.msc, click on each service and look at the description. Double click and you can see dependencies. You should not just turn them off because I do.

    A little research first goes a long way. You might also write down what your current settings are so you can restore or have a reference for the future. There are ways to export them. I know the regkey would be the easiest. I seem to recall someone around here telling of a different way too.

    You might as well google up pserv, it is better than services.msc.

    I personally use either pserv or sc. sc.exe is a command line tool that is much faster than using net, plus you can configure your services with it. Make a batch file, and you can toggle on/off or start state easily.

    Figure out what you need first, or you could be in for some trouble.

    Sul.

    EDIT: I seem to recall using pserv to save service configurations. Been some time ago since I did that, but you might have a look.
     
  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    I followed your advice, but I can't find TermService; I have a non-English XP SP2.
    But is Black Viper online again?
    I would like a tool that helps me not to make mistakes,
    maybe with an export feature
     
    Last edited: Jan 29, 2009
  14. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Not at all. I run this (as a .cmd file) to equate the processes with the connections:


    @echo off
    rem Every process with the services it hosts; the PID is the second column.
    tasklist /svc
    echo.
    rem Sockets with their owning PID. Drop rows naming this machine, wildcard (*:*)
    rem foreign addresses and the "Active Connections" banner, so only the
    rem listening/connected rows remain to be matched against the PIDs above.
    netstat -a -o -f | find /V "%COMPUTERNAME%:" | find /V "*:*" | find /V "Active Connections"
    echo.
    echo *** End of List ***
    echo.
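As an added worked example (not code posted in the thread), here is the PID join Sully describes in post 9, which the .cmd above prints as two separate lists, done in Python so each socket lands next to the process and services that own it. The `tasklist /svc` and `netstat -ano` text inside it is constructed sample output in the two tools' formats (the tasklist rows are modelled on mantra's list); the set of "review" service names is just the services this thread discusses, and the caveat from post 9 is kept: a socket can only be pinned to the svchost instance, not to one service inside it, so every service in that instance is reported.

```python
"""Join `netstat -ano` rows to `tasklist /svc` rows on PID.

Added example, not code from the thread. Replace the two constructed samples
with real captures:   tasklist /svc > tasks.txt   and   netstat -ano > ports.txt
then call ports_by_process(open("tasks.txt").read(), open("ports.txt").read()).
"""
import re

# Constructed `tasklist /svc` sample, modelled on the list posted in the thread.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   768 Eventlog, PlugPlay
svchost.exe                    956 DcomLaunch, TermService
svchost.exe                   1040 RpcSs
svchost.exe                   1144 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   lanmanserver, lanmanworkstation, Netman,
                                   winmgmt, wuauserv, WZCSVC
svchost.exe                   1260 Dnscache
svchost.exe                   1340 LmHosts, RemoteRegistry, SSDPSRV, WebClient
firefox.exe                   3648 N/A
"""

# Constructed `netstat -ano` sample (UDP rows have no State column).
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       956
  TCP    192.168.1.10:1043      93.184.216.34:443      ESTABLISHED     3648
  UDP    0.0.0.0:1900           *:*                                    1340
  UDP    127.0.0.1:53           *:*                                    1260
"""

# Services the posters in this thread single out as remote-facing and worth a look.
REVIEW_SERVICES = {"Browser", "RemoteRegistry", "TermService", "SSDPSRV", "WebClient"}

TASK_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")
NET_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_tasklist(text):
    """Return {pid: (image, [service, ...])}. Indented lines continue the
    previous row's service list; 'N/A' (N/D on localised builds) means none."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line.startswith(" "):
            svc_text = line                       # wrapped continuation line
        else:
            m = TASK_ROW.match(line)
            if not m:
                continue
            last_pid = int(m.group(2))
            procs[last_pid] = (m.group(1).strip(), [])
            svc_text = m.group(3)
        if last_pid is None:
            continue
        names = [s.strip() for s in svc_text.split(",") if s.strip()]
        procs[last_pid][1].extend(n for n in names if n not in ("N/A", "N/D"))
    return procs


def parse_netstat(text):
    """Return [(proto, local, foreign, state, pid)], skipping banner and header."""
    rows = []
    for line in text.splitlines():
        m = NET_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def ports_by_process(tasklist_text, netstat_text):
    """Join the two outputs on PID: {pid: {"image", "services", "sockets"}}."""
    procs = parse_tasklist(tasklist_text)
    joined = {}
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("<not in tasklist>", []))
        entry = joined.setdefault(pid, {"image": image, "services": services, "sockets": []})
        entry["sockets"].append(f"{proto} {local} -> {foreign} {state}".rstrip())
    return joined


def review_candidates(joined):
    """PIDs holding sockets whose hosting instance contains a REVIEW_SERVICES name.
    Only the instance is known, so the whole flagged set for that PID is returned."""
    out = {}
    for pid, entry in joined.items():
        flagged = sorted(REVIEW_SERVICES.intersection(entry["services"]))
        if flagged:
            out[pid] = flagged
    return out


if __name__ == "__main__":
    joined = ports_by_process(TASKLIST_SAMPLE, NETSTAT_SAMPLE)
    for pid, entry in sorted(joined.items()):
        print(f"PID {pid:>5} {entry['image']:<20} [{', '.join(entry['services']) or '-'}]")
        for sock in entry["sockets"]:
            print(f"      {sock}")
    print("Review:", review_candidates(joined))
```

On the sample, the RDP listener (3389) lands on the instance hosting TermService and the SSDP socket (1900) on the instance hosting LmHosts, RemoteRegistry, SSDPSRV and WebClient, which is exactly the ambiguity post 9 warns about: stopping services one at a time and re-running the join is still the only way to say which one owns the port.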


     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Nice batchin man. I am going to flat out steal that code and use it myself.

    Many thanks.

    Sul.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    from command prompt

    sc query state= all > c:\service_states.txt

    Find the service name/display name for each service etc.

    sc query termservice
    sc stop termservice
    sc config termservice start= disabled

    etc etc. Sc.exe is a very good tool to know for services.

    Sul.
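As an added example (not the posters' code), the "export your current settings first" step from post 12 can be done by saving `sc qc` output for each service and parsing it back. The script below turns that text into a baseline, prints the `sc config <name> start= ...` lines (the form used in the post above) that restore it, reports which services drifted between two snapshots, and answers "what depends on this service?" before anything is disabled. The `sc qc` text inside it is constructed sample output in sc.exe's format; in use, capture the real thing by running `sc qc <name>` for each SERVICE_NAME listed by `sc query state= all` and appending the output to one file.

```python
"""Snapshot service start types from `sc qc` output and emit `sc config` lines
that restore them.

Added example, not code from the thread. Usage on a real capture:
    python restore_services.py baseline.txt > restore.cmd
With no argument it runs on the constructed sample below.
"""
import re
import sys

# Constructed `sc qc` output for three services (format as sc.exe prints it).
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TermService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k DComLaunch
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Terminal Services
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Registry
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\LocalService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Browser
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Computer Browser
        DEPENDENCIES       : LanmanWorkstation
                           : LanmanServer
        SERVICE_START_NAME : LocalSystem
"""

# START_TYPE code -> the word `sc config start=` accepts.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
KEY_VALUE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")
CONTINUATION = re.compile(r"^\s+:\s*(\S.*)$")      # extra DEPENDENCIES lines


def parse_sc_qc(text):
    """Return {service_name: {"start": word, "display": str, "deps": [names]}}."""
    services, cur, last_key = {}, None, None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
            cur = services[name] = {"start": None, "display": "", "deps": []}
            last_key = None
            continue
        if cur is None:
            continue
        cont = CONTINUATION.match(line)
        if cont and last_key == "DEPENDENCIES":
            cur["deps"].append(cont.group(1))
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        last_key = key
        if key == "START_TYPE":
            # Vista+ prints "2   AUTO_START  (DELAYED)" for delayed auto start.
            cur["start"] = "delayed-auto" if "DELAYED" in value else START_TYPES.get(value.split()[0], "?")
        elif key == "DISPLAY_NAME":
            cur["display"] = value
        elif key == "DEPENDENCIES" and value:
            cur["deps"].append(value)
    return services


def restore_commands(baseline):
    """One `sc config` line per service; sc.exe needs the space after `start=`."""
    return [f"sc config {name} start= {cfg['start']}"
            for name, cfg in sorted(baseline.items()) if cfg["start"]]


def drifted(baseline, current):
    """{name: (baseline_start, current_start)} for services whose start type changed."""
    return {n: (b["start"], current[n]["start"]) for n, b in baseline.items()
            if n in current and current[n]["start"] != b["start"]}


def dependents_of(services, name):
    """Services that list `name` as a dependency (case-insensitive): what would
    stop working if `name` were disabled, the check post 12 asks for."""
    target = name.lower()
    return sorted(s for s, cfg in services.items()
                  if target in (d.lower() for d in cfg["deps"]))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SC_QC_SAMPLE
    snapshot = parse_sc_qc(text)
    for cmd in restore_commands(snapshot):
        print(cmd)
    for name in snapshot:
        print(f"rem {name} is needed by: {', '.join(dependents_of(snapshot, name)) or 'nothing in snapshot'}")
```

The restore file is plain cmd, so it can be run later exactly like the `sc config` line in the post above; the dependency question is answered from the same snapshot, so the "what depends on what" lookup does not need services.msc.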
     
  17. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi Mantra,

    WebClient is very dangerous. I disabled WebClient.

    Also, I disabled: Themes ( I have Classic Windows ), DNSClient, Application Layer Gateway Service ( alg.exe ).

    Spooler: I have on Manual! Yes! If I need to print, I start the service, that's all.

    I removed ctfmon.

    First of all for you: start Advanced SystemCare v3. Look on thread 'Advanced WindowsCare ...' .

    Yours PROROOTECT:thumb:
     
  18. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    DNSClient is needed to surf the net
    Application Layer Gateway Service and ctfmon I don't know


    But with all the tools around, there is no tool that lets me easily save the default services and disable the ones I don't like

    I don't like DOS
     
  19. yashau

    yashau Registered Member

    Joined:
    Oct 13, 2008
    Posts:
    151
    DNSClient I need because I use the Windows hosts file a lot for a lot of things. CTFMon is needed to type stuff in my native language. There are actually only a few resource-hungry processes/services. The rest, even if you enable/disable them, you won't notice any decrease/increase in performance. :)
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
  21. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    432
    First I want to thank you all for the replies.


    Sully, thank you very very much. I find your posts quite informative and very useful.
    Now I know if I have some problem, which person I can call for help ;)

    I know that I reacted a little too panicked; I was too paranoid.

    I know that my ISP has bigger problems than me, you are absolutely right.


    Although I don't use Avast and I'm just trying it, I noticed something really strange.

    That was that svchost.exe was using my ISP address, and not 255.xxx as default.
    Something strange was that my FW connected to some weird address and everything became fishy to me.

    All the previous AVs that I have tried used 255.xxx for svchost.exe.


    Now after I have reinstalled AV and FW it seems that everything is fine and I will keep monitoring.

    So, it's normal for svchost.exe to connect to the internet, right?


    When I first connect to the internet it is from a clean image restored, which has never been connected to the internet.
    I'm virtualized all the time and I use Sandboxie, and only when I update my AV for a couple of minutes do I exit from virtual mode.

    So I think that at least my system partition is well secured, even if there is some infection on other partition(s), but AFAIK without execution that infection cannot get to the system partition.

    I was only concerned that during my surfing someone (including the ISP) can penetrate my PC or spy on me, although I don't keep sensitive data on my PC, nor do I shop online.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I did a very interesting and revealing experiment years ago with my Kerio 2 firewall.

    I made a copy of the rule set, then deleted all rules except a 'Deny all inbound' rule. This was just to prevent alerts.

    Then, I connected to the internet and let Kerio help make my internet rules. First comes DHCP, then DNS. You will be alerted at each outbound attempt and you can see what process is being used for what. I'm on Win2K here, so it is services.exe, rather than svchost.exe.

    [attached images: kerio-dhcp.gif, kerio-dhcp2.gif]

    I learned so much about internet rules by letting Kerio prompt for everything! Of course, I did a lot of reading to learn about protocols and other networking stuff. A good background in the principles helps to understand what is going on.

    ----
    rich
     
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
  25. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    432