@Jason

You have said in another forum ...

"Also seems Process Guard v2.000 is the first to properly block this method of DLL injection. [links]"

[ I have omitted the links because I am afraid that Paul will delete my post. This has happened too many times before and I do not want it to happen again ... :-( ]

1. I would like to know how PG will block this injection technique. Will it specifically prevent the start of svchost.exe with the flag CREATE_SUSPENDED? Or will it block the start of svchost.exe in general?

2. Does this DNS demo really bypass a personal firewall which has been properly configured and uses a rule which merely allows svchost to establish an outgoing connection via port 53 to the DNS servers of the internet provider (and not to any other internet addresses)?

TIA.