SSM question

Discussion in 'other anti-malware software' started by Tarnak, Jul 30, 2010.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Does anyone know why, whenever I am in one of my several snapshots, I get an SSM popup that svchost.exe is trying to modify the registry? This usually happens once or twice per session.

    Process:
    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1968
    Information: Generic Host Process for Win32 Services (Microsoft Corporation)
    Registry Group: User Shell Settings
    Object:
    Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Registry value: AppData
    New value:
    Type: REG_SZ
    Value: C:\Documents and Settings\NetworkService\Application Data
    Previous value:
    Type: REG_SZ
    Value: C:\Documents and Settings\LocalService\Application Data

    I have the option of creating a permanent rule in the checkbox, but since I am not sure, I don't create a permanent rule.

    I usually choose to block, and the popup disappears without any hindrance to my system.

    Obviously, the change is a choice between "NetworkService" and "LocalService" in C:\Documents and Settings\......\Application Data

    My system is XP Pro SP2, standalone desktop, and is not part of a domain.

    I don't know what the different values in the registry would make, as a choice.
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    The only security problem with svchost.exe is, IMO, its attempts to continually connect to the internet. I block all svchost.exe connection attempts with the firewall (I allow it ONLY for manual Windows updates) and make a rule for DNS resolving for applications that I want connecting to the internet.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Thanks blacknight for your reply, however it doesn't really answer my question ... but I do have 5 svchost.exe's presently active as services.

    I wouldn't even attempt to set up FW rules, in case I do something wrong. I depend on a layered approach to keep from getting infected.
     
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Yes, I was aware that I didn't answer straightforwardly. But now I remembered a program that may be useful for you: svchost viewer
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I may be wrong as I don't remember seeing that particular prompt, but I believe that value specifies which application data folder is going to be in use. Both are normal system folders. Allowing it should be fine.
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I forgot about this thread...Thanks for your reply. :) Yes, I usually just allow it.
     