SSM question

Discussion in 'other anti-malware software' started by Tarnak, Jul 30, 2010.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Does anyone know why whenever I am in one my several snapshots, I get an SSM popup that svchost.exe is trying to modify the registry? This usaully happens once or twice per session.

    Process:
    Path: C:\WINDOWS\system32\svchost.exe
    PID: 1968
    Information: Generic Host Process for Win32 Services (Microsoft Corporation)
    Registry Group: User Shell Settings
    Object:
    Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Registry value: AppData
    New value:
    Type: REG_SZ
    Value: C:\Documents and Settings\NetworkService\Application Data
    Previous value:
    Type: REG_SZ
    Value: C:\Documents and Settings\LocalService\Application Data

    I have the option of creating a permananent rule in the checkbox, but since I am not sure, I don't create a permanent rule.

    I usually choose to block, and the popup disappears without any hindrance to my system.

    Obviously, the change is a choice between "NetworkService" and "LocalService" in C:\Documents and Setting\......\Application Data

    My system is XP Pro SP2, standalone desktop, and is not part of a domain.

    I don't know what the different values in the registry would make, as a choice.
     
    Tarnak, Jul 30, 2010
    #1
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    The only security problem with svchost.exe is, IMO, his attempts to connect continually with internet. I block all svchost.exe connection's attempts with the firewall ( I allow it ONLY for manually Windows updates ) and do a rule for the DNS resolving for applications that I want conncting internet.
     
    blacknight, Jul 30, 2010
    #2
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Thanks blacknight for your reply, however it doesn't really answer my question ... but I do have 5 svchost.exe's presently active as services.

    I wouldn't even attempt to setup FW rules, in case I do something wrong. I depend on a layered approach to keep from getting infected.
     
    Tarnak, Jul 30, 2010
    #3
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Yes I was aware that I didn't answer straightforward. But Now I remembered a program that may be is useful for you: svchost viewer
     
    blacknight, Jul 30, 2010
    #4
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I may be wrong as I don't remember seeing that particular prompt, but I believe that value specifies which application data folder is going to be in use. Both are normal system folders. Allowing it should be fine.
     
    noone_particular, Jul 30, 2010
    #5
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    I forgot about this thread...Thanks for your reply. :) Yes, I usually just allow it.
     
    Tarnak, Aug 3, 2010
    #6
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...