svchost.exe Network usage Reduction

Discussion in 'other firewalls' started by CloneRanger, May 17, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Noticed in Services that Windows Time was running :( which is something I always disable. Not sure why it was? So I shut it down & set it to Disabled.

    [screenshot: wt.gif]

    I did the exact same to DHCP.

    [screenshot: dh.gif]

    After doing the above things I saw svchost.exe had disappeared from the Network & has remained so :thumb:

    [screenshot: w-out.gif]

    This is on an XP/SP2 comp, so your mileage may vary.
     
  2. Rmus

    Rmus Exploit Analyst

    Using WinXP/SP3 - I never notice any usage with svchost:

    [screenshot: kerio_svchostCPU.gif]

    I like to keep my clock up to date, so I set a firewall rule permitting svchost:

    [screenshot: kerio_svchost123.gif]
     
  3. bollity

    bollity Registered Member

    svchost is the service that contacts the DNS server when you are browsing.
     
  4. Stem

    Stem Firewall Expert

    Well, that could certainly make a "Network usage reduction", as on many default setups it would cut off Internet.


    I noticed in your thread concerning "No firewall, No attacks" that you already had DHCP disabled, but also in that thread, a sniffer log was showing DHCP info from your ISP.


    - Stem
     
  5. wat0114

    wat0114 Guest

    svchost.exe does not have to be treated like a demonic presence on the pc. It is, after all, a legitimate and very necessary process in the O/S. It can easily be restricted to specific protocols, ports, and even ip addresses in the firewall rules. Windows firewall with advanced security takes it a step further by allowing it to be tied to the specific service, such as wuauserv.exe for Windows updates.
     
  6. CloneRanger

    CloneRanger Registered Member

    @ bollity

    Hi, svchost does a "bit" more than that actually, and several instances of it can be running at the same time, doing different things, from what I've observed.

    @ Rmus

    I think you were looking at Process usage, though I was looking at Network usage/connections with PH. "Might" have been my use of the word Usage?

    :D So I wonder why I'm still online?

    The CMD screenie in Post # 19. You're right about it showing DHCP disabled & I just checked the same way & it says it is.

    But today in Services DHCP was showing as Running/AutoStart. I'm not sure if during the "No firewall, No attacks" tests it was Running in Services? I have a feeling it must have been though.

    "Maybe" it "could" be one set of parameters/instructions/code etc ? wasn't talking to some "other/s" ? Is that a possible cause of CMD showing no DHCP whilst the service itself was active etc ?

    I've just launched WireShark & interestingly, it shows NO PPP! The only Protocols showing so far are,

    DNS/TCP/TLSV1/SSL

    Does that seem right to you, or ?

    TIA
     
  7. Stem

    Stem Firewall Expert

    If you disable the service while you already have an IP, then there is no need for the service, unless your ISP is sending possible updates/renewals to the network config.

    It does depend on your setup.
    As a simple example:- A home network, where users are connected to a home router (default setup). The IPs are put out from the router via DHCP. If you disable DHCP, it can still leave the PC with its current IP, but on re-boot, there can then be problems/loss of internet.

    For your own setup, I am not sure as to how that is configured, as I have not been directly involved with 3g/PPP connections, or seen full cold boot sniffer logs.
    With DHCP disabled, can you still connect to the Internet after a re-boot?


    - Stem
     
  8. CloneRanger

    CloneRanger Registered Member

    OK

    OK

    Ooh !

    OK

    Can do if you could spare the time to peruse them etc? :) If so, how would I enable a "cold boot sniffer log" with WS. I'm thinking you mean set WS to autostart with windows on boot to grab everything first off? But I would be offline. Or do you just mean, reboot, launch WS & then go online & log?

    I'll try it now & post back soon :thumb:
     
  9. Stem

    Stem Firewall Expert

    Sorry, I should have been more specific.

    I am referring to a cold network boot. Normally it would be referred to as DHCP:Boot, but as there is no current certainty in how you are receiving your IP, then terminology can be incorrect.

    I think I am tripping over myself with my thinking of how you are connecting. I should be thinking more of dial up connections rather than direct/cable connections. (It's been a long time since I used dialup)

    EDIT:
    Start WS, then try connecting to Internet with the DHCP service disabled.



    - Stem
     
  10. CloneRanger

    CloneRanger Registered Member

    @ Stem

    I'm back with No DHCP service running? No PPP again! & the same Protocols in WS as I described in my last post.

    [screenshot: ipc.gif]

    Shows PPP on there though?

    I saved my last sessions PCAP from WS, if you need it.

    No worries. Terminology, don't ya just love it ;)

    [screenshots: prop.gif, ppp.gif]

    So something/s about my system is fine getting online with No DHCP. And it's curious that PPP "appears" to now Not be required, even though it's showing on the Connections applet?
     
    Last edited: May 17, 2011
  11. Rmus

    Rmus Exploit Analyst

    Yes.

    Then, what is Network Usage?

    Looking at my Firewall's "Open Connections" I see that svchost.exe used 48 bytes in its connection to Port 123 for time check.

    [screenshot: kerio_usage.gif]

    Is that the usage you refer to? It doesn't seem like much of a strain on the system...


    -rich
     
  12. CloneRanger

    CloneRanger Registered Member

    @ Rmus

    RE - Network Usage

    Yeah, my use of the word Usage, it seems, sorry :( I was looking to restrict services from using the network, i.e., having access to the internet.
     
  13. Stem

    Stem Firewall Expert

    Thanks, but now not needed. I have set up a PPP connection and seeing the DHCP_inform (Bootp/bootstrap) inbound that configs the connection.

    I will need to change my setup to check correctly, as I also need (at the moment) DHCP enabled on that setup for the PPP tunnel to work.

    I just want to see now how the DHCP_inform is handled internally with the DHCP client disabled (just curious, as usual).


    - Stem
     
  14. CloneRanger

    CloneRanger Registered Member

    Originally Posted by Stem

    Ok

    Thanks for doing that :thumb:

    Yeah, me too ;) Be interesting to see what you discover :)
     
  15. Rmus

    Rmus Exploit Analyst

    OK, I see what you are doing.

    Just curious: why disable services, when the firewall monitors everything and restricts anything from accessing the internet that you haven't specifically authorized with a rule?

    For example, without rules, the firewall alerts for these services, SSDP and time check:

    [screenshots: kerio_alert1900.gif, kerio_alert123.gif]

    A Yay or Nay controls access w/o fiddling with the Service. So, what is the advantage of doing the latter?

    thanks,

    -rich
     
  16. Stem

    Stem Firewall Expert

    First attempts are a fail :D
    The TDI monitor system driver (I have) appears to be giving conflict/problems to the PPP/miniport interface/connection creation. So I need to find another way to monitor.



    - Stem
     
  17. CloneRanger

    CloneRanger Registered Member

    AFAIK my FW doesn't have a rules option.

    I have set GHP up to alert on attempting out

    [screenshot: gh.gif]

    But once it connects that's it, no more alerts :( And as long as I'm online it stays connected! Your FW is better than mine :p

    Apart from that, I've always thought it best to disable Any/All services I don't actually Need. Both for trimming purposes & extra security, placebo or otherwise ;)
     
  18. CloneRanger

    CloneRanger Registered Member

    Oh dear! What OS are you on anyway, is it the XP/Pro you were on the other day or?

    Ok :thumb:
     
  19. act8192

    act8192 Registered Member

    One of the key rules in ZoneAlarm is to permit trusted server rights for svchost. Just trusted server. NOT internet. If I recall correctly, it's just for loopback and zero octet, and also for 135.

    The ZA paid version does have a rules option. They're called expert rules and rather rough to set up, but it can be done.
     
    Last edited: May 17, 2011
  20. act8192

    act8192 Registered Member

    If this is OT, please, remove.

    @Rmus, how come you get away with UDP-out only, when to update the time I have to have both directions? And I end up with both localhost:123 and myIP:123 listening.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    I don't have DHCP disabled, but due to other restrictions I got in place, communication to DHCP is blocked, and I'm always able to get an IP.

    I'm also using a 3G USB connection device.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    I only have 1 rule for Windows Time, for UDP out (local port: 123, remote port: 123).

    There's no need to allow inbound traffic.

    I'm using Windows firewall, by the way.
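An added example, not code from any post in this thread, to make concrete what posts #11 and #22 describe: the "48 bytes" svchost.exe spends on port 123 is exactly one SNTP packet, and a single "UDP out, local 123, remote 123" rule suffices because a stateful host firewall (Windows Firewall is one) lets the reply in by matching the flow the request opened, not by an inbound rule. The client/server addresses, the reply's timestamp and the toy filter are constructed for illustration; nothing here talks to the network.

```python
"""
Added example (not from the thread): the 48-byte Windows Time exchange on
UDP 123, and why one outbound rule is enough on a stateful firewall.
All addresses and the server's timestamp are constructed for illustration.
"""
import struct
from collections import namedtuple
from datetime import datetime, timezone

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_sntp_request() -> bytes:
    """Minimal SNTP client request (RFC 4330): LI=0, VN=3, Mode=3, rest zero.
    Exactly 48 bytes, the per-connection figure seen in post #11."""
    first_byte = (0 << 6) | (3 << 3) | 3  # 0x1B
    return bytes([first_byte]) + b"\x00" * 47


def parse_sntp_response(packet: bytes) -> dict:
    """Pull mode, stratum and the transmit timestamp out of a 48-byte server reply."""
    if len(packet) < 48:
        raise ValueError("SNTP packet must be at least 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError(f"expected server mode 4, got {mode}")
    stratum = packet[1]
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])  # Transmit Timestamp field
    tx_unix = tx_sec - NTP_UNIX_OFFSET + tx_frac / 2**32
    return {
        "mode": mode,
        "stratum": stratum,
        "transmit_unix": tx_unix,
        "transmit_utc": datetime.fromtimestamp(tx_unix, tz=timezone.utc).isoformat(),
    }


def make_sample_response(when: datetime, stratum: int = 2) -> bytes:
    """Constructed server reply (LI=0, VN=3, Mode=4) carrying `when` as the transmit timestamp."""
    header = bytes([(3 << 3) | 4, stratum]) + b"\x00" * 38  # bytes 0..39 of the packet
    tx_sec = int(when.timestamp()) + NTP_UNIX_OFFSET
    return header + struct.pack("!II", tx_sec, 0)


# Constructed reply: a stratum-2 server answering on the day of this thread.
SAMPLE_RESPONSE = make_sample_response(datetime(2011, 5, 17, 12, 0, tzinfo=timezone.utc))

# --- why "UDP out, local 123, remote 123" is the only rule needed -------------

Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

# The single rule from post #22, written as a structure the filter below can match.
OUTBOUND_RULES = [{"proto": "udp", "local_port": NTP_PORT, "remote_port": NTP_PORT}]


def filter_packets(packets, rules=OUTBOUND_RULES):
    """Toy stateful filter: outbound packets need a matching rule; inbound packets
    are accepted only if they answer a flow this host opened. No inbound rule exists."""
    state = set()
    decisions = []
    for p in packets:
        if p.direction == "out":
            allowed = any(r["proto"] == p.proto and r["local_port"] == p.src_port
                          and r["remote_port"] == p.dst_port for r in rules)
            if allowed:
                state.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            decisions.append("ALLOW (rule)" if allowed else "DROP")
        else:
            reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            decisions.append("ALLOW (state)" if reverse in state else "DROP")
    return decisions


def simulate_time_sync():
    """Request out, the matching reply in, then an unsolicited packet to port 123."""
    me, server, stranger = "10.0.0.5", "192.0.2.10", "198.51.100.7"  # constructed addresses
    packets = [
        Packet("out", "udp", me, NTP_PORT, server, NTP_PORT),   # svchost (W32Time) request
        Packet("in", "udp", server, NTP_PORT, me, NTP_PORT),    # the server's 48-byte answer
        Packet("in", "udp", stranger, NTP_PORT, me, NTP_PORT),  # nobody on this host asked
    ]
    return filter_packets(packets)


if __name__ == "__main__":
    req = build_sntp_request()
    print(len(req), "byte request, first byte 0x%02x" % req[0])
    print(parse_sntp_response(SAMPLE_RESPONSE))
    print(simulate_time_sync())
```

The third packet is the case act8192's question turns on: something arriving at myIP:123 that the host never solicited is dropped even though the service is listening, because only flows the host opened are in the state table. The local port is 123 in the rule because W32Time binds UDP 123 on the client side as well.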
     
  23. Rmus

    Rmus Exploit Analyst

    I don't know -- I just do what the firewall requests and set a rule accordingly.

    Same here -- see the screenshot in my post #11.

    Again, I don't know how all of this works behind the scene. I just let the firewall do its thing!

    -rich
     
  24. Rmus

    Rmus Exploit Analyst

    Understood!

    -rich
     
  25. act8192

    act8192 Registered Member

    Thanks a bunch. I trusted Kerio, otherwise the clock would be all wrong. Forever.
     