svchost.exe Network usage Reduction

Noticed in services that Windows Time was running which is something i always disable. Not sure why it was ? so i shut it down & set it to disabled.



I did the exact same to DHCP.



After doing the above things i saw svchost.exe had disappeared from the Network & has remained so



This is on an XP/SP2 comp, so your milage may vary.

 

Using WinXP/SP3 - I never notice any usage with svchost:



I like to keep my clock uptodate , so I set a firewall rule permitting svchost:

 

svchost is the service that contact DNS server when you are browsing.

 

Well, that could certainly make a "Network usage reduction", as on many default setups it would cut off Internet.


I noticed in your thread concerning "No firewall, No attacks" that you already had DHCP disabled, but also in that thread, a sniffer log was showing DHCP info from your ISP.


- Stem

 

svchost.exe does not have to be treated like a demonic presence on the pc. It is, after all, a legitimate and very necessary process in the O/S. It can easily be restricted to specific protocols, ports, and even ip addresses in the firewall rules. Windows firewall with advanced security takes it a step further by allowing it to be tied to the specific service, such as wuauserv.exe for Windows updates.

 

@ bollity

Hi, svchost does a "bit" more than that actually, and several instances of it can be running at the same time, doing different things, from what i've observered.

@ Rmus

I think you were looking at Process usage, though i was looking at Network usage/connections with PH. "Might" have been my use of the word Usage ?

So i wonder why i'm still online ?

The CMD screenie in Post # 19. You're right about it showing DHCP disabled & i just checked the same way & it says it is.

But today in Services DHCP was showing as Running/AutoStart. I'm not sure if during the "No firewall, No attacks" tests it was Running in Services ? I have a feeling it must have been though.

"Maybe" it "could" be one set of parameters/instructions/code etc ? wasn't talking to some "other/s" ? Is that a possible cause of CMD showing no DHCP whilst the service itself was active etc ?

I've just launched WireShark & interestingly, it shows NO PPP ! The only Protocols showing so far are,

DNS/TCP/TLSV1/SSL

Does that seem right to you, or ?

TIA

 

If you disable the service while you already have an IP, then there is no need for the service, unless your ISP is sending possible updates/renewals to the network config.

It does depend on your setup.
As a simple example:- An home network, where users are connected to an home router (default setup). The IPs are put out from the router via DHCP. If you disable DHCP, it can still leave the PC with its current IP, but on re-boot, there can then be problems/loss of internet.

For your own setup, I am not sure as to how that is configured, as I have not been directly involved with 3g/PPP connections, or seen full cold boot sniffer logs.
With DHCP disabled, can you still connect to the Internet after a re-boot?


- Stem

 

OK

OK

Ooh !

OK

Can do if you could spare the time to peruse them etc ? If so, how would i enable a "cold boot sniffer log" with WS. I'm thinking you mean set WS to autostart with windows on boot to grab everything first off ? But i would be offline. Or do you just mean, reboot, launch WS & then go online & log ?

I'll try it now & post back soon

 

Sorry, I should of been more specific.

I am referring to a cold network boot. Normally it would be referred to as DHCP:Boot, but as there is not current certainty in how you are receiving your IP, then terminology can be incorrect.

I think I am tripping over myself with my thinking of how you are connecting. I should be thinking more of dial up connections rather than direct/cable connections. (Its been a long time since I used dialup)

EDIT:
Start WS, then try connecting to Internet with the DHCP service disabled.



- Stem

 

@ Stem

I'm back with No DHCP service running ? No PPP again ! & the same Protocols in WS as i described in my last post.



Shows PPP on there though ?

I saved my last sessions PCAP from WS, if you need it.

No worries. Terminology, don't ya just love it



So something/s about my system is fine getting online with No DHCP. And it's curious that PPP "appears" to now Not be required, even though it's showing on Connections applet ?

 

Yes.

Then, what is Network Usage?

Looking at my Firewall's "Open Connections" I see that svchost.exe used 48 bytes in its connection to Port 123 for time check.



Is that the usage you refer to? It doesn't seem like much of a strain on the system...


-rich

 

@ Rmus

RE - Network Usage

Yeah my use of the word Usage it seems, sorry I was looking to restrict services from Using the Network ie, having access to the internet.

 

Thanks, but now not needed. I have set up a PPP connection and seeing the DHCP_inform (Bootp/bootstrap) inbound that configs the connection.

I will need to change my setup to check correctly, as I also need(at the moment) DHCP enabled on that setup for the PPP tunnel to work.

I just want to see now how the DHCP_inform is handled internally with the DHCP client disabled.(just curious, as usual)


- Stem

 

Originally Posted by Stem

Ok

Thanks for doing that

Yeah, me too Be interesting to see what you discover

 

OK, I see what you are doing.

Just curious: why disable services, when the firewall monitors everything and restricts anything from accessing the internet
that you haven't specifically authorized with a rule?

For example, without rules, the firewall alerts for these services, SSDP and time check:



A Yay or Nay controls access w/o fiddling with the Service. So, what is the advantage of doing the latter?

thanks,

-rich

 

First attempts are a fail
The TDI monitor system driver (I have) appears to be giving conflict/problems to the PPP/miniport interface/connection creation. So I need to find another way to monitor.



- Stem

 

AFAIK my FW doesn't have a rules option.

I have set GHP up to alert on attempting out



But once it connects that's it, no more alerts And as long as i'm online it stays connected ! Your FW is better than mine

Apart from that, i've always thought it best to disable Any/All services i don't actually Need. Both for trimming purposes & extra security, placebo or otherwise

 

Oh dear ! What OS are you on anyway, is it the XP/Pro you were on the other day or ?

Ok

 

One of the key rules in ZoneAlarm is to permit trusted server rights for svchost. Just trusted server. NOT internet. If I recall correctly, it's just for loopback and zero octet, and also for 135.

ZA paid version do have rules option. They're called expert rules and rather rough to set up but it can be done.

 

If this is OT, please, remove.

@Rmus, how come you get away with UDP-out only when to update the time I have to have both directions? and I end up with both localhost:123 and myIP:123 listening.

 

I don't have DHCP disabled, but due to other restrictions I got in place, communication to DHCP is blocked, and I'm always able to get an IP.

I'm also using a 3G USB connection device.

 

I only have 1 rule for Windows Time, for UDP out (local port: 123, remote port: 123).

There's no need to allow inbound traffic.

I'm using Windows firewall, by the way.

 

I don't know -- I just do what the firewall requests and set a rule accordingly.

Same here -- see the screenshot in my post #11.

Again, I don't know how all of this works behind the scene. I just let the firewall do its thing!

-rich

 

Understood!

-rich

 

Thanks a bunch. I trusted Kerio, otherwise the clock would be all wrong. Forever.