svchost.exe.. Problem or not??

Hi all,

I've been checking my firewall frequently and every few seconds svchost.exe tries to accept something from the internet. I think this is a program for a service pack from Microsoft but I'm not sure. Does anyone know for sure?

And if it is okay, would anyone know if I need these sevice packs that automatically update? If not, I'm going to rid myself of them...

Thanks in advance...

 

svchost.exe is the host application for Windows services. It normally runs multiple instances (4-5) at the same time. Because it is the service host application it can be any number of currently running services that have made the network request or is trying to accept the incoming connection.

To check which services are currently running you can go to Control Panel, then Administrative Tools, then Computer Management and check "Services" under "Services and Applications."

You can also check which services are running under which svchost.exe process by going to the command line (Run -> cmd.exe) and type "tasklist /svc" (without quotes) and press enter.

The "Automatic Updates" service is one of the services that may run (it will by default) and will try to check for Windows updates regularly.

You can stop services, but unless you know what you are doing, it is not recommended.

If you stop the Automatic Updates Service you can still get the latest Windows Updates from http://www.windowsupdate.com/. Whatever you do I would strongly recommend that you always install the latest Critical Windows Updates and keep up to date.

In addition to this there are viruses/worms that fakes being svchost.exe, but if you have a decent and up to date virus scanner it should catch it.

Hope that helped.

 

For guidance on XP's Services: http://www.blkviper.com/WinXP/servicecfg.htm

Regards - Charles

 

I ve always blocked incoming connections to svchost and never had problems.

 

[30+]Darknight,

If you are running Windows XP then svchost is a problem - it does some things that are critical (DHCP and DNS), some that are optional (time synchronisation, Windows Help) and some that are dangerous (RPC/DCOM services that can be exploited by worms like MSBlast and Universal Plug and Play which has had a few security problems of its own). So what you should allow will depend on your system and network setup.

Disabling unneeded services can certainly help (disabling the DNS Client service will stop svchost from being used for DNS lookups which are needed to access any domain name). However it is best from a security standpoint to block all svchost access except for those features that you definitely need.

If you use Outpost firewall, then the Outpost forum's Secure Configuration Guide does include extensive recommendations for svchost (in section E2). If you use another rule-based firewall then you should still find it useful in creating appropriate rules. However if you have an application-based firewall which does not offer specific control over protocols and ports (e.g. ZA Free) then the best bet is to block incoming traffic (as Hyperion has mentioned) and allow all outgoing.