Trace security shut-down?

Discussion in 'ProcessGuard' started by brucemc, Feb 7, 2005.

Thread Status:
Not open for further replies.
  1. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    PG stopped svchost.exe from shutting down both gcasdtserv.exe (the MS anti-malware project, @ 21:28 on 02/06) and spybotsd.exe (OK, needless to say, SpyBot @08:03 on 02/07) over the last 24 hours for me. Does PG have any tools for me to try to trace what program(s) were trying to use svchost to shut these down? If not, is there any way to do so? This has been one of my most constant irritations, whether or not appropriate, with svchost, as so many programs can utilize its functions and I have no idea how then to pin down the offender. Any and ALL help is appreciated!
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi brucemc, SVChosts is an important part of your OS so be very careful about stopping its various instances.
    ProcessGuard stops other programs interfering with svchosts processes whilst they are running and Execution Protection will stop any changed svchost.exe from running. I understand your concern about the .dlls it allows to run but remember that PG will stop .dll injection into running processes and will not allow service / driver install without explicit permission.
    Try Sysinternals Process Explorer; it gives a lot of info about processes.

    Anyway back to your request, here is how to see what the various svchosts are running: From MSKB

    To view the list of services that are running in Svchost:
    1. Click Start on the Windows taskbar, and then click Run.
    2. In the Open box, type CMD, and then press ENTER.
    3. Type Tasklist /SVC, and then press ENTER.
    Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:
    Tasklist /FI "PID eq processID" (with the quotation marks)
    The following example of Tasklist output shows two instances of Svchost.exe that are running.
    Code:
       Image Name PID Services
       ========================================================================
       System Process 0 N/A
       System 8 N/A
       Smss.exe 132 N/A
       Csrss.exe 160 N/A
       Winlogon.exe 180 N/A
       Services.exe 208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                        Eventlog,LanmanServer,LanmanWorkstation,
                        LmHosts,Messenger,PlugPlay,ProtectedStorage,
                        Seclogon,TrkWks,W32Time,Wmi
       Lsass.exe 220 Netlogon,PolicyAgent,SamSs
       Svchost.exe 404 RpcSs
       Spoolsv.exe 452 Spooler
       Cisvc.exe 544 Cisvc
       Svchost.exe 556 EventSystem,Netman,NtmsSvc,RasMan,
                       SENS,TapiSrv
       Regsvc.exe 580 RemoteRegistry
       Mstask.exe 596 Schedule
       Snmp.exe 660 SNMP
       Winmgmt.exe 728 WinMgmt
       Explorer.exe 812 N/A
       Cmd.exe 1300 N/A
       Tasklist.exe 1144 N/A
     
    Last edited: Feb 7, 2005
  3. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    What you present will show what svchost is running, but I am interested in why svchost ran something that tried to shut these two processes down. I may be way off base, but I picture some program calling the svchost program and giving it instructions which are normally fine, but in these cases are rather questionable. If, and I grant that this is a huge "if", that model above is correct then svchost is just the messenger, I need to know who sent it on its way to execute my anti-spyware programs if I am going to know if the request was warranted. Am I off in left field in my model of what part svchost plays?
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    brucemc,
    I'm guessing that you have already done the obvious and looked at the PG logfile to see the process id that was blocked.

    If so and the process id listed is that of an svchost.exe then the best you can do is to check the running services in that svchost process. If it was another application utilising a service running inside a svchost process then I'd say you are out of luck for now.

    It would be a decent enhancement to log the name of the service in addition to the processid in the case of svchost, and in the case of another program making use of svchost then both the svchost process + service name and the invoking process should really be logged (assuming they are not already).

    The PG logfile is currently "kind of" useful in some circumstances for forensic purposes; it isn't complete and you don't always have enough information to map processes to their parents. Hopefully this part of PG will get better with time.

    NB: Just in case it's useful ... listing the services provided by svchost.exe without any of the dross in a full tasklist
    Code:
       tasklist /svc /FI "IMAGENAME eq svchost.exe"
    or
       tasklist /svc /FI "PID eq 1234"
    Edit: brucemc, I see you have already replied while I was away mid-way through a post. It would be interesting to see exactly what PG logged in its logfile for these events
     
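Pilli's `Tasklist /SVC` steps and gottadoit's `/FI` filters above both boil down to one table: which services live in which PID. The script below is an added example, not code from the thread, from Microsoft or from DiamondCS; it parses that table so a PID copied from a ProcessGuard log line can be looked up directly. The sample input is the MSKB listing quoted above, re-typed in the column layout that `tasklist /svc` prints (wrapped Services columns on indented continuation lines); the function names are my own.

```python
"""Parse `tasklist /SVC` output into a PID -> services map, so a PID taken from a
ProcessGuard log line can be mapped to the services hosted in that svchost.exe."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the MSKB listing quoted in this thread, re-typed in the
# column layout tasklist prints (a long Services column wraps onto indented lines).
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Process                   0 N/A
System                           8 N/A
Smss.exe                       132 N/A
Csrss.exe                      160 N/A
Winlogon.exe                   180 N/A
Services.exe                   208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                                   Eventlog,LanmanServer,LanmanWorkstation,
                                   LmHosts,Messenger,PlugPlay,ProtectedStorage,
                                   Seclogon,TrkWks,W32Time,Wmi
Lsass.exe                      220 Netlogon,PolicyAgent,SamSs
Svchost.exe                    404 RpcSs
Spoolsv.exe                    452 Spooler
Cisvc.exe                      544 Cisvc
Svchost.exe                    556 EventSystem,Netman,NtmsSvc,RasMan,
                                   SENS,TapiSrv
Regsvc.exe                     580 RemoteRegistry
Mstask.exe                     596 Schedule
Snmp.exe                       660 SNMP
Winmgmt.exe                    728 WinMgmt
Explorer.exe                   812 N/A
Cmd.exe                       1300 N/A
Tasklist.exe                  1144 N/A
"""


@dataclass
class Row:
    image: str
    pid: int
    services: List[str] = field(default_factory=list)


# A data row: an image name (may contain spaces), a PID, then the Services column.
ROW_RE = re.compile(r"^(?P<image>\S+(?: \S+)*)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split_services(text: str) -> List[str]:
    text = text.strip()
    if text == "N/A":
        return []
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> Dict[int, Row]:
    """Return {pid: Row}; header, separator and blank lines are skipped, and any
    line that is not a data row is a wrapped continuation of the previous row."""
    rows: Dict[int, Row] = {}
    current: Optional[Row] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = ROW_RE.match(line)
        if m:
            current = Row(m["image"], int(m["pid"]), _split_services(m["svcs"]))
            rows[current.pid] = current
        elif current is not None:
            current.services.extend(_split_services(line))
    return rows


def services_for_pid(rows: Dict[int, Row], pid: int) -> List[str]:
    """Same answer as `tasklist /svc /FI "PID eq <pid>"`: services in one process."""
    row = rows.get(pid)
    return list(row.services) if row else []


def hosts_of_image(rows: Dict[int, Row], image: str) -> List[int]:
    """Same answer as `tasklist /svc /FI "IMAGENAME eq <image>"`: PIDs of every instance."""
    return sorted(r.pid for r in rows.values() if r.image.lower() == image.lower())


def find_service_host(rows: Dict[int, Row], service: str) -> Optional[int]:
    """Which PID hosts a given service name (case-insensitive), or None."""
    for r in rows.values():
        if any(s.lower() == service.lower() for s in r.services):
            return r.pid
    return None


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid in hosts_of_image(rows, "svchost.exe"):
        print(f"svchost.exe [{pid}] hosts: {', '.join(services_for_pid(rows, pid))}")
    print("Schedule is hosted by PID", find_service_host(rows, "Schedule"))
```

On a live box, pipe `tasklist /svc` into `parse_tasklist_svc` and look up the PID from the `[TERMINATE]` line; the lookup only tells you which services share that svchost, not which of them (or which caller of them) issued the request, which is exactly the limit gottadoit describes.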
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Given the security you have running I doubt an unknown process could initiate svchost without your knowledge. Having said that, if you are not sure there are several courses of action:
    1. Google the program name to see what function it serves.
    2. Check the file's properties.
    3. Scan the file with all your scanners and also use online scans.
    4. Submit a zipped copy of the file to submit@diamondcs.com.au for analysis.

    HTH Pilli :)
     
  6. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Well, let's see. I found that oddly enough, there are absolutely no logged records during the minute that the first attempt was made, though there are 48 entries during that minute in the view window, but there is probably a reasonable explanation to that.

    As to the second, the attempt to shut down spybot, the PID is apparently that of svchost. I don't know if these things are different on different systems, but showing #1244, and as I really am not all that bright (no, I didn't think of the log file...), there is probably an obvious explanation to this, and since it is short I will post it:

    Mon 07 - 04:00:01 [EXECUTION] "e:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
    [EXECUTION] Commandline - [ "e:\program files\spybot - search & destroy\spybotsd.exe" /autocheck /autofix ]
    Mon 07 - 08:00:00 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
    [EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\schedsvc.dll,closeproc 476 ]
    Mon 07 - 08:03:01 [TERMINATE] c:\windows\system32\svchost.exe [1244] was blocked from terminating e:\program files\spybot - search & destroy\spybotsd.exe [476]


    I'd much rather hear of the stupid & simple mistakes I made than I have a problem, so let'er riip-
     
  7. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    OK, duhhhhh. I see the shutdown request of spybot by rundll32. As to why it wants to shut it down is the next mystery to me. What initiated that command line? Can someone 'splain that to me? And the first request to kill the MS/Giant scanner, with no log entries at all... Poltergeists? Are they really baaaaack?
     
  8. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    It looks like the Task Scheduler engine "schedsvc.dll" made the termination requests through svchost using rundll32.

    Did these termination attempts by svchost happen after a scan, reboot to scan before anything loads to remove things it couldn't before on both products? I know sometimes if these apps can't remove something, they offer to reboot and load before anything else to do the removal then; also they can be autoloaded to scan at each boot.

    Just guessing here. It could be that both these apps use Task Scheduler as a means of loading and unloading during a boot scan/cleaning and therefore use svchost to terminate when done?

    Do you have these apps set to scan automatically at boot time or did they require a reboot to "finish cleaning"? You could check your system log in the Event Viewer to see if you were booting at the time. Look for event numbers 6009 and 6005 and the service control manager entries above it.

    Another possibility - I know on my system wmiadap loads a couple minutes after boot and quits after a couple minutes of doing its "performance monitoring thing". If I suspend my PC while wmiadap is loaded and running, SVCHOST will attempt to terminate the process and FAIL when I resume my system later, since I do not allow svchost termination rights.

    Another guess, did you suspend or hibernate while the scans were taking place? There's no place I know of that logs this, other than you might see a time gap in ProcessGuard's logs. It could be when you resumed or unhibernated, Task Scheduler tried to terminate the processes considering them timed out or something.

    Hope it helps, totally guessing here. :D
     
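The reading rickontheweb gives of brucemc's log (svchost [1244] launches rundll32 with `schedsvc.dll,closeproc 476`, then is blocked from terminating PID 476) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread and not part of ProcessGuard; it parses the three log records brucemc posted (embedded here as the sample input) and, for each blocked `[TERMINATE]`, looks back for `[EXECUTION]` records started by the same PID as the terminator: one whose command line names the target PID, and one that launched the target image in the first place. ProcessGuard's `[EXECUTION]` records do not carry the child's PID, so the target launch is matched by image path; that assumption, and all function names, are mine.

```python
"""Correlate a blocked [TERMINATE] in a ProcessGuard log with the [EXECUTION]
records before it, to answer "who asked svchost to end this process?"."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Embedded input: the log lines posted earlier in this thread (the page's own data),
# copied here so the script runs offline.
SAMPLE_LOG = r"""
Mon 07 - 04:00:01 [EXECUTION] "e:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
[EXECUTION] Commandline - [ "e:\program files\spybot - search & destroy\spybotsd.exe" /autocheck /autofix ]
Mon 07 - 08:00:00 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1244]
[EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\schedsvc.dll,closeproc 476 ]
Mon 07 - 08:03:01 [TERMINATE] c:\windows\system32\svchost.exe [1244] was blocked from terminating e:\program files\spybot - search & destroy\spybotsd.exe [476]
"""


@dataclass
class Execution:
    time: str
    image: str
    parent: Optional[str] = None
    parent_pid: Optional[int] = None
    cmdline: str = ""


@dataclass
class Terminate:
    time: str
    actor: str
    actor_pid: int
    target: str
    target_pid: int


Event = Union[Execution, Terminate]

TS = r"(?P<time>\w{3} \d{2} - \d{2}:\d{2}:\d{2})"
EXEC_RE = re.compile(TS + r' \[EXECUTION\] "(?P<image>[^"]+)" was allowed to run$')
STARTED_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMD_RE = re.compile(r"^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$")
TERM_RE = re.compile(TS + r" \[TERMINATE\] (?P<actor>.+?) \[(?P<apid>\d+)\]"
                     r" was blocked from terminating (?P<target>.+?) \[(?P<tpid>\d+)\]$")


def parse_pg_log(text: str) -> List[Event]:
    """Group each multi-line [EXECUTION] record (header, Started by, Commandline)
    and each single-line [TERMINATE] record into one event, in log order."""
    events: List[Event] = []
    current: Optional[Execution] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := EXEC_RE.match(line)):
            current = Execution(m["time"], m["image"].lower())
            events.append(current)
        elif (m := STARTED_RE.match(line)) and current is not None:
            current.parent, current.parent_pid = m["parent"].lower(), int(m["pid"])
        elif (m := CMD_RE.match(line)) and current is not None:
            current.cmdline = m["cmd"]
        elif (m := TERM_RE.match(line)):
            events.append(Terminate(m["time"], m["actor"].lower(), int(m["apid"]),
                                    m["target"].lower(), int(m["tpid"])))
            current = None
    return events


def explain_termination(events: List[Event], term: Terminate) -> dict:
    """Look back from one blocked termination at executions whose parent PID is the
    terminator's PID: those naming the target PID on their command line (the helper
    that carried the request) and those that launched the target image itself."""
    names_target = re.compile(r"(?<!\d)%d(?!\d)" % term.target_pid)
    same_parent: List[Execution] = []
    for e in events:
        if e is term:
            break
        if isinstance(e, Execution) and e.parent_pid == term.actor_pid:
            same_parent.append(e)
    return {
        "terminate": term,
        "request_helpers": [e for e in same_parent if names_target.search(e.cmdline)],
        "target_launches": [e for e in same_parent if e.image == term.target],
    }


def trace(text: str) -> List[dict]:
    events = parse_pg_log(text)
    return [explain_termination(events, e) for e in events if isinstance(e, Terminate)]


def describe(result: dict) -> str:
    t = result["terminate"]
    out = [f"{t.time}: {t.actor} [{t.actor_pid}] tried to end {t.target} [{t.target_pid}]"]
    for e in result["target_launches"]:
        out.append(f"  same PID started the target at {e.time}: {e.cmdline}")
    for e in result["request_helpers"]:
        out.append(f"  same PID ran a helper naming PID {t.target_pid} at {e.time}: {e.cmdline}")
    if result["target_launches"] and result["request_helpers"]:
        out.append("  verdict: the process that started the job is ending its own job")
    elif not result["request_helpers"]:
        out.append("  verdict: nothing in this log names the target PID; check the services"
                   " hosted in that svchost with tasklist /svc /FI \"PID eq <pid>\"")
    return "\n".join(out)


if __name__ == "__main__":
    for r in trace(SAMPLE_LOG):
        print(describe(r))
```

Run against brucemc's lines it reports that PID 1244 started spybotsd.exe with `/autocheck /autofix` at 04:00:01 and ran `rundll32 ... schedsvc.dll,closeproc 476` at 08:00:00 before the blocked terminate at 08:03:01, i.e. the same scheduled-task path both started and tried to stop the scan. The second verdict branch is what you get for brucemc's first event, where no execution record was logged at all: the PID-to-services lookup is then the only lead left.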
  9. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Interesting. I think both are scheduled for daily automatic updating, and I know that if an update is loaded it is normal to have to at least shut the app down and restart, which would probably be an automated request with the automated function, but I do not think either are set to update at any point near when these items cropped up; normally I shoot for between midnight and 5:00am. That does not mean I didn't screw up though. I will look into this.

    I greatly appreciate everyone's help.
     
  10. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Just to be safe, I would set rundll32.exe to permit once in the Security tab of ProcessGuard and manually allow rundll32 to execute by checking to see what command line it wants to execute each time.

    It may be a nuisance, but if it happens again, at least you could catch svchost trying to run rundll32.exe/schedsvc.dll to close down your anti-spyware apps and get a better clue as to exactly what was taking place at the time.

    Maybe malware found a way to get svchost to launch rundll32 and get Task Scheduler to close down apps? Or maybe it's auto updating and restarting like you thought?

    I think SB S&D maintains a log of some activity, you could see if it was auto-updating at that time. Your other tool may maintain a log as well. See what it was doing right at that moment.
     
    Last edited: Feb 7, 2005
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Good advice, this has been recommended by Jason in another thread for those extra cautious users, I also have rundll32.exe set to permit once and it does get started occasionally by certain apps.

    Jason: Quoted from another thread:

     
  12. George_S

    George_S Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    11
    The same thing just happened on my system when closing FireFox (or Opera, can't remember now):

    Thu 24 - 10:23:17 [TERMINATE] c:\windows\system32\svchost.exe [996] was blocked from terminating c:\program files\microsoft antispyware\gcasdtserv.exe [236]

    gcasdtserv.exe is "Actually, it's one of the necessary processes that allows Microsoft AntiSpyware Real Time Protection to function properly."

    http://www.microsoft.com/athome/security/spyware/software/newsgroups/reader/default.mspx?dg=microsoft.private.security.spyware.general&tid=56b4ed97-837b-4d42-9855-f2651a02b51a&cat=en_US_419F30E4-BBC2-47AC-97EE-D5649468C647&lang=en&cr=US&sloc=en-US&m=1&p=1

    Very strange.
     
  13. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    I started to get the same problem right after updating to the newest release of MS AntiSpyware. Svchost tried to terminate gcasdtserv.exe on startup.
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Strange? Perhaps :) Definitely normal and you should ALLOW this terminate privilege. The Task Scheduler started the scan, now it wants to stop it.
     