What are these ports/processes?

Discussion in 'Port Explorer' started by Justin Smith, Feb 23, 2003.

Thread Status:
Not open for further replies.
  1. Justin Smith, Registered Member

    OK, now that I'm getting acquainted with all of my cool new Diamond software, I have some questions. I figure the PE forum might be a good place to ask about what PE shows.

    Here are listening processes I'd like to know more about:

    Generic Host Process... PID: 816; TCP; Local: 0.0.0.0 on 135; Remote: 0.0.0.0 on 0
    Generic Host Process... PID: 956; TCP; Local: 0.0.0.0 on 1025; Remote: 0.0.0.0 on 0
    Generic Host Process... PID: 1092; UDP; Local: 0.0.0.0 on 1027; Remote: *.*.*.* on *

    * SYSTEM PID: 4; TCP; Local: 0.0.0.0 on 445; Remote: 0.0.0.0 on 0
    * SYSTEM PID: 4; TCP; Local: 0.0.0.0 on 445; Remote: *.*.*.* on *

    I think I understand LSA Shell and the other stuff that shows up.

    I'm most puzzled about this Svchost generic host process mishmash listening on local ports TCP 1025 and UDP 1027. Is this normal and what is it?

    I've already managed to shut down some other NetBIOS stuff that was listening on two other ports. I could've sworn that I'd already turned NetBIOS off, so, I found looking at the ports to be pretty useful!
     
  2. LowWaterMark, Administrator

    Ah, the wonders of Windows XP... The short answer to your question is that this is normal and not really anything to be worried about. The longer answer involves a bit of reading about just what "Generic Host Process for Win32 Services" (svchost.exe) is and how it works.

    One resource is the Black Viper site. There are a few different pages there that cover the various services that run on these systems, their functions, and whether or not you can close them down. On the following page, look for all references running under the program svchost.exe:

    http://www.blkviper.com/WinXP/servicecfg.htm

    Most likely, you've got, say, DNS and DHCP enabled, running under one of the svchost.exe processes. Of course, port 135 is the epmap process. Here are a couple of Wilders threads with information on some of this, including a link to a web site that describes how to minimize the running services on the Windows NT family of Windows operating systems:

    https://www.wilderssecurity.com/showthread.php?t=6078

    https://www.wilderssecurity.com/showthread.php?t=4194

    On my system, I have shut down many unneeded services, and when I do a clean reboot of my system, I have only three ports open and listening (two under svchost and one under System)...

    Pid  Process     Port  Proto  Path
    608  svchost ->  135   TCP    C:\WINNT\system32\svchost.exe
    648  svchost ->  1025  TCP    C:\WINNT\System32\svchost.exe
    4    System  ->  1026  TCP

    This can be a lot of fun to research, and closing down unneeded services is the best thing you can do to help secure your system.

    Best Wishes,
    LowWaterMark
     
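    The correlation LowWaterMark does by hand above (which svchost.exe instance owns which listening port, and which services are loaded inside that instance) can be pulled straight from Windows. The following is an added example, not code from the thread or from Port Explorer. It assumes a current Windows build with the NetTCPIP and CimCmdlets modules (Get-NetTCPConnection, Get-NetUDPEndpoint, Win32_Service), which did not exist on the XP systems discussed in the thread, and the function name Get-ListeningEndpointOwner is my own.

```powershell
# Added example, not from the thread: correlate listening TCP/UDP endpoints with the
# process that owns them and, for shared hosts such as svchost.exe, with the services
# running inside that process (Win32_Service.ProcessId).
# Assumes Windows 8 / Server 2012 or later (NetTCPIP + CimCmdlets modules).
function Get-ListeningEndpointOwner {
    [CmdletBinding()]
    param(
        # Optional: restrict the report to specific local ports, e.g. -Port 135,445,1025
        [int[]]$Port
    )

    # TCP sockets in LISTEN state, plus every bound UDP socket. UDP has no listen state,
    # which is why tools like Port Explorer show a *.*.*.* remote address for them.
    $tcp = @(Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwnerPid = $_.OwningProcess }
    })
    $udp = @(Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwnerPid = $_.OwningProcess }
    })

    # Snapshot processes and running services once. Group-Object -AsHashTable -AsString
    # gives a table keyed by PID (as a string) -> the services hosted in that process.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $svcByPid = Get-CimInstance Win32_Service -Filter "State = 'Running'" |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($e in ($tcp + $udp | Sort-Object Proto, LocalPort)) {
        if ($Port -and ($Port -notcontains [int]$e.LocalPort)) { continue }

        $p   = $procs[[int]$e.OwnerPid]
        $key = [string]$e.OwnerPid

        # Several service names on one svchost PID is normal; a plain executable shows none.
        $svcs = ''
        if ($svcByPid -and $svcByPid.ContainsKey($key)) {
            $svcs = (@($svcByPid[$key]) | ForEach-Object { $_.Name }) -join ','
        }
        $name = '?'
        $path = ''
        if ($p) {
            $name = $p.ProcessName
            if ($p.Path) { $path = $p.Path }   # empty for PID 4 (System) and protected processes
        }

        [pscustomobject]@{
            Proto        = $e.Proto
            LocalAddress = $e.LocalAddress
            LocalPort    = $e.LocalPort
            Pid          = $e.OwnerPid
            Process      = $name
            Path         = $path
            Services     = $svcs
        }
    }
}

# Everything listening, then only the ports asked about in the thread.
Get-ListeningEndpointOwner | Format-Table -AutoSize
Get-ListeningEndpointOwner -Port 135, 445, 1025, 1027 | Format-Table -AutoSize
```

    Run it from an elevated prompt so that Get-Process can read the executable path of processes running as SYSTEM. On XP-era systems the same correlation is done in two steps: `netstat -ano` lists each listening socket with its owning PID, and `tasklist /svc` lists the services hosted in each PID, so a PID that appears in both is a service host whose hosted services can then be looked up on the Black Viper page linked above.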
  3. Jason_DiamondCS, Former DCS Moderator

    Hi Justin,

    This URL will answer your NetBIOS questions:
    http://ntsecurity.nu/papers/port445/

    This URL talks about port 135:
    http://www.seifried.org/security/ports/0/135.html


    -Jason-
     
  4. Justin Smith, Registered Member

    Thanks for the references, guys! That'll keep me busy for a while.

    Yep, I've been shutting services down for a few weeks now; I've gotten further than ever before, down to just 16 processes on my base system (from something like 38)...plus 7 or so related to security.

    I did find Blackviper's site earlier, it is very helpful. I didn't find too much about svchost.exe lying around on the web, so I purchased the Microsoft Press Securing Windows XP book a few nights ago. It has reasonably informative descriptions of the services, but I'm still evaluating whether I should really keep the book. Everything I've seen about "COM+" from MS so far, including what they have in this book about it, is similarly pretty sketchy.

    AFAIK I need the DNS and DHCP, but maybe I should try shutting 'em off and see what happens. I know in one situation I definitely need the DHCP, in another situation perhaps not.

    I sure would like to get my system down to just 3 ports!
     