XP components and Internet Access

Does anyone know of a website or can provide a full list of known XP processes that may ask for internet access yet you can block them safely via a Firewall i.e. explorer.exe.

dja2k

 

I'd be interested to know...

...I think it will be hard to find out, other than to block them all, one by one as they attempt to connect. There seem to be umbrella processes that connect for other xp processes. And there are some seemingly unrelated processes that won't work if another process is blocked, i.e. "Windows Time", "Scheduler", "Automatic Updates", "Prefectch" (not a service, but depends on services).

Maybe an easier question would be what processes are the most dangerous to allow internet access.

I am hoping you get some good feedback. Everything seems hopelessly interrelated to me!

 

Something like this, perhaps?.....My ISP....just blocked!

 

I guess...it depends on your firewall and how you connect. But your right, if svchost.exe has six or eight instances running, and one or more are accessing the internet then how secure does that make you feel?

-HandsOff

 

Here are some sites with a list of Windows XP processes/services and their corresponding descriptions,

http://beemerworld.com/tips/servicesxp.htm
http://www.neuber.com/taskmanager/process/
http://www.blackviper.com/WinXP/service411.htm
http://www.blackviper.com/WinXP/strangeservice.htm

You can disable suspicious Windows processes/services using xp-AntiSpy.

thanatos

 

Thanks thanatos_theos for the links, but thats not exactly what I was looking for and as far as hardening windows xp goes, I think I have that covered pretty good. Also look into Security and Privacy Complete which has more to offer than XP-AntiSpy.

I was asking about other essential windows processes that need to run but can safely block internet access to them. Like yesterday I saw logonui.exe access the net which I have no idea why, so I started to think, why not block that in my firewall and permanently block it. I have two down that I have added and blocked to my firewall. I have blocked both TCP\UDP, IN\OUT for ports 0-65535 for Explorer.exe and Logonui.exe.

I was just wondering this because lets say I leave my computer and my parents or friends use it and just start allowing the pop ups that the firewall provides (randomly of course not the ones I have allowed already or know of). If I block them, they will be permanently blocked already.

dja2k

 

Thanks for Security and Privacy Complete dja2k. I'll check it out.

So far (iirc), svchost.exe, alg.exe (ftp?), mmc.exe (driver updates) and explorer.exe asked me for Internet access. I blocked explorer.exe but allowed the others. Also, it seems that most Windows processes will only ask net access if you ran/executed them; for instance driver updates. However, most firewalls today like Comodo allows by default some Windows processes net access.

That's the reason why I posted those links. Those links will help you identify certain Windows processes whose function/job doesn't require net access (unless they are malware diguising themselves as valid Windows processes). Regarding logonui.exe, maybe some Windows processes randomly access the net (by default to update itself, but that's the job of svchost.exe ), another program executed it/injected itself into it (I doubt it, because OA should have notified you) or a Windows bug/vulnerability.

Again, I believe Windows processes are not that intrusive unless provoked (except for svchost.exe, which I assume you have taken care of already). Your relatives/friends will only experience firewall/HIPS pop-ups if they accidentally executed/installed mal... err something new.

thanatos

 

I just tweaked my Windows XP Professional SP3 (3300) system. Haven't checked network access yet but here are running process informations.

tasklist /scv results, only windows components

Code:

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     384 N/A
csrss.exe                    668 N/A
winlogon.exe                 760 N/A
services.exe                 804 Eventlog, PlugPlay
lsass.exe                    816 N/A
svchost.exe                 1012 DcomLaunch
svchost.exe                 1112 RpcSs
svchost.exe                 1388 AudioSrv, CryptSvc, Netman, winmgmt, WZCSVC
svchost.exe                 1424 BthServ
explorer.exe                1744 N/A
rundll32.exe                1900 N/A
rundll32.exe                1916 N/A
wmiprvse.exe                 328 N/A

I use Harden-It, Secure-It, Seconfig XP and Security & Privacy Complete. Plus some manual tweaking...

Everything working fine with these tweaks. Only problem is that WLAN status is always Acquiring network access even everything is connected and working.

 

Hello.

There is no need to block Windows processes/services with a firewall, I don't consider that to be a good practice. Any unneeded comm by Windows processes can/should be blocked by disabling a process making a comm itself.
The only comm that I know of which cannot be stopped by disabling its service/process, is explorer.exe 'calling mother ship' when you perform a 'search'. This should be blocked by a firewall, though it's not a big concern IMO. I allow this (manually, I don't have a rule)

Cheers,

 

Thanks thanatos_theos and the rest of you for your posts. I will then wait for more executable activity of Windows processes before I block anymore at the moment.

dja2k

 

If I´m correct, only lssas.exe and svchost.exe need network access, but I would block explorer.exe for sure, as this might be used in attacks.