XP components and Internet Access

Discussion in 'other software & services' started by dja2k, Feb 10, 2008.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Does anyone know of a website or can provide a full list of known XP processes that may ask for internet access yet you can block them safely via a Firewall i.e. explorer.exe?

    dja2k
     
  2. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I'd be interested to know...

    ...I think it will be hard to find out, other than to block them all, one by one as they attempt to connect. There seem to be umbrella processes that connect for other xp processes. And there are some seemingly unrelated processes that won't work if another process is blocked, i.e. "Windows Time", "Scheduler", "Automatic Updates", "Prefetch" (not a service, but depends on services).

    Maybe an easier question would be what processes are the most dangerous to allow internet access.

    I am hoping you get some good feedback. Everything seems hopelessly interrelated to me!
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,890
    Something like this, perhaps?.....My ISP....just blocked! ;)
     

    Attached Files:

  4. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I guess...it depends on your firewall and how you connect. But you're right, if svchost.exe has six or eight instances running, and one or more are accessing the internet then how secure does that make you feel?

    -HandsOff
     
  5. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Last edited: Feb 10, 2008
  6. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks thanatos_theos for the links, but that's not exactly what I was looking for and as far as hardening windows xp goes, I think I have that covered pretty good. Also look into Security and Privacy Complete which has more to offer than XP-AntiSpy.

    I was asking about other essential windows processes that need to run but can safely block internet access to them. Like yesterday I saw logonui.exe access the net which I have no idea why, so I started to think, why not block that in my firewall and permanently block it. I have two down that I have added and blocked to my firewall. I have blocked both TCP\UDP, IN\OUT for ports 0-65535 for Explorer.exe and Logonui.exe.

    I was just wondering this because let's say I leave my computer and my parents or friends use it and just start allowing the pop ups that the firewall provides (randomly of course not the ones I have allowed already or know of). If I block them, they will be permanently blocked already.

    dja2k
     
    Last edited: Feb 11, 2008
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Thanks for Security and Privacy Complete dja2k. I'll check it out.

    So far (iirc), svchost.exe, alg.exe (ftp?), mmc.exe (driver updates) and explorer.exe asked me for Internet access. I blocked explorer.exe but allowed the others. Also, it seems that most Windows processes will only ask for net access if you ran/executed them; for instance driver updates. However, most firewalls today like Comodo allow by default some Windows processes net access.

    That's the reason why I posted those links. Those links will help you identify certain Windows processes whose function/job doesn't require net access (unless they are malware disguising themselves as valid Windows processes). Regarding logonui.exe, maybe some Windows processes randomly access the net (by default to update itself, but that's the job of svchost.exe o_O), another program executed it/injected itself into it (I doubt it, because OA should have notified you) or a Windows bug/vulnerability.

    Again, I believe Windows processes are not that intrusive unless provoked (except for svchost.exe, which I assume you have taken care of already). Your relatives/friends will only experience firewall/HIPS pop-ups if they accidentally executed/installed mal... err something new.

    thanatos
     
    Last edited: Feb 11, 2008
  8. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    I just tweaked my Windows XP Professional SP3 (3300) system. Haven't checked network access yet but here is the running process information.

    tasklist /svc results, only windows components

    Code:
    Image Name                   PID Services
    ========================= ====== =============================================
    System Idle Process            0 N/A
    System                         4 N/A
    smss.exe                     384 N/A
    csrss.exe                    668 N/A
    winlogon.exe                 760 N/A
    services.exe                 804 Eventlog, PlugPlay
    lsass.exe                    816 N/A
    svchost.exe                 1012 DcomLaunch
    svchost.exe                 1112 RpcSs
    svchost.exe                 1388 AudioSrv, CryptSvc, Netman, winmgmt, WZCSVC
    svchost.exe                 1424 BthServ
    explorer.exe                1744 N/A
    rundll32.exe                1900 N/A
    rundll32.exe                1916 N/A
    wmiprvse.exe                 328 N/A
    
    I use Harden-It, Secure-It, Seconfig XP and Security & Privacy Complete. Plus some manual tweaking...

    Everything working fine with these tweaks. Only problem is that WLAN status is always Acquiring network access even though everything is connected and working.
     
    Last edited: Feb 11, 2008
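
    Added example (not part of any post in this thread): a Python sketch that joins `tasklist /svc` rows like those above with `netstat -ano` output, so each socket is attributed to the services behind its owning PID rather than to a bare `svchost.exe`. The netstat rows are constructed sample data, and the function names are this example's own.

```python
import re

# Rows taken from the tasklist /svc output posted above.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
lsass.exe                    816 N/A
svchost.exe                 1112 RpcSs
svchost.exe                 1388 AudioSrv, CryptSvc, Netman, winmgmt, WZCSVC
svchost.exe                 1424 BthServ
explorer.exe                1744 N/A
"""
# Constructed netstat -ano rows (not from the thread); documentation addresses.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1112
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED     1388
  TCP    192.0.2.10:1046        198.51.100.9:80        ESTABLISHED     1744
  UDP    0.0.0.0:500            *:*                                    816
"""
# Image names may contain spaces, so anchor on the numeric PID column.
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.+)$")

def parse_tasklist_svc(text):
    """Map PID -> (image name, list of hosted services); 'N/A' becomes []."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and '=====' ruler carry no PID and are skipped
            svcs = m["svcs"].strip()
            names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
            procs[int(m["pid"])] = (m["image"].strip(), names)
    return procs

def parse_netstat_ano(text):
    """Return (proto, local, remote, state, pid); UDP rows have no state."""
    rows = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and f[0] in ("TCP", "UDP"):
            rows.append((f[0], f[1], f[2], f[3] if len(f) == 5 else "", int(f[-1])))
    return rows

def endpoints_by_service(tasklist_text, netstat_text):
    """One (image, services, pid, proto, local, remote, state) tuple per socket."""
    procs = parse_tasklist_svc(tasklist_text)
    return [procs.get(r[4], ("<unknown>", [])) + (r[4],) + r[:4]
            for r in parse_netstat_ano(netstat_text)]

def rule_scope(tasklist_text, image):
    """Every service that a single per-executable firewall rule would cover."""
    return sorted(s for img, svcs in parse_tasklist_svc(tasklist_text).values()
                  if img.lower() == image.lower() for s in svcs)
```

    `rule_scope(TASKLIST_SVC, "svchost.exe")` lists every service that one allow or block rule for that executable would affect, which is the granularity problem raised earlier in the thread.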
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    There is no need to block Windows processes/services with a firewall, I don't consider that to be a good practice. Any unneeded comm by Windows processes can/should be blocked by disabling a process making a comm itself.
    The only comm that I know of which cannot be stopped by disabling its service/process, is explorer.exe 'calling mother ship' when you perform a 'search'. This should be blocked by a firewall, though it's not a big concern IMO. I allow this (manually, I don't have a rule).

    Cheers,
     
  10. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks thanatos_theos and the rest of you for your posts. I will then wait for more executable activity of Windows processes before I block any more at the moment.

    dja2k
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    If I'm correct, only lsass.exe and svchost.exe need network access, but I would block explorer.exe for sure, as this might be used in attacks.
     