
C:\windows\system32\svchost.exe

Discussion in 'Windows XP' started by FireDancer, 2004/12/11.

Thread Status:
Not open for further replies.
  1. 2004/12/11, FireDancer (Thread Starter)
    Hello all,

    Can someone explain what C:\windows\system32\svchost.exe actually does and why it keeps asking to send a UDP packet to port 1900? I keep denying it but I would like to know if I should be or not. Should I have a certain rule set for this bugger in my firewall? :rolleyes: It happens every time I boot up my PC and it is getting irritating.

    Thanks,
    FireDancer :(
     
    Last edited: 2004/12/11
  2. 2004/12/11, Dez Bradley
    svchost is simply short for service host, and is used by many services on your PC. That's the really short version. For the long one read this:

    http://support.microsoft.com/?kbid=314056

    Edited see below for more.....
     
    Last edited: 2004/12/11


  4. 2004/12/11, FireDancer (Thread Starter)
    Dez Bradley,

    I have and use on a regular basis Ad-Aware SE, Spybot, SpywareBlaster, SpywareGuard, TDS-3 trojan hunter, NOD32 AV and a firewall up hmmm. I will re-run them but I'm sure I will come up clean. Maybe a hijack log will help. I'll post in Security and get some ideas.

    Thanks,
    FireDancer :)
     
  5. 2004/12/11, Dez Bradley
    Actually I may be wrong with that port. Got my ports mixed up. It isn't adware.

    That port is used by Windows SSDP & Windows Messenger (not to be confused with MSN Messenger the chat program), both can be disabled.

    Here's more details:

    In XP, the Simple Service Discovery Protocol (SSDP) discovery service searches for Universal Plug and Play devices on your home network. SSDP searches for upstream Internet gateways using UDP port 1900 - a potential security risk many people will want to block.

    Programs like Norton's Internet Security have a block on port 1900 built in. If you have a firewall, blocking port 1900 for the UDP protocol inbound and outbound stops SSDP.

    The Universal Plug and Play Network Address Translation (NAT) traversal discovery used by Windows Messenger broadcasts on UDP 1900 as well.

    To turn off Windows Messenger's broadcasts using regedit:

    Hive: HKEY_LOCAL_MACHINE
    Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
    Name: UPnPMode
    Type: REG_DWORD
    Value: 2 (disabled)   <<<<==== what you need to change it to

    With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.

    You can also turn off the "Messenger" service in Admin Tools-Services but I haven't tested if this works by itself.

    So Windows is doing the talk on UDP 1900 not adware. If you need more help let me know.
     
    Last edited: 2004/12/11
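What the UDP/1900 traffic described in the post above actually contains, as an added example (not code from the thread, from Microsoft or from any firewall vendor). SSDP is HTTP-style text carried in UDP datagrams, so a firewall prompt about port 1900 can be resolved by looking at the payload. The datagrams below are constructed for the example; the InternetGatewayDevice search target is the standard UPnP one used for the gateway discovery the post mentions, and the 192.0.2.1 address and all-zero UUID are placeholders.

```python
"""Classify the UDP/1900 datagrams a desktop firewall reports for svchost.exe.

SSDP (Simple Service Discovery Protocol) is HTTP-style text carried in UDP
datagrams to the multicast group 239.255.255.250 on port 1900. Parsing the
payload tells you whether a datagram is a discovery search (what the SSDP
discovery service sends when it looks for a UPnP Internet gateway), a device
advertisement, or a unicast search response.
"""
from dataclasses import dataclass

SSDP_MULTICAST = "239.255.255.250"
SSDP_PORT = 1900
# Standard UPnP search target for an upstream Internet gateway (router).
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample datagrams (not captured from a real host).
SAMPLE_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 3\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.0.2.1:1900/desc.xml\r\n"  # placeholder address
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


@dataclass
class SsdpMessage:
    kind: str      # "search", "advertise", "response" or "unknown"
    target: str    # ST header (search/response) or NT header (advertise)
    headers: dict


def parse_ssdp(payload: bytes) -> SsdpMessage:
    """Parse one SSDP datagram; header names are case-insensitive as in HTTP."""
    text = payload.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    request_line = lines[0].strip().upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()

    if request_line.startswith("M-SEARCH") and headers.get("MAN") == '"ssdp:discover"':
        return SsdpMessage("search", headers.get("ST", ""), headers)
    if request_line.startswith("NOTIFY"):
        return SsdpMessage("advertise", headers.get("NT", ""), headers)
    if request_line.startswith("HTTP/1.1 200"):
        return SsdpMessage("response", headers.get("ST", ""), headers)
    return SsdpMessage("unknown", "", headers)


def classify_datagram(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """One-line verdict for an outbound datagram the firewall asked about."""
    if dst_port != SSDP_PORT:
        return "not SSDP: destination port is not 1900"
    msg = parse_ssdp(payload)
    if msg.kind == "search":
        if dst_ip == SSDP_MULTICAST and msg.target == IGD_TARGET:
            return "SSDP gateway discovery: normal UPnP search for an Internet gateway"
        return f"SSDP search for {msg.target} to {dst_ip}"
    if msg.kind == "advertise":
        return f"SSDP advertisement of {msg.target}"
    if msg.kind == "response":
        return f"SSDP search response for {msg.target}"
    return "unrecognised payload on UDP/1900: inspect manually"


if __name__ == "__main__":
    for dst, payload in ((SSDP_MULTICAST, SAMPLE_SEARCH), (SSDP_MULTICAST, SAMPLE_NOTIFY)):
        print(classify_datagram(dst, SSDP_PORT, payload))
```

The useful distinction for a firewall rule is the combination of multicast destination and `M-SEARCH` with `MAN: "ssdp:discover"`: that is the boot-time gateway search. Anything else arriving on or leaving for port 1900 that does not parse as SSDP deserves a closer look rather than a blanket allow.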
  6. 2004/12/12, Newt
    Firedancer - as I posted on your thread in security where you helped out more by giving the IP address, it is as Dez has said and is the OS trying to discover other plug/play devices on the network (in this case, your entire ISP) like a web printer or similar.

    Block it by all means but also know it is normal and harmless while a little annoying. If your ISP is set up correctly, the packet never gets past their router to the internet and besides, the packet has a limited TTL (time to live or hop count) so it dies quickly enough if it finds nothing and dies immediately if it does find something.
     
    Newt,
  7. 2004/12/12, Dez Bradley
    After thinking about what Newt says, I tend to agree with him; it is pretty harmless and doesn't really need attention. I would just disable being told about it by your firewall. Putting a block on UDP 1900 may be the only way to shut it up with some FWs.

    I would still turn off the Service called "Messenger" in XP and 2000, as it can be exploited by advertisers to pop up ads. Ask for how to do this.

    Interestingly Microsoft must have had a lot of feedback about it as Messenger is disabled by default in SP2.

    It was meant to be used on LANs for admin messages and pop-up messages, but they figured out how to exploit it from the net ages ago. The internet after all is just a big network you are a part of when online. Didn't take much to figure out how to exploit it.
     
  8. 2004/12/12, FireDancer (Thread Starter)
    Hi Fellas,

    I just got done posting to what I thought was this thread, moved by lonny. Anyway, I did create a rule in the firewall that will not allow access either way for service host: TCP/UDP, both directions, DENY, any port, any program. Did not want to double post, sorry for the confusion.

    FireDancer ;)
     
  9. 2004/12/12, Johanna
    Fyi

    Dez,
    The easiest way to permanently get rid of Messenger is Start>Run
    c/v
    RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
    and you never have to worry about it again... :)

    Johanna
     
  10. 2004/12/12, Dez Bradley
    I would be very careful about creating a rule that generally blocks svchost, as many internet programs you want to access the net may not function correctly. Only block that port 1900, not svchost itself.

    And Joanna, yes I use that command line where needed to remove MSN Messenger, but that is not the same as Windows Messenger. Windows Messenger is a service that when exploited pops up ads in a grey box on your screen in 2000 and XP.

    Some people may find that command line useful though, as MSN Messenger can be annoying if you don't want it, and there is no uninstall option for it.
     
    Last edited: 2004/12/12
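Before writing the blanket svchost.exe rule the post above warns against, it helps to see which services each svchost.exe instance actually hosts, because a per-process firewall rule hits all of them at once. This added example (not from the thread or from Microsoft) parses the text that `tasklist /svc` prints on XP and 2000. The sample output is constructed, so its PIDs and service groupings are illustrative; SSDPSRV is the service name of the SSDP Discovery Service, which the thread does not name.

```python
"""Show which services hide behind each svchost.exe instance, so you can see
what a firewall rule against svchost.exe as a whole would cut off.

Input is the text printed by `tasklist /svc`; SAMPLE_TASKLIST below is
constructed for this example (PIDs and groupings are illustrative only).
"""
from __future__ import annotations

import re
from collections import OrderedDict

SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    812 RpcSs
svchost.exe                    876 AudioSrv, CryptSvc, Dhcp, lanmanserver,
                                   lanmanworkstation, SSDPSRV, winmgmt, wuauserv
svchost.exe                    960 Dnscache
explorer.exe                  1208 N/A
"""

# image name, whitespace, PID, whitespace, service list (may be "N/A")
MAIN_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _split_services(field: str) -> list[str]:
    """Turn 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means no services."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> OrderedDict[int, tuple[str, list[str]]]:
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs: OrderedDict[int, tuple[str, list[str]]] = OrderedDict()
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue                      # column header and separator rows
        if line[0].isspace() and last_pid is not None:
            # tasklist wraps long service lists onto indented continuation lines
            procs[last_pid][1].extend(_split_services(line))
            continue
        m = MAIN_LINE.match(line)
        if not m:
            continue
        image, pid, services = m.group(1), int(m.group(2)), m.group(3)
        procs[pid] = (image, _split_services(services))
        last_pid = pid
    return procs


def svchost_services(text: str) -> dict[int, list[str]]:
    """Only the svchost.exe instances: PID -> services hosted in that process."""
    return {pid: svcs for pid, (image, svcs) in parse_tasklist_svc(text).items()
            if image.lower() == "svchost.exe"}


def pid_hosting(text: str, service: str) -> int | None:
    """Which svchost PID hosts the named service (e.g. SSDPSRV), or None."""
    wanted = service.lower()
    for pid, svcs in svchost_services(text).items():
        if wanted in (s.lower() for s in svcs):
            return pid
    return None


def collateral_of_blocking_svchost(text: str) -> list[str]:
    """Every service a per-process rule against svchost.exe would also affect."""
    return sorted({s for svcs in svchost_services(text).values() for s in svcs},
                  key=str.lower)


if __name__ == "__main__":
    # In practice: feed in the real output, e.g. from `tasklist /svc > svc.txt`.
    for pid, svcs in svchost_services(SAMPLE_TASKLIST).items():
        print(f"svchost.exe PID {pid}: {', '.join(svcs) or '(none)'}")
    print("SSDPSRV lives in PID", pid_hosting(SAMPLE_TASKLIST, "SSDPSRV"))
    print("blocking svchost.exe would affect:", collateral_of_blocking_svchost(SAMPLE_TASKLIST))
```

On the sample, SSDPSRV shares a process with DHCP, the DNS cache and Windows Update, which is exactly why a per-process deny on svchost.exe is a blunt tool and a port-scoped rule (UDP 1900 only) is the better fit.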
  11. 2004/12/12, noahdfear
    Actually, that command is used to remove Windows Messenger, which is different from both Messenger Service and MSN Messenger. The Messenger Service is disabled by clicking start>run, type services.msc and hit enter. Locate Messenger in the list, right click and select properties. Stop the service, then set to disabled, apply and OK out. I would recommend disabling the service and uninstalling Windows Messenger, a primarily network environment instant messaging program.
     
  12. 2004/12/12, Dez Bradley
    You would think Microsoft could have been more helpful and named things differently to distinguish them more clearly. Messenger, MSN Messenger, Windows Messenger. Too many messengers hehe. I usually disable the Messenger service in Admin Tools-Services as a practice when I do XP machines, and fortunately in SP2, MS disables it by default....finally.
     
  13. 2004/12/12, Johanna
    Dez Bradley,
    My name is Johanna, with an "h". I know the difference between the Messengers. The network Windows Messenger Service that pops up ads on desktops was designed for computer administrators to send notifications en masse, and is easily disabled in Admin Tools > Services. No registry edits are necessary. Windows Messenger is removed with the above command, and it comes with XP by default, and the IM program is uninstalled in Add/Remove.

    If you want to know more about that, do a search on the BBS for "Messenger" and "Welshjim".

    You can use your firewall to block all online communication for svchost.exe and just about every other kind of MS app, except, of course, the ones you want to use, on a stand-alone computer. GenHostProcess does not need the internet, neither does any component of Office, or WE. In fact, looking at my firewall rules, only IE & OE have permission to access the internet, and then, only when I call on them. This does not interfere with the way software, including XP, behaves. In fact, all the software that DOESN'T need to access the internet for MY convenience is denied access through itself, and Norton. For example, if I want to open a PDF, AA doesn't need to call home. If I want updates, I'll go to the website and download them. I do not need the aggravation of monitoring a program that is misbehaving because it connected to fill-in-the-blank.

    Firedancer:
    A good rule of thumb is to block unknown connections. You'll figure out pretty quick if a program needs it or not, and can always change your rule. Even my mouse and keyboard were factory set to call home every time I booted the computer! To me, that is ridiculous. I have worked on OEMs that had 60 programs trying to go online, and stay online (maintaining an active connection and running as a process in Task Manager) by default, and the users wondered why their computer booted slowly. You may not notice on high speed DSL, but an older comp on dial-up might choke. When unsure, say "NO."

    Many people let Norton or their security program do "Automatic Program Control". This lets known programs through by default. If you are comfortable making those decisions yourself, shut it off, and watch the prompts you get as new rules have to be created manually. You will be shocked at what all WANTS to be online. With the newer faster computers, on their high speed connections, the default settings will permit a lot of activity, and the user will never notice. I know the companies have business reasons for their desire to be "in touch", but I place a high value on privacy, or paranoia, whatever.

    Johanna
     
    Last edited: 2004/12/12