11th December 2004, #1, FireDancer (thread starter)

C:\windows\system32\svchost.exe


Hello all,

Can someone explain what C:\windows\system32\svchost.exe actually does and why it keeps asking to send a UDP to port 1900? I keep denying it but I would like to know if I should be or not. Should I have a certain rule set for this bugger in my firewall? It happens every time I boot up my PC and it is getting irritating.

Thanks,
FireDancer


Last edited by FireDancer; 11th December 2004 at 23:57. Reason: add a line
12th December 2004, #2, Dez Bradley

svc host is simply short for service host, and is used by many services on your PC. That's the really short version. For the long one read this:

http://support.microsoft.com/?kbid=314056

Edited, see below for more...


Last edited by Dez Bradley; 12th December 2004 at 04:56.
12th December 2004, #3, FireDancer (thread starter)

Dez Bradley,


I have and use on a regular basis ad aware se, spy bot, spywareblaster, spywareguard, TDS-3 trojan hunter, nod-32 av and a firewall up, hmmm. I will re-run them but I'm sure I will come up clean. Maybe a hijack log will help. I'll post in security and get some ideas.

Thanks,
FireDancer

12th December 2004, #4, Dez Bradley

Actually I may be wrong with that port. Got my ports mixed up. It isn't adware.

That port is used by Windows SSDP & Windows Messenger (not to be confused with MSN Messenger the chat program); both can be disabled.

Here's more details:

In XP, the Simple Service Discovery Protocol (SSDP) discovery service searches for Universal Plug and Play devices on your home network. SSDP searches for upstream Internet gateways using UDP port 1900 - a potential security risk many people will want to block.

Programs like Norton Internet Security have a block on port 1900 built in. If you have a firewall, blocking port 1900 for UDP protocol in and outbound stops SSDP.

The Universal Plug and Play Network Address Translation (NAT) traversal discovery used by Windows Messenger broadcasts on UDP 1900 as well.

To turn off Windows Messenger's broadcasts using regedit:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
Name: UPnPMode
Type: REG_DWORD
Value: 2 (disabled) <<<<====What u need to change (to)

With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.

You can also turn off the "Messenger" service in Admin Tools-Services but I haven't tested if this works by itself.

So Windows is doing the talk on UDP 1900 not adware. If you need more help let me know.


Last edited by Dez Bradley; 12th December 2004 at 04:55.
12th December 2004, #5, Newt

Firedancer - as I posted on your thread in security where you helped out more by giving the IP address, it is as Dez has said and is the OS trying to discover other plug/play devices on the network (in this case, your entire ISP) like a web printer or similar.

Block it by all means but also know it is normal and harmless while a little annoying. If your ISP is set up correctly, the packet never gets past their router to the internet and besides, the packet has a limited TTL (time to live or hop count) so it dies quickly enough if it finds nothing and dies immediately if it does find something.

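Posts #4 and #5 describe the UDP 1900 traffic as the OS's SSDP discovery. As an added example (not written by any poster in this thread), this Python sketch parses a UDP 1900 payload and labels the datagram by destination, so a firewall prompt or capture can be checked against that description. The sample payload is constructed, and the label names and the RFC 1918 definition of "LAN" are assumptions of this example.

```python
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # IPv4 SSDP multicast group
SSDP_PORT = 1900
# Assumption of this example: "LAN" means the RFC 1918 private ranges.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a gateway search like the one described in post #4.
SAMPLE = (b'M-SEARCH * HTTP/1.1\r\n'
          b'HOST: 239.255.255.250:1900\r\n'
          b'MAN: "ssdp:discover"\r\n'
          b'MX: 3\r\n'
          b'ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n')

def parse_ssdp(payload):
    """Return (method, headers) for an SSDP datagram, or None if it is not one."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if (len(parts) != 3 or parts[0] not in ("M-SEARCH", "NOTIFY")
            or parts[1] != "*" or not parts[2].startswith("HTTP/1.")):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:           # a header line without a colon is not SSDP
            return None
        headers[name.strip().upper()] = value.strip()
    return parts[0], headers

def classify(dst_ip, dst_port, payload):
    """Label one outbound UDP datagram by port, payload and destination."""
    if dst_port != SSDP_PORT:
        return "not-ssdp-port"
    parsed = parse_ssdp(payload)
    if parsed is None:
        return "udp1900-not-ssdp"
    method, headers = parsed
    if method == "M-SEARCH" and headers.get("MAN", "").strip('"') != "ssdp:discover":
        return "udp1900-malformed-search"
    dst = ipaddress.ip_address(dst_ip)
    if dst == SSDP_GROUP:
        return "ssdp-multicast-discovery"
    if any(dst in net for net in LAN_NETS):
        return "ssdp-unicast-lan"
    return "ssdp-outside-lan"
```
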
12th December 2004, #6, Dez Bradley

After thinking about what Newt says, I tend to agree with him; it is pretty harmless and doesn't really need attention. I would just disable being told about it by your firewall. Putting a block on UDP 1900 may be the only way to shut it up with some FWs.

I would still turn off the service called "Messenger" in XP and 2000, as it can be exploited by advertisers to pop up ads. Ask for how to do this.

Interestingly, Microsoft must have had a lot of feedback about it, as Messenger is disabled by default in SP2.

It was meant to be used on LANs for admin messages and pop up messages but they figured out how to exploit it from the net ages ago. The internet after all is just a big network you are a part of when online. Didn't take much to figure how to exploit it.

12th December 2004, #7, FireDancer (thread starter)

Hi Fellas,


I just got done posting to what I thought was this thread moved by lonny. Anyways, I did create a rule in firewall that will not allow access either way for service host. TCP/UDP both directions DENY any port any program. Did not want to dbl post, sorry for the confusion.

FireDancer

12th December 2004, #8, Johanna

Fyi


Dez,
The easiest way to permanently get rid of Messenger is Start>Run
c/v
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
and you never have to worry about it again...

Johanna

12th December 2004, #9, Dez Bradley

I would be very careful about creating a rule that generally blocks svchost, as many internet programs you want to access the net may not function correctly. Only block that port 1900, not svchost itself.

And Joanna, yes I use that command line where needed to remove msn messenger but that is not the same as Windows Messenger. Windows messenger is a service that when exploited pops up ads in a grey box on your screen in 2000 and XP.

Some people may find that command line useful though, as msn messenger can be annoying if you don't want it, and the fact there is no uninstall option for it.


Last edited by Dez Bradley; 12th December 2004 at 23:46.
13th December 2004, #10, noahdfear

Actually, that command is used to remove Windows Messenger, which is different from both Messenger Service and MSN Messenger. The Messenger Service is disabled by clicking start>run, type services.msc and hit enter. Locate Messenger in the list, right click and select properties. Stop the service, then set to disabled, apply and OK out. I would recommend disabling the service and uninstalling Windows Messenger, a primarily network environment instant messaging program.

13th December 2004, #11, Dez Bradley

You would think Microsoft could have been more helpful and named things differently to distinguish them more clearly. Messenger, MSN Messenger, Windows Messenger. Too many messengers hehe. I usually disable the Messenger service in Admin Tools-Services as a practice when I do XP machines, and fortunately in SP2, MS disable it by default... finally.

13th December 2004, #12, Johanna

Dez Bradley,
My name is Johanna, with a "h". I know the difference between the Messengers. The network Windows Messenger Service that pops up ads on desktops was designed for computer administrators to send notification en masse, and is easily disabled in Admin Tools > Services. No registry edits are necessary. Windows Messenger is removed with the above command, and it comes with XP by default, and the IM program is uninstalled in Add/Remove.

If you want to know more about that, do a search on the BBS for "Messenger" and "Welshjim".

You can use your firewall to block all online communication for svchost.exe and just about every other kind of MS app, except, of course, the ones you want to use, on a stand alone computer. GenHostProcess does not need the internet, neither does any component of Office, or WE. In fact, looking at my firewall rules, only IE & OE have permission to access the internet, and then, only when I call on them. This does not interfere with the way software, including XP, behaves. In fact, all the software that DOESN'T need to access the internet for MY convenience, is denied access through itself, and Norton. For example, if I want to open a pdf, AA doesn't need to call home. If I want updates, I'll go to the website and download them. I do not need the aggravation of monitoring a program that is misbehaving because it connected to fill-in-the-blank.

Firedancer:
A good rule of thumb is to block unknown connections. You'll figure out pretty quick if a program needs it or not, and can always change your rule. Even my mouse and keyboard were factory set to call home every time I booted the computer! To me, that is ridiculous. I have worked on OEMs that had 60 programs trying to go online, and stay online (maintaining an active connection and running as a process in Task Manager) by default, and the users wondered why their computer booted slowly. You may not notice on high speed dsl, but an older comp on dial up might choke. When unsure, say "NO."

Many people let Norton or their security program do "Automatic Program Control". This lets known programs through by default. If you are comfortable making those decisions yourself, shut it off, and watch the prompts you get as new rules have to be created manually. You will be shocked at what all WANTS to be online. With the newer faster computers, on their high speed connections, the default settings will permit a lot of activity, and the user will never notice. I know the companies have business reasons for their desire to be "in touch", but, I place a high value on privacy, or paranoia, whatever.

Johanna


Last edited by Johanna; 13th December 2004 at 01:29.