Generic Host Process for Win32

[Dan Drewry]

Every so often, out of the blue, Zone Alarm pops up a message saying
"Generic Host Process for Win32 Services is trying to act as a server",
and sometimes it wants to accept connections from the internet.
The application is SVCHOST.EXE.
What is this thing, why does it appear at random times, and should I
allow it or deny it?
Thank you.

 

[Twayne]

Every so often, out of the blue, Zone Alarm pops up a message saying

"Generic Host Process for Win32 Services is trying to act as a
server", and sometimes it wants to accept connections from the
internet. The application is SVCHOST.EXE.
What is this thing, why does it appear at random times, and should I
allow it or deny it?
Thank you.

Hmm, that's unusual IME. I don't think it should be wanting to act as a
server.
Check your log files for ZA and see if you can tell who's running it
and what it's trying to do? It should be listed with a "blocked" action
since you denied it, or at least I hope you did, for now. It seems
completely wrong for svchost to want to act as a server.

svchost.exe is a service as it sounds, and you may have several of
them running, each one different. e.g. I have 5 running at this moment,
each one servicing something different.
Did you capitalize the name for clarity or was it capitalized in the
message?

What is your OS? Home or Pro?
What are you doing when that message pops up?
What is your level of computer expertise? e.g. novice, exp, very exp,
highly exp, etc.?

Then we could move on to more targeted responses unless someone
recognizes the issue and jumps in here first.

HTH
Twayne

 

[Dan Drewry]

Hmm, that's unusual IME. I don't think it should be wanting to act as a
server.
Check your log files for ZA and see if you can tell who's running it
and what it's trying to do? It should be listed with a "blocked" action
since you denied it, or at least I hope you did, for now. It seems
completely wrong for svchost to want to act as a server.

svchost.exe is a service as it sounds, and you may have several of
them running, each one different. e.g. I have 5 running at this moment,
each one servicing something different.
Did you capitalize the name for clarity or was it capitalized in the
message?

What is your OS? Home or Pro?
What are you doing when that message pops up?
What is your level of computer expertise? e.g. novice, exp, very exp,
highly exp, etc.?

Then we could move on to more targeted responses unless someone
recognizes the issue and jumps in here first.

HTH
Twayne

The ZA log shows no source or destination IP. The direction is incoming
(accept) and the action is blocked. No source or destination DNS.
Capitalization was just for clarity.
Using Win XP Pro.
The message wanting to act as a server usually pops up during bootup. I
don't remember, but the other occurred either while browsing or doing
email, not sure.
I am an experienced computer user.

I think I allowed the request the first time it came up, and I denied it
after that. Didn't notice any effect either way. I'll deny from now on.
Thanks.

 

[Twayne]

The ZA log shows no source or destination IP. The direction is
incoming (accept) and the action is blocked. No source or destination
DNS. Capitalization was just for clarity.
Using Win XP Pro.
The message wanting to act as a server usually pops up during bootup.
I don't remember, but the other occurred either while browsing or
doing email, not sure.
I am an experienced computer user.

I think I allowed the request the first time it came up, and I denied
it after that. Didn't notice any effect either way. I'll deny from
now on. Thanks.

That could have been just a ping then, looking to find a computer online
and open to access or less likely, completely innocent. If you
highlight the ZA line there should be some info about it in the box at
the bottom of the window; might ID whether it was tcp/ip, icm, etc..
Since it only happens durng the boot process, it sounds like during
boot something is sending out a request and that might be the response
to it. The question is, what's sending out the request and should it be
doing it? I'd have a look at msconfig and System SErvices to start with
and see if there was anything there that shouldn't be.
What happens if you boot with the modem disconnected? Any error
messages on screen or errors in Event Viewer?
Might be time for AV and malware arsenal scans too.

Sorry not more help.

Twayne

 

[TechWriter]

Since 8/29/2008, there have been numerous postings on the ZoneAlarm forums
about the Generic Host Process requesting Internet server rights. ZoneAlarm
Tech Support told us that ZoneAlarm's SmartDefender default was recently
changed from Block to Ask, but we can't get a clear reason from them even
though we've repeatedly asked. Nor can they explain why, even when a user
changes the Generic Host Process setting back to Block, it reverts back to
Ask every day or two. Nor can they explain why there are now numerous
Generic Host Process attempts being blocked (our ZoneAlarm log file is now
filled with blocked GHP attempts). In our case the source is the IP address
of our wireless router (which has its wireless access disabled and is being
used only as a wired router), and the attempts cease when the router is
turned off.

 

[captainscapegoat]

I've had this too. When I updated ZA I then chose to block SVCHOST as a server.

Now ever since I signed up with them, I've had Virgin.net automatically
going to their homepage when I connect to the internet. Haven't been able to
figure out how to stop this, although my homepage stays the same.

Now that I've blocked SVCHOST as a server, Virgin can no longer find it's
homepage when I establish a net connection!

Coincidence?