Generic host svchost asks for internet access?

Jeff

I am setting up a new installation of Zone Alarm in a XP PC.

I received an alert saying:

"Generic Host Process for Win32 Services wants to accept connections from
the internet.
Application Svchost.exe
Source IP: 207.46.232.189: Port 123"

I do not recognize this IP. Is this something I should allow?

Thanks.

Jeff
 
David H. Lipman

From: "Jeff" <[email protected]>

| I am setting up a new installation of Zone Alarm in a XP PC.
|
| I received an alert saying:
|
| "Generic Host Process for Win32 Services wants to accept connections from
| the internet.
| Application Svchost.exe
| Source IP: 207.46.232.189: Port 123"
|
| I do not recognize this IP. Is this something I should allow?
|
| Thanks.
|
| Jeff
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
David

Jeff said:
I am setting up a new installation of Zone Alarm in a XP PC.

I received an alert saying:

"Generic Host Process for Win32 Services wants to accept connections from
the internet.
Application Svchost.exe
Source IP: 207.46.232.189: Port 123"

I do not recognize this IP. Is this something I should allow?

Thanks.

Jeff

That belongs to time.windows.com

David
 
Jeff

David said:

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder
C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow
WGET.EXE to go through your FireWall to allow it to download the
needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in
C:\AV-CLS}
This will bring up the initial menu of choices and should be executed
in Normal Mode. This way all the components can be downloaded from
each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed
files or you can download the files and perform a scan in Normal
Mode. Once you have downloaded the files needed for each scanner you
want to use, you should reboot the PC into Safe Mode [F8 key during
boot] and re-run the menu again and choose which scanner you want to
run in Safe Mode. It is suggested to run the scanners in both Safe
Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

Are you suggesting I have a trojan or other virus?

Jeff
 
Wesley Vogel

time.windows.com is.... you guessed it, Microsoft's very own Time server for
updating the time on your computer clock.

Double click the clock in the notification area.
Click the Internet Time tab.
time.windows.com is one of the two choices for Server.

canonical name time.windows.com.
aliases
addresses 207.46.232.189

Domain Whois record
Queried whois.internic.net with "dom windows.com"...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: WINDOWS.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS3.MSFT.NET
Name Server: NS1.MSFT.NET
Name Server: NS5.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS4.MSFT.NET
Status: REGISTRAR-LOCK
Updated Date: 10-jun-2004
Creation Date: 11-sep-1995
Expiration Date: 04-jun-2014

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Nepatsfan

Jeff said:
I am setting up a new installation of Zone Alarm in a XP PC.

I received an alert saying:

"Generic Host Process for Win32 Services wants to accept
connections from the internet.
Application Svchost.exe
Source IP: 207.46.232.189: Port 123"

I do not recognize this IP. Is this something I should allow?

Thanks.

Jeff

It depends, do you trust Microsoft?

Running tracert from a command prompt shows that IP as being
time.windows.com.

Here's some more info on that IP address:
http://www.dnsstuff.com/tools/whois.ch?ip=207.46.232.189&cache=off

Here's an explanation about port 123.
http://www.seifried.org/security/ports/0/123.html

Bottom line, it sounds like Zone Alarm is asking if you want to
allow Microsoft's time server to connect to your computer to
synchronize the time.

I don't have Zone Alarm installed on any of my computers so I
can't really test this but I did try the following:

Configure firewall to block Generic Host Process for Win32
Services/svchost.exe.
Go to Control Panel and double click Date and Time.
Click on Internet Time tab.
Hit the Update Now button.
Message displayed reads "An error occurred while Windows was
synchronizing with time.windows.com. The peer is unreachable".
Configure firewall to allow Generic Host Process for Win32
Services/svchost.exe.
Go back and hit Update Now button and time is successfully
synchronized.

What you've encountered is one of the reasons I don't use Zone
Alarm, too many cryptic questions. If you haven't done so
already, you might want to post your question here:

Zone Labs User Forums
http://forum.zonelabs.org/zonelabs

Good luck

Nepatsfan
 
Jeff

Nepatsfan said:
It depends, do you trust Microsoft?

Not really <grin>

Nepatsfan said:
Running tracert from a command prompt shows that IP as being
time.windows.com.
Configure firewall to block Generic Host Process for Win32
Services/svchost.exe.
Go to Control Panel and double click Date and Time.
Click on Internet Time tab.
Hit the Update Now button.
Message displayed reads "An error occurred while Windows was synchronizing
with time.windows.com. The peer is unreachable".
Configure firewall to allow Generic Host Process for Win32
Services/svchost.exe.
Go back and hit Update Now button and time is successfully synchronized.

Begs the question of whether to instruct the firewall to allow or not allow
Host Process for Win32 Services/svchost.exe in general? I was reluctant to
allow it because it is a "generic" service that could be used by anything.
Am I too paranoid?

Jeff
 
Jeff

Thank you.

Jeff
 
Jeff

David said:
That belongs to time.windows.com

David

Thanks. That's reassuring.

Question is whether I should permit Host Process for Win32
Services/svchost.exe to act as a "Server" with access to the internet or is
that a security risk. I presently have ZA set to:

Access: allowed --- to the internet and trusted zones but
Server: disallowed or Ask --- as "Server" to trusted and internet zones

Could this explain why I am having intermittent loss of internet access
through my router?

Not sure what the correct settings should be for Host Process for Win32
Services/svchost.exe. Any advice?

Jeff
 
Wesley Vogel

Question is whether I should permit Host Process for Win32
Services/svchost.exe to act as a "Server"

I do not allow *anything* to act as a Server in ZoneAlarm.

A red X means the program is denied access/server rights.

I have red Xs in both columns, Trusted and Internet under Server.

From ZoneAlarm HELP:

server permission
Server permission allows a program on your computer to "listen" for
connection requests from other computers, in effect giving those computers
the power to initiate communications with yours. This is distinct from
access permission, which allows a program to initiate a communications
session with another computer.

Several common types of applications, such as chat programs, e-mail clients,
and Internet Call Waiting programs, may need server permission to operate
properly. Grant server permission only to programs you're sure you trust,
and that require it in order to work.

If possible, avoid granting a program server permission for the Internet
Zone. If you need to accept incoming connections from only a small number of
machines, add those machines to the Trusted Zone, and then allow the program
server permission for the Trusted Zone only.

The following basic options are available for each program

Allow the program to listen for connection requests

Block the program from listening for connection requests

Ask me whether to allow the program to listen for connection requests (show
Server Program alert)


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Jeff

Thank you.

Jeff

 
Nepatsfan

Jeff said:
Begs the question of whether to instruct the firewall to
allow or not allow Host Process for Win32
Services/svchost.exe in general? I was reluctant to allow it
because it is a "generic" service that could be used by
anything. Am I too paranoid?
Jeff

As long as the svchost.exe file is located in the
C:\Windows\System32 folder you should be fine if you allow it
in Zone Alarm. Here are a couple of articles with more info:

A description of Svchost.exe in Windows XP Pro
http://support.microsoft.com/?kbid=314056

Courtesy of Ramesh Srinivasan MS-MVP
Description of Svchost.exe in Windows XP
http://windowsxp.mvps.org/svchost.htm

Keep in mind that since many of the services that operate under
svchost.exe are related to networking, blocking it would
probably disable your internet connection.

Good luck

Nepatsfan
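
Nepatsfan's location check can be applied to every running copy of svchost.exe at once. The following is an added example, not from the original posts: it audits a process listing for svchost.exe images outside the System32 folder. The listing is constructed sample data, the `audit_svchost` helper is hypothetical, and the Windows folder is assumed to be C:\WINDOWS (the XP default).

```python
import ntpath  # Windows path rules, usable on any OS


def audit_svchost(processes, system_root=r"C:\WINDOWS"):
    """Return (pid, verdict, path) for every process named svchost.exe.

    verdict is 'ok' when the image is svchost.exe inside System32 under
    system_root, 'wrong-location' when it lives anywhere else, and
    'path-unavailable' when the listing gave no path (for example because
    access to the process was denied).
    """
    expected = ntpath.normcase(
        ntpath.join(system_root, "System32", "svchost.exe"))
    findings = []
    for pid, name, path in processes:
        if name.lower() != "svchost.exe":
            continue
        if not path:
            verdict = "path-unavailable"
        else:
            # normpath resolves ".." segments; normcase folds case and
            # slashes, so differently-cased spellings compare equal.
            actual = ntpath.normcase(ntpath.normpath(path))
            verdict = "ok" if actual == expected else "wrong-location"
        findings.append((pid, verdict, path))
    return findings


# Constructed sample listing: (pid, image name, full image path).
SAMPLE = [
    (712, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (804, "SVCHOST.EXE", r"c:\windows\System32\svchost.exe"),
    (1432, "svchost.exe", r"C:\WINDOWS\system32\..\Temp\svchost.exe"),
    (1608, "svchost.exe", r"C:\Documents and Settings\user\svchost.exe"),
    (1720, "svchost.exe", ""),
    (1900, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for pid, verdict, path in audit_svchost(SAMPLE):
        print(f"{pid:5} {verdict:16} {path or '(no path)'}")
```
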
 
Steven L Umbach

In general there is no need for most users to need to accept any inbound
connection request from any source unless you are running a server service
on your computer that you want to make available to internet users. But
something does not make sense here in that your internet router should be
stopping inbound connection requests [rather than allow response to
established sessions] from the internet and makes me believe that ZA is not
quite telling the truth that Application Svchost.exe wants to connect to
your computer. Most likely the warning was for traffic that was a response
to traffic initiated from your computer to synch its time and in this
particular case you would want to allow it.

Steve
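
The distinction Steve draws, a reply to traffic your PC started versus an unsolicited inbound request, is what a stateful filter decides for each packet. The sketch below is an added example, not part of the original posts and not ZoneAlarm's logic: it tracks outbound UDP flows and labels each inbound NTP packet. The local address, the second remote address, the timestamps and the 30-second timeout are constructed assumptions.

```python
from dataclasses import dataclass

UDP_STATE_TIMEOUT = 30.0  # seconds; assumed, real firewalls use their own value

# Mode is the low three bits of the first NTP header byte (LI:2, VN:3, Mode:3).
NTP_MODES = {1: "symmetric-active", 2: "symmetric-passive",
             3: "client", 4: "server", 5: "broadcast"}


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    direction: str   # "out" = sent by this PC, "in" = received
    local: tuple     # (ip, port) on this PC
    remote: tuple    # (ip, port) of the peer
    payload: bytes


def ntp_mode(payload):
    """Return the NTP mode name, or None if the payload is too short for NTP."""
    if len(payload) < 48:
        return None
    return NTP_MODES.get(payload[0] & 0x07, "other")


def classify(packets, timeout=UDP_STATE_TIMEOUT):
    """Label each packet 'outbound', 'reply' or 'unsolicited'.

    An inbound packet counts as a reply only if this PC sent to the same
    remote ip:port from the same local ip:port within `timeout` seconds.
    """
    last_sent = {}
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts):
        flow = (p.local, p.remote)
        if p.direction == "out":
            last_sent[flow] = p.ts
            verdict = "outbound"
        elif flow in last_sent and p.ts - last_sent[flow] <= timeout:
            verdict = "reply"
        else:
            verdict = "unsolicited"
        verdicts.append((verdict, ntp_mode(p.payload)))
    return verdicts


def ntp_packet(first_byte):
    """Constructed 48-byte NTP packet; only the first byte matters here."""
    return bytes([first_byte]) + bytes(47)


PC = ("192.168.1.10", 123)              # constructed LAN address
TIME_SERVER = ("207.46.232.189", 123)   # address from the alert in this thread
STRANGER = ("203.0.113.7", 123)         # constructed, documentation range

SAMPLE = [
    Packet(0.00, "out", PC, TIME_SERVER, ntp_packet(0x1B)),  # VN 3, mode 3
    Packet(0.08, "in", PC, TIME_SERVER, ntp_packet(0x1C)),   # VN 3, mode 4
    Packet(5.00, "in", PC, STRANGER, ntp_packet(0x1B)),      # never contacted
    Packet(120.0, "in", PC, TIME_SERVER, ntp_packet(0x1C)),  # state expired
]

if __name__ == "__main__":
    for pkt, (verdict, mode) in zip(SAMPLE, classify(SAMPLE)):
        print(f"{pkt.ts:7.2f}s {pkt.direction:3} {pkt.remote[0]:15} "
              f"{str(mode):8} {verdict}")
```

Only the second packet is the kind of traffic Steve says you would want to allow; the other two inbound packets have no matching outbound request.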
 
Jeff

Thank you.

I guess you are correct since time synch would have been initiated by my PC.

I changed my time synch to "time.nist.gov" instead of time.windows.com and
that seemed to synch with no problem.

I have my Zone Alarm's setting for svchost to allow as server for Trusted
zones and to block for Server Internet. I also put my router's IP (DHCP
server) and home network PCs in the trusted zone. Hope all that is correct.

Jeff


 
Jeff

Thank you.

Jeff

 
Nepatsfan

You're welcome.

Nepatsfan

 
Steven L Umbach

Assuming you want to be able to share files/printers on that computer with
other computers on your local network that sounds like a good strategy.

Steve


Jeff said:
Thank you.

I guess you are correct since time synch would have been initiated by my
PC.

I changed my time synch to "time.nist.gov" instead of time.windows.com and
that seemed to synch with no problem.

I have my Zone Alarm's setting for svchost to allow as server for Trusted
zones and to block for Server Internet. I also put my router's IP (DHCP
server) and home network PCs in the trusted zone. Hope all that is
correct.

Jeff


 
Jeff

Thank you.

Jeff
 
Steven L Umbach

Glad to help.

Steve

 
