heavy traffic on port 1025

Guest

Many people seem to have noticed heavy traffic on port 1025. This traffic is caused by the task scheduler service hosted by svchost.exe. This service opens port 1025 by default. There are two ways to block this traffic:

1) disable task scheduler service and reboot; be aware it is possible that prefetch, system restore and bootvis won't work properly anymore;

2) deny inbound traffic for svchost.exe using TCP on the local ports 1024-65535; you can use a firewall like Agnitum Outpost 1.0 (freeware) to configure your system this way ( http://www.agnitum.com/download/outpost1.html ).

To exploit task scheduler listening on port 1025, you can even download a tool from the net: remoxec from http://www.securityfriday.com/tools/Remoxec.html . This explains probably the amount of scans of port 1025.
 
Star Fleet Admiral Q

Question - if task scheduler is using port 1025, then why are you
telling everyone to block all the other ports 1024 and 1026-65535?
They may have other important applications running on those ports and
what you've told them just broke them - and yes, most people on these
groups are not "tech savvy" so next there will be a post "My
such-n-such all of a sudden quit working" - be mindful of your audience
when suggesting.

--

Star Fleet Admiral Q @ your service
--------------------------------------------------------
Erwin Michiels said:
Many people seem to have noticed heavy traffic on port 1025. This
traffic is caused by the task scheduler service hosted by svchost.exe.
This service opens port 1025 by default. There are two ways to block
this traffic:
1) disable task scheduler service and reboot; be aware it is
possible that prefetch, system restore and bootvis won't work properly
anymore;
2) deny inbound traffic for svchost.exe using TCP on the local ports
1024-65535; you can use a firewall like Agnitum Outpost 1.0 (freeware)
to configure your system this way (
http://www.agnitum.com/download/outpost1.html ).
To exploit task scheduler listening on port 1025, you can even
download a tool from the net: remoxec from
http://www.securityfriday.com/tools/Remoxec.html . This explains
probably the amount of scans of port 1025.
 
Doug Knox MS-MVP

I don't see why, if he's one of these experiencing this issue, he doesn't use

NETSTAT -A -B

To see what program is trying to access port 1025. It may be task scheduler, but I doubt it. Probably something that's running as a task.
 
Guest

Please read carefully: "deny inbound traffic for svchost.exe using TCP on the local ports 1024-65535", this means ONLY for svchost.exe using TCP on the local ports 1024-65535; maybe I didn't emphasize this enough. As said you can do this using a firewall like Agnitum Outpost 1.0 (freeware).

I suggested the whole range of ports above 1024, because svchost.exe USUALLY runs on 1025, but actually it uses the first free port above 1024 when booting. So that can be another port also.

Sir, @ your service, sir.
 
Guest

I'm very positive it is task scheduler listening on TCP port 1025. I used Process Explorer (freeware: http://www.sysinternals.com ) to determine this:
1) search for the instance of svchost.exe listening on port 1025 (right-click the instance/properties/tab "TCP/IP");
2) if you found the instance, look on the tab "services" which services are running under this instance; disable the services one by one: if svchost.exe stops listening, you've got the right one; the only tricky part is that you have to reboot each time you disable a service, otherwise svchost.exe keeps listening.
Other sources also agree it's task scheduler listening on TCP port 1025, for instance http://snakefoot.fateback.com/tweak/winnt/service/stuv.html . If you google for "xp listening 1025" you'll find more sources confirming this.
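The same identification can be done from the command line instead of disabling services one by one and rebooting. This is an added example, not code from the thread, and it assumes a modern Windows (8 / Server 2012 or later, for Get-NetTCPConnection) and an elevated prompt; the port is a parameter because newer Windows versions place the RPC endpoint in the 49152+ range rather than on 1025.

```powershell
# Added example (not from the thread): map a listening TCP port to the owning
# process and, if that process is svchost.exe, to every service it hosts.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.
param([int]$Port = 1025)   # 1025 is the port the thread discusses

$conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $conns) {
    Write-Host "Nothing is listening on TCP $Port"
    return
}

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("TCP {0}:{1} is owned by PID {2} ({3})" -f `
        $c.LocalAddress, $c.LocalPort, $c.OwningProcess, $proc.ProcessName)

    # One svchost.exe PID usually hosts several services; list all of them so the
    # reader can see whether "Schedule" (Task Scheduler) is among them.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)"
    if ($svcs) {
        $svcs | Select-Object Name, DisplayName, StartMode, State | Format-Table -AutoSize
    } else {
        # Not a service host: show the executable so it can be checked directly.
        Write-Host "  No Windows service runs in that process; executable path:"
        Write-Host ("  " + $proc.Path)
    }
}
```

On the XP-era systems the thread is about, the equivalent is `netstat -ano` to get the owning PID, then `tasklist /svc /fi "PID eq <pid>"` to list the services inside that svchost.exe instance.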
 
Star Fleet Admiral Q

Doug,
The point I was making, he said to blanket close all ports above
1024 - the respected audience if following these instructions,
especially on a networked PC (Home network reference say with a
standalone network printer and/or a few Linux machines), the user
may/may not relate closing the ports to say a database connection to
a MySQL database on another PC quit working, I believe 1040 is used
there, at least mine does, also, I have several other svchost services
running on other ports such as 1034, 1042, etc - which have nothing to
do with "Task Scheduler", which if disabled, completely prevents
connections to VNC hosts on my home network, and access to my
standalone network HP Printer on the router - and many of these
readers have hired people to come setup these home networks and now
they are going to have to pay to have someone fix it - all because
they blindly followed - close all ports above 1024 - true they
shouldn't blindly follow instructions they don't understand, but if
they did that, most of us would be out of a job :)

--

Star Fleet Admiral Q @ your service
--------------------------------------------------------
I don't see why, if he's one of these experiencing this issue, he
doesn't use

NETSTAT -A -B

To see what program is trying to access port 1025. It may be task
scheduler, but I doubt it. Probably something that's running as a
task.
 