heavy traffic on port 1025

Discussion in 'Windows XP Security' started by Guest, Jul 31, 2004.

  1. Guest

    Guest Guest

    Many people seem to have noticed heavy traffic on port 1025. This traffic is caused by the task scheduler service hosted by svchost.exe. This service opens port 1025 by default. There are two ways to block this traffic:

    1) disable task scheduler service and reboot; be aware it is possible that prefetch, system restore and bootvis won't work properly anymore;

    2) deny inbound traffic for svchost.exe using TCP on the local ports 1024-65535; you can use a firewall like Agnitum Outpost 1.0 (freeware) to configure your system this way ( http://www.agnitum.com/download/outpost1.html ).

    To exploit task scheduler listening on port 1025, you can even download a tool from the net: remoxec from http://www.securityfriday.com/tools/Remoxec.html . This explains probably the amount of scans of port 1025.
     
    Guest, Jul 31, 2004
    #1

  2. Question - if task scheduler is using port 1025, then why are you
    telling everyone to block all the other ports 1024 and 1026-65535?
    They may have other important applications running on those ports and
    what you've told them just broke them - and yes, most people on these
    groups are not "tech savvy" so next there will be a post "My
    such-n-such all of a sudden quit working" - be mindful of your audience
    when suggesting.

    --

    Star Fleet Admiral Q @ your service
    --------------------------------------------------------
    "Erwin Michiels" <> wrote in
    message news:...
    > Many people seem to have noticed heavy traffic on port 1025. This
    > traffic is caused by the task scheduler service hosted by svchost.exe.
    > This service opens port 1025 by default. There are two ways to block
    > this traffic:
    >
    > 1) disable task scheduler service and reboot; be aware it is
    > possible that prefetch, system restore and bootvis won't work properly
    > anymore;
    >
    > 2) deny inbound traffic for svchost.exe using TCP on the local ports
    > 1024-65535; you can use a firewall like Agnitum Outpost 1.0 (freeware)
    > to configure your system this way (
    > http://www.agnitum.com/download/outpost1.html ).
    >
    > To exploit task scheduler listening on port 1025, you can even
    > download a tool from the net: remoxec from
    > http://www.securityfriday.com/tools/Remoxec.html . This explains
    > probably the amount of scans of port 1025.
     
    Star Fleet Admiral Q, Jul 31, 2004
    #2

  3. I don't see why, if he's one of these experiencing this issue, he doesn't use

    NETSTAT -A -B

    To see what program is trying to access port 1025. It may be task scheduler, but I doubt it. Probably something that's running as a task.

    --
    Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
    Win 95/98/Me/XP Tweaks and Fixes
    http://www.dougknox.com
    --------------------------------
    Per user Group Policy Restrictions for XP Home and XP Pro
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    --------------------------------
    Please reply only to the newsgroup so all may benefit.
    Unsolicited e-mail is not answered.

    "Star Fleet Admiral Q" <Star_Fleet_Admiral_Q(NO-SPAM)@(FORGET-SPAM)hotmail.com> wrote in message news:%...
    > Question - if task scheduler is using port 1025, then why are you
    > telling everyone to block all the other ports 1024 and 1026-65535?
    > They may have other important applications running on those ports and
    > what you've told them just broke them - and yes, most people on these
    > groups are not "tech savvy" so next there will be a post "My
    > such-n-such all of a sudden quit working" - be mindful of your audience
    > when suggesting.
    >
    > --
    >
    > Star Fleet Admiral Q @ your service
     
    Doug Knox MS-MVP, Jul 31, 2004
    #3
  4. Guest

    Guest Guest

    Please read carefully: "deny inbound traffic for svchost.exe using TCP on the local ports 1024-65535", this means ONLY for svchost.exe using TCP on the local ports 1024-65535; maybe I didn't emphasize this enough. As said you can do this using a firewall like Agnitum Outpost 1.0 (freeware).

    I suggested the whole range of ports above 1024, because svchost.exe USUALLY runs on 1025, but actually it uses the first free port above 1024 when booting. So that can be another port also.

    Sir, @ your service, sir.

    "Star Fleet Admiral Q" wrote:

    > Question - if task scheduler is using port 1025, then why are you
    > telling everyone to block all the other ports 1024 and 1026-65535?
    > They may have other important applications running on those ports and
    > what you've told them just broke them - and yes, most people on these
    > groups are not "tech savvy" so next there will be a post "My
    > such-n-such all of a sudden quit working" - be mindful of your audience
    > when suggesting.
    >
    >
    > Star Fleet Admiral Q @ your service
     
    Guest, Jul 31, 2004
    #4
  5. Guest

    Guest Guest

    I'm very positive it is task scheduler listening on TCP port 1025. I used Process Explorer (freeware: http://www.sysinternals.com ) to determine this:
    1) search for the instance of svchost.exe listening on port 1025 (right-click the instance/properties/tab "TCP/IP");
    2) if you found the instance, look on the tab "services" which services are running under this instance; disable the services one by one: if svchost.exe stops listening, you've got the right one; the only tricky part is that you have to reboot each time you disable a service, otherwise svchost.exe keeps listening.
    Other sources also agree it's task scheduler listening on TCP port 1025, for instance http://snakefoot.fateback.com/tweak/winnt/service/stuv.html . If you google for "xp listening 1025" you'll find more sources confirming this.

    "Doug Knox MS-MVP" wrote:

    > I don't see why, if he's one of these experiencing this issue, he doesn't use
    >
    > NETSTAT -A -B
    >
    > To see what program is trying to access port 1025. It may be task scheduler, but I doubt it. Probably something that's running as a task.
    >
    > --
    > Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
    > Win 95/98/Me/XP Tweaks and Fixes
    > http://www.dougknox.com
    > --------------------------------
    > Per user Group Policy Restrictions for XP Home and XP Pro
    > http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    > --------------------------------
    > Please reply only to the newsgroup so all may benefit.
    > Unsolicited e-mail is not answered.
     
    Guest, Jul 31, 2004
    #5
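
The port-to-service lookup described in post #5 can also be done from command output. This is an added example, not part of the original thread: it joins the listeners from `netstat -ano` to the service groups from `tasklist /svc` by PID. Both samples are constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.10:1040      192.168.1.20:3306      ESTABLISHED     2212
  UDP    0.0.0.0:1026           *:*                                    1044
"""

# Constructed sample of `tasklist /svc` output; long service lists wrap.
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  912 RpcSs
svchost.exe                 1044 AudioSrv, Browser, CryptSvc, Dhcp, Schedule,
                                 Themes, winmgmt
mysql.exe                   2212 N/A
"""

def tcp_listeners(netstat_text):
    """Return {local_port: pid} for TCP sockets in the LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            listeners[int(f[1].rsplit(":", 1)[1])] = int(f[4])
    return listeners

def services_by_pid(tasklist_text):
    """Return {pid: (image, [services])}; the ==== ruler marks the columns."""
    lines = tasklist_text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("==="))
    svc_a = [m.start() for m in re.finditer(r"=+", lines[ruler])][2]
    table, pid = {}, None
    for line in lines[ruler + 1:]:
        head = line[:svc_a].rsplit(None, 1)   # image name (may hold spaces), PID
        if len(head) == 2:                    # a new process row
            pid = int(head[1])
            table[pid] = (head[0], [])
            svc = line[svc_a:]
        else:                                 # wrapped continuation of the list
            svc = line
        if pid is not None and svc.strip() != "N/A":
            table[pid][1].extend(s.strip() for s in svc.split(",") if s.strip())
    return table

def who_listens(port, netstat_text=NETSTAT, tasklist_text=TASKLIST):
    """Map a listening TCP port to (pid, image, services), or None."""
    pid = tcp_listeners(netstat_text).get(port)
    if pid is None:
        return None
    return (pid, *services_by_pid(tasklist_text).get(pid, ("?", [])))

if __name__ == "__main__":
    print(who_listens(1025))
```

The lookup ends at a shared svchost.exe instance, so it names a group of candidate services rather than one; narrowing it further still takes the one-by-one test the post describes.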
  6. Doug,
    The point I was making, he said to blanket close all ports above
    1024 - the respected audience if following these instructions,
    especially on a networked PC (Home network reference say with a
    standalone network printer and/or a few Linux machines), the user
    may/may not relate closing the ports to say a database connection to
    a MySQL database on another PC quit working, I believe 1040 is used
    there, at least mine does, also, I have several other svchost services
    running on other ports such as 1034, 1042, etc - which have nothing to
    do with "Task Scheduler", which if disabled, completely prevents
    connections to VNC hosts on my home network, and access to my
    standalone network HP Printer on the router - and many of these
    readers have hired people to come set up these home networks and now
    they are going to have to pay to have someone fix it - all because
    they blindly followed - close all ports above 1024 - true they
    shouldn't blindly follow instructions they don't understand, but if
    they did that, most of us would be out of a job :)

    --

    Star Fleet Admiral Q @ your service
    --------------------------------------------------------
    "Doug Knox MS-MVP" <> wrote in message
    news:...
    > I don't see why, if he's one of these experiencing this issue, he
    > doesn't use
    >
    > NETSTAT -A -B
    >
    > To see what program is trying to access port 1025. It may be task
    > scheduler, but I doubt it. Probably something that's running as a
    > task.
    >
    > --
    > Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
    > Win 95/98/Me/XP Tweaks and Fixes
    > http://www.dougknox.com
    > --------------------------------
    > Per user Group Policy Restrictions for XP Home and XP Pro
    > http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    > --------------------------------
    > Please reply only to the newsgroup so all may benefit.
    > Unsolicited e-mail is not answered.

     
    Star Fleet Admiral Q, Jul 31, 2004
    #6
  7. <G> I see what you're saying, and I agree.

    --
    Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
    Win 95/98/Me/XP Tweaks and Fixes
    http://www.dougknox.com
    --------------------------------
    Per user Group Policy Restrictions for XP Home and XP Pro
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    --------------------------------
    Please reply only to the newsgroup so all may benefit.
    Unsolicited e-mail is not answered.

    "Star Fleet Admiral Q" <Star_Fleet_Admiral_Q(NO-SPAM)@(FORGET-SPAM)hotmail.com> wrote in message news:...
    > Doug,
    > The point I was making, he said to blanket close all ports above
    > 1024 - the respected audience if following these instructions,
    > especially on a networked PC (Home network reference say with a
    > standalone network printer and/or a few Linux machines), the user
    > may/may not relate closing the ports to say a database connection to
    > a MySQL database on another PC quit working, I believe 1040 is used
    > there, at least mine does, also, I have several other svchost services
    > running on other ports such as 1034, 1042, etc - which have nothing to
    > do with "Task Scheduler", which if disabled, completely prevents
    > connections to VNC hosts on my home network, and access to my
    > standalone network HP Printer on the router - and many of these
    > readers have hired people to come set up these home networks and now
    > they are going to have to pay to have someone fix it - all because
    > they blindly followed - close all ports above 1024 - true they
    > shouldn't blindly follow instructions they don't understand, but if
    > they did that, most of us would be out of a job :)
    >
    > --
    >
    > Star Fleet Admiral Q @ your service
     
    Doug Knox MS-MVP, Jul 31, 2004
    #7
