SP3, svchost.exe and the Internet

[Martyn Tindall]

Please reassure me! I've just installed SP3 (from a Microsoft CD,
whilst not connected to the Internet). As soon as I rebooted, I got
requests for Internet access from svchost.exe, and, later on, a
request to accept a connection from the Internet. I OKed these,
believing them to originate with SP3. Looking on the Web, I read
conflicting claims about this. What is the truth?

My O.S. is XP Pro 2002 OEM SP2 (now SP3)
Full scans by up-to-date Avast!, Spybot and AdAware reveal nothing
suspicious.

TIA,

 

[Lem]

Please reassure me! I've just installed SP3 (from a Microsoft CD,
whilst not connected to the Internet). As soon as I rebooted, I got
requests for Internet access from svchost.exe, and, later on, a
request to accept a connection from the Internet. I OKed these,
believing them to originate with SP3. Looking on the Web, I read
conflicting claims about this. What is the truth?

My O.S. is XP Pro 2002 OEM SP2 (now SP3)
Full scans by up-to-date Avast!, Spybot and AdAware reveal nothing
suspicious.

TIA,

svchost.exe is a generic host process for services that run from *.dll
files. In general, one would expect to see several instances of
svchost.exe running in Task Manager.

Windows Automatic Update is hosted by an instance of svchost.exe, so
it's likely that that's the reason that svchost wanted to have outgoing
access.

A "request from the Internet" is to vague to tell anything.

The real questions are did you have an up-to-date antivirus application
running *when you first connected to the Internet* and are you connected
to the Internet through a router?

 

[Martyn Tindall]

svchost.exe is a generic host process for services that run from *.dll
files. In general, one would expect to see several instances of
svchost.exe running in Task Manager.

Windows Automatic Update is hosted by an instance of svchost.exe, so
it's likely that that's the reason that svchost wanted to have outgoing
access.

A "request from the Internet" is to vague to tell anything.

"accept connections from the internet" is what ZoneAlarm says. If I
OK it, no doubt it will put a tick in the "Server" column.

The real questions are did you have an up-to-date antivirus application
running *when you first connected to the Internet* and are you connected
to the Internet through a router?

Yes and yes.
Thanks for the speedy reply!
MBT

 

[Lem]

"accept connections from the internet" is what ZoneAlarm says. If I
OK it, no doubt it will put a tick in the "Server" column.
Yes and yes.
Thanks for the speedy reply!
MBT

It's been a long time since I used ZA. Didn't it say from *where* on
the Internet the incoming request originated? Or was it that svchost
wanted to be able to accept incoming connections? The latter seems a
bit too broad of an exception, given that svchost is generic and any
malware that manages to sneak in a dll could run under svchost. I
checked my XP system and Windows Firewall (which only blocks unsolicited
incoming requests) does not have an exception for svchost or Windows Update.

In any case, running behind a router (almost all of which these days
implement both Network Address Translation (NAT) and a firewall) is
pretty much sufficient protection from port-scanning bots. Together
with your up-to-date A/V, you should be OK -- but don't push your luck
by deliberately exposing yourself (e.g., by going to suspicious web
sites or opening unknown email attachments or other downloads).

 

[Martyn Tindall]

It's been a long time since I used ZA. Didn't it say from *where* on
the Internet the incoming request originated? Or was it that svchost
wanted to be able to accept incoming connections? The latter seems a

Yes, that's how I read it. Next time, I'll do a screen dump and give
you chapter and verse. I tried denying the outgoing request, and the
connection attempt broke down. Could it be that this is needed just
to establish an IP address or something? I had to reboot before I
could connect to the router. Maybe I had these things allowed
pre-SP3, so was unaware it was happening...

Thanks for your help,
MBT

 

[PA Bear [MS MVP]]

Is Automatic Updates enabled?

Is WUAUCLT.EXE also listed in Task Manager | Processes tab as soon as you
reboot?

Was Avast, Spybot Tea Timer, Ad-Aware Ad-Watch, and/or Zone Alarm running in
the background when you installed SP3?

Has a(another) Norton or McAfee application ever been installed on the
computer (e.g., a free-trial version that came preinstalled when you bought
it)?

 

[Martyn Tindall]

On Fri, 26 Mar 2010 17:03:49 -0400, "PA Bear [MS MVP]"

Thanks for coming in on this.

Is Automatic Updates enabled?

Not at present.

Is WUAUCLT.EXE also listed in Task Manager | Processes tab as soon as you
reboot?
Yes.

Was Avast, Spybot Tea Timer, Ad-Aware Ad-Watch, and/or Zone Alarm running in
the background when you installed SP3?

No. I disconnected from the Internet and shut all of those down (as I
always do when installing programs).

Has a(another) Norton or McAfee application ever been installed on the
computer (e.g., a free-trial version that came preinstalled when you bought
it)?

If it was, it certainly wasn't run. I can't be sure because Vista was
originally installed, but I downgraded to XP SP2.

Regards,
MBT

 

[PA Bear [MS MVP]]

Rather odd to see WUAUCLT.EXE running in Task Manager if Automatic Updates
is disabled. That being said...

Start | Run | services.msc | [OK]

Double-click on the service named Automatic Updates: Is Startup type set to
Automatic and does Service status say Started?

On Fri, 26 Mar 2010 17:03:49 -0400, "PA Bear [MS MVP]"

Thanks for coming in on this.

Is Automatic Updates enabled?

Not at present.

Is WUAUCLT.EXE also listed in Task Manager | Processes tab as soon as you
reboot?
Yes.

Was Avast, Spybot Tea Timer, Ad-Aware Ad-Watch, and/or Zone Alarm running
in the background when you installed SP3?

No. I disconnected from the Internet and shut all of those down (as I
always do when installing programs).

Has a(another) Norton or McAfee application ever been installed on the
computer (e.g., a free-trial version that came preinstalled when you
bought
it)?

If it was, it certainly wasn't run. I can't be sure because Vista was
originally installed, but I downgraded to XP SP2.

Regards,
MBT

 

[Martyn Tindall]

Rather odd to see WUAUCLT.EXE running in Task Manager if Automatic Updates
is disabled. That being said...

Start | Run | services.msc | [OK]

Double-click on the service named Automatic Updates: Is Startup type set to
Automatic and does Service status say Started?

Yes and yes. But in 'Windows Security Centre' Automatic Updates is
OFF, I've got the red shield in the system tray and I get frequent
balloons warning me about it.

Thanks,
MBT

On Fri, 26 Mar 2010 17:03:49 -0400, "PA Bear [MS MVP]"

Thanks for coming in on this.

Is Automatic Updates enabled?

Not at present.

Is WUAUCLT.EXE also listed in Task Manager | Processes tab as soon as you
reboot?
Yes.

Was Avast, Spybot Tea Timer, Ad-Aware Ad-Watch, and/or Zone Alarm running
in the background when you installed SP3?

No. I disconnected from the Internet and shut all of those down (as I
always do when installing programs).

Has a(another) Norton or McAfee application ever been installed on the
computer (e.g., a free-trial version that came preinstalled when you
bought
it)?

If it was, it certainly wasn't run. I can't be sure because Vista was
originally installed, but I downgraded to XP SP2.

Regards,
MBT

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002


Martyn Tindall wrote:
Please reassure me! I've just installed SP3 (from a Microsoft CD,
whilst not connected to the Internet). As soon as I rebooted, I got
requests for Internet access from svchost.exe, and, later on, a
request to accept a connection from the Internet. I OKed these,
believing them to originate with SP3. Looking on the Web, I read
conflicting claims about this. What is the truth?

My O.S. is XP Pro 2002 OEM SP2 (now SP3)
Full scans by up-to-date Avast!, Spybot and AdAware reveal nothing
suspicious.

TIA,

 

[PA Bear [MS MVP]]

If if Automatic Updates /functionality/ is disabled (turned off), the
Automatic Updates /service/ will connect to the internet (via an instance of
SVCHOST) at Startup if this /service/ is enabled. Why? To keep itself
(i.e., Automatic Updates software) updated.

cf.
http://blogs.technet.com/mu/archive/2009/07/10/upcoming-update-for-windows-update.aspx

cf. http://blogs.technet.com/mu/archive/2008/10/31/client-update.aspx

cf.
http://blogs.technet.com/mu/archive/2008/07/03/upcoming-update-to-windows-update.aspx

Rather odd to see WUAUCLT.EXE running in Task Manager if Automatic
Updates
is disabled. That being said...

Start | Run | services.msc | [OK]

Double-click on the service named Automatic Updates: Is Startup type set
to
Automatic and does Service status say Started?

Yes and yes. But in 'Windows Security Centre' Automatic Updates is
OFF, I've got the red shield in the system tray and I get frequent
balloons warning me about it.

Thanks,
MBT

On Fri, 26 Mar 2010 17:03:49 -0400, "PA Bear [MS MVP]"

Thanks for coming in on this.

Is Automatic Updates enabled?

Not at present.

Is WUAUCLT.EXE also listed in Task Manager | Processes tab as soon as
you
reboot?

Yes.

Was Avast, Spybot Tea Timer, Ad-Aware Ad-Watch, and/or Zone Alarm
running
in the background when you installed SP3?

No. I disconnected from the Internet and shut all of those down (as I
always do when installing programs).

Has a(another) Norton or McAfee application ever been installed on the
computer (e.g., a free-trial version that came preinstalled when you
bought
it)?

If it was, it certainly wasn't run. I can't be sure because Vista was
originally installed, but I downgraded to XP SP2.

Regards,
MBT
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002


Martyn Tindall wrote:
Please reassure me! I've just installed SP3 (from a Microsoft CD,
whilst not connected to the Internet). As soon as I rebooted, I got
requests for Internet access from svchost.exe, and, later on, a
request to accept a connection from the Internet. I OKed these,
believing them to originate with SP3. Looking on the Web, I read
conflicting claims about this. What is the truth?

My O.S. is XP Pro 2002 OEM SP2 (now SP3)
Full scans by up-to-date Avast!, Spybot and AdAware reveal nothing
suspicious.

TIA,

 

[Martyn Tindall]

If if Automatic Updates /functionality/ is disabled (turned off), the
Automatic Updates /service/ will connect to the internet (via an instance of
SVCHOST) at Startup if this /service/ is enabled. Why? To keep itself
(i.e., Automatic Updates software) updated.

I've stopped and disabled Automatic Updates in services.msc (without
restarting Windows) and I'm still getting the following warnings:

Generic Host Process for Win32 Services is trying to access the
Internet - Application: svchost.exe
Generic Host Process for Win32 Services wants to accept connections
from the Internet - Application: svchost.exe

Should I O.K. these?

Regards,
MBT

cf.
http://blogs.technet.com/mu/archive/2009/07/10/upcoming-update-for-windows-update.aspx

cf. http://blogs.technet.com/mu/archive/2008/10/31/client-update.aspx

cf.
http://blogs.technet.com/mu/archive/2008/07/03/upcoming-update-to-windows-update.aspx

Rather odd to see WUAUCLT.EXE running in Task Manager if Automatic
Updates
is disabled. That being said...

Start | Run | services.msc | [OK]

Double-click on the service named Automatic Updates: Is Startup type set
to
Automatic and does Service status say Started?

Yes and yes. But in 'Windows Security Centre' Automatic Updates is
OFF, I've got the red shield in the system tray and I get frequent
balloons warning me about it.

Thanks,
MBT

Martyn Tindall wrote:
On Fri, 26 Mar 2010 17:03:49 -0400, "PA Bear [MS MVP]"

Thanks for coming in on this.

Is Automatic Updates enabled?

Not at present.

Is WUAUCLT.EXE also listed in Task Manager | Processes tab as soon as
you
reboot?

Yes.

Was Avast, Spybot Tea Timer, Ad-Aware Ad-Watch, and/or Zone Alarm
running
in the background when you installed SP3?

No. I disconnected from the Internet and shut all of those down (as I
always do when installing programs).

Has a(another) Norton or McAfee application ever been installed on the
computer (e.g., a free-trial version that came preinstalled when you
bought
it)?

If it was, it certainly wasn't run. I can't be sure because Vista was
originally installed, but I downgraded to XP SP2.

Regards,
MBT
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002


Martyn Tindall wrote:
Please reassure me! I've just installed SP3 (from a Microsoft CD,
whilst not connected to the Internet). As soon as I rebooted, I got
requests for Internet access from svchost.exe, and, later on, a
request to accept a connection from the Internet. I OKed these,
believing them to originate with SP3. Looking on the Web, I read
conflicting claims about this. What is the truth?

My O.S. is XP Pro 2002 OEM SP2 (now SP3)
Full scans by up-to-date Avast!, Spybot and AdAware reveal nothing
suspicious.

TIA,

 

[PA Bear [MS MVP]]

I can't answer your question with the minimal bit of information you've
posted.

If if Automatic Updates /functionality/ is disabled (turned off), the
Automatic Updates /service/ will connect to the internet (via an instance
of SVCHOST) at Startup if this /service/ is enabled. Why? To keep
itself
(i.e., Automatic Updates software) updated.

I've stopped and disabled Automatic Updates in services.msc (without
restarting Windows) and I'm still getting the following warnings:

Generic Host Process for Win32 Services is trying to access the
Internet - Application: svchost.exe
Generic Host Process for Win32 Services wants to accept connections
from the Internet - Application: svchost.exe

Should I O.K. these?

Regards,
MBT

cf.
http://blogs.technet.com/mu/archive/2009/07/10/upcoming-update-for-windows-update.aspx

cf. http://blogs.technet.com/mu/archive/2008/10/31/client-update.aspx

cf.
http://blogs.technet.com/mu/archive/2008/07/03/upcoming-update-to-windows-update.aspx

On Fri, 26 Mar 2010 18:45:35 -0400, "PA Bear [MS MVP]"


Rather odd to see WUAUCLT.EXE running in Task Manager if Automatic
Updates
is disabled. That being said...

Start | Run | services.msc | [OK]

Double-click on the service named Automatic Updates: Is Startup type
set
to
Automatic and does Service status say Started?

Yes and yes. But in 'Windows Security Centre' Automatic Updates is
OFF, I've got the red shield in the system tray and I get frequent
balloons warning me about it.

Thanks,
MBT

Martyn Tindall wrote:
On Fri, 26 Mar 2010 17:03:49 -0400, "PA Bear [MS MVP]"

Thanks for coming in on this.

Is Automatic Updates enabled?

Not at present.

Is WUAUCLT.EXE also listed in Task Manager | Processes tab as soon as
you
reboot?

Yes.

Was Avast, Spybot Tea Timer, Ad-Aware Ad-Watch, and/or Zone Alarm
running
in the background when you installed SP3?

No. I disconnected from the Internet and shut all of those down (as I
always do when installing programs).

Has a(another) Norton or McAfee application ever been installed on
the
computer (e.g., a free-trial version that came preinstalled when you
bought
it)?

If it was, it certainly wasn't run. I can't be sure because Vista was
originally installed, but I downgraded to XP SP2.

Regards,
MBT
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002


Martyn Tindall wrote:
Please reassure me! I've just installed SP3 (from a Microsoft CD,
whilst not connected to the Internet). As soon as I rebooted, I got
requests for Internet access from svchost.exe, and, later on, a
request to accept a connection from the Internet. I OKed these,
believing them to originate with SP3. Looking on the Web, I read
conflicting claims about this. What is the truth?

My O.S. is XP Pro 2002 OEM SP2 (now SP3)
Full scans by up-to-date Avast!, Spybot and AdAware reveal nothing
suspicious.

TIA,