svchost.exe

William

I've read Microsoft's report on what svchost.exe is and
that many can run at the same time. I've been told by
Symantec that in WinXP, svchost.exe must have unfettered
access to the internet and it must load before my Norton
Personal Firewall. Because of this I have no idea or
control of what svchost.exe is sending or receiving.
After logging on to the internet via a dialup connection
but "before" starting IE or any other software, I notice
I start receiving data. After a few minutes my firewall
log statistics will then show a couple UDP svchost.exe
sending and receiving data. This concerns me because
I've also been told svchost.exe is what hackers like to
use. I have three questions if someone in the know would
be so kind to answer.
1. Because the svchost.exe loads before my Norton
Personal Firewall and is unprotected, how can I tell if
it is clean or possibly corrupted?
2. Can svchost.exe be replaced with a known clean version
without doing a total format-reinstall?
3. If number 2 can be done, then where does one get a
clean version of svchost.exe and what is the replacement
procedure?
Thanks for your time on this.
 
Marc Liron

William,

You do indeed raise some interesting points here, ones
that others may want answers to as well...

I am currently writing an article for my Windows XP
website on this very issue!

Perhaps you might like to read the article when it gets
uploaded sometime this weekend?

http://www.updatexp.com/svchost-exe.html

Now let's try and reassure you:

> that many can run at the same time.

Yes. This is the design intent by the development team
who worked on Windows XP. It makes it more stable AND is
easier to "de-bug" when there are issues/conflicts.

> I've been told by Symantec that in WinXP, svchost.exe
> must have unfettered access to the internet and it must
> load before my Norton Personal Firewall. Because of this
> I have no idea or control of what svchost.exe is sending
> or receiving.

SVCHOST.EXE is just a "Generic" windows service... It is
used to load many different services at startup.
These "services" are "grouped" together so you will see
several instances of SVCHOST.EXE running at the same
time...

> After logging on to the internet via a dialup connection
> but "before" starting IE or any other software, I notice
> I start receiving data. After a few minutes my firewall
> log statistics will then show a couple UDP svchost.exe
> sending and receiving data. This concerns me because
> I've also been told svchost.exe is what hackers like to
> use. I have three questions if someone in the know
> would be so kind to answer.

This is OK... this data or "packets" as we call them are
moving from your PC via your modem all the time.. If you
have a firewall in place (not XP's own one as this is
simply not very good..), you are fine, (assuming you have
it switched on of course!)

> 1. Because the svchost.exe loads before my Norton
> Personal Firewall and is unprotected, how can I tell if
> it is clean or possibly corrupted?

The SVCHOST.EXE is loading the various services your
system needs at this point. As you are NOT yet
connected to the Net at this point - do not worry. If you
did have some virus/trojan that wanted to transmit
any "packets" your firewall would notice this activity
when it does startup!

> 2. Can svchost.exe be replaced with a known clean
> version without doing a total format-reinstall?
> 3. If number 2 can be done, then where does one get a
> clean version of svchost.exe and what is the replacement
> procedure?

There is NO need for YOU to do this!

Yes the SVCHOST.EXE can be exploited in some rare
circumstances. e.g. the recent Blaster worm initially probes
your windows XP system and makes a call on the SVCHOST.EXE.

However, if you have:

1) A decent Firewall
2) Up to date AntiVirus
3) ALL the latest patches/hotfixes for Windows XP
4) and run something like SpyBot on your PC occasionally

YOU will be as protected as you can be!

Another way forward is to get DSL and use a decent Cable
Modem with a built in FireWall and a NAT server....

> Thanks for your time on this.

No problem!

Kind Regards

Marc Liron
www.updatexp.com

PS - To any "technical" folks reading this post, it is
explained in layman's terms and is not meant to be an
in-depth discussion of the OSI model etc...
 
William

Marc thanks for the reply and I will read your article.

> However, if you have:
> 1) A decent Firewall
> 2) Up to date AntiVirus
> 3) ALL the latest patches/hotfixes for Windows XP
> 4) and run something like SpyBot on your PC occasionally
> YOU will be as protected as you can be!

All the above has been done and is current. On Norton
Personal Firewall install I let it auto configure Generic
Host Process for Win32 Services, not knowing exactly what
to let through and what not to.

> Yes the SVCHOST.EXE can be exploited in some rare
> circumstances.

If needed, can svchost.exe be replaced with a known clean
version without doing a total format-reinstall?

Take care,
WOJ
 
Marc Liron

-----Original Message-----
Marc thanks for the reply and I will read your article.


All the above has been done and is current. On Norton
Personal Firewall install I let it auto configure Generic
Host Process for Win32 Services, not knowing exactly what
to let through and what not to.

If needed, can svchost.exe be replaced with a known clean
version without doing a total format-reinstall?

Take care,
WOJ
.


The SVCHOST.EXE is a kind of "wrapper" for other
services.. It is not something you would try and install
a clean copy of!

Instead subscribe to the email newsletter of your
AntiVirus software company and when they issue an alert
BLOCK access to the ports on your Firewall, when and as
they detail in these alerts.

Kind Regards

Marc Liron
www.updatexp.com
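
The thread describes svchost.exe as a generic host that loads groups of services, and William asks how to tell whether an instance is clean. The following is an added example, not part of any post above: it lists every svchost.exe instance with the services it hosts, and checks the image path and signature. It assumes a current Windows release with PowerShell 5.1 or later (not Windows XP); the variable names are illustrative.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt,
# otherwise ExecutablePath and CommandLine come back empty for some instances.

# Locations a genuine svchost.exe image is loaded from (SysWOW64 = 32-bit copy).
$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Map each process ID to the names of the services running inside that process.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object { $servicesByPid[[int]$_.ProcessId] += @($_.Name) }

# One row per svchost.exe instance: where it was loaded from, whether that file
# carries a valid signature, and which service group it is hosting.
$report = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoPath' }
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Path        = $path
            PathOk      = $legitPaths -contains $path   # comparison is case-insensitive
            Signature   = $sig
            Services    = ($servicesByPid[[int]$_.ProcessId] -join ', ')
            CommandLine = $_.CommandLine                 # shows the -k <group> argument
        }
    }

$report | Sort-Object ProcessId |
    Format-Table ProcessId, PathOk, Signature, Services -AutoSize -Wrap

# Instances worth a closer look: image outside the system directories, a
# signature that does not validate, or a host process with no services in it.
$report |
    Where-Object { -not $_.PathOk -or $_.Signature -ne 'Valid' -or -not $_.Services } |
    Format-List
```

An empty second listing means every instance was loaded from a system directory, validated, and is hosting at least one service. On older Windows releases, catalog-signed system files may be reported as NotSigned by this cmdlet.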
 
