Computer Help forum

General discussion

9/23/05 Svchost.exe: friend or foe?

by Lee Koo (ADMIN) CNET staff/forum admin / September 22, 2005 6:29 AM PDT

Members, thank you for your participation this week. Chuck, if you're reading this post, please join us in this week's discussion to let our members know if your question on svchost.exe was answered. If not, please do post your questions so that our members can help you out.

If any of you have additional advice or recommendations you would like to share with us on this topic, please chime on in. Your participation is appreciated by all. Thanks everyone and have a great weekend!
-Lee Koo
CNET Community


Question:

I wish to know what the program svchost.exe wants to do if I give it permission to access the Internet. My firewall tells me that svchost.exe wants to access the Internet. This is not related to my specific request for anything, and my inclination is to say no. But I am not certain that is the right thing to do. I have searched the Internet for svchost and svchost.exe and gotten lots of hits. The Microsoft knowledge base explains svchost but doesn't convince me I want to let it have access to the Internet. But it also suggests I might be wrong (note: W32Time, Dnscache?). I could tell the firewall to never let svchost.exe have Internet access, or I could tell it to always let svchost.exe have Internet access. But I don't understand enough to know which would be best. Please help me out with this sticky security issue.


Submitted by Chuck M.


Answer:

The Microsoft page describing this process is at http://support.Microsoft.com/default.aspx?scid=kb;en-us;314056 and I've wondered this myself in the past. The svchost.exe runs as a request by DLL's (Direct Link Libraries). This can be a legitimate request from your computer's system processes or any other DLL. More often than not, it is always a Microsoft process request, but it can be used by other programs. Most of these requests are not needed for computer operation but may be needed for such things as updates to programs and operating systems.

This process (program) can be used by any other program or DLL on your computer, so it may from time to time be used for not-so-good intentions; but most of the time, traffic to the Internet can be allowed safely from the svchost.exe. The good news is that you have a good firewall, one that does not allow service utilities like this one default access by design. Many people do (I'm a beta tester of these things). I have firewall filters in place for this process to allow outgoing traffic only and only to some sites. When you go to the Microsoft update site, svchost.exe must be allowed, or you cannot update your system. My firewall blocks all traffic in and out for svchost to any site except Microsoft.com for updates.

I, too, was at first concerned about this service, but after putting a few firewall filters in place, it no longer worries me, and I'd say you will feel comfortable after a few well-placed firewall rules (filters). You can do this yourself by choosing to block all requests to or from svchost.exe on your firewall that do not interfere with your Internet requests. It may be needed for some other programs, though, such as antivirus updates, but normally not. I say, when in doubt, block it and see what happens.

I hope this helps you understand it a little more. This generic process in Windows could be used for bad things, but keeping your firewall in place and well managed, you should be safe and all your privacy intact. At least from this service. Good luck.

Submitted by Mark P.

Honorable mentions
by Lee Koo (ADMIN) CNET staff/forum admin / September 22, 2005 6:29 AM PDT
Answer:

Chuck M.,
You should make sure that it is actually SvcHost.exe and not SCVHost.exe. SvcHost.exe is the system process that handles executing DLLs. Scvhost.exe is a virus I encountered which seems to be linked to my HP 1310 Printer and its drivers. In my experience, SvcHost.exe has never ever asked for internet access, and that seems quite right because it is an internal system process which I, like you, do not believe needs internet access to work properly. But SCVHost.exe would constantly ask me for internet access (blocked by my firewall).

I think the virus is designed to have you overlook and believe that it is the system process SvcHost.exe and that it needs to access the internet. Most novice computer users would not know the difference and/or wouldn't find it suspicious that it would need internet access (which commends you on being that vigilant of your computer processes). But if you are correct that it is indeed SvcHost.exe that is trying to access the internet, then upon research I've found that "svchost.exe is a process which could be registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down.

To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx."(found from http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/) This might be the cause for it wanting to access the internet and you should look into it and determine if you need to perform a removal process of the Welchia Worm. Here's my 2 cents and I hope that it helps you.

Submitted by: Michael M.

***********************************************************************

Answer:


One of the possibilities is that Chuck M. has a virus as listed in the task list portion of the "Answers That Work" web site as follows:

"You have a virus. It may be one of the following viruses :
Backdoor.IRC.Zcrew, W32.HLLW.Deborms.C, W32.Mimail.J@mm, or the W32.Paylap.@mm virus which mimics a PayPal account renewal screen. Note that there are other lesser known, or newer (!!) viruses which also show as a program called SVCHOST32.EXE."

Another use for the file is a legitimate use by Windows as follows:

"Windows 2000/XP/2003 only. SVCHOST is a generic process which acts as a host for processes that run from DLLs rather than EXEs. At startup SVCHOST checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them. There can be many instances of SVCHOST running, as there will be one instance of SVCHOST for every DLL-based service or grouping of services (the grouping of services is determined by the programmers who wrote the services in question)."

The URL of this very helpful site is:
http://www.answersthatwork.com/home_page.htm

Hope this helps.

Submitted by: Mike L.

***********************************************************************

Answer:


Good Question, Chuck!
One of my favorite web sites to look up things like this is processlibrary.com. The process library says the following about svchost.exe:

"svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. " Note that this info is
Svc-Who?
by ggood / September 23, 2005 12:14 AM PDT
In reply to: Honorable mentions

Calvin,
I learned quite a bit from your reply but have a question or two that were evoked by it.

You say that svcHost is a legitimate win process and other times death or worse.

But is there a way to distinguish readily which one you are dealing with at any given moment?

Also, do you know the significance, if any, of the numbers that appear as part of the process name in these lists, e.g.:
svchost.exe 1016 Alerter, LmHosts, SSDPSRV, WebClient
(The number 1016 in the above example)

TIA,
ggood

The number in the listing
by wwheeler1 / September 23, 2005 12:23 AM PDT
In reply to: Svc-Who?

According to the information I get on Windows XP SP2, that is the PID or process ID. The process ID is simply a unique number used internally to identify the process.

yes....
by funkid7 / September 23, 2005 4:28 AM PDT
In reply to: Svc-Who?

Keep track of each running proc's PID number. When you boot up to desktop, look at the PID numbers and write them down. If during that time a new one arises with a different PID and it just says under User Name, your name, then it may not be a good one.
My way is to disable its process and wait... if you are correct and it is a bad one it will shut down, but may restart when you access the internet. Then it IS a bad one for sure! svchost or SVCHOST should never start up when accessing the internet. svchost for the network service is already there doing that. A second one popping up at e-mail time is a bad thing.

Svchost.exe processes.
by Marko Polo / September 23, 2005 9:25 AM PDT
In reply to: Svc-Who?

Realistically it is not possible for a user to know exactly what DLL or other call caused any particular incident of Svchost.exe. That number next to the name is the process ID. It can be used to trace the origins of any process with one. There are several places and ways to find this, but the long and short of it is use common sense when allowing any access to the net in or out of your computer. If you deny it and everything works, then you're good to go. As a hint, I set up filter rules for the Windows update site right after I install the firewall. Once you get rules for the update site in place, (nearly) all other access can be denied. Haven't broken any apps yet.
Surf safe, build two walls.
Warmly, Marko

There is a way…
by theUg / September 25, 2005 1:11 PM PDT
In reply to: Svchost.exe processes.

…though I cannot say where you can see it. I assume I have seen command lines for various svchost.exe processes, which clearly state which DLL it handles, in the msconfig utility or elsewhere.

thank you! very helpful
by Cadillac84 / October 9, 2005 11:28 PM PDT
In reply to: Honorable mentions

I have added both sites to my troubleshooting favorites folder. It is interesting to see how some security threats use names only slightly altered from legitimate programs.

lsas v lsass
scvhost v svchost

I'm sure there are others. Thanks for the tips.

Chuck M.

Other advice from our members
by Lee Koo (ADMIN) CNET staff/forum admin / September 22, 2005 6:29 AM PDT
Answer:

Chuck, first you should have a general understanding of Svchost. The Svchost.exe file checks the services part of the Windows operating system registry to put together a list of services that it must load in order to run properly. There can be multiple instances of Svchost.exe which are running at the same time. Each instance of Svchost.exe session contains a group of services which your operating system is running. By grouping the different, but related services your system runs more efficiently and it makes it easier to find a problem if one arises.

If you stop a session of Svchost from running (by ending the process), it will only start up again if you need to use any of the services which are needed. Svchost is a benign process run by your operating system. It poses no threat to you, and in reality it is one or more of the services which, in the instance you describe, is needed to access the communications protocols needed to access the internet. There is no reason for you not to allow your firewall to permit access.

Good Luck

Submitted by: Barry S. of Lakewood, Ohio

***********************************************************************

Answer:


The answer to your question is simple. SvcHost.exe or "Service Host" is a built-in part of the Windows operating system. What it is doing is providing a host service (in your case it's internet access) to Windows services that need it, like:

Windows automatic update service
DNScache "domain name server cache". Essential for browsers to quickly convert a web URL into a direct address to the site server for faster browsing.

It is essential that you grant access to this service if you want these services to function properly on your computer. SvcHost.exe is a very common program on your computer. Just open your task manager and click on the "Processes Tab"; there you will find several instances of SvcHost.exe running, providing a common service to any number of applications. One service would be for audio, another for multimedia. That's the way Windows works, it provides services to the applications that you have installed on it.

It's very good to be cautious, but it's better to be informed, and to help you with this I recommend a product like WinPatrol. It is free to install and use but there is a Plus version that is worth paying for because with it you can access information about programs, cookies, and services that you have on your computer. This will help you a great deal in deciding if you want to give access to something or not. With this you could have looked up the SvcHost.exe and it would have told you that it is from Microsoft and that it is safe. For more on WinPatrol go to http://winpatrol.com/ .

Submitted by: Tracy E.

***********************************************************************

Answer:


First of all, svchost.exe is usually a Windows service that uses the internet to keep updated. It could be Windows update, or, if you are running Windows XP, it could be the clock trying to sync up the time. There's several svchost.exe's that could be running on your system. Unfortunately, you can't really tell which one is which, but they almost always are okay to allow to run. If you check your task manager (alt+Ctrl+Del) you'll see in the processes tab that svchost is probably running about 5 or 6 times; it's not the same program running over and over, but simply the same command running for different programs.

If you are still suspicious of the program running, you can set your firewall to ask every time; the downside to that is you'll probably have the pop-up over and over asking you if it should allow it to run. I would suggest trying to turn off automatic updating in your programs that do update (Windows update, spyware removal programs, firewall, the clock, anti-virus etc.) and see if you still get the firewall asking you if it should allow it or not. If you do, run a spyware scan and see if anything comes up (it probably won't). If nothing comes up from a spyware search, and you run your antivirus and that doesn't show anything, I'd say to allow the program to run. I always have and have had no problems.

Submitted by: Chris S.

***********************************************************************

Answer:


Svchost.exe is a part of Windows that runs DLL files as if they were EXE programs. Thus there are several instances of svchost running at any one time, each started by a different DLL. You can see them in TaskManager under the Processes tab. In Windows XP Professional there is a program called TaskList that will show you which DLL started each svchost. Unfortunately this does not exist in the Home version.

Thus each instance of svchost may be doing almost anything. Some may be good and some may not. You can, in a crude way, try to find out what each does by using TaskManager to stop the process, then try to figure out what doesn't work.

You can also see what services use svchost by searching the Registry for svchost. This should come under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost". I have, for example, eight services listed: DcomLaunch, HTTPFilter, imgsvc, LocalService, netsvcs, NetworkService, rpcss, and termsvcs. However, I only have seven svchost processes running now.

Most of these are obviously critical system functions and should be left alone.

I found the most useful information by searching Microsoft.com for svchost and at AnswersThatWork.com.

Most svchost requests to access the internet are probably ok, but some may not be. I don't know how you can tell the difference.

Submitted by: Ken

***********************************************************************

Answer:


SvcHost.exe is a hosting process that is used to wrap other processes.
It may be used by a legitimate application, and that application may need to access the internet. If that's the case, you should permit the access.

The problem comes from the fact that several spywares, trojans and viruses do hide in instances of that wrapper. To be safe, you must then deny svchost any network access. Then, you can look if legitimate processes and applications can still make normal internet connection.

I suggest that you install, update and run some spyware/adware remover and a good antivirus and do a virus scan, as you may have an infection.

Submitted by: Alain

***********************************************************************

Answer:


Let svchost access the internet. If you suspect that your computer has a problem with malicious software, run cwshredder, ad-aware se, spybot s&d, and avg antivirus. If your primary virus solution is Norton, you can even leave AVG free edition on the PC full time. Basically, if you suspect that something on your computer wants to access the internet that shouldn't, you either already have malicious software on the system that needs to be cleaned off, or are overly paranoid. I would err on the side of caution. If you are not familiar with how to do a thorough pm (which includes running the aforementioned applications), then hire a professional that provides in-house service.

Submitted by: Ron O.

***********************************************************************

Answer:


SvcHost.exe is simply a task manager. Multiple copies of this can be running at the same time. Each iteration of svchost.exe has one or more subtasks associated with it. Note:
1. service 1088 is RpcSs running subordinate to svchost.exe. This is the memory management service which allocates and deallocates memory.
2. service 1008 contains DcomLaunch which is a security enhancement associated with XP XP2 and TermService which Enable the Remote Desktop exception in Windows Firewall
3. service 1180 has several subsets including audio service, browser, encryption, domain host, fast user switching, shared access, etc. Since this service controls the browser, Dhcp, lan... etc., it will want access to the web/internet to allow certain functions to be performed.

You mentioned Dnscache which is the cache manager when you are working with a domain server.

I have best luck running McAfee firewall with requiring VPN access to work. I allow/trust svchost.exe and access to the internet. All programs which do not necessarily need internet access or I don't want to have the access I block.

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     692 N/A
csrss.exe                    776 N/A
winlogon.exe                 800 N/A
services.exe                 844 Eventlog, PlugPlay
lsass.exe                    856 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                 1008 DcomLaunch, TermService
svchost.exe                 1088 RpcSs
svchost.exe                 1180 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 HidServ, lanmanserver, lanmanworkstation,
                                 Netman, Nla, RasMan, Schedule, seclogon,
                                 SENS, SharedAccess, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                 1224 Dnscache
svchost.exe                 1264 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1568 Spooler
mainserv.exe                1664 APC UPS Service
cvpnd.exe                   1688 CVPND
msssrv.exe                  1724 McAfeeAntiSpyware
MDM.EXE                     1856 MDM
MpfService.exe              1872 MpfService
MSKSrvr.exe                 1900 MskService
nvsvc32.exe                 2032 NVSvc
SMAgent.exe                  200 SoundMAX Agent Service (default)
svchost.exe                  184 stisvc
wdfmgr.exe                   268 UMWdf
ups.exe                      336 UPS
wdService.exe                364 WebDriveService
alg.exe                      980 ALG
mcvsrte.exe                 1640 MCVSRte
McShield.exe                1440 McShield
explorer.exe                2168 N/A
ONETOU~2.EXE                1608 N/A
hpcmpmgr.exe                2292 N/A
hpztsb10.exe                2620 N/A
mcvsshld.exe                 488 N/A
mcagent.exe                 3128 N/A
MSKAgent.exe                2392 N/A
htpatch.exe                 1460 N/A
INSTAN~1.EXE                2320 N/A
McVSEscn.exe                 276 N/A
msscli.exe                   400 N/A
pcx.exe                     2156 N/A
DrgToDsc.exe                1084 N/A
SM1bg.exe                   2188 N/A
MpfTray.exe                 2644 N/A
hpwuSchd2.exe               2452 N/A
jusched.exe                 3536 N/A
point32.exe                 1388 N/A
rundll32.exe                3332 N/A
MWSOEMON.EXE                3728 N/A
PlgUni.exe                  1952 N/A
ctfmon.exe                  2252 N/A
PrintScreen.exe             3360 N/A
RegistryRepairPro.exe       3408 N/A
Weather.exe                 1456 N/A
OUTLOOK.EXE                  444 N/A
MpfAgent.exe                3092 N/A
apcsystray.exe              3036 N/A
WINWORD.EXE                 3716 N/A
agentsvr.exe                1204 N/A
iexplore.exe                1128 N/A
cmd.exe                     1072 N/A
cmd.exe                     3040 N/A
tasklist.exe                3936 N/A
wmiprvse.exe                 280 N/A

Submitted by: Norm S.
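
Added example (not part of the original post or thread): a Python sketch that reads a `tasklist /svc` listing like the one above, maps each svchost.exe PID to the services it hosts, and flags image names that are near-misses of system process names, such as the scvhost.exe, SVCHOST32.EXE and lsas names mentioned in this thread. The sample listing, the scvhost.exe row in it, the `KNOWN` list and all function names are constructed for the illustration.

```python
import re

# Image names that appear in this thread as genuine Windows processes.
KNOWN = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
         "csrss.exe", "smss.exe")

# Constructed sample in the layout of `tasklist /svc`; the scvhost.exe row
# and its PID are invented for the demonstration.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
lsass.exe                    856 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                 1008 DcomLaunch, TermService
svchost.exe                 1180 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 W32Time, wuauserv
svchost.exe                 1224 Dnscache
scvhost.exe                 2960 N/A
explorer.exe                2168 N/A
"""

# name (may contain spaces), PID, services. Anything else is a wrapped
# continuation of the previous row's service list.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")


def _split_services(text):
    return [s.strip() for s in text.split(",")
            if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return [{'name', 'pid', 'services'}]; tolerates collapsed whitespace."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append({"name": m.group(1), "pid": int(m.group(2)),
                          "services": _split_services(m.group(3))})
        elif procs and line.strip() and not line.startswith("="):
            procs[-1]["services"].extend(_split_services(line))
    return procs


def svchost_services(procs):
    """Map PID -> hosted services for every svchost.exe instance."""
    return {p["pid"]: p["services"] for p in procs
            if p["name"].lower() == "svchost.exe"}


def osa_distance(a, b):
    """Edit distance counting an adjacent swap (cv -> vc) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + cost)
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(image_name):
    """Return the known name this one imitates, or None."""
    name = image_name.lower()
    if name in KNOWN:
        return None
    # Drop the extension and trailing digits so svchost32.exe -> svchost.
    stem = re.sub(r"\d+$", "", name.rsplit(".", 1)[0])
    for known in KNOWN:
        if osa_distance(stem, known[:-4]) <= 1:
            return known
    return None


def flag_lookalikes(procs):
    """Return (pid, name, imitated name) for each near-miss image name."""
    return [(p["pid"], p["name"], lookalike_of(p["name"]))
            for p in procs if lookalike_of(p["name"])]


if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE)
    for pid, services in svchost_services(procs).items():
        print(pid, ", ".join(services))
    for pid, name, target in flag_lookalikes(procs):
        print(f"PID {pid}: {name} resembles {target}")
```

A name match only says the image name is what it claims to be; it says nothing about where the file was loaded from, so the path still has to be checked separately.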

***********************************************************************

Answer:


Hi,

I have SvcHost.exe as a windows file in the system32 folder . . .on my Win Xp home edition. I also, checked the registry for sure it is a valid file.

So, MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Now as to why the internet wants to access it, well .. . you are connecting or connected to the net . . . several parts (software) need to be in place with selected services running . . .

Best I can do,

Submitted by: Jerry Z. of South Beach, OR

***********************************************************************

Answer:


Hi there Chuck,

Well, there are numerous worms and viruses that use normal system processes ( like Svchost.exe and others ) to hide themselves from your eyes. I would suggest not giving it access to the Internet, because it might be part of some kind of virus or worm. Be careful about those.

I suggest you go to http://www.processlibrary.com and look for more processes that are a security risk. This is a good site to know more about processes and what they do. It also gives you a list of the good and the bad process and gives you information about them as well.

Forget about Norton or Mcafee to protect your pc, they are worthless, trust me. I hope the site I gave you will help you get more information about some processes.

Submitted by: Pcfreakske2000

***********************************************************************

Answer:


svchost.exe is a system process that is used in the Windows operating system that handles processes from DLLs. svchost is important for the stability and security of your system. To answer your question, when you have automatic time updates turned on, it runs a svchost shared process that connects to the internet to set your clock. It's perfectly fine to allow access to svchost through your firewall but you can also turn that off by right-clicking on the clock in your taskbar, adjust date/time and then selecting the internet time tab.

Submitted by: Matthew O.

***********************************************************************

Answer:


You cannot simply stop any of the svchost processes running.

Some of them are crucial to Windows itself. It is a tricky one and there is no definitive answer. Lots of spyware, adware, viruses etc. will run a process with this name, safe in the knowledge that you can't stop them! Clever stuff, but very annoying!

Think about which processes you have that might want to access the Net.
Probably anti-virus stuff will - media player will - Windows itself WON'T

Try killing the process and see what happens.

Good luck,

Submitted by: Kevin D.
DLL = DYNAMIC link libraries
by longofest / September 22, 2005 8:36 PM PDT

Typo in the post. Setting the record straight.

DLL
by dolbyg / September 22, 2005 11:44 PM PDT

I was about to send the same correction that DLL stands for dynamic-link library, but I am on the West coast. I don't get up that early.

Svchost.exe can be a keylogger
by donmayor / September 22, 2005 8:41 PM PDT

I have seen a keylogger program that names itself as svchost.exe. How to detect if this program of yours is a keylogger is this: open your Task Manager and go to Processes. You would see more than one svchost.exe; look at the user names beside the svchost.exe; it has to be one of these: network service, local system, system. If any of them shows the user name logged into the computer, it is probably spyware or a keylogger. Kill it. It is probably located in C:\program files\common files\microsoft shared\dao\svchost.exe
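
Added example (not part of the original post): the user-name check described above, run over the CSV form of the process list (`tasklist /v /fo csv`). The sample rows, the host and user names, and the function names are constructed; the account names assume an English-language Windows installation.

```python
import csv
import io

# Built-in service accounts, as shown in the User Name column on an
# English-language system (assumption: localized systems use other names).
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample in the layout of `tasklist /v /fo csv`.
SAMPLE_CSV = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","1008","Console","0","4,512 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","1224","Console","0","3,104 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","1264","Console","0","2,880 K","Running","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","184","Console","0","2,016 K","Running","N/A","0:00:00","N/A"
"SVCHOST.EXE","3320","Console","0","6,240 K","Running","EXAMPLE-PC\alice","0:00:12","N/A"
"explorer.exe","2168","Console","0","18,900 K","Running","EXAMPLE-PC\alice","0:00:09","N/A"
'''


def classify_owner(user):
    """Classify the account a process runs under."""
    user = user.strip()
    if not user or user.upper() == "N/A":
        # tasklist prints N/A when it cannot read the owner, which is
        # common without administrator rights: unknown, not suspicious.
        return "unknown-owner"
    domain, _, account = user.rpartition("\\")
    if domain.upper() == "NT AUTHORITY" and account.upper() in SERVICE_ACCOUNTS:
        return "service-account"
    return "interactive-user"


def triage_svchost(csv_text):
    """Return (pid, user, verdict) for every svchost.exe row."""
    findings = []
    # The csv module is needed because Mem Usage contains commas.
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        user = row["User Name"]
        findings.append((int(row["PID"]), user, classify_owner(user)))
    return findings


def needs_review(findings):
    """PIDs of svchost.exe instances running as an ordinary user."""
    return [pid for pid, _, verdict in findings
            if verdict == "interactive-user"]


if __name__ == "__main__":
    for pid, user, verdict in triage_svchost(SAMPLE_CSV):
        print(f"{pid:>5}  {verdict:<16} {user}")
```

On Windows 10 and later, per-user services legitimately run in svchost.exe under the logged-on account, so a hit there is a lead to check against the file's path and signature rather than a verdict.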

I have seen a good dozen
by funkid7 / September 23, 2005 4:32 AM PDT

These nifty little buggers will call themselves SVCHOST EXE in all capitals. That shouldn't be all capitals. Some of them (keyloggers, you call them) will have the gall to name themselves svchost exe, like your OS does.

I have played and played and gambled with SVC's, thru 3 OS's and 4 different models of computer. They are one doodad I know about.

Why so many svchost.exe processes running?
by jasperstones / September 23, 2005 5:31 AM PDT

Can anyone explain why I have so many svchost.exe
processes running at the same time. Windows task
manager currently shows 8 running at the same time:

4 are attributed to SYSTEM
2 are attributed to LOCAL SYSTEM
2 are attributed to NETWORK SERVICE

I realize it depends upon installed software etc.
but is it normal to have so many "multiple versions"
of that process running at the same time?

Any help is genuinely appreciated!

jasperstones

4/2/2
by funkid7 / September 23, 2005 5:42 PM PDT

WinXP? More than one registered administrator's log-on? That may explain the double svchosts for network and local. The 4 system svc's could all be legitimate. As I said here in one other post, each and every personal desktop has its own variable processes.
One Anti-virus utility may open one, another brand may not.
PhotoShop definitely enables a service; this is because it has a website help link that executes with the program. MSPaint will share that same svchost, if I leave the host running. Then, if I close MSPaint and shut svc down and then re-open MSPaint again, a svchost with a different PID will open.
This is why no one is willing to answer your question; it could mean anything. Crazy crap isn't it?!
That is why I learned what mine were for, specifically, and what programs execute them. Mine is different from yours, so my experiments won't help you. They only help my tailored sys.

It is Okay.
by theUg / September 25, 2005 1:16 PM PDT

I usually have 4 to 6 of them. I have seen somewhere (although I cannot recall where exactly, maybe in XP Tweaker) the actual command line arguments showing which applications and DLLs svchost.exe handles in each instance. All looked legit.

procexp.exe from sysinternals
by Pebkac / September 22, 2005 8:57 PM PDT

I am surprised that no one suggested this free program. I find it VERY helpful for a number of reasons. You can see each process under svchost, the dll and directory it is running from. This allows you to see if it is indeed a misnamed version or not, and see where it is being run from.

Although the GUI is a little overwhelming at first, you get used to it and understand why the parts are all there.

It can replace Task manager.

It allows for releasing the "locked" files in XP by forcing the release of the handle w/o killing the process (usually this is explorer!)

You can search for partial location or dll names to find things.

You can also watch individual processes CPU and memory usage. Or see back a bit in history to see what spiked the CPU.

VERY useful tool.

Thanks for the info
by ferante / September 23, 2005 1:45 AM PDT

Procexp looks like a cool useful program!

Be Careful!
by adam_crook / September 23, 2005 2:00 AM PDT
In reply to: Thanks for the info

Apparently there's a bug in versions of Process Explorer prior to v9.25 that allows a remote user to run their code on your machine. So make sure you have the latest (v9.25) version. Information on this exploit and the fix can be obtained from http://securitytracker.com/alerts/2005/Aug/1014742.html

Regards,
adam_van_2000

procexp.exe from sysinternals
by si / May 2, 2008 1:36 PM PDT

and why is procexp.exe not to be found at DOWNLOAD.COM??

With All-Seeing Eye you can identify if the DLL is malicious
by nchelsey / September 22, 2005 9:05 PM PDT

Just as you say in the article, there can be any DLL using svchost.exe to communicate on the internet, and therefore what you really want to know is if the DLL is a good or a bad one.

I have found a great tool for authenticating all DLLs that try to communicate like this, and it's called ''All-Seeing Eye'' (http://www.fortego.com/ase) by Fortego Security.

This program does a lot of other things too, and is the ultimate complement to antivirus and antispyware scanners for people who really want a secure computer. I first found this tool when security specialist Ian Kayne recommended it as the tool of the future on his excellent antispyware and antispam course here on CNET, and I've used it ever since with really great results, feeling much safer than before. Among other things due to exactly this problem of DLL files using other processes to communicate stealthily as in the svchost.exe case.

I can really recommend it anyway, safe surfing to you all now!

Yep, no more svchost.exe worries when using All-Seeing Eye!
by SecurityBuff / September 22, 2005 9:18 PM PDT

Just wanted to say I use All-Seeing Eye too, and I've never felt so safe before. I can really recommend it too, it's the ultimate complement to antivirus/antispyware. You just don't have to worry about problems like this svchost.exe problem anymore with it! And best of all, it's free!

Tool of the Month
by mmccrea / September 23, 2005 2:29 AM PDT

This is the tool I have always been looking for. www.cnet.com and www.techrepublic.com always have the users with the most useful computer suggestions.

I can do that with my own eyes too
by funkid7 / September 23, 2005 4:37 AM PDT

dll's always show a modification date. this date will reflect install date as same. it will also reflect updates to programs/utilities that need them to run/link to libraries of program information(code).
I find the bad ones by hand and delete them from several different places: Win32 folder is a good spot for them to hide, but you will have to be VERY familiar with those files. I memorized them almost by now. All 2000 or more even.

Also look for...
by funkid7 / September 23, 2005 4:46 AM PDT

authors unsigned in the dll's properties. Or unknown application announcements. that is sometimes helpful but not definite confirmation. Some bad dll's will say they are authored by Microsoft, yet say they are an unknown app and they are not Microsoft at all.

Re: svchost.exe: friend or foe
by dgbvan / September 22, 2005 9:17 PM PDT

If you have a firewall that you have confidence in, you should read the notice asking for permission for the program to access the internet. Most firewalls will give you some indication as to whether or not the request is of high, medium or low risk; if it is a newly installed program, or if it is a modified program.
I use Zone Alarm and I find that, in more than four years, it has yet to steer me wrong.
Still, remember the old maxim (that I just made up); If in doubt, shut it out!
If you deny a required program, you will soon find out as whatever you are trying to do simply will not be done. At that point, open your permissions database and allow the requested access. Then, see what happens.
If you are suddenly in good shape, you are faced with two options:
1. leave the permission for access in place;
2. remove the permission and only grant such whenever you want to do whatever it allows you to do. Now, I know this sounds messy, but, trust me, it's a heck of a lot less messy than trying to disinfect your hard drive or to (shudder) reconstruct it.
Whatever you decide, good luck! But, if your firewall indicates that there is a low risk associated with granting permission, I would - and then simply forget it.

NO!
by funkid7 / September 23, 2005 4:49 AM PDT

svchost assigned to network, accesses the internet and e-mail at log on time. when you click your internet icon and a new svchost appears assigned to your personal name, then it is a bad one! your firewall is just confusing you worse by asking you that dumb question! I have never once said yes to that question without causing havoc!

How many times do I have to say this
by funkid7 / September 23, 2005 4:50 AM PDT
In reply to: NO!

I have done this on purpose for six months once! Never say yes to svchost assigned to you!

Look it up by search engine
by carolina1 / September 25, 2005 11:20 PM PDT

Boy what a wide variety of bogus answers you get. Why doesn't Microsoft tag their files, so we know that they are theirs, and then give website support to define each operation?
I'm complaining for no reason. I'm testing Mepis and it looks like I'm MS free if it works as well in my laptop. Maybe they could have saved a customer.

(NT) (NT) NT - Cool! Thank you. (if in doubt, shut it out!) :-)
by Cadillac84 / October 9, 2005 11:45 PM PDT
I think that we deal with a more extended problem
by A. Bijker / September 22, 2005 10:15 PM PDT

It is not only svchost.exe, but many other very cryptic names. When the firewall asks me to allow a certain program to access the internet or not, the names of the programs do not give me any information at all when (as in my case) you are no computer nerd at all.
The question should be: How can an average computer user (so not a computer engineer) know if you can allow a certain program to access the internet or not?
