#1
Svchost concerns
I wanted to get someone else's feedback on this, who might know the inside story.

Am I the only one who gets a bit suspicious or worried when "svchost" shows up at the top of the list in Task Manager, instead of a couple of lines down, like it normally is? This only occasionally happens, and seemingly out of the blue.

The reason I ask is because I've been burned before by some svchost related issues, which are really hard to track down. I realize that svchost is just a cover host for some other subprocesses, but I have noticed this "irregularity" from time to time. (I guess some other process is/was going on that required svchost to be at the top of the Task Manager list in these rare instances). Incidentally, when I've closed down this "top" instance of svchost in Task Manager, nothing untoward happens, and I think I found (using svchost viewer) that it was related to some Internet related connectivity.
#2
Bill in Co wrote:
> I wanted to get someone else's feedback on this, who might know the inside story.
>
> Am I the only one who gets a bit suspicious or worried when "svchost" shows up at the top of the list in Task Manager, instead of a couple of lines down, like it normally is? This only occasionally happens, and seemingly out of the blue.
>
> The reason I ask is because I've been burned before by some svchost related issues, which are really hard to track down. I realize that svchost is just a cover host for some other subprocesses, but I have noticed this "irregularity" from time to time. (I guess some other process is/was going on that required svchost to be at the top of the Task Manager list in these rare instances). Incidentally, when I've closed down this "top" instance of svchost in Task Manager, nothing untoward happens, and I think I found (using svchost viewer) that it was related to some Internet related connectivity.

You can set up SVCHOST, so there is only one thing "hiding" inside each one. Kinda blows their cover story. Scroll down half-way, look for text in red.

http://blogs.msdn.com/b/spatdsg/arch...-services.aspx

    sc config service type= own

The only one I've had trouble with is wuauserv. At least, recently. You can try putting that one in its own SVCHOST and see what happens.

HTH,
Paul
#3
I'm not sure, but I think the order is just order of loading. It's probably just a case of a service that was only needed after you were up and running.

I've never heard of svchost viewer. I gather that lets you see what's running. If not, you can get Process Explorer from Sysinternals.

When I started using XP I found it unsettling that any service could get online through my firewall by running under svchost, so I wanted to eliminate any of those services. There's no reason for anything to need to go online of its own accord. I don't use Windows Time. I don't allow Windows Update to load at all. It turned out the only thing that actually needed to get through the firewall was DHCP. By using a fixed IP address in network settings I was able to disable DHCP. So now I just block svchost from going online.

But MS has a surprising amount of spyware. I've seen both msiexec (runs when an MSI installer file is run) and hh.exe (runs when a CHM help file is opened) try to contact Microsoft URLs for no apparent reason.

"Bill in Co" wrote in message ...
| I wanted to get someone else's feedback on this, who might know the inside
| story.
|
| Am I the only one who gets a bit suspicious or worried when "svchost" shows
| up at the top of the list in Task Manager, instead of a couple of lines
| down, like it normally is? This only occasionally happens, and seemingly
| out of the blue.
|
| The reason I ask is because I've been burned before by some svchost related
| issues, which are really hard to track down. I realize that svchost is just
| a cover host for some other subprocesses, but I have noticed this
| "irregularity" from time to time. (I guess some other process is/was going
| on that required svchost to be at the top of the Task Manager list in these
| rare instances). Incidentally, when I've closed down this "top" instance of
| svchost in Task Manager, nothing untoward happens, and I think I found
| (using svchost viewer) that it was related to some Internet related
| connectivity.
#4
From: "Bill in Co"
> I wanted to get someone else's feedback on this, who might know the inside story.
>
> Am I the only one who gets a bit suspicious or worried when "svchost" shows up at the top of the list in Task Manager, instead of a couple of lines down, like it normally is? This only occasionally happens, and seemingly out of the blue.
>
> The reason I ask is because I've been burned before by some svchost related issues, which are really hard to track down. I realize that svchost is just a cover host for some other subprocesses, but I have noticed this "irregularity" from time to time. (I guess some other process is/was going on that required svchost to be at the top of the Task Manager list in these rare instances). Incidentally, when I've closed down this "top" instance of svchost in Task Manager, nothing untoward happens, and I think I found (using svchost viewer) that it was related to some Internet related connectivity.

SVCHOST is the Server of services. The daemon of daemons. Also known as the Host Process for Windows Services.

Therefore it is not uncommon to see several instances of SVCHOST running, each representing a different OS Service. There have been instances where a service, such as Windows Update (WUAUSERV), can cause SVCHOST to have a high CPU utilization.

What is REALLY important is the fully qualified path to SVCHOST.EXE.

    c:\windows\system32\svchost.exe   is legitimate
    c:\windows\svchost.exe            is NOT legitimate

Malware hides in plain sight by this method. Malware will use the legitimate name, SVCHOST.EXE, but will run from illegitimate locations. It will obfuscate its malicious activity by loading and being one of the many instances of SVCHOST shown in Task Manager.

SVCHOST.EXE is the most commonly used name for malware for that reason. Also variations upon that name such as SCVHOST.EXE.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
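The path and name checks described in the post above, as an added example that is not part of the original thread. The function names, the edit-distance threshold of 2 and the sample process list are assumptions made for illustration; the only allowed directory is the one the post calls legitimate.

```python
import ntpath  # Windows path rules, usable on any OS

LEGIT_NAME = "svchost.exe"
# The location the post calls legitimate; add others valid for your own build.
ALLOWED_DIRS = {r"c:\windows\system32"}

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as a single edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # e.g. "scv" vs "svc"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(image_path, max_distance=2):
    """Return 'ok', 'wrong-path', 'lookalike-name' or 'other' for one image path."""
    # normpath collapses "..", normcase lowercases: compare canonical forms only.
    norm = ntpath.normcase(ntpath.normpath(image_path))
    directory, name = ntpath.split(norm)
    if name == LEGIT_NAME:
        # A bare name with no directory is unverified, so it is not 'ok' either.
        return "ok" if directory in ALLOWED_DIRS else "wrong-path"
    if osa_distance(name, LEGIT_NAME) <= max_distance:
        return "lookalike-name"
    return "other"

# Constructed sample process list (PID, image path); not taken from a real host.
SAMPLE = [
    (868, r"C:\WINDOWS\system32\svchost.exe"),
    (1032, r"C:\WINDOWS\System32\svchost.exe"),
    (2216, r"C:\WINDOWS\svchost.exe"),
    (2380, r"C:\WINDOWS\system32\scvhost.exe"),
    (2544, r"C:\WINDOWS\system32\..\svchost.exe"),
    (612, r"C:\WINDOWS\system32\services.exe"),
]

def scan(inventory):
    """Return (pid, path, verdict) for every entry that deserves a closer look."""
    return [(pid, path, verdict)
            for pid, path in inventory
            for verdict in [classify(path)]
            if verdict in ("wrong-path", "lookalike-name")]

if __name__ == "__main__":
    for pid, path, verdict in scan(SAMPLE):
        print(f"{pid:>6}  {verdict:<15} {path}")
```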
#5
Paul wrote:
> Bill in Co wrote:
>> I wanted to get someone else's feedback on this, who might know the inside story.
>>
>> Am I the only one who gets a bit suspicious or worried when "svchost" shows up at the top of the list in Task Manager, instead of a couple of lines down, like it normally is? This only occasionally happens, and seemingly out of the blue.
>>
>> The reason I ask is because I've been burned before by some svchost related issues, which are really hard to track down. I realize that svchost is just a cover host for some other subprocesses, but I have noticed this "irregularity" from time to time. (I guess some other process is/was going on that required svchost to be at the top of the Task Manager list in these rare instances). Incidentally, when I've closed down this "top" instance of svchost in Task Manager, nothing untoward happens, and I think I found (using svchost viewer) that it was related to some Internet related connectivity.
>
> You can set up SVCHOST, so there is only one thing "hiding" inside each one. Kinda blows their cover story. Scroll down half-way, look for text in red.
>
> http://blogs.msdn.com/b/spatdsg/arch...-services.aspx
>
>     sc config service type= own
>
> The only one I've had trouble with is wuauserv. At least, recently. You can try putting that one in its own SVCHOST and see what happens.

Hi Paul,

Well, I was able to track this down a bit further by using "Svchost Viewer", and it said the specific service was "HTTPFilter" (it shows up as HTTP SSL in "Services"). Why this particular service only occasionally pops up (and at the top of the Task Manager list) after a fresh boot up is beyond me, however, and I can stop it with no noticeable effect.

Svchost Viewer (small freebie app): http://svchostviewer.codeplex.com/

I read a little bit about "HTTPFilter" from some online searches, but the reason still escapes me as to why this service only occasionally pops up at the top of the Task Manager list after booting up before doing anything, and most of the time does not. I'm probably being a bit paranoid about this, but I don't understand why it seems so capricious. Maybe you have some plausible explanations. (?)

Here is some more detail from the Svchost Viewer screen (I typed it in):

    svchost.exe with PID 4020 (process ID)
    Name: HTTPFilter
    Service Type: Share Process
    Start Type: Manual
    Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.

Any ideas? :-)
#6
Bill in Co wrote:
> Paul wrote:
>> Bill in Co wrote:
>>> I wanted to get someone else's feedback on this, who might know the inside story.
>>>
>>> Am I the only one who gets a bit suspicious or worried when "svchost" shows up at the top of the list in Task Manager, instead of a couple of lines down, like it normally is? This only occasionally happens, and seemingly out of the blue.
>>>
>>> The reason I ask is because I've been burned before by some svchost related issues, which are really hard to track down. I realize that svchost is just a cover host for some other subprocesses, but I have noticed this "irregularity" from time to time. (I guess some other process is/was going on that required svchost to be at the top of the Task Manager list in these rare instances). Incidentally, when I've closed down this "top" instance of svchost in Task Manager, nothing untoward happens, and I think I found (using svchost viewer) that it was related to some Internet related connectivity.
>>
>> You can set up SVCHOST, so there is only one thing "hiding" inside each one. Kinda blows their cover story. Scroll down half-way, look for text in red.
>>
>> http://blogs.msdn.com/b/spatdsg/arch...-services.aspx
>>
>>     sc config service type= own
>>
>> The only one I've had trouble with is wuauserv. At least, recently. You can try putting that one in its own SVCHOST and see what happens.
>
> Hi Paul,
>
> Well, I was able to track this down a bit further by using "Svchost Viewer", and it said the specific service was "HTTPFilter" (it shows up as HTTP SSL in "Services"). Why this particular service only occasionally pops up (and at the top of the Task Manager list) after a fresh boot up is beyond me, however, and I can stop it with no noticeable effect.
>
> Svchost Viewer (small freebie app): http://svchostviewer.codeplex.com/
>
> I read a little bit about "HTTPFilter" from some online searches, but the reason still escapes me as to why this service only occasionally pops up at the top of the Task Manager list after booting up before doing anything, and most of the time does not. I'm probably being a bit paranoid about this, but I don't understand why it seems so capricious. Maybe you have some plausible explanations. (?)
>
> Here is some more detail from the Svchost Viewer screen (I typed it in):
>
>     svchost.exe with PID 4020 (process ID)
>     Name: HTTPFilter
>     Service Type: Share Process
>     Start Type: Manual
>     Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
>
> Any ideas? :-)

So something is attempting to "dial out" securely? Like use SSL, so snoopers (like yourself :-) ) can't see what is going on.

Mine is set to manual, and HTTPFilter is not running right now. I tried https://www.google.com while in Internet Explorer 6, and it still isn't running. Does the "manual" mean some separate software has to run it?

In WinXP Pro, you can use "tasklist /svc" to list the currently running processes and services. I run that in a Command Prompt. I'm told it doesn't work on WinXP Home, so Home users are out of luck, and need to look to a third-party utility. I bet Process Explorer (sysinternals.com) could give some info too.

The only thing that comes to mind, is using Bootvis (if you can find a copy), and see if it's logged in there somewhere during startup. Bootvis records activity at startup, and maybe if a startup item is causing it to run, you'd have a record of it. Support for Bootvis died at Microsoft some time ago, but I didn't seem to have a problem running it on my SP3 system here.

https://web.archive.org/web/20100601...otVis-Tool.exe

You could also use Autoruns from Sysinternals, and review what is running on your system at startup. Which might be another way of "catching a hint".

http://technet.microsoft.com/en-us/s...rnals/bb963902

Lots of software uses update checkers to check whether the applications software is up to date. It could be some crap like that.

Paul
#7
Paul wrote:
> Bill in Co wrote:
>> Paul wrote:
>>> Bill in Co wrote:
>>>> I wanted to get someone else's feedback on this, who might know the inside story.
>>>>
>>>> Am I the only one who gets a bit suspicious or worried when "svchost" shows up at the top of the list in Task Manager, instead of a couple of lines down, like it normally is? This only occasionally happens, and seemingly out of the blue.
>>>>
>>>> The reason I ask is because I've been burned before by some svchost related issues, which are really hard to track down. I realize that svchost is just a cover host for some other subprocesses, but I have noticed this "irregularity" from time to time. (I guess some other process is/was going on that required svchost to be at the top of the Task Manager list in these rare instances). Incidentally, when I've closed down this "top" instance of svchost in Task Manager, nothing untoward happens, and I think I found (using svchost viewer) that it was related to some Internet related connectivity.
>>>
>>> You can set up SVCHOST, so there is only one thing "hiding" inside each one. Kinda blows their cover story. Scroll down half-way, look for text in red.
>>>
>>> http://blogs.msdn.com/b/spatdsg/arch...-services.aspx
>>>
>>>     sc config service type= own
>>>
>>> The only one I've had trouble with is wuauserv. At least, recently. You can try putting that one in its own SVCHOST and see what happens.
>>
>> Hi Paul,
>>
>> Well, I was able to track this down a bit further by using "Svchost Viewer", and it said the specific service was "HTTPFilter" (it shows up as HTTP SSL in "Services"). Why this particular service only occasionally pops up (and at the top of the Task Manager list) after a fresh boot up is beyond me, however, and I can stop it with no noticeable effect.
>>
>> Svchost Viewer (small freebie app): http://svchostviewer.codeplex.com/
>>
>> I read a little bit about "HTTPFilter" from some online searches, but the reason still escapes me as to why this service only occasionally pops up at the top of the Task Manager list after booting up before doing anything, and most of the time does not. I'm probably being a bit paranoid about this, but I don't understand why it seems so capricious. Maybe you have some plausible explanations. (?)
>>
>> Here is some more detail from the Svchost Viewer screen (I typed it in):
>>
>>     svchost.exe with PID 4020 (process ID)
>>     Name: HTTPFilter
>>     Service Type: Share Process
>>     Start Type: Manual
>>     Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
>>
>> Any ideas? :-)
>
> So something is attempting to "dial out" securely? Like use SSL, so snoopers (like yourself :-) ) can't see what is going on.
>
> Mine is set to manual, and HTTPFilter is not running right now. I tried https://www.google.com while in Internet Explorer 6, and it still isn't running. Does the "manual" mean some separate software has to run it?
>
> In WinXP Pro, you can use "tasklist /svc" to list the currently running processes and services. I run that in a Command Prompt. I'm told it doesn't work on WinXP Home, so Home users are out of luck, and need to look to a third-party utility. I bet Process Explorer (sysinternals.com) could give some info too.
>
> The only thing that comes to mind, is using Bootvis (if you can find a copy), and see if it's logged in there somewhere during startup. Bootvis records activity at startup, and maybe if a startup item is causing it to run, you'd have a record of it. Support for Bootvis died at Microsoft some time ago, but I didn't seem to have a problem running it on my SP3 system here.
>
> https://web.archive.org/web/20100601...otVis-Tool.exe
>
> You could also use Autoruns from Sysinternals, and review what is running on your system at startup. Which might be another way of "catching a hint".
>
> http://technet.microsoft.com/en-us/s...rnals/bb963902
>
> Lots of software uses update checkers to check whether the applications software is up to date. It could be some crap like that.
>
> Paul

Thanks for all this info. And I probably should look into this some more. And yes, I do have some things running at startup that might be causing this, depending on what process loads first thru last at startup, such as the D4 time updater or some other software that wants to check for updates. So I guess that's probably it, based on what you've said.

TNX, Paul.