Svchost concerns

I wanted to get someone's else's feedback on this, who might know the inside
story.

Am I the only one who gets a bit suspicious or worried when "svchost" shows
up at the top of the list in Task Manager, instead of a couple of lines
down, like it normally is? This only occasionally happens, and seemingly
out of the blue.

The reason I ask is because I've been burned before by some svchost related
issues, which are really hard to track down. I realize that svchost is just
a cover host for some other subprocesses, but I have noticed this
"irregularity" from time to time. (I guess some other process is/was going
on that required svchost to be at the top of the Task Manager list in these
rare instances). Incidentally, when I've closed down this "top" instance of
svchost in Task Manager, nothing untoward happens, and I think I found
(using svchost viewer) that it was related to some Internet related
connectivity.

Bill in Co wrote:
I wanted to get someone's else's feedback on this, who might know the inside
story.

Am I the only one who gets a bit suspicious or worried when "svchost" shows
up at the top of the list in Task Manager, instead of a couple of lines
down, like it normally is? This only occasionally happens, and seemingly
out of the blue.

The reason I ask is because I've been burned before by some svchost related
issues, which are really hard to track down. I realize that svchost is just
a cover host for some other subprocesses, but I have noticed this
"irregularity" from time to time. (I guess some other process is/was going
on that required svchost to be at the top of the Task Manager list in these
rare instances). Incidentally, when I've closed down this "top" instance of
svchost in Task Manager, nothing untoward happens, and I think I found
(using svchost viewer) that it was related to some Internet related
connectivity.



You can set up SVCHOST, so there is only one thing "hiding"
inside each one. Kinda blows their cover story.

Scroll down half-way, look for text in red.

http://blogs.msdn.com/b/spatdsg/arch...-services.aspx

sc config service type= own

The only one I've had trouble with is wuauserv. At
least, recently. You can try putting that one in
its own SVCHOST and see what happens.

HTH,
Paul

I'm not sure, but I think the order is just order of loading.
It's probably just a case of a service that was only needed
after you were up and running.

I've never heard of svchost viewer. I gather that lets
you see what's running. If not you can get Process
Explorer from Sysinternals.

When I started using XP I found it unsettling that any
service could get online through my firewall by running
under svchost, so I wanted to eliminate any of those
services. There's no reason for anything to need to go
online of its own accord.
I don't use Windows Time. I don't allow Windows
Update to load at all. It turned out the only thing that
actually needed to get through the firewall was DHCP.
By using a fixed IP address in network settings I was able
to disable DHCP. So now I just block svchost from going
online.
But MS has a surprising amount of spyware. I've seen
both msiexec (runs when an MSI installer file is run) and
hh.exe (runs when a CHM help file is opened) try to
contact Microsoft URLs for no apparent reason.


"Bill in Co" wrote in message
...
|I wanted to get someone's else's feedback on this, who might know the
inside
| story.
|
| Am I the only one who gets a bit suspicious or worried when "svchost"
shows
| up at the top of the list in Task Manager, instead of a couple of lines
| down, like it normally is? This only occasionally happens, and seemingly
| out of the blue.
|
| The reason I ask is because I've been burned before by some svchost
related
| issues, which are really hard to track down. I realize that svchost is
just
| a cover host for some other subprocesses, but I have noticed this
| "irregularity" from time to time. (I guess some other process is/was
going
| on that required svchost to be at the top of the Task Manager list in
these
| rare instances). Incidentally, when I've closed down this "top" instance
of
| svchost in Task Manager, nothing untoward happens, and I think I found
| (using svchost viewer) that it was related to some Internet related
| connectivity.
|
|

From: "Bill in Co"

I wanted to get someone's else's feedback on this, who might know the
inside story.

Am I the only one who gets a bit suspicious or worried when "svchost"
shows up at the top of the list in Task Manager, instead of a couple of
lines down, like it normally is? This only occasionally happens, and
seemingly out of the blue.

The reason I ask is because I've been burned before by some svchost
related issues, which are really hard to track down. I realize that
svchost is just a cover host for some other subprocesses, but I have
noticed this "irregularity" from time to time. (I guess some other
process is/was going on that required svchost to be at the top of the Task
Manager list in these rare instances). Incidentally, when I've closed
down this "top" instance of svchost in Task Manager, nothing untoward
happens, and I think I found (using svchost viewer) that it was related to
some Internet related connectivity.

SVCHOST is the Server of services. The daemon of daemons.

Also known as the Host Process for Windows Services.

Therefore it is not uncommon to see several instances of SVCHOST running
representing a different OS Service.

There have been instances, such as with Windows Update (WUAUSERV), can cause
SVCHOST to have a high CPU utilization.

What is REALLY important is the fully qualified path to SVCHOST.EXE.

c:\windows\system32\svchost.exe is legitimate
c:\windows\svchost.exe is NOT legitimate

Malware hides in plain site by this method. Malware will use the legitimate
name, SVCHOST.EXE, but will run from illegitimate locations. It will
obfuscate its malicious activity by loading and being one of the many
instances of SVCHOST shown in Task Manager.

SVCHOST.EXE is the most commonly used name for malware for that reason.
Also variations upon that name such as SCVHOST.EXE.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Paul wrote:
Bill in Co wrote:
I wanted to get someone's else's feedback on this, who might know the
inside story.

Am I the only one who gets a bit suspicious or worried when "svchost"
shows
up at the top of the list in Task Manager, instead of a couple of lines
down, like it normally is? This only occasionally happens, and seemingly
out of the blue.

The reason I ask is because I've been burned before by some svchost
related
issues, which are really hard to track down. I realize that svchost is
just
a cover host for some other subprocesses, but I have noticed this
"irregularity" from time to time. (I guess some other process is/was
going
on that required svchost to be at the top of the Task Manager list in
these
rare instances). Incidentally, when I've closed down this "top" instance
of
svchost in Task Manager, nothing untoward happens, and I think I found
(using svchost viewer) that it was related to some Internet related
connectivity.


You can set up SVCHOST, so there is only one thing "hiding"
inside each one. Kinda blows their cover story.

Scroll down half-way, look for text in red.

http://blogs.msdn.com/b/spatdsg/arch...-services.aspx

sc config service type= own

The only one I've had trouble with is wuauserv. At
least, recently. You can try putting that one in
its own SVCHOST and see what happens.

Hi Paul,

Well, I was able to track this down a bit further by using "Svchost Viewer",
and it said the specific service was "HTTPFilter" (it shows up as HTTP SSL
in "Services"). Why this particular service only occasionally pops up (and
at the top of the Task Manager list) after a fresh boot up is beyond me,
however, and I can stop it with no noticeable effect.

Svchost Viewer (small freebie app):
http://svchostviewer.codeplex.com/

I read a little bit about "HTTPFilter" from some online searches, but the
reason still escapes me as to why this service only occasionally pops up at
the top of the Task Manager list after booting up before doing anything, and
most of the time does not. I'm probably being a bit paranoid about this,
but I don't understand why it seems so capricious. Maybe you have some
plausible explanations. (?)

Here is some more detail from the Svchost Viewer screen (I typed it in):

svchost.exe with PID 4020 (process ID)
Name: HTTPFilter
Service Type: Share Process
Start Type: Manual
Description: This service implements the secure hypertext transfer protocol
(HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this
service is disabled, any services that explicitly depend on it will fail to
start.

Any ideas? :-)

Bill in Co wrote:
Paul wrote:
Bill in Co wrote:
I wanted to get someone's else's feedback on this, who might know the
inside story.

Am I the only one who gets a bit suspicious or worried when "svchost"
shows
up at the top of the list in Task Manager, instead of a couple of lines
down, like it normally is? This only occasionally happens, and seemingly
out of the blue.

The reason I ask is because I've been burned before by some svchost
related
issues, which are really hard to track down. I realize that svchost is
just
a cover host for some other subprocesses, but I have noticed this
"irregularity" from time to time. (I guess some other process is/was
going
on that required svchost to be at the top of the Task Manager list in
these
rare instances). Incidentally, when I've closed down this "top" instance
of
svchost in Task Manager, nothing untoward happens, and I think I found
(using svchost viewer) that it was related to some Internet related
connectivity.

You can set up SVCHOST, so there is only one thing "hiding"
inside each one. Kinda blows their cover story.

Scroll down half-way, look for text in red.

http://blogs.msdn.com/b/spatdsg/arch...-services.aspx

sc config service type= own

The only one I've had trouble with is wuauserv. At
least, recently. You can try putting that one in
its own SVCHOST and see what happens.

Hi Paul,

Well, I was able to track this down a bit further by using "Svchost Viewer",
and it said the specific service was "HTTPFilter" (it shows up as HTTP SSL
in "Services"). Why this particular service only occasionally pops up (and
at the top of the Task Manager list) after a fresh boot up is beyond me,
however, and I can stop it with no noticeable effect.

Svchost Viewer (small freebie app):
http://svchostviewer.codeplex.com/

I read a little bit about "HTTPFilter" from some online searches, but the
reason still escapes me as to why this service only occasionally pops up at
the top of the Task Manager list after booting up before doing anything, and
most of the time does not. I'm probably being a bit paranoid about this,
but I don't understand why it seems so capricious. Maybe you have some
plausible explanations. (?)

Here is some more detail from the Svchost Viewer screen (I typed it in):

svchost.exe with PID 4020 (process ID)
Name: HTTPFilter
Service Type: Share Process
Start Type: Manual
Description: This service implements the secure hypertext transfer protocol
(HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this
service is disabled, any services that explicitly depend on it will fail to
start.

Any ideas? :-)


So something is attempting to "dial out" securely ?
Like use SSL, so snoopers (like yourself :-) ) can't
see what is going on.

Mine is set to manual, and HTTPFilter is not running
right now. I tried https://www.google.com while in Internet
Explorer 6, and it still isn't running. Does the "manual" mean some
separate software has to run it ?

In WinXP Pro, you can use "tasklist /svc" to list the currently
running processes and services. I run that in a Command Prompt.
I'm told it doesn't work on WinXP Home, so Home users are out
of luck, and need to look to a third-party utility. I bet
Process Explorer (sysinternals.com) could give some info too.

The only thing that comes to mind, is using Bootvis
(if you can find a copy), and see if it's logged in
there somewhere during startup. Bootvis records activity at startup,
and maybe if a startup item is causing it to run,
you'd have a record of it. Support for Bootvis died at
Microsoft some time ago, but I didn't seem to have a problem
running it on my SP3 system here.

https://web.archive.org/web/20100601...otVis-Tool.exe

You could also use Autoruns from Sysinternals, and review what
is running on your system at startup. Which might be another
way of "catching a hint".

http://technet.microsoft.com/en-us/s...rnals/bb963902

Lots of software, use update checkers to check whether
the applications software is up to date. It could be
some crap like that.

Paul

Paul wrote:
Bill in Co wrote:
Paul wrote:
Bill in Co wrote:
I wanted to get someone's else's feedback on this, who might know the
inside story.

Am I the only one who gets a bit suspicious or worried when "svchost"
shows
up at the top of the list in Task Manager, instead of a couple of lines
down, like it normally is? This only occasionally happens, and
seemingly
out of the blue.

The reason I ask is because I've been burned before by some svchost
related
issues, which are really hard to track down. I realize that svchost is
just
a cover host for some other subprocesses, but I have noticed this
"irregularity" from time to time. (I guess some other process is/was
going
on that required svchost to be at the top of the Task Manager list in
these
rare instances). Incidentally, when I've closed down this "top"
instance
of
svchost in Task Manager, nothing untoward happens, and I think I found
(using svchost viewer) that it was related to some Internet related
connectivity.

You can set up SVCHOST, so there is only one thing "hiding"
inside each one. Kinda blows their cover story.

Scroll down half-way, look for text in red.

http://blogs.msdn.com/b/spatdsg/arch...-services.aspx

sc config service type= own

The only one I've had trouble with is wuauserv. At
least, recently. You can try putting that one in
its own SVCHOST and see what happens.

Hi Paul,

Well, I was able to track this down a bit further by using "Svchost
Viewer",
and it said the specific service was "HTTPFilter" (it shows up as HTTP
SSL
in "Services"). Why this particular service only occasionally pops up
(and
at the top of the Task Manager list) after a fresh boot up is beyond me,
however, and I can stop it with no noticeable effect.

Svchost Viewer (small freebie app):
http://svchostviewer.codeplex.com/

I read a little bit about "HTTPFilter" from some online searches, but the
reason still escapes me as to why this service only occasionally pops up
at
the top of the Task Manager list after booting up before doing anything,
and
most of the time does not. I'm probably being a bit paranoid about
this,
but I don't understand why it seems so capricious. Maybe you have some
plausible explanations. (?)

Here is some more detail from the Svchost Viewer screen (I typed it in):

svchost.exe with PID 4020 (process ID)
Name: HTTPFilter
Service Type: Share Process
Start Type: Manual
Description: This service implements the secure hypertext transfer
protocol
(HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If
this
service is disabled, any services that explicitly depend on it will fail
to
start.

Any ideas? :-)


So something is attempting to "dial out" securely ?
Like use SSL, so snoopers (like yourself :-) ) can't
see what is going on.

Mine is set to manual, and HTTPFilter is not running
right now. I tried https://www.google.com while in Internet
Explorer 6, and it still isn't running. Does the "manual" mean some
separate software has to run it ?

In WinXP Pro, you can use "tasklist /svc" to list the currently
running processes and services. I run that in a Command Prompt.
I'm told it doesn't work on WinXP Home, so Home users are out
of luck, and need to look to a third-party utility. I bet
Process Explorer (sysinternals.com) could give some info too.

The only thing that comes to mind, is using Bootvis
(if you can find a copy), and see if it's logged in
there somewhere during startup. Bootvis records activity at startup,
and maybe if a startup item is causing it to run,
you'd have a record of it. Support for Bootvis died at
Microsoft some time ago, but I didn't seem to have a problem
running it on my SP3 system here.

https://web.archive.org/web/20100601...otVis-Tool.exe

You could also use Autoruns from Sysinternals, and review what
is running on your system at startup. Which might be another
way of "catching a hint".

http://technet.microsoft.com/en-us/s...rnals/bb963902

Lots of software, use update checkers to check whether
the applications software is up to date. It could be
some crap like that.

Paul

Thanks for all this info. And I probably should look into this some more.
And yes, I do have some things running at startup that might be causing
this, depending on what process loads first thru last at startup, such as
the D4 time updater or some other software that wants to check for updates.
So I guess that's probably it, based on what you've said. TNX, Paul.