Svchost.exe - what's it do .....?

[confus-ed]

What is this doing ...? exactly ....

I know its a network service but its using my ports, how & why I don't know, so I'm askin'...

[NooNoo]

<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;q250320" target="_blank">according to ms kb...</a>

So you gotta do a tlist and find out what services you are running and then figure out from there why they have ports open

[freddy]

there has been a link recently on this site listing sevice and dependancies ,,,but after searching for 47 minutes and a walk to blockbusters i gave up. i did find the link noo noo found ,,and in webferrit a lot of listings (mainly forign) however according to this <a href="http://www.winportal.com/chat.asp?ObjectID=4777" target="_blank">http://www.winportal.com/chat.asp?ObjectID=4777</a> this guy is frightened it,s steeling his memory

svchost is in partnership with svhost (from what i gather i,ve two instances of svchost running now ,, and another forum discussing both of them <a href="http://www.linkbyte.com/ubb/Forum6/HTML/000008.html" target="_blank">http://www.linkbyte.com/ubb/Forum6/HTML/000008.html</a>

FtF

[FatalException0E]

This is kind of frightening. Just today I looked at my win2k laptop's 'processes' tab in task mgr, saw two instances of svchost.exe and thought "I wonder what exactly that does?"

[The Rifleman]

I think you have separate instances for each network connection.

I have 5 listed and have often wondered what it was.

[Quiet Thunder]

It does many many different things. I believe at LEAST one can be tied to Norton Antivirus. Also, one or two can be tied to MS, plus, one or more is tied to a service, ect..... Apparently everyone decided to give their process the same name. <img border="0" title="" alt="[Frown]" src="frown.gif" />

[MacGyver]

This page <a href="http://www.blackviper.com/WinXP/service411.htm" target="_blank">http://www.blackviper.com/WinXP/service411.htm</a> explains each service and what it does

[confus-ed]

Well I found this in German, its suffered a little in the translation but it makes as much sense as anything I've read so far </font><blockquote><font size="1" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">quote:</font><hr /><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif"> 3.) svchost.exe
Briefly with my words: The Svchost.exe summarizes several started services in the Registry and emerges therefore in the task manager also more frequently!
Description OF Svchost.exe
<a href="http://support.microsoft.com/support/kb/articles/Q250/3/20.ASP" target="_blank">http://support.microsoft.com/support/kb/articles/Q250/3/20.ASP</a>
and... s.th in english..i to tons lazy ton translate it:
One immediately wonders what thesis of acres. The name, SvcHost, apparently conditions for "service host," since SVC HOST is A towards Eric host process name for services that acres run from DLL files. RK startup, SVC HOST check the Windows Registry ton build A cunning OF services that it needs tons of load. Then it loads them. Several of copies OF SVC HOST May lakes running RK the same time because each group OF services listed into the Registry of trigger A separate SVC HOST session.
By the way: Which stands here is my knowledge after merciless Quatsch!
<a href="http://www.tpffaq.com/cgi-bin/faqmanager.cgi?file=xp&toc=faq#q2" target="_blank">http://www.tpffaq.com/cgi-bin/faqmanager.cgi?file=xp&toc=faq#q2</a>

have their still information?

Greeting
</font><hr /></blockquote><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">I think that means its the equivalent of rundll & rundll32 so it makes dlls go...

so as NooNoo said chase down the processes loaded by it, soooooooo how do I do that....

Whatever the hell this does it sends Zone Alarm potty, more potty than me

[NooNoo]

Confus-ed if you do the tlist - as described in that link, it tells you exactly what it is loading...

[confus-ed]

Apologies, I'm obviously being thick, but when I said </font><blockquote><font size="1" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">quote:</font><hr /><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif"> so as NooNoo said chase down the processes loaded by it, soooooooo how do I do that.... </font><hr /></blockquote><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">I should have said I understand the use of Tlist, as mentioned in the link but how the hey am I gonna figure which one of howevermany processes(dlls)is actually using the port, like in the original q?

[NooNoo]

From the PID - netstat -o -a

[confus-ed]

Ahhh well I'm obviuously busy not saying what I wanted.... what I wanted was that list of ports used by blob-blob like Freddy mentioned , so now I've found it - for future reference - <a href="http://www.iana.org/assignments/port-numbers" target="_blank">Usual port assignmentments</a>

So now with Tlist & nstat & that I ought to be able to work out what service is actually using what port & what shouldn't be using anything, I hope , but thanks all anyways....

[Stalemate]

As we speak, I have 5 instances of SVCHOST.EXE displayed in the task manager.

I know that most are linked to my firewall and network connections, but its still a pain in the but when you're trying to configure applications to be filtered by said firewall.

[Icharus]

I recently discovered that there is a backdoor program called svchost.exe. It shows up exactly like all other instances running in the task list. I noticed it's presence on my machine when I came to use the computer one night, and someone was running an mIRC server on my desktop.

The nasty app had installed itself in a new folder under %systemroot%\system32 in a folder named \system. The backdoor version of this file is significantly larger in size than the Microsoft version. Norton Internet Security also identified it after I ran a virus scan.

[jaredsmith]

I have been concerned about a large SVCHOST.EXE file - my last Norton Virus Scan didn't seem to mind. My laptop hangs up alot - releases when I open the task manager with crtl-alt-del. Do you think this could be related to the SVCHOST.EXE issue?