Computer Security - port 1025 open by svchost.exe, how 2 disable?

#1

Hi,

I use dialup to connect to the Internet.

It appears port 1025 is open and listening on my XP Home computer. It appears to be associated with a win os utility called svchost.exe

The problem is I notice various Chinese and Korean sites connecting to that port (reasons unknown?)

I notice at least 7 versions of svchost.exe in the "services" window. Can anyone tell me which of these services is unnecessary or the one causing port 1025 to be open and listening so I can disable it? Or the number of a MS security update patch that will stop this? Please reply here.

Thanks for any assistance!
Tony

Tony Martin

#2

"Tony Martin" <> wrote in message news:...

> Hi,
> I use dialup to connect to the Internet.
>
> It appears port 1025 is open and listening on my XP Home computer. It appears to be associated with a win os utility called svchost.exe
>
> The problem is I notice various Chinese and Korean sites connecting to that port (reasons unknown?)
>
> I notice at least 7 versions of svchost.exe in the "services" window. Can anyone tell me which of these services is unnecessary or the one causing port 1025 to be open and listening so I can disable it? Or the number of a MS security update patch that will stop this? Please reply here.
>
> Thanks for any assistance!
> Tony

The 'svchost.exe' is the executable name associated with 'Service Host Process' which is responsible within the Windows O/S for running various internal processes. It is perfectly normal to have multiple occurrences of 'svchost.exe' running and this is because each instance is responsible for running one or more other processes.

Instead I recommend that you leave the 'svchost.exe' files alone and not continue any efforts to look for ways to disable it. Otherwise you may find yourself with an unstable system or more probable, a new doorstop to hold your bedroom door open. Of course the latter is a bit of an exaggeration, but if I were you I'd focus on ensuring that the system is secured with a decent firewall, is virus and spyware free.

SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS window, type TASKLIST /SVC and press Enter. The result is that you'll receive a listing of all running processes, including the instances of 'svchost.exe' as well as what each is running. Additionally if you want to know what specific process is responsible for which TCP/IP ports, type NETSTAT -ANO and press Enter. The result is that you'll receive a listing of ports and PIDs. With the PIDs compare it to the list of PIDs from running the TASKLIST command and voila!

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security on the Internet".

Don Kelloway

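The PID comparison between NETSTAT -ANO and TASKLIST /SVC described in the post above can be scripted. This is an added example, not part of any post in the thread; the command output embedded in it is constructed sample text and the function names are hypothetical.

```python
import re

# Constructed sample command output (not from the poster's machine).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1012
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1780
  TCP    10.0.0.5:1025          203.0.113.7:4312       ESTABLISHED     1012
  UDP    0.0.0.0:1026           *:*                                    1012
"""
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                 1012 AudioSrv, Dhcp, Schedule,
                                 Themes, winmgmt
alg.exe                     1780 ALG
"""

def parse_tasklist_svc(text):
    """Map PID -> (image name, [services]), joining wrapped service lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last, line = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif not line[:1].isspace() or last is None:
            continue  # header, ruler or blank; otherwise a wrapped service list
        names = (s.strip() for s in line.split(","))
        procs[last][1].extend(n for n in names if n and n != "N/A")
    return procs

def parse_netstat_ano(text):
    """Return (proto, local_addr, local_port, state, pid) per socket line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        addr, port = f[1].rsplit(":", 1)
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""  # UDP has none
        rows.append((f[0], addr, int(port), state, int(f[-1])))
    return rows

def owners_of_port(port, netstat_text, tasklist_text):
    """Listening TCP / bound UDP sockets on `port`, joined to their services."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for proto, addr, lport, state, pid in parse_netstat_ano(netstat_text):
        if lport != port or (proto == "TCP" and state != "LISTENING"):
            continue  # skip other ports and already-established connections
        image, services = procs.get(pid, ("<unknown>", []))
        exposed = addr not in ("127.0.0.1", "[::1]")  # loopback-only is local
        hits.append((proto, addr, pid, image, services, exposed))
    return hits

if __name__ == "__main__":
    print(owners_of_port(1025, NETSTAT_ANO, TASKLIST_SVC))
```

The last field of each result is true when the socket is bound to a non-loopback address, which is the case where an inbound firewall rule decides whether the port is reachable from outside.
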
#3

Hi Don,

First, thank you for taking time to help!

You're right, stopping svchost kills my browser's ability to resolve URLs.

My computer is clean as far as BitDefender and ZoneAlarm will allow.

Here is more background:

I'm using a utility called TCPView.exe (from sysinternals.com) to determine what connection attempts are coming from the internet.

I can stop the intrusions on port 1025 by setting Internet Zone Security on Zone Alarm to High. Unfortunately this also stops several peer to peer chat utilities that we run, that use other non common ports.

What I need (guessing?) is a way to just block this one port 1025. The copy of ZA I'm using (3.7 143) does not appear to allow the blocking of individual ports.

Could you recommend an easy to use personal firewall that does? Or??

TIA,
Tony

On Wed, 04 Aug 2004 04:58:49 GMT, "Don Kelloway" <> wrote:

> "Tony Martin" <> wrote in message news:...
>
>> Hi,
>> I use dialup to connect to the Internet.
>>
>> It appears port 1025 is open and listening on my XP Home computer. It appears to be associated with a win os utility called svchost.exe
>>
>> The problem is I notice various Chinese and Korean sites connecting to that port (reasons unknown?)
>>
>> I notice at least 7 versions of svchost.exe in the "services" window. Can anyone tell me which of these services is unnecessary or the one causing port 1025 to be open and listening so I can disable it? Or the number of a MS security update patch that will stop this? Please reply here.
>>
>> Thanks for any assistance!
>> Tony
>
> The 'svchost.exe' is the executable name associated with 'Service Host Process' which is responsible within the Windows O/S for running various internal processes. It is perfectly normal to have multiple occurrences of 'svchost.exe' running and this is because each instance is responsible for running one or more other processes.
>
> Instead I recommend that you leave the 'svchost.exe' files alone and not continue any efforts to look for ways to disable it. Otherwise you may find yourself with an unstable system or more probable, a new doorstop to hold your bedroom door open. Of course the latter is a bit of an exaggeration, but if I were you I'd focus on ensuring that the system is secured with a decent firewall, is virus and spyware free.
>
> SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS window, type TASKLIST /SVC and press Enter. The result is that you'll receive a listing of all running processes, including the instances of 'svchost.exe' as well as what each is running. Additionally if you want to know what specific process is responsible for which TCP/IP ports, type NETSTAT -ANO and press Enter. The result is that you'll receive a listing of ports and PIDs. With the PIDs compare it to the list of PIDs from running the TASKLIST command and voila!

Tony Martin

#4

Well I've seen many a plenty a trojan running as svchost.exe or as some like to hide, scvhost.exe.

There are numerous possibilities here, from basic, "Ag, it's nothing" to "Oh **** I've got a trojan", either of which is too much to guess. However I suggest amongst your firewall and other preventative measures, try running some spyware busters, like the elite Ad-Aware.

Some info on port 1025
http://support.microsoft.com/?id=kb;en-us;Q280132

On Tue, 03 Aug 2004 13:59:40 GMT, Tony Martin <> wrote:

> Hi,
> I use dialup to connect to the Internet.
>
> It appears port 1025 is open and listening on my XP Home computer. It appears to be associated with a win os utility called svchost.exe
>
> The problem is I notice various Chinese and Korean sites connecting to that port (reasons unknown?)
>
> I notice at least 7 versions of svchost.exe in the "services" window. Can anyone tell me which of these services is unnecessary or the one causing port 1025 to be open and listening so I can disable it? Or the number of a MS security update patch that will stop this? Please reply here.
>
> Thanks for any assistance!
> Tony

Just Wolfie

#5

"Tony Martin" <> wrote in message news:...

> Hi Don,
>
> First, thank you for taking time to help!
>
> You're right, stopping svchost kills my browser's ability to resolve URLs.
>
> My computer is clean as far as BitDefender and ZoneAlarm will allow.
>
> Here is more background:
>
> I'm using a utility called TCPView.exe (from sysinternals.com) to determine what connection attempts are coming from the internet.
>
> I can stop the intrusions on port 1025 by setting Internet Zone Security on Zone Alarm to High. Unfortunately this also stops several peer to peer chat utilities that we run, that use other non common ports.
>
> What I need (guessing?) is a way to just block this one port 1025. The copy of ZA I'm using (3.7 143) does not appear to allow the blocking of individual ports.
>
> Could you recommend an easy to use personal firewall that does? Or??
>
> TIA,
> Tony
>
> On Wed, 04 Aug 2004 04:58:49 GMT, "Don Kelloway" <> wrote:
>
>> "Tony Martin" <> wrote in message news:...
>>
>>> Hi,
>>> I use dialup to connect to the Internet.
>>>
>>> It appears port 1025 is open and listening on my XP Home computer. It appears to be associated with a win os utility called svchost.exe
>>>
>>> The problem is I notice various Chinese and Korean sites connecting to that port (reasons unknown?)
>>>
>>> I notice at least 7 versions of svchost.exe in the "services" window. Can anyone tell me which of these services is unnecessary or the one causing port 1025 to be open and listening so I can disable it? Or the number of a MS security update patch that will stop this? Please reply here.
>>>
>>> Thanks for any assistance!
>>> Tony
>>
>> The 'svchost.exe' is the executable name associated with 'Service Host Process' which is responsible within the Windows O/S for running various internal processes. It is perfectly normal to have multiple occurrences of 'svchost.exe' running and this is because each instance is responsible for running one or more other processes.
>>
>> Instead I recommend that you leave the 'svchost.exe' files alone and not continue any efforts to look for ways to disable it. Otherwise you may find yourself with an unstable system or more probable, a new doorstop to hold your bedroom door open. Of course the latter is a bit of an exaggeration, but if I were you I'd focus on ensuring that the system is secured with a decent firewall, is virus and spyware free.
>>
>> SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS window, type TASKLIST /SVC and press Enter. The result is that you'll receive a listing of all running processes, including the instances of 'svchost.exe' as well as what each is running. Additionally if you want to know what specific process is responsible for which TCP/IP ports, type NETSTAT -ANO and press Enter. The result is that you'll receive a listing of ports and PIDs. With the PIDs compare it to the list of PIDs from running the TASKLIST command and voila!

Tony,

I hope you understand that you're not going to be able to stop persons on the Internet from *attempting* to connect to port 1025 (or any port for that matter) on your PC. The 'attempt' is something that will always exist. Your focus should simply be to ensure that your firewall is configured to block the attempt.

re: the specifics of port 1025.

It's one of several ports between 1024 through 1030 that are used for internal communications within the Windows o/s. These communications are for any one or more of many internal running processes or services. Trying to stop this port from listening will probably result in breaking something, which I believe you have already discovered.

With this being said, the best course of action is to do what you are already doing and that is to ensure that your firewall is configured to block all inbound traffic to your PC. BTW ensuring your firewall is configured to block inbound traffic means just that. It means that if someone on the Internet were to attempt to connect to that port on your PC, the connection itself would be blocked. You cannot configure your firewall to stop someone from making the attempt. If that doesn't make sense, let me try an analogy.

Your front door has a mail slot which can be locked from the inside thus preventing anyone on the outside from opening the mail slot and slipping a letter through and dropping it on the floor. Ensuring that the mail slot is locked is what you want to do to prevent mail from getting inside. Unfortunately even with the mail slot being locked there is nothing you can do when someone tries to push on the mail slot from the outside in their effort to slip a letter in. In other words locking the mail slot stops the letter from getting inside. It doesn't stop the person from trying to open the mail slot.

BTW I agree that TCPView from SysInternals is a great freeware utility.

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security on the Internet".

Don Kelloway

#6

"Just Wolfie" <> wrote in message news:...

> Well I've seen many a plenty a trojan running as svchost.exe or as some like to hide, scvhost.exe.
>
> There are numerous possibilities here, from basic, "Ag, it's nothing" to "Oh **** I've got a trojan", either of which is too much to guess. However I suggest amongst your firewall and other preventative measures, try running some spyware busters, like the elite Ad-Aware.
>
> Some info on port 1025
> http://support.microsoft.com/?id=kb;en-us;Q280132

Mmmm I never stated that you wouldn't or couldn't find instances of 'svchost.exe' or 'scvhost.exe' being a trojan or worm. What I offered was that the instance of the 'svchost.exe' the poster was seeing was very likely a legitimate occurrence (something I believe the poster has confirmed) and that his desire to stop it from listening on a particular port was not very likely to be successful. And like yourself, I too offered the recommendation of a firewall, and an AV and spyware scanner.

BTW the article you reference is in regards to MS Exchange 2000. Instead I would suggest either of the following, depending upon the o/s being used:

A description of Svchost.exe in Windows XP
http://support.microsoft.com/?kbid=314056

or

A description of Svchost.exe in Windows 2000
http://support.microsoft.com/?kbid=250320

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your Security on the Internet".

Don Kelloway

#7

Hi Don,

Ok, I upgraded to Zone Alarm Pro 5.1 which allows the blocking of internet traffic either coming in or out of any specified port.

I blocked both TCP and UDP "incoming" on port 1025, and svchost still resolves URLs ok. All other functions, including my home LAN, seem to be running ok. Furthermore, TCPView no longer shows any foreign (mostly Chinese and Korean) connections on port 1025.

Being an Airline Pilot I suppose my IT jargon was not precise enough. I know you cannot stop your system from being probed. However, my reasoning suggested that I should be at least able to block incoming on that one listening port.

It's possible the connections on port 1025 were harmless in as much as nothing there could be exploited, but since Bill Gates isn't my neighbor, I had no way of knowing!

Problems solved, thanks again for all your help.

Tony

On Thu, 05 Aug 2004 07:10:06 GMT, "Don Kelloway" <> wrote:

> "Tony Martin" <> wrote in message news:...
>
>> Hi Don,
>>
>> First, thank you for taking time to help!
>>
>> You're right, stopping svchost kills my browser's ability to resolve URLs.
>>
>> My computer is clean as far as BitDefender and ZoneAlarm will allow.
>>
>> Here is more background:
>>
>> I'm using a utility called TCPView.exe (from sysinternals.com) to determine what connection attempts are coming from the internet.
>>
>> I can stop the intrusions on port 1025 by setting Internet Zone Security on Zone Alarm to High. Unfortunately this also stops several peer to peer chat utilities that we run, that use other non common ports.
>>
>> What I need (guessing?) is a way to just block this one port 1025. The copy of ZA I'm using (3.7 143) does not appear to allow the blocking of individual ports.
>>
>> Could you recommend an easy to use personal firewall that does? Or??
>>
>> TIA,
>> Tony
>>
>> On Wed, 04 Aug 2004 04:58:49 GMT, "Don Kelloway" <> wrote:
>>
>>> "Tony Martin" <> wrote in message news:...
>>>
>>>> Hi,
>>>> I use dialup to connect to the Internet.
>>>>
>>>> It appears port 1025 is open and listening on my XP Home computer. It appears to be associated with a win os utility called svchost.exe
>>>>
>>>> The problem is I notice various Chinese and Korean sites connecting to that port (reasons unknown?)
>>>>
>>>> I notice at least 7 versions of svchost.exe in the "services" window. Can anyone tell me which of these services is unnecessary or the one causing port 1025 to be open and listening so I can disable it? Or the number of a MS security update patch that will stop this? Please reply here.
>>>>
>>>> Thanks for any assistance!
>>>> Tony
>>>
>>> The 'svchost.exe' is the executable name associated with 'Service Host Process' which is responsible within the Windows O/S for running various internal processes. It is perfectly normal to have multiple occurrences of 'svchost.exe' running and this is because each instance is responsible for running one or more other processes.
>>>
>>> Instead I recommend that you leave the 'svchost.exe' files alone and not continue any efforts to look for ways to disable it. Otherwise you may find yourself with an unstable system or more probable, a new doorstop to hold your bedroom door open. Of course the latter is a bit of an exaggeration, but if I were you I'd focus on ensuring that the system is secured with a decent firewall, is virus and spyware free.
>>>
>>> SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS window, type TASKLIST /SVC and press Enter. The result is that you'll receive a listing of all running processes, including the instances of 'svchost.exe' as well as what each is running. Additionally if you want to know what specific process is responsible for which TCP/IP ports, type NETSTAT -ANO and press Enter. The result is that you'll receive a listing of ports and PIDs. With the PIDs compare it to the list of PIDs from running the TASKLIST command and voila!
>
> Tony,
>
> I hope you understand that you're not going to be able to stop persons on the Internet from *attempting* to connect to port 1025 (or any port for that matter) on your PC. The 'attempt' is something that will always exist. Your focus should simply be to ensure that your firewall is configured to block the attempt.
>
> re: the specifics of port 1025.
>
> It's one of several ports between 1024 through 1030 that are used for internal communications within the Windows o/s. These communications are for any one or more of many internal running processes or services. Trying to stop this port from listening will probably result in breaking something, which I believe you have already discovered.
>
> With this being said, the best course of action is to do what you are already doing and that is to ensure that your firewall is configured to block all inbound traffic to your PC. BTW ensuring your firewall is configured to block inbound traffic means just that. It means that if someone on the Internet were to attempt to connect to that port on your PC, the connection itself would be blocked. You cannot configure your firewall to stop someone from making the attempt. If that doesn't make sense, let me try an analogy.
>
> Your front door has a mail slot which can be locked from the inside thus preventing anyone on the outside from opening the mail slot and slipping a letter through and dropping it on the floor. Ensuring that the mail slot is locked is what you want to do to prevent mail from getting inside. Unfortunately even with the mail slot being locked there is nothing you can do when someone tries to push on the mail slot from the outside in their effort to slip a letter in. In other words locking the mail slot stops the letter from getting inside. It doesn't stop the person from trying to open the mail slot.
>
> BTW I agree that TCPView from SysInternals is a great freeware utility.

Tony Martin