port 1025 open by svchost.exe, how 2 disable?

Discussion in 'Computer Security' started by Tony Martin, Aug 3, 2004.

  1. Tony Martin

    Tony Martin Guest

    Hi,
    I use dialup to connect to the Internet.

    It appears port 1025 is open and listening on my
    XP Home computer. It appears to be associated
    with a win os utility called svchost.exe

    The problem is I notice various Chinese and Korean
    sites connecting to that port (reasons unknown?)

    I notice at least 7 versions of svchost.exe in
    the "services" window. Can anyone tell me
    which of these services is unnecessary or
    the one causing port 1025 to be open and
    listening so I can disable it? Or the number
    of a MS security update patch that will stop
    this? Please reply here.

    Thanks for any assistance!
    Tony
     
    Tony Martin, Aug 3, 2004
    #1

  2. Tony Martin

    Don Kelloway Guest

    "Tony Martin" <> wrote in message
    news:...
    > Hi,
    > I use dialup to connect to the Internet.
    >
    > It appears port 1025 is open and listening on my
    > XP Home computer. It appears to be associated
    > with a win os utility called svchost.exe
    >
    > The problem is I notice various Chinese and Korean
    > sites connecting to that port (reasons unknown?)
    >
    > I notice at least 7 versions of svchost.exe in
    > the "services" window. Can anyone tell me
    > which of these services is unnecessary or
    > the one causing port 1025 to be open and
    > listening so I can disable it? Or the number
    > of a MS security update patch that will stop
    > this? Please reply here.
    >
    > Thanks for any assistance!
    > Tony


    The 'svchost.exe' is the executable name associated with 'Service Host
    Process' which is responsible within the Windows O/S for running various
    internal processes. It is perfectly normal to have multiple occurrences
    of 'svchost.exe' running and this is because each instance is
    responsible for running one or more other processes.

    Instead I recommend that you leave the 'svchost.exe' files alone and not
    continue any efforts to look for ways to disable it. Otherwise you may
    find yourself with an unstable system or more probable, a new doorstep
    to hold your bedroom door open. Of course the latter is a bit of an
    exaggeration, but if I were you I'd focus on ensuring that the system is
    secured with a decent firewall, is virus and spyware free.

    SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS
    window, type TASKLIST /SVC and press Enter. The result is that you'll
    receive a listing of all running processes, including the instances of
    'svchost.exe' as well as what each is running. Additionally if you want
    to know what specific process is responsible for which TCP/IP ports,
    type NETSTAT -ANO and press Enter. The result is that you'll receive a
    listing of ports and PIDs. With the PIDs compare it to the list of PIDs
    from running the TASKLIST command and voila!

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Aug 4, 2004
    #2
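The PID matching described in the post above (NETSTAT -ANO against TASKLIST /SVC), done in code as an added example that is not part of the original posts. Both listings below are constructed samples, and the function names and the service-to-port pairing are assumptions made for illustration.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1004
  TCP    192.0.2.10:1025        198.51.100.7:3456      ESTABLISHED     1004
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       2212
  UDP    0.0.0.0:1025           *:*                                    1004
"""

# Constructed sample of `tasklist /svc` output; long service lists wrap.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  908 RpcSs
svchost.exe                 1004 Dhcp, Dnscache, Schedule,
                                 winmgmt
"""

# A process row: image name (may contain spaces), PID, service list.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_tasklist(text):
    """Map PID -> (image name, [services]) from `tasklist /svc` output."""
    procs, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), [])
            rest = m.group(3)
        elif line[:1].isspace() and current is not None:
            rest = line  # wrapped continuation of the previous row
        else:
            continue  # header, separator or blank line
        procs[current][1].extend(
            s.strip() for s in rest.split(",") if s.strip() not in ("", "N/A"))
    return procs


def parse_listeners(text):
    """Yield (proto, local_addr, port, pid) for listening or bound sockets."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # TCP rows carry a State column; UDP rows do not.
        if parts[0] == "TCP" and parts[3] != "LISTENING":
            continue
        local = parts[1]
        yield parts[0], local, int(local.rsplit(":", 1)[1]), int(parts[-1])


def owners_of_port(netstat_text, tasklist_text, port):
    """Join the two listings on PID for one local port."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for proto, local, p, pid in parse_listeners(netstat_text):
        if p == port:
            # A PID missing from tasklist is worth a closer look by itself.
            image, services = procs.get(pid, ("<not in tasklist>", []))
            out.append((proto, local, pid, image, services))
    return out


if __name__ == "__main__":
    for row in owners_of_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 1025):
        print(row)
```

On a live system the two sample strings would be replaced by the saved output of the two commands.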

  3. Tony Martin

    Tony Martin Guest

    Hi Don,

    First, thank you for taking time to help!

    You're right, stopping svchost kills my
    browser's ability to resolve URLs.

    My computer is clean as far as BitDefender
    and ZoneAlarm will allow.

    Here is more background:

    I'm using a utility called TCPView.exe (from
    sysinternals.com) to determine what connection
    attempts are coming from the internet.

    I can stop the intrusions on port 1025
    by setting Internet Zone Security on
    Zone Alarm to High. Unfortunately this
    also stops several peer to peer chat
    utilities that we run, that use other non
    common ports.

    What I need (guessing?) is a way to
    just block this one port 1025. The copy
    of ZA I'm using (3.7 143) does not appear
    to allow the blocking of individual ports.

    Could you recommend an easy to use
    personal firewall that does? Or??

    TIA,
    Tony

    On Wed, 04 Aug 2004 04:58:49 GMT, "Don Kelloway"
    <> wrote:

    >"Tony Martin" <> wrote in message
    >news:...
    >> Hi,
    >> I use dialup to connect to the Internet.
    >>
    >> It appears port 1025 is open and listening on my
    >> XP Home computer. It appears to be associated
    >> with a win os utility called svchost.exe
    >>
    >> The problem is I notice various Chinese and Korean
    >> sites connecting to that port (reasons unknown?)
    >>
    >> I notice at least 7 versions of svchost.exe in
    >> the "services" window. Can anyone tell me
    >> which of these services is unnecessary or
    >> the one causing port 1025 to be open and
    >> listening so I can disable it? Or the number
    >> of a MS security update patch that will stop
    >> this? Please reply here.
    >>
    >> Thanks for any assistance!
    >> Tony

    >
    >The 'svchost.exe' is the executable name associated with 'Service Host
    >Process' which is responsible within the Windows O/S for running various
    >internal processes. It is perfectly normal to have multiple occurrences
    >of 'svchost.exe' running and this is because each instance is
    >responsible for running one or more other processes.
    >
    >Instead I recommend that you leave the 'svchost.exe' files alone and not
    >continue any efforts to look for ways to disable it. Otherwise you may
    >find yourself with an unstable system or more probable, a new doorstep
    >to hold your bedroom door open. Of course the latter is a bit of an
    >exaggeration, but if I were you I'd focus on ensuring that the system is
    >secured with a decent firewall, is virus and spyware free.
    >
    >SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS
    >window, type TASKLIST /SVC and press Enter. The result is that you'll
    >receive a listing of all running processes, including the instances of
    >'svchost.exe' as well as what each is running. Additionally if you want
    >to know what specific process is responsible for which TCP/IP ports,
    >type NETSTAT -ANO and press Enter. The result is that you'll receive a
    >listing of ports and PIDs. With the PIDs compare it to the list of PIDs
    >from running the TASKLIST command and voila!
     
    Tony Martin, Aug 4, 2004
    #3
  4. Tony Martin

    Just Wolfie Guest

    Well I've seen many a plenty a trojan running as svchost.exe or as some
    like to hide, scvhost.exe.

    There are numerous possibilities here, from basic, "Ag, it's nothing" to
    "Oh shit I've got a trojan", either of which is too much to guess.
    However I suggest amongst your firewall and other preventative
    measures, try running some spyware busters, like the elite Ad-Aware.

    Some info on port 1025
    http://support.microsoft.com/?id=kb;en-us;Q280132


    On Tue, 03 Aug 2004 13:59:40 GMT, Tony Martin <>
    wrote:

    >Hi,
    >I use dialup to connect to the Internet.
    >
    >It appears port 1025 is open and listening on my
    >XP Home computer. It appears to be associated
    >with a win os utility called svchost.exe
    >
    >The problem is I notice various Chinese and Korean
    >sites connecting to that port (reasons unknown?)
    >
    >I notice at least 7 versions of svchost.exe in
    >the "services" window. Can anyone tell me
    >which of these services is unnecessary or
    >the one causing port 1025 to be open and
    >listening so I can disable it? Or the number
    >of a MS security update patch that will stop
    >this? Please reply here.
    >
    >Thanks for any assistance!
    >Tony
     
    Just Wolfie, Aug 4, 2004
    #4
  5. Tony Martin

    Don Kelloway Guest

    "Tony Martin" <> wrote in message
    news:...
    > Hi Don,
    >
    > First, thank you for taking time to help!
    >
    > You're right, stopping svchost kills my
    > browser's ability to resolve URLs.
    >
    > My computer is clean as far as BitDefender
    > and ZoneAlarm will allow.
    >
    > Here is more background:
    >
    > I'm using a utility called TCPView.exe (from
    > sysinternals.com) to determine what connection
    > attempts are coming from the internet.
    >
    > I can stop the intrusions on port 1025
    > by setting Internet Zone Security on
    > Zone Alarm to High. Unfortunately this
    > also stops several peer to peer chat
    > utilities that we run, that use other non
    > common ports.
    >
    > What I need (guessing?) is a way to
    > just block this one port 1025. The copy
    > of ZA I'm using (3.7 143) does not appear
    > to allow the blocking of individual ports.
    >
    > Could you recommend an easy to use
    > personal firewall that does? Or??
    >
    > TIA,
    > Tony
    >
    > On Wed, 04 Aug 2004 04:58:49 GMT, "Don Kelloway"
    > <> wrote:
    >
    > >"Tony Martin" <> wrote in message
    > >news:...
    > >> Hi,
    > >> I use dialup to connect to the Internet.
    > >>
    > >> It appears port 1025 is open and listening on my
    > >> XP Home computer. It appears to be associated
    > >> with a win os utility called svchost.exe
    > >>
    > >> The problem is I notice various Chinese and Korean
    > >> sites connecting to that port (reasons unknown?)
    > >>
    > >> I notice at least 7 versions of svchost.exe in
    > >> the "services" window. Can anyone tell me
    > >> which of these services is unnecessary or
    > >> the one causing port 1025 to be open and
    > >> listening so I can disable it? Or the number
    > >> of a MS security update patch that will stop
    > >> this? Please reply here.
    > >>
    > >> Thanks for any assistance!
    > >> Tony

    > >
    > >The 'svchost.exe' is the executable name associated with 'Service Host
    > >Process' which is responsible within the Windows O/S for running various
    > >internal processes. It is perfectly normal to have multiple occurrences
    > >of 'svchost.exe' running and this is because each instance is
    > >responsible for running one or more other processes.
    > >
    > >Instead I recommend that you leave the 'svchost.exe' files alone and not
    > >continue any efforts to look for ways to disable it. Otherwise you may
    > >find yourself with an unstable system or more probable, a new doorstep
    > >to hold your bedroom door open. Of course the latter is a bit of an
    > >exaggeration, but if I were you I'd focus on ensuring that the system is
    > >secured with a decent firewall, is virus and spyware free.
    > >
    > >SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS
    > >window, type TASKLIST /SVC and press Enter. The result is that you'll
    > >receive a listing of all running processes, including the instances of
    > >'svchost.exe' as well as what each is running. Additionally if you want
    > >to know what specific process is responsible for which TCP/IP ports,
    > >type NETSTAT -ANO and press Enter. The result is that you'll receive a
    > >listing of ports and PIDs. With the PIDs compare it to the list of PIDs
    > >from running the TASKLIST command and voila!
    >


    Tony,

    I hope you understand that you're not going to be able to stop persons
    on the Internet from *attempting* to connect to port 1025 (or any port
    for that matter) on your PC. The 'attempt' is something that will
    always exist. Your focus should simply be to ensure that your firewall
    is configured to block the attempt.

    re: the specifics of port 1025.

    It's one of several ports between 1024 through 1030 that are used for
    internal communications within the Windows o/s. These communications
    are for any one or more of many internal running processes or services.
    Trying to stop this port from listening will probably result in breaking
    something, which I believe you have already discovered.

    With this being said, the best course of action is to do what you are
    already doing and that is to ensure that your firewall is configured to
    block all inbound traffic to your PC. BTW ensuring your firewall is
    configured to block inbound traffic means just that. It means that if
    someone on the Internet were to attempt to connect to that port on your
    PC, the connection itself would be blocked. You cannot configure your
    firewall to stop someone from making the attempt. If that doesn't make
    sense, let me try an analogy.

    Your front door has a mail slot which can be locked from the inside thus
    preventing anyone on the outside from opening the mail slot and slipping
    a letter through and dropping it on the floor. Ensuring that the mail
    slot is locked is what you want to do to prevent mail from getting
    inside. Unfortunately even with the mail slot being locked there is
    nothing you can do when someone tries to push on the mail slot from the
    outside in their effort to slip a letter in. In other words locking the
    mail slot stops the letter from getting inside. It doesn't stop the
    person from trying to open the mail slot.

    BTW I agree that TCPView from SysInternals is a great freeware utility.


    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Aug 5, 2004
    #5
  6. Tony Martin

    Don Kelloway Guest

    "Just Wolfie" <> wrote in message
    news:...
    > Well I've seen many a plenty a trojan running as svchost.exe or as some
    > like to hide, scvhost.exe.
    >
    > There are numerous possibilities here, from basic, "Ag, it's nothing" to
    > "Oh shit I've got a trojan", either of which is too much to guess.
    > However I suggest amongst your firewall and other preventative
    > measures, try running some spyware busters, like the elite Ad-Aware.
    >
    > Some info on port 1025
    > http://support.microsoft.com/?id=kb;en-us;Q280132
    >
    >


    Mmmm I never stated that you wouldn't or couldn't find instances of
    'svchost.exe' or 'scvhost.exe' being a trojan or worm. What I offered
    was that the instance of the 'svchost.exe' the poster was seeing was
    very likely a legitimate occurrence (something I believe the poster has
    confirmed) and that his desire to stop it from listening on a particular
    port was not very likely to be successful. And like yourself, I too
    offered the recommendation of a firewall, and an AV and spyware scanner.

    BTW the article you reference is in regards to MS Exchange 2000.
    Instead I would suggest either of the following, depending upon the o/s
    being used:

    A description of Svchost.exe in Windows XP
    http://support.microsoft.com/?kbid=314056

    or

    A description of Svchost.exe in Windows 2000
    http://support.microsoft.com/?kbid=250320


    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Aug 5, 2004
    #6
  7. Tony Martin

    Tony Martin Guest

    Hi Don,

    Ok, I upgraded to Zone Alarm Pro 5.1 which allows
    the blocking of internet traffic either coming in
    or out of any specified port. I blocked both TCP and
    UDP "incoming" on port 1025, and svchost still resolves
    URLs ok. All other functions, including my home LAN
    seem to be running ok. Furthermore, TCPView no longer
    shows any foreign (mostly Chinese and Korean)
    connections on port 1025.

    Being an Airline Pilot I suppose my IT jargon was
    not precise enough. I know you cannot stop your
    system from being probed. However, my reasoning
    suggested that I should be at least able to block
    incoming on that one listening port.

    It's possible the connections on port 1025 were
    harmless inasmuch as nothing there could
    be exploited, but since Bill Gates isn't my
    neighbor, I had no way of knowing! :)

    Problems solved, thanks again for all your help.
    Tony

    On Thu, 05 Aug 2004 07:10:06 GMT, "Don Kelloway"
    <> wrote:

    >"Tony Martin" <> wrote in message
    >news:...
    >> Hi Don,
    >>
    >> First, thank you for taking time to help!
    >>
    >> You're right, stopping svchost kills my
    >> browser's ability to resolve URLs.
    >>
    >> My computer is clean as far as BitDefender
    >> and ZoneAlarm will allow.
    >>
    >> Here is more background:
    >>
    >> I'm using a utility called TCPView.exe (from
    >> sysinternals.com) to determine what connection
    >> attempts are coming from the internet.
    >>
    >> I can stop the intrusions on port 1025
    >> by setting Internet Zone Security on
    >> Zone Alarm to High. Unfortunately this
    >> also stops several peer to peer chat
    >> utilities that we run, that use other non
    >> common ports.
    >>
    >> What I need (guessing?) is a way to
    >> just block this one port 1025. The copy
    >> of ZA I'm using (3.7 143) does not appear
    >> to allow the blocking of individual ports.
    >>
    >> Could you recommend an easy to use
    >> personal firewall that does? Or??
    >>
    >> TIA,
    >> Tony
    >>
    >> On Wed, 04 Aug 2004 04:58:49 GMT, "Don Kelloway"
    >> <> wrote:
    >>
    >> >"Tony Martin" <> wrote in message
    >> >news:...
    >> >> Hi,
    >> >> I use dialup to connect to the Internet.
    >> >>
    >> >> It appears port 1025 is open and listening on my
    >> >> XP Home computer. It appears to be associated
    >> >> with a win os utility called svchost.exe
    >> >>
    >> >> The problem is I notice various Chinese and Korean
    >> >> sites connecting to that port (reasons unknown?)
    >> >>
    >> >> I notice at least 7 versions of svchost.exe in
    >> >> the "services" window. Can anyone tell me
    >> >> which of these services is unnecessary or
    >> >> the one causing port 1025 to be open and
    >> >> listening so I can disable it? Or the number
    >> >> of a MS security update patch that will stop
    >> >> this? Please reply here.
    >> >>
    >> >> Thanks for any assistance!
    >> >> Tony
    >> >
    >> >The 'svchost.exe' is the executable name associated with 'Service Host
    >> >Process' which is responsible within the Windows O/S for running various
    >> >internal processes. It is perfectly normal to have multiple occurrences
    >> >of 'svchost.exe' running and this is because each instance is
    >> >responsible for running one or more other processes.
    >> >
    >> >Instead I recommend that you leave the 'svchost.exe' files alone and not
    >> >continue any efforts to look for ways to disable it. Otherwise you may
    >> >find yourself with an unstable system or more probable, a new doorstep
    >> >to hold your bedroom door open. Of course the latter is a bit of an
    >> >exaggeration, but if I were you I'd focus on ensuring that the system is
    >> >secured with a decent firewall, is virus and spyware free.
    >> >
    >> >SPECIAL NOTE: If you're running Windows XP Pro you can open a DOS
    >> >window, type TASKLIST /SVC and press Enter. The result is that you'll
    >> >receive a listing of all running processes, including the instances of
    >> >'svchost.exe' as well as what each is running. Additionally if you want
    >> >to know what specific process is responsible for which TCP/IP ports,
    >> >type NETSTAT -ANO and press Enter. The result is that you'll receive a
    >> >listing of ports and PIDs. With the PIDs compare it to the list of PIDs
    >> >from running the TASKLIST command and voila!
    >>
    >
    >Tony,
    >
    >I hope you understand that you're not going to be able to stop persons
    >on the Internet from *attempting* to connect to port 1025 (or any port
    >for that matter) on your PC. The 'attempt' is something that will
    >always exist. Your focus should simply be to ensure that your firewall
    >is configured to block the attempt.
    >
    >re: the specifics of port 1025.
    >
    >It's one of several ports between 1024 through 1030 that are used for
    >internal communications within the Windows o/s. These communications
    >are for any one or more of many internal running processes or services.
    >Trying to stop this port from listening will probably result in breaking
    >something, which I believe you have already discovered.
    >
    >With this being said, the best course of action is to do what you are
    >already doing and that is to ensure that your firewall is configured to
    >block all inbound traffic to your PC. BTW ensuring your firewall is
    >configured to block inbound traffic means just that. It means that if
    >someone on the Internet were to attempt to connect to that port on your
    >PC, the connection itself would be blocked. You cannot configure your
    >firewall to stop someone from making the attempt. If that doesn't make
    >sense, let me try an analogy.
    >
    >Your front door has a mail slot which can be locked from the inside thus
    >preventing anyone on the outside from opening the mail slot and slipping
    >a letter through and dropping it on the floor. Ensuring that the mail
    >slot is locked is what you want to do to prevent mail from getting
    >inside. Unfortunately even with the mail slot being locked there is
    >nothing you can do when someone tries to push on the mail slot from the
    >outside in their effort to slip a letter in. In other words locking the
    >mail slot stops the letter from getting inside. It doesn't stop the
    >person from trying to open the mail slot.
    >
    >BTW I agree that TCPView from SysInternals is a great freeware utility.
     
    Tony Martin, Aug 5, 2004
    #7