What Are Generic Host Processes?

Well I know the relevant file is C:\WINNT\system32\svhost.exe. I keep
getting messages from the Firewall, asking whether I should give it
access to the Internet and Server privileges. Can anybody explain
what this is all about? Thanks.

 

You need to give it access. It controls such
things as DNS resolving, DHCP, SSDP discovery
services.

Description of Svchost.exe
http://support.microsoft.com/?kbid=250320

 

Do you have to also let it act as a server? Thanks.

 

Svchost is the messenger for the O/S. Svchost has many tasks and one of
them is being the communication link between programs running between
machines on the LAN and WAN (WAN being the Internet). Not only does the
O/S use Svchost on its behalf to communicate but other programs such as
malware can use Svchost on their behalf too.

If Svchost is communicating to unknown remote IP(s), then one should be
concerned and find out what is using the messenger and kill it instead of
the messenger, because it's never Svchost the messenger that wants to
communicate -- don't kill the messenger.

So, one stops svchost from communicating for some reason (that is
unknown) and then one turns around and allows svchost to communicate for
some other reason. What happened to the reason one stopped svchost? It
did go anywhere and is still there on the machine.

If svchost.exe is not running out of winnt\system32 or windows\system32
on the NT based O/S, then it's a Trojan.

You can use Active Ports (free) to determine inbound and outbound
connections on a routine basis by running processes on the machine,
because malware can easily circumvent and defeat any PFW solution. One
can put a short-cut in the startup folder for Active Ports and it will
give you a clear picture as to what is happening, since malware can beat
any PFW solution at boot and be done before a PFW solution can even get
on the TCP/IP and stop it.

You can use Process Explorer (free) to look inside a running process and
see what processes/programs are using the process.

You're out there on the Internet and they have got to practice on someone
and you're fair game.

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and
_Rootkit_Tools_in_a_Windows_Environment.html

You should *harden* the XP O/S to attack a little bit. The buck stops at
the O/S and everything else is secondary to it.

http://www.uksecurityonline.com/index5.php

Duane

 

You should allow it:

DHCP...
Protocol UPD
Remote port = BOOTPS (67)
Local port = BOOTPC (68)

DNS...
Protocol UDP
Local port = DNS (53)

HTTP...
Protocol TCP
Direction = Outbound
Remote port = HTTP (80)

HTTPS...
Protocol TCP
Direction = Outbound
Remote port = HTTPS (443)

Time Synchronizer...
Protocol UDP
Remote port = NTP (123)

SSDP Discovery Services (1)...
Protocol UDP
Remote port = 1900

SSDP Discovery Services (2)...
Protocol UDP
Local host = 239.255.255.250 (255.255.255.255)
Local port = 1900

SSDP Discovery Services (3)...
Protocol TCP
Direction = Outbound
Remote port = 5000

MS Remote Desktop
Protocol TCP
Direction = Outbound
Remote port = RDP (3389)

Generic Host Process LDAP
Protocol TCP
Direction = Outbound
Remote port = LDAP (389)