I noticed today that through my firewall svchost.exe was taking up almost 47 percent of my web traffic at one point, and it's very often connected in much smaller amounts, sometimes with multiple connections. I also know that it's a vital Windows component and noticed that telling the firewall to block it results in Firefox and Trillian not being able to connect to the internet at all, but it doesn't have any effect on BitTorrent.
Why is svchost.exe connecting to the internet and lsass.exe, services.exe and something called System are also almost always listening in the background?
All three files are located in the win32 directory, so I'm not worried about any viruses or malware. Since three of the four are simply port listening, there's not much I can do about that short of disabling the service in Windows, is there?
Anyone have any suggestions or info?
Thanks in advance.
-
Since svchost.exe is a generic process that acts for others -- and since there can be multiple instances -- we need more info.
Download Process Explorer from TechNet and run it. Watch which svchost.exe is consuming CPU time and rest your cursor over it, and you will see all the sub-processes using svchost.exe at the time.
Report back. -
Windows may call "home" for Windows Update or the "Customer Experience data" or whatever its called if you agreed to participate.
But do what gerryf19 suggested - download process explorer.
If you run it as an administrator it has more function than a normal user (some get blocked) - you can check every single .dll that runs under a process - mind you, there are several svchost processes... -
davepermen Notebook Nobel Laureate
The svchost processes are in fact the big daddies of your services. Each of them runs one or several services in itself. And some of them (like Windows Update) have to connect to the web to do their work, obviously.
-
I use two freeware programs to monitor my system.
Process Explorer and TCPView
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Process Explorer can tell you which Services are using the Svchost and lsass exe processes.
Example: when I right-click on lsass.exe > Properties > Services.
It shows the following Services are using lsass.exe.
TCPView shows the port number each Process is listening on.
Googling the port numbers will help determine why that Process/Port is active. -
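The same mapping the post above does interactively with Process Explorer and TCPView, as an added PowerShell example that is not part of this thread: it lists each svchost.exe, lsass.exe, services.exe and System instance with the services it hosts and the TCP endpoints it owns. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-CimInstance) and an elevated session for full visibility.

```powershell
# Added example, not from the thread. Maps host processes to the services
# they run and to their TCP endpoints, so a surprising listener or outbound
# connection can be traced to a named service instead of just "svchost.exe".
$targets = @('svchost', 'lsass', 'services', 'System')

# Win32_Service reports the PID of the process hosting each running service;
# group by PID so one lookup returns every service sharing that svchost.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Snapshot all TCP endpoints once; each entry carries its OwningProcess PID.
$tcp = @(Get-NetTCPConnection -ErrorAction SilentlyContinue)

$report = Get-Process |
    Where-Object { $targets -contains $_.ProcessName } |
    ForEach-Object {
        $procId = $_.Id   # do not reuse $PID, which is an automatic variable
        $mine   = $tcp | Where-Object { $_.OwningProcess -eq $procId }
        $listen = @($mine | Where-Object { $_.State -eq 'Listen' } |
                    ForEach-Object { $_.LocalPort } | Sort-Object -Unique) -join ' '
        $remote = @($mine | Where-Object { $_.State -eq 'Established' } |
                    ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
                    Sort-Object -Unique) -join ' '
        [pscustomobject]@{
            PID       = $procId
            Process   = $_.ProcessName
            Path      = $_.Path                                   # expect %SystemRoot%\System32
            Services  = @($servicesByPid["$procId"].Name) -join ', '  # empty for System (PID 4):
                                                                  # its sockets are kernel-owned
            Listening = $listen
            Remote    = $remote
        }
    }

$report | Sort-Object PID | Format-Table -AutoSize -Wrap
```

A row whose Path is not under System32, or whose Services column is empty for an svchost.exe with open connections, is the case worth investigating further.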
Svchost.exe is, I believe, the process name that system worker threads run under, which are used to do all manner of scutwork, including a lot of deferred procedure calls that other processes initiate. As a result, you're not really going to be able to identify which specific app is getting work done for it under svchost.exe.
However, from your experience with having firewalled it, you know for a fact that FF and trillian, at least, have stuff getting done for them by those threads. In FF's case, it's quite likely that the browser is "calling home" to see if any updates are available. Another app that is very likely to make heavy use of network-connected worker threads will be your A/V stuff, principally for checking periodically for updated malware definitions and whatnot. Then there is also Windows itself "calling home" to check in for updates. MS Office will also periodically check for updates, I believe. Lastly, there is all manner of other stuff you may have installed on your system that could be calling home to check for updates.
In this case, since you're really interested in what's going out (or coming in) over the wire, rather than trying to use a process explorer or similar utility, you might be better off using something like Microsoft's Network Monitor. That will capture every packet going out of or coming into your NIC, and will identify which process is emitting which packets, thereby letting you figure out what's talking to whom over your NIC. Be warned, however, that there will be a lot more traffic than you'd ever thought possible.
Windows executable components connecting to the internet...to do what??
Discussion in 'Windows OS and Software' started by RWUK, Dec 24, 2009.