
TCPView shows svchost.com opening and closing high numbered ports


5 replies to this topic

#1 user1000000

user1000000

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 11 August 2010 - 04:43 PM

Hi there! I'm posting here because I want to know if a behavior that my PC is showing is normal. I'm using a PC with Windows XP SP3, and I use Mozilla Firefox 4.2 beta as my default browser. I'm using TCPView to monitor connections, and I noticed that each time that I go to a new website, the svchost.exe process shows PID 1600 quickly opening up a high numbered port, say above 50000 and even 60000 and then closing that port instantly. Is this normal? :thumbsup: Thanks a lot for your time and help.



#2 Synetech

Synetech

  • Members
  • 149 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:09:03 AM

Posted 11 August 2010 - 09:15 PM

If you don’t already have it, go back to Sysinternals and get ProcessExplorer. SVCHOST.EXE is Windows’ generic service host executable, that is, it could be running any number of services. You can use ProcessExplorer to find out exactly which service is the one that is opening the ports (look at the PID of the exe in TCPView and cross-reference it with the same instance of svchost.exe in ProcessExplorer). Once you have figured out which service is the source of the unexpected traffic, then you can more easily determine if it is legitimate or not.

Another tool you can use to check the legitimacy of the traffic is a port sniffer. While there are plenty to choose from (eg MS NetworkMonitor, WireShark, etc.), most of them need to be configured with rules and filters and such, but the one that is easiest to use and lets you do quick, immediate, hit-and-run analysis without configuration or anything (though you can choose to) is Nirsoft’s SmartSniff (I have the others but SMSniff is pretty much always my go-to sniffer).

If it’s not legitimate traffic, then you can disable, stop, and optionally delete the service.

-- Synetech

#3 user1000000

user1000000
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 12 August 2010 - 09:40 AM

Hi Synetech! Thanks so much for your quick, clear answer! I downloaded ProcessExplorer and looked up the service that quickly opens up a UDP port in the high rank and then closes it. It turns out it's the DNS Cache Service with the number 1600. It makes sense then that it activates each time I go to a new place in my browser. I will check SmartSniff, though. If I have more doubts, will post them here. Have a great day! :thumbsup:
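The cross-reference Synetech describes (take the PID TCPView reports, find the same svchost.exe instance, read off which services it hosts) can be scripted so every TCP and UDP endpoint is listed next to its owning process and service names. The script below is an added example written for this thread, not code from the thread or from Sysinternals or Nirsoft; it relies only on netstat.exe and tasklist.exe, which ship with Windows XP SP3 and later, and assumes it is run from an elevated PowerShell session so netstat can report the owning PID for every socket. The service name `Dnscache` is the real short name of the DNS Client service the topic starter identified; the PID 1600 and port numbers will of course differ on any other machine.

```powershell
# Added example: map every TCP/UDP endpoint to its owning process and, for
# svchost.exe, to the services hosted inside that particular instance.
# Assumes netstat.exe and tasklist.exe are on PATH and the shell is elevated.

function Get-EndpointOwners {
    # Build a PID -> (image name, hosted services) table from tasklist.
    # "tasklist /svc" lists the services running inside each process, which is
    # exactly the detail TCPView cannot show for a generic svchost.exe.
    $owners = @{}
    tasklist /svc /fo csv /nh |
        ConvertFrom-Csv -Header 'Image', 'PID', 'Services' |
        ForEach-Object { $owners[[int]$_.PID] = $_ }

    # "netstat -ano" prints one row per endpoint with the owning PID.
    # TCP rows carry a State column; UDP rows do not, so the PID column shifts.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notmatch '^(TCP|UDP)$') { return }

        if ($f[0] -eq 'TCP') { $state = $f[3]; $owningPid = [int]$f[4] }
        else                 { $state = '';    $owningPid = [int]$f[3] }

        $image = '?'
        $services = ''
        $o = $owners[$owningPid]
        if ($o) { $image = $o.Image; $services = $o.Services }

        [pscustomobject]@{
            Proto    = $f[0]
            Local    = $f[1]
            Remote   = $f[2]
            State    = $state
            PID      = $owningPid
            Image    = $image
            Services = $services
        }
    }
}

# Usage: restrict the view to svchost.exe so a port seen opening in TCPView
# can be tied to a named service (e.g. Dnscache) rather than to the host exe.
Get-EndpointOwners |
    Where-Object { $_.Image -eq 'svchost.exe' } |
    Sort-Object PID |
    Format-Table Proto, Local, Remote, State, PID, Services -AutoSize
```

Running this while browsing reproduces the observation in the thread: a UDP endpoint on a high ephemeral port appears briefly under an svchost.exe instance whose Services column includes `Dnscache`, which is the resolver sending a DNS query and then closing the socket. Because the table also covers every other PID, the same output is the place to look for a service that cannot be accounted for, before reaching for a sniffer.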

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,745 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:03 AM

Posted 12 August 2010 - 01:52 PM

Online Port Scan allows you to scan individual TCP ports to determine if the device is listening on that port. Shields Up is an online port scanning service used to alert the users of any ports that have been opened through firewalls or NAT routers. There are other third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port:

Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity.

For a list of TCP/UDP ports and notes about them, please refer to:

You can investigate IP addresses and gather additional information at:

Edited by quietman7, 12 August 2010 - 01:56 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 user1000000

user1000000
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 13 August 2010 - 12:18 PM

Whoa, got some heavy reading ahead of me! Thanks a lot for your recommendations, quietman. Will definitely check them all out. I've already downloaded CurrPorts and started fiddling with it. Have a great day! :thumbsup:

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,745 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:03 AM

Posted 13 August 2010 - 03:42 PM

You're welcome.