Can anyone tell me what this program dose, Generic Host Process for Win32 Services? It always wants to connect to the net and it is driving my Firewall up the wall.

hello
its part of xp and 2000 o/s it could be a ligitamate application trying to acess the web could allso be a trojin
i did a google search and got many hits heres one

It all starts out with understanding some of the new feature this OS have over previous and even the 2000 series.

You canmost of that information at this link,but you should at least be aware of this.

»msdn.microsoft.com/msdnmag/issues/01/1..[?]

Services Reliability
The last area of reliability improvements is in the area of the services infrastructure. Prior to Windows 2000, some services shared a process with other services and some ran in their own process. Windows 2000 introduced the generic service host process, Svchost.exe. The goal was to reduce system resources by consolidating the various processes hosting built-in operating system services into a single process. Or, it could permit the system administrator to configure the system to run certain services in their own processes, which would prevent one service from corrupting the private memory of other unrelated services (this capability is not documented or supported yet).
If you look at the Windows XP process list in Task Manager , you will notice at least four Svchost.exe processes: two running under the SYSTEM account (sometimes referred to as LocalSystem) and two running under two new service accounts: NETWORK SERVICE and LOCAL SERVICE.

One of the two Svchost processes running under SYSTEM hosts the bulk of the services, 29 of them in total. The second one hosts a single service, Remote Procedure Call (RPCSS). The reason this service needs to be in a separate process is that user-written DLLs are loaded into this process. By having RPC running in its own process, these DLLs cannot adversely affect the operation of the other built-in operating system services. The Svchost process running under NETWORK SERVICE hosts a single service, the DNS Client. The Svchost process running LOCAL SERVICE hosts the TCP/IP NetBIOS Helper, Remote Registry, Simple Service Discovery Protocol, and Web Client services.
The reason for the two new service accounts is to improve system security by reducing the privileges that services run with. LOCAL SERVICE is a built in account that doesn't need a password to log on. The account has only a few privileges, and is not a member of the local administrators group. So, if a service that is running under this account is compromised, it cannot take down the whole machine. LOCAL SERVICE also has no network credentials, so attempts to access a machine on the network will connect with the null session. The NETWORK SERVICE account has the same set of privileges as LOCAL SERVICE, but has access to the machine's credentials for outbound connections, similar to the SYSTEM account.

If you want to know more then read the whole article.

The next key seem to be the need then to understand how and why they end up going out side your system or show up in your firewall logs.

You can get some idea about most of them at this article at Microsoft and I have listed some of the important ones which will show up as process numbers.

»support.microsoft.com/default.aspx?sci..[?]

System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstation,LmHosts,Mes senger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
220 lsass.exe Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe

Yes those are the numbers that show up with ZA and other logs.
But if you want to find Any process..
Start up MS Info by going to the Run command on the Start button, you will need to type in msinfo32 and then it should fire right up.

Go to the section labeled "Software Environment" and then to the subsection labeled "Running Tasks". This will show all programs and services that are running and their process ID's.

Another Memeber suggested you could also try this.

Easier way: type ctrl+shift+esc to bring up the task manager. Select the processes tab. Locate the process id in the pid column.

The last thing I can think of is the information at this thread.
Some ideas how to close the ports these processes use
»www.dslreports.com/forum/remark,178360..

This post does not hold all the answers for you. As you can see some of you have already helped to brings these thoughts together.

They can be improved upon. So I hope others will post their ideas and tips here also. But for now, if you are running XP and you are still not sure how it all comes together go back to that first link and study it.

Thanks for taking the time to post your response. Many of the Google references to this file talk about Code Blue, which is an IIS virus. As I'm running a fresh install of W2K, I'll trust that this file is doing as advertised by Microsoft and we'll see what happens.

Thanks!

Lord Happy

After reading the two responses on what "Generic Host Process for Win32 Services" does, I am now even more confused. I am not real computer savvy but I know my way around. The request constantly comes up on my computer asking for server and connection rights, but I don't know what to do. Someone please help me figure this out, sometimes I let it and other times I don't. I have noticed, occasionally, I cannot connect to any website even though I am online, could this generic host thing have something to do with it?

thank u

its also bugging my ZoneAlarm

Here's a site that might explain what this "creature" does.

http://www.bugnet.com/analysis/0201/sfxpfbi1.html

This Win32.exe program screwed us up for better part of the day after we installed ZoneAlert!

Whe I denied its access, I was not able to get on my server although I have a Cable Modem. I could not get any email, could not get on anything at all!

For a long time, I did not relate the two. When I finally did and let the Win32 through, everthing worked fine.

This is contrary to what Steve's link says. Can someone give me a better explanation?

#1 Son
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ditto to Response #6 As soon as I installed Zone-alarm I discovered that SVCHOST.EXE is needed to allow access to the internet. So just go ahead and tell Zone to allways give access. I am thrilled to find this bulletin board, as I have more questions.

I think Generic Host Process for Win32 Services is a transport for dns queries (among other things) this will be why you are not able to access any sites if this service is blocked. After I allowed this through I checked the za log and noticed that the address it was connecting to was a dns server.

Dns server is correct, you need to allow it. Just check the box for always allow on zone and forget about it.

I have been having the same problem where if I deny Generic Host Processes (known as svchost.exe)the right to connect to the internet through ZoneAlarm nothing on the internet works! I have researched this and see that it deals with Universal Plug and Play which has some security issues. Does anyone know why and if I need to let this use the internet? Is it a security risk? If I do not let it connect nothing works, so if anyone out there can help please post.

UPnP is a different process -- you'll see it listening on ports 5000 and 1900.

SSDP and Universal Plug and Play can be disabled independently. Open Control Panel > Admin Tools > Services, right click and stop/disable both 'SSDP Discovery Service' and 'Universal Plug and Play Device Host'.

What bothers me about this Generic Host item is that it's actively listening on UDP 1026.

I have ZA set to Allow Cconnect for Local and Internet, but only Allow Server for Local. I have it prompt me if it wants to act as a Server for Internet. I see no immediate reason why it would have to act as a server and if one does come up I want to know about it. I don't remember ever getting prompted for it to act as a server.

Even after allowing it to always connect to the internet, local - allow to be a server in local and internet it still will cause problems where no internet programs will work like the 3rd time I connect to the internet. The only solution is to reboot. Does anyone know how to solve this?

I upgraded to ZoneAlarm Pro and now the problem is solved. Try the 30 day trial and see if it fixes it for you.

I have a copy of the cracked ZA Pro access to trusted and internet and disabled the servers for both and so far so good. My questions are these...
Am I the only one has the feeling that it's creating a giant hole in the ship for bill and his fello spies on the MSMS (Microsoft mothership) and potential hackers?
By simply blocking server acces in ZA is it securing us from potential threats?
And finally could anything breaching privacy law be leaving my Pc and where would it be going?
Sorry for the length :(

in ZA, I have "Generic Host Process" blocked for everything except trusted access. But, if you right click on it, and go to options, I have everything EXCEPT DNS blocked for it, and things seem to be working. When I find something else it needs to do, then i'll allow those ports as well.

If you just give programs rights to the internet, you are kind of defeating the purpose for zone alarm in my opinion. By only allowing specific ports to specific hosts, I want to make sure theres no spyware talking to anything out there (like the media player spyware stuff). Also, if interested in spyware and running XP, be sure to grab XP-anti-spy, which will disable alot of the XP built in spyware stuff.

One thing that bothers me about GHP for win32 is if you give it full permision it can connect any time it wants... I gave it permision to access the dns but only temporarily... later it came up and asked to connect to 207.46.226.34 which is owned by MS. When I looked it up it says its Time.windows.com, which probly has to do with xp's time sync "Feature"(Control Panel/Date&Time/InternetTime). Sounds harmless but its still kinda scarry when your computer is calling home with out your knowing. What other "features" pop up later?

As Fran, #1 son, Colin and others have said I too am experiencing occasional problems with connecting to any internet web site or my mail. Everything will work fine after a reboot. I leave my PC on all the time, as I am sure alot of you do too. Sometimes, after the computer been idle for awhile, when I return I cannot get to any web sites. This is driving me crazy! I have been trying to figure this out for awhile now. I upgraded from win 98 and have heard the horror stories that accompany upgrading, but this is the only problem I have. I tried so many things to resolve this, Removed my dial upconnections and reinstalled, uninstalled modem and reinstalled, the same for the modem driver. You can dial up and connect to your ISP (Internet service provider) just fine but you have no access to the web period. The only solution is a restart. I too run zonealarm but just the standard version 2.6.362. Now when you click on the programs tab I show 3 instances of GHP for win32 services running designated by the little icons at the top of the screen between the stop button and the zone alarm help button. Mine is set for LOCAL NETWORK allow and allow server and for INTERNET allow and allow server. Also under the lock tab in zonealarm I have mine set to engage internet lock when screen saver activates. I wonder if this is what is causing my trouble. I am hesitant to say the least to allow this program unrestricted access to the net. Until reading all these messages I had no clue as to what my connectivity problem might be. To be honest I came here trying to find out what GHP win32 services was also as it was bugging my firewall as well. It seems It was worht my time coming here. I'm gonna mess around with this a little now and see if I can get reconnected to the internet AFTER my connection problem appears WITHOUT a restart. Then I'll know for sure what is the root cause of the problem. I'm also gonna get the anti spy software which JoeShmo mentioned as well. Colin, after rereading your post you have the exact problem I have. Upgrading to Pro helped you maybe I'll try that too. Thanks for all the help. Im glad I found this board I'm sure I'll be back.

P.S. dale-wwjd - can you e-mail me the crack for ZA Pro? Thanx in advance.

In Windows 2000 and Windows XP computers, the Network Connections list typically includes the SVCHOST.EXE executable file. Windows 2000/XP uses this executable for services that are run from dynamic link library (DLL) files. These other services include operating system services, and can include services that are used by third party programs.

The Network Connections list may include more than one instance of SVCHOST.EXE. Each instance of SVCHOST.EXE hosts one or more services. NIS and NPF do not allow you to terminate this connection.

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ Service
To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run .

In the Open box, type CMD , and then press ENTER.

Type Tasklist /SVC , and then press ENTER.

Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID " (with the quotation marks)
The following example of Tasklist output shows two instances of Svchost.exe that are running.
Image Name PID Services
========================================================================
System Process 0 N/A
System 8 N/A
Smss.exe 132 N/A
Csrss.exe 160 N/A
Winlogon.exe 180 N/A
Services.exe 208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
Eventlog,LanmanServer,LanmanWorkstation,
LmHosts,Messenger,PlugPlay,ProtectedStorage,
Seclogon,TrkWks,W32Time,Wmi
Lsass.exe 220 Netlogon,PolicyAgent,SamSs
Svchost.exe 404 RpcSs
Spoolsv.exe 452 Spooler
Cisvc.exe 544 Cisvc
Svchost.exe 556 EventSystem,Netman,NtmsSvc,RasMan,
SENS,TapiSrv
Regsvc.exe 580 RemoteRegistry
Mstask.exe 596 Schedule
Snmp.exe 660 SNMP
Winmgmt.exe 728 WinMgmt
Explorer.exe 812 N/A
Cmd.exe 1300 N/A
Tasklist.exe 1144 N/A
The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost :
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
RApcss :Reg_Multi_SZ: RpcSs

I too have spent many brainstorming hours trying to track this host and it's uses.
I was glad to find this page, for i am not alone in thinking that my pc keeps calling home to the new state of America (microsoft), I dont like it and I will keep on this case untill i am satisfied that i can live without all this host's side kicks. I look forward to hearing more on this subject in this page, keep sniffing hound's.

check this. i've also wondered about these win32 services, svchost.exe. i ended up realising that you cannot tconnect to the net without allowing it in zonealarm. but b ing a quizzical git i decided to disable them in task manager. as some1 mentioned there r at least 4 of them and this stands 4 me 2. i disabled 3 and discovered that disabling 1 (the 1 around 3000k under username system) caused the pc to shut down as it closed the remote call procedure (wtf that is?) neway these other processes start up again. but they dont show up on my zonealarm as connected to the net. around this time some strange things happen, the taskbar flickers and sometimes changes colour to grey, also if I have it set at double size it goes to the default size. I dont know why all this happens (at 1st I thought it was a hack or something) but the strange thing is even though these win32 services are not shown on zonealarm I can still connect to the net with ie6? weird eh?

I never have figured out wtf this is for ,after a year of ZA 2.63 I just block ALL server requests EXCEPT when I need to send a file through Yahoo!™ servers. When you use Yahoo!™ file send ,you end up loading the file to a temp address instead of sending it direct but the intended recipient still gets an address to d/l it from so whatdahey!,who needs servers anyway? I never have a problem connecting to the internet with it blocked but it does slow the loading of web pages considerably. IE6 has some of the phone-home features that Billy Goats and da boyz are so fond of in XP (I think),I sure seem to lose a lot of stuff, with every critical upgrade from MS I seem to lose 1 program. If this keeps up long enough ,all 80 of the proggy's on mah box will be gone,hehehehe :-) (save me a lot of housecleaning) :-))

The svchost.exe file tries to connect on my computer too. Thanks everyone for letting me know I am not alone on this. It has been driving me nuts and has wasted many hours of my time. I also have a file called rundll32.exe that wants to surf the internet also. Would this be a built-in XP feature too?

My system was trying to connect to 239.255.255.250. Using IP Atlas, I found that this address is located at Marina Del Rey, California, United States.

Check it at:

http://www.xpenguin.com/plot.php?address=239.255.255.250

Additionally, my Tiny Firewall reports this suspectous connection:

Application: 'Tcpip Kernel Driver'; protocol: [2]; Remote address IGMP.MCAST.NET [224.0.0.22]: Unknown event
tcpip kernel driver

http://www.xpenguin.com/plot.php?address=224.0.0.22

This address is located at the same place...

Who is spying me?

it's a broad cast message
check out the PDF for learning about the IP's and terms

http://systems.cs.colorado.edu/grunwald/NetworksResources/Slides-stevens-tcpipv1/stevens-chap12-cast.PDF

Hi everyone...interesting reading...i have spent some time sniffing around xp and using various softwear on my system including z/a pro...an easy answer to this win32 process is installing sygate...i have blocked its access from day 1 and left it to remind me when it trys to access and as time goes by it kind of leaves you alone apart from at connections...i can still browse and use ftp's and so on with no problem while this process is denied access...i am using sygate pro and must admit i have not tried standard version...if you would like pro then mail me and i will send you details....dalentrace@msn.com
regards....riz

Blocking it on my machine didn't stop me from connecting to this website.

After installing Norton Antivirus 2002, Zonealarm pro asked me if I want to grant access to Norton Antivirus Agent to access internet. When I clicked "More Information", Zonealarm pro told me that I must grant internet access to "Generic Host Process for Win32 Services". Zone alarm also told me the following:

"Generic Host Process for Win32 is the Microsoft Windows component your browser uses to perform DNS lookups"

I took a screen shot of my desktop when the said messages appeared on my desktop. If you want to see, just give me a mail.

I have Zone Alarm Pro 2.6.231 (no idea if this is up to date?) and Win2000 Pro with SP2 and pretty much most of the “critical” updates since it’s release. I have denied all access by GHP for Win32 and have had no problems access in Internet. In fact (and maybe it’s psychological) after installing Zone Alarm and denying all access for GHP4Win32 my Internet connection seems much faster. However if I deny access for “Services and Control App” (5.00.2195.2780 – are these version numbers or something?) then I get no Internet access. Anyone know what this app is doing? I think it’s supposed to be there, but then Mr T Horse isn’t going to call it’s self “Bad Trojan Horse App for Win32” I guess.

After reading response number 19 (by Bill) I tried typing tasklist on the CMD window and it says it’s not a recognised command, do I need to be in a specific directory to run this?

I’m no windows expert and after following Bill’s registry instructions was certainly interested by the BITSgroup, which transfers files in the background using idle network bandwidth. Now I guess this is what allows things like MSN messenger to work. Could this also allow your comp to be used as say some part of a peer-to-peer network even when you don’t want to be? E.g. don’t they need comps for routing and stuff? Could this explain why my connection seems faster?

Microsoft has a Knowledge Base article (Q250320) that explains what svchost.exe does. Hope this helps.

If you try to go to Administrative Tools->Services and try to see some services that might be running, you will see that its just an svchost.exe is running with different parameters. You might want to disable them (like the Remote Procedure Call or others you don't need) in order to reduce number of svchost.exe processes running.