What is 67.72.4.94?


Spooler

@cableone.net
reply to NetFixer
Re: GHP = Generic Host Process = svchost.exe & mor

NetFixer:

Thank you for the explanation. I follow your posts here and frequently learn from them.

I'm out for the night here and it's even later where you & Dr. Strange are.

Back tomorrow if any more is here.

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY


Checking Automatic Update

OK had some time to do a couple of tests and check some tools.

You can try turning off automatic update, and then turning it back on; this should cause it to check for updates and may tell you if it is what is causing the connection. When I did this several times, Port Reporter recorded svchost connecting each time to three IPs; in one of the updates the last was a Footprint server on the Level 3 network:
64.152.17.157

If that doesn't confirm it, you can install and run Port Reporter; it may provide enough information to figure it out.

»support.microsoft.com/default.as···d=837243
--
Dog and Butterfly


Spooler

@cableone.net

ID Serve & Checking Automatic Update

Well, thanks again, Dr. S & WiseGuy:

Went to GRC and downloaded ID Serve as suggested. It clearly confirms the ID of the IP in question as a "Footprint" site.
(see above) Thanks for that tool.

Also turned AutoUpdates off & back on and rebooted.

Computer went to home page first (Yahoo), then to ZA sites, then to 81.52.249.182, which is identified as an Akamai site. Perhaps AutoUpdates was using Akamai that time rather than Level 3.

TCPview showed that site and "System" 0 for a while, then it disappeared from view.

Raises a new issue though, and that is:
What is the Process reported as "System 0" in TCPview where it normally reports the Service and PID?

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY

said by Spooler:

Also turned AutoUpdates off & back on and rebooted.
I didn't need to reboot; I hit Apply (WinXP Home) and it immediately checked for updates. I disabled it, waited a couple of minutes and selected "Notify me but..." again, and it connected out again.

I believe PID 0 is normally System Idle process.
--
Dog and Butterfly


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
PID 0 is actually a port waiting to time out for its next use; the program that was listening is no longer bound to that port, and these are just past connections. However, they do not show which program was listening.


Spooler

@cableone.net

WiseGuy and Zeus:

Thanks again. Sorry this turned into such a long dialog, but each post resulted in new learning (for me, at least).
----------------
Wise Guy:

I turned Windows Updates off and on without rebooting as you suggested. Kept TCPview on top to see what happened in real time. Three IPs appeared:

Two to MSFT at 64.4.23.156, which is ID'd as v5.windowsupdate.microsoft.com in my router logs.

And then one to 67.72.120.62 which is ID'd as "Footprint Distributor" by the GRC ID Serve utility you suggested.

That's a neat little tool. Thanks for recommending it.
--------------

BlitzenZeus:

Once again, you are right on from the start.

The exercises since your first post confirm the outbound to IP 67.72.4.94 is connected to MSFT Windows AutoUpdates using Level 3 and what turned out to be third-party servers - "Footprint".

TCPview caught it in action just as you said it would.

Thanks Everyone.
------------------

Mods - looks like we are done here with this one.
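The triage the posts above describe (toggle Automatic Updates, watch the socket table while it checks, map each remote address to the process that owns the socket, and treat the PID 0 entries as already-closed sockets rather than as the System Idle Process) can be scripted instead of eyeballed in TCPView. The following is an added Python example and is not code from the thread or from any of the tools named in it. It parses constructed `netstat -ano` and `tasklist /svc` output embedded below; the remote addresses are the ones discussed in the thread, but the local ports, PIDs and service lists are invented for the sample. On a real machine you would capture both commands at the moment the update check runs and feed their text in. The service name `wuauserv` is the Automatic Updates service hosted by svchost.exe on Windows XP; everything else is assumption.

```python
"""Attribute outbound sockets to processes from netstat -ano and tasklist /svc text.

Added example (not from the forum thread). Sample output below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: what `netstat -ano` might print right after an update check.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      64.4.23.156:80         ESTABLISHED     1024
  TCP    192.168.1.10:1044      64.4.23.156:80         ESTABLISHED     1024
  TCP    192.168.1.10:1045      67.72.120.62:80        ESTABLISHED     1024
  TCP    192.168.1.10:1040      67.72.4.94:80          TIME_WAIT       0
  TCP    192.168.1.10:1046      81.52.249.182:80       TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  UDP    0.0.0.0:123            *:*                                    1024
"""

# Constructed sample: `tasklist /svc` taken at the same moment (PIDs invented).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    712 RpcSs
svchost.exe                   1024 AudioSrv, Browser, wuauserv, W32Time
"""


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: str
    state: Optional[str]   # None for UDP rows, which carry no state column
    pid: int


@dataclass
class Proc:
    image: str
    pid: int
    services: List[str] = field(default_factory=list)


@dataclass
class Attribution:
    conn: Conn
    image: Optional[str]   # None when no live process owns the socket
    services: List[str]
    note: str


# State column is optional so the same pattern covers TCP and UDP rows.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue                      # header / blank lines
        proto, local, remote, state, pid = m.groups()
        ip, _, port = remote.rpartition(":")   # keeps bracketed IPv6 intact
        conns.append(Conn(proto, local, ip, port, state, int(pid)))
    return conns


def parse_tasklist(text: str) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line.strip())
        if not m:
            continue                      # header and ===== separator rows
        image, pid, svc = m.groups()
        services = [] if svc.strip() == "N/A" else [s.strip() for s in svc.split(",") if s.strip()]
        procs[int(pid)] = Proc(image.strip(), int(pid), services)
    return procs


def attribute_connections(conns: List[Conn], procs: Dict[int, Proc]) -> List[Attribution]:
    out = []
    for c in conns:
        # A naive join on PID would label TIME_WAIT rows "System Idle Process";
        # they are closed sockets whose owner the kernel no longer records.
        if c.pid == 0 and c.state == "TIME_WAIT":
            out.append(Attribution(c, None, [], "closed socket waiting to time out; owner not recorded"))
        elif c.pid in procs:
            p = procs[c.pid]
            out.append(Attribution(c, p.image, p.services, "live socket owned by PID %d" % c.pid))
        else:
            out.append(Attribution(c, None, [], "PID %d absent from tasklist snapshot" % c.pid))
    return out


def remote_hosts_by_process(records: List[Attribution]) -> Dict[Tuple[str, int], List[str]]:
    """Remote IPs each live process talked to, ignoring listeners and wildcards."""
    hosts = defaultdict(set)
    for r in records:
        if r.image is None or r.conn.state == "LISTENING" or r.conn.remote_ip in ("*", "0.0.0.0"):
            continue
        hosts[(r.image, r.conn.pid)].add(r.conn.remote_ip)
    return {k: sorted(v) for k, v in hosts.items()}


def unattributed_remotes(records: List[Attribution]) -> List[str]:
    """Remote IPs seen only on sockets no live process owns (the TCPView 'System 0' rows)."""
    return sorted({r.conn.remote_ip for r in records
                   if r.image is None and r.conn.remote_ip not in ("*", "0.0.0.0")})


if __name__ == "__main__":
    recs = attribute_connections(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE))
    for (image, pid), ips in remote_hosts_by_process(recs).items():
        svcs = ", ".join(next(r.services for r in recs if r.conn.pid == pid))
        print("%s[%d] (%s) -> %s" % (image, pid, svcs, ", ".join(ips)))
    print("closed, owner unknown ->", ", ".join(unattributed_remotes(recs)))
```

The point of the `TIME_WAIT` branch is the one BlitzenZeus makes: PID 0 on a socket row means the socket has been closed and is waiting out its timeout, not that the idle process opened it, so those remote addresses (here 67.72.4.94 and 81.52.249.182) can only be attributed by catching the connection while it is still `ESTABLISHED`. Run both commands in a tight loop (or use Port Reporter, which logs the owning process at connect time) if a connection is too short-lived to catch by hand.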

bthielen

join:2004-11-15

Check out
»headers.bragger.net/info/footpri···tor.html

Leads to sandpiper.net, then this:
»www.cw.com/about_us/company_prof···_7a.html
© 1999-2009 dslreports.com