Forums » Up and Running » Security » Security » DESPERATELY NEED HELP WITH WIN XP AND ZA

Backstroke$

join:2001-11-23
North Myrtle Beach, SC

DESPERATELY NEED HELP WITH WIN XP AND ZA

...and other firewalls, because I can't identify this process or I don't know why this XP OS wants to call out...seems to be the majority of the posts nowadays in this security forum.

Should I allow it, stop it and what the heck is it?

Most of you have figured that all out, but for those of you that have not, I have decided to post here what I think will be valuable for you to decide all this yourself.

It all starts out with understanding some of the new features this OS has over previous ones and even the 2000 series.

You can find most of that information at this link, but you should at least be aware of this.

»msdn.microsoft.com/msdnmag/issue···rnel.asp

Services Reliability
The last area of reliability improvements is in the area of the services infrastructure. Prior to Windows 2000, some services shared a process with other services and some ran in their own process. Windows 2000 introduced the generic service host process, Svchost.exe. The goal was to reduce system resources by consolidating the various processes hosting built-in operating system services into a single process. Or, it could permit the system administrator to configure the system to run certain services in their own processes, which would prevent one service from corrupting the private memory of other unrelated services (this capability is not documented or supported yet).
If you look at the Windows XP process list in Task Manager, you will notice at least four Svchost.exe processes: two running under the SYSTEM account (sometimes referred to as LocalSystem) and two running under two new service accounts: NETWORK SERVICE and LOCAL SERVICE.

One of the two Svchost processes running under SYSTEM hosts the bulk of the services, 29 of them in total. The second one hosts a single service, Remote Procedure Call (RPCSS). The reason this service needs to be in a separate process is that user-written DLLs are loaded into this process. By having RPC running in its own process, these DLLs cannot adversely affect the operation of the other built-in operating system services. The Svchost process running under NETWORK SERVICE hosts a single service, the DNS Client. The Svchost process running LOCAL SERVICE hosts the TCP/IP NetBIOS Helper, Remote Registry, Simple Service Discovery Protocol, and Web Client services.
The reason for the two new service accounts is to improve system security by reducing the privileges that services run with. LOCAL SERVICE is a built in account that doesn't need a password to log on. The account has only a few privileges, and is not a member of the local administrators group. So, if a service that is running under this account is compromised, it cannot take down the whole machine. LOCAL SERVICE also has no network credentials, so attempts to access a machine on the network will connect with the null session. The NETWORK SERVICE account has the same set of privileges as LOCAL SERVICE, but has access to the machine's credentials for outbound connections, similar to the SYSTEM account.

If you want to know more then read the whole article.

The next key seems to be the need to understand how and why they end up going outside your system or show up in your firewall logs.

You can get some idea about most of them at this article at Microsoft, and I have listed some of the important ones which will show up as process numbers.

»support.microsoft.com/default.as···q2503200

System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
220 lsass.exe Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe

Yes, those are the numbers that show up with ZA and other logs.
But if you want to find any process...
Start up MS Info by going to the Run command on the Start button; you will need to type in msinfo32, and then it should fire right up.

Go to the section labeled "Software Environment" and then to the subsection labeled "Running Tasks". This will show all programs and services that are running and their process IDs.

Another member suggested you could also try this.

Easier way: type Ctrl+Shift+Esc to bring up the Task Manager. Select the Processes tab. Locate the process ID in the PID column.

The last thing I can think of is the information at this thread.
Some ideas on how to close the ports these processes use:
»Why is port 5000 listening?

This post does not hold all the answers for you. As you can see, some of you have already helped to bring these thoughts together.

They can be improved upon. So I hope others will post their ideas and tips here also. But for now, if you are running XP and you are still not sure how it all comes together go back to that first link and study it.
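As an added example (not part of the original post, and not a tool the post mentions), a PowerShell snippet that does the same lookup in one step: given a PID from a firewall log, it names the process and, for an svchost.exe, the services hosted in it and the account each runs as, which is the information the quoted tlist -s listing shows. It assumes PowerShell 2.0 or later is installed on the machine; the default PID 404 is just taken from the quoted KB list and will differ on any real system.

```powershell
# Added example: resolve a PID seen in a firewall log to its process and hosted services.
# Assumes PowerShell 2.0+ (Get-WmiObject is used so it also works on an XP-era install).
param([int]$ProcessId = 404)   # 404 is only the RpcSs svchost PID from the quoted KB list

$proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
if (-not $proc) {
    Write-Host "No running process has PID $ProcessId (PIDs are reused after a reboot)"
    return
}
Write-Host ("PID {0}: {1}" -f $ProcessId, $proc.ProcessName)

# Win32_Service.ProcessId records which process hosts each service; several services
# can share one svchost.exe, which is why a single PID can stand for many services.
$svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId"
if (-not $svcs) {
    Write-Host "  hosts no services (a plain application, not a service host)"
    return
}
foreach ($s in $svcs) {
    # StartName shows the account (LocalSystem, NT AUTHORITY\LocalService, ...),
    # the same privilege distinction the quoted MSDN text describes.
    Write-Host ("  {0,-18} {1,-40} runs as {2}" -f $s.Name, $s.DisplayName, $s.StartName)
}
```

Run it while the connection is still in the log, since svchost PIDs change on each boot; the services listed for that PID tell you which component (DNS Client, RPC, and so on) is actually making the outbound connection.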
over 10.5 years online! © 1999-2010 dslreports.com.