XP Generic Host

Causeican

Aug 29, 2003
Hey Guys
I just recently upgraded to XP Pro. I spend a lot of time on Dark Age of Camelot (much more than is healthy.. hehe) and I found with XP I was getting a major lag hit.
After reinstalling ZoneAlarm, which I hadn't done yet after the upgrade because I wanted to play, I discovered these 2 Generic Host Processes accessing the net (1 is just listening to a port, 150 I think); I believe they are in Task Manager as svchost.
So I set the ZoneAlarm lock and allowed the DAoC programs to pass the lock, and boom, no lag, no problems. Yet Windows IE will not run if I do not allow these access.
Neither of these were in 98, so:
1. Can they be disabled?
2. Are they really required in XP? Why?
3. What the hell are they REALLY doing?

Hope someone here has some answers, because no one else seems to know anything.

Tx guys


I LIKED Windows 3.xx (because I didn't HAVE to use it)

kinetic_tw

May 29, 2003
Yes, they are required system processes. This article from the MSKB might shed some more light on it for you.

http://support.microsoft.com/?kbid=250320

goblinking

Jun 11, 2003
1. Nope
2. Yep
3. Everything

Okay, here comes the more detailed explanation... Generic Host Process, or svchost.exe, does pretty much everything related to networking as well as a bunch more on XP. Try end-tasking it; you can usually get rid of some of the threads without immediate issue, but some of them force Windows to shut down or crash, similar to what the Blaster worm did.

However, just because they have to be running doesn't mean they have to access the Internet, and I block mine from everything that isn't necessary for web browsing.

When I get home I'll post my firewall settings on here.

goblinking

Jun 11, 2003
Right, I'm using Kerio Personal Firewall (www.kerio.com) and the rules I have set up for svchost.exe are as follows:

(1) Protocol: UDP. Local port: any. Remote endpoint: Address range xxx.xxx.xxx.3 to xxx.xxx.xxx.4, port 53. Permit incoming and outgoing.

Address xxx.xxx.xxx.3/4 is my DNS server; if I block this I can't connect to anything unless I know the IP. If your computer is set to automatically find a DNS, you may find you have to permit a similar rule to *any* address. Your ISP might be able to give you more information.


(2) Protocol: UDP. Local port: any. Remote endpoint: Address 192.168.0.1, port: any. Permit incoming and outgoing.

This is required for any network activity at all; 192.168.0.1 is the address of my router. You probably won't need this rule if you're on a standalone Internet connection.


(3) Protocol: TCP/UDP. Local port: any. Remote endpoint: any, port: any. Deny incoming and outgoing.

Everything else. This rule is placed after 1 and 2, so anything permitted by 1 and 2 isn't denied by 3. If you're not my DNS or my router, there's no need for you to be talking to svchost.exe, is there? Since this process is running on all Internet-connected WinXP PCs, it's a prime target for hackers; plus, God knows what information Microsoft are trying to send down the line.

Hope that's been useful to ya!

gk
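The three svchost.exe rules above only work because Kerio evaluates them in order and stops at the first match. The following added example (not from the post or from Kerio) models that first-match evaluation in Python so you can check what a given connection would get; the DNS addresses 203.0.113.3/4 are constructed stand-ins for the masked xxx.xxx.xxx.3/4, and direction is ignored since each rule in the post applies to both incoming and outgoing traffic.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample addresses standing in for the values in the post.
DNS_LO, DNS_HI = ip_address("203.0.113.3"), ip_address("203.0.113.4")
ROUTER = ip_address("192.168.0.1")


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: FrozenSet[str]          # e.g. {"UDP"} or {"TCP", "UDP"}
    remote_lo: Optional[IPv4Address]   # None means "any address"
    remote_hi: Optional[IPv4Address]
    remote_port: Optional[int]         # None means "any port"
    action: str                        # "permit" or "deny"

    def matches(self, proto: str, ip: IPv4Address, port: int) -> bool:
        if proto not in self.protocols:
            return False
        if self.remote_lo is not None and not (self.remote_lo <= ip <= self.remote_hi):
            return False
        if self.remote_port is not None and port != self.remote_port:
            return False
        return True


# The ruleset from the post, in the order it is evaluated.
SVCHOST_RULES: List[Rule] = [
    Rule("1 DNS", frozenset({"UDP"}), DNS_LO, DNS_HI, 53, "permit"),
    Rule("2 router", frozenset({"UDP"}), ROUTER, ROUTER, None, "permit"),
    Rule("3 everything else", frozenset({"TCP", "UDP"}), None, None, None, "deny"),
]


def decide(rules: List[Rule], proto: str, remote_ip: str, remote_port: int) -> Tuple[str, str]:
    """First-match evaluation: the earliest matching rule decides the outcome."""
    ip = ip_address(remote_ip)
    for rule in rules:
        if rule.matches(proto, ip, remote_port):
            return rule.action, rule.name
    return "deny", "implicit default"   # nothing matched: fail closed


if __name__ == "__main__":
    # Constructed sample connections: DNS lookup, DHCP to the router, a web
    # fetch, NTP to the DNS host, and the same ruleset with rule 3 moved first.
    for conn in [("UDP", "203.0.113.3", 53), ("UDP", "192.168.0.1", 67),
                 ("TCP", "198.51.100.7", 80), ("UDP", "203.0.113.3", 123)]:
        print(conn, decide(SVCHOST_RULES, *conn))
    print("rule 3 first:", decide(list(reversed(SVCHOST_RULES)), "UDP", "203.0.113.3", 53))
```

Putting the deny rule first would block DNS as well, which is exactly the ordering the post warns about.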