What is svchost, and why is there more than one copy running?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

Over the last few months, with increasing frequency, I receive the following message on my screen. It's in Norton Internet Security, but it's not the usual Alert Tracker screen I get when Norton detects an attempt to hack in. It's more like the screen I get when a new programme - like RealPlayer for example - tries to connect to the internet for the first time.

The message says:
A remote system is attempting to access Generic Host Processes for Win32 on your computer.
Application: C:\WINDOWS\system32\svchost.exe
Protocol: TCP (Inbound)

It also tells me the IP addrss of the computer from which the attempt is being made - I think it's diferent each time.

I have always asumed it's someone trying to hack in or plant a trojan or whatever it is these people do, and refused the connection, but, before I set a rule to always forbid such connections, I just wondered if it is a legitimate programme or something which I ought to be allowing for the good running of the computer.

I'd set that always forbid rule. A remote computer should not be attempting to initate a conversation that way ... they're probably attempting to exploit a vulnerability in Windows (that's since been patched as well).

If you're curious, you can enter the IP address into a "reverse DNS" tool, such as http://ask-leo.com/d-reversedns and see a) if there is a host name for that address, and b) if the host name is something you recognize.

Leo

To post a comment on "What is svchost, and why is there more than one copy running?", please return to that article's main page.