How to see which applications use "Host process for windows services" to eat metered data?

6

1

I have to spend a lot of time on metered connections in a country where data is expensive. I use Glasswire firewall to keep an eye on what software is using my precious data and to throttle programs that are using too much (or, shouldn't be using any). It allows me to see which software is using how much data, and then turn on and off internet access for the data hogs that don't respect my "metered network" setting (e.g. Dropbox).

My problem is, sometimes software sneaks round the back of Glasswire by piggybacking on Host Process for Windows Services. The data usage shows up as being by Host Process for Windows Services with no clue as to which application is using the host process:

My only options are shut off Host Process completely, or allow the rogue application to eat my data unchecked - and it's depended on by many programs. For example, if I shut it down, access to the Internet through my browser stops working.

Usually, it uses very little data:

...but occasionally it goes bananas and starts downloading hundreds of megabytes of data for no obvious reason. Sometimes there's a clue in the name of the web host it's accessing, but often it's something generic like akamai.

For example, recently, with no warning or explanation, Host Process for Windows Services downloaded about 250 MB, almost all of which was from akamai, a small amount was from adobe.com (but that might have been a coincidence). I had to choose between shutting off everything that depended on Host Process (which includes my browsers), or, allowing some unknown application to eat an unknown, large amount of data for no apparent reason.


Is there any way I can see what is using Host Process for Windows Services to eat data, and selectively turn off individual uses of Host Process for Windows Services without shutting off the whole thing?

Answers using Glasswire or existing Windows features would be best, but installing additional software is fine too if necessary.

user56reinstatemonica8

Posted 2015-11-03T18:25:38.837

Reputation: 3 946

According to Wikipedia this is an undocumented API. netstat -b displays which service a connection belongs to, so what you want is possible. – Daniel B – 2015-11-13T10:41:27.757

Answers

3

I asked a similar question some time ago, and finally found an answer on a Server Fault question about services' memory usage. The answer is to split each plausible service from Host Process, so it works for network usage too. (Even after the split, I'm not sure GlassWire distinguishes the different services, but NirSoft CurrPorts or Sysinternals Process Explorer do.)

Peter Mortensen:

Split each service to run in its own SVCHOST.EXE process and the service consuming the CPU cycles will be easily visible in Task Manager or Process Explorer (the space after "=" is required):

SC Config Servicename Type= own

Do this in a command line window or put it into a BAT script. Administrative privileges are required and a restart of the computer is required before it takes effect.

The original state can be restored by:

SC Config Servicename Type= share

Example: to make Windows Management Instrumentation run in a separate SVCHOST.EXE:

SC Config winmgmt Type= own

This technique has no ill effects, except perhaps increasing memory consumption slightly. And apart from observing CPU usage for each service it also makes it easy to observe page faults delta, disk I/O read rate and disk I/O write rate for each service. For Process Explorer, menu View/Select Columns: tab Process Memory/Page Fault Delta, tab Process Performance/IO Delta Write Bytes, tab Process Performance/IO Delta Read Bytes, respectively.


On most systems there is only one SVCHOST.EXE process that has a lot of services. I have used this sequence (it can be pasted directly into a command line window):

rem  1. "Automatic Updates"
SC Config wuauserv Type= own

rem  2. "COM+ Event System"
SC Config EventSystem Type= own

rem  3. "Computer Browser"
SC Config Browser Type= own

rem  4. "Cryptographic Services"
SC Config CryptSvc Type= own

rem  5. "Distributed Link Tracking"
SC Config TrkWks Type= own

rem  6. "Help and Support"
SC Config helpsvc Type= own

rem  7. "Logical Disk Manager"
SC Config dmserver Type= own

rem  8. "Network Connections"
SC Config Netman Type= own

rem  9. "Network Location Awareness"
SC Config NLA Type= own

rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own

rem 11. "Secondary Logon"
SC Config seclogon Type= own

rem 12. "Server"
SC Config lanmanserver Type= own

rem 13. "Shell Hardware Detection"
SC Config ShellHWDetection Type= own

rem 14. "System Event Notification"
SC Config SENS Type= own

rem 15. "System Restore Service"
SC Config srservice Type= own

rem 16. "Task Scheduler"
SC Config Schedule Type= own

rem 17. "Telephony"
SC Config TapiSrv Type= own

rem 18. "Terminal Services"
SC Config TermService Type= own

rem 19. "Themes"
SC Config Themes Type= own

rem 20. "Windows Audio"
SC Config AudioSrv Type= own

rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
SC Config SharedAccess Type= own

rem 22. "Windows Management Instrumentation"
SC Config winmgmt Type= own

rem 23. "Wireless Configuration"
SC Config WZCSVC Type= own

rem 24. "Workstation"
SC Config lanmanworkstation Type= own

rem End.

fluxtendu

Posted 2015-11-03T18:25:38.837

Reputation: 6 701

I must have misunderstood the first step, because when I enter SC Config Servicename Type= own into a command prompt (as an admin user, Windows 8.1), it just returns [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. - where should I be putting this command? EDIT oh, I see, Servicename should be an actual service name, haha, oops! So I'll go through the list at the bottom; is there any way to find the other service names on my system? I think my rogue services are non-standard (probably Adobe or Google) – user56reinstatemonica8 – 2015-11-16T08:21:28.633

In services manager (run services.msc) right click the service and select properties – fluxtendu – 2015-11-16T09:32:07.200
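
To narrow down which services are worth splitting, as the answer and the follow-up comment discuss, the PowerShell sketch below lists the shared service hosts that currently hold established TCP connections, the services inside each one, and the matching `sc config` command. It is an added example, not part of the original answer; it assumes Windows 8 or later (for `Get-NetTCPConnection`) and an elevated prompt, and it covers TCP only.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell
# prompt; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

# Running services that live in a shared host process, grouped by host PID.
$shared = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ServiceType -eq 'Share Process' } |
    Group-Object -Property ProcessId

# Established TCP connections to non-loopback peers, grouped by owning PID.
$active = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Group-Object -Property OwningProcess

$report = foreach ($conn in $active) {
    # Group-Object exposes the grouping key as the string property Name.
    $hostGroup = $shared | Where-Object { $_.Name -eq $conn.Name }
    if (-not $hostGroup) { continue }   # not a shared service host

    $remotes = ($conn.Group |
        ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
        Sort-Object -Unique) -join ', '

    foreach ($svc in $hostGroup.Group) {
        [pscustomobject]@{
            HostPid     = $svc.ProcessId
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            Remotes     = $remotes
            # sc.exe, not sc: in Windows PowerShell "sc" is an alias for Set-Content.
            SplitCmd    = "sc.exe config $($svc.Name) type= own"
        }
    }
}

$report | Sort-Object HostPid, Service | Format-Table -AutoSize -Wrap
```

Every service that shares a PID is listed against the same remote endpoints, because a connection can only be attributed to the process. That is the ambiguity the `Type= own` split removes once the computer has been restarted.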