Is there a way to determine which service (in svchost.exe) does an outgoing connection?

I'm redoing my firewall configuration with more restrictive policies and I would like to determine the provenance (and/or destination) of some outgoing connections.

I have an issue because they come from svchost.exe and go to web content/application delivery providers - or similar:

5 IP in range: 82.96.58.0 - 82.96.58.255      --> Akamai Technologies         akamaitechnologies.com
3 IP in range: 93.150.110.0 - 93.158.111.255  --> Akamai Technologies         akamaitechnologies.com
2 IP in range: 87.248.194.0 - 87.248.223.255  --> LLNW Europe 2               llnw.net
205.234.175.175                               --> CacheNetworks, Inc.         cachefly.net
188.121.36.239                                --> Go Daddy Netherlands B.V.   secureserver.net

So is it possible to know which service does a particular connection? Or what's your recommendation about the rules applied to these ones?

(Comodo Firewall & Windows 7)

Update:

netstat -ano & tasklist /svc help me a little, but there are many services in one svchost.exe so it's still an issue. Moreover, the service names returned by "tasklist /svc" are not easily readable.

(All the connections are HTTP (port 80) but I don't think it's relevant)

fluxtendu

Posted 2010-03-19T21:01:37.603

Reputation: 6 701

Answers

I have found a method in this Server Fault answer (about services and memory usage) that I could use to analyze individually the network usage of services (with any network tool)

Peter Mortensen:

Split each service to run in its own SVCHOST.EXE process and the service consuming the CPU cycles will be easily visible in Task Manager or Process Explorer (the space after "=" is required):

SC Config Servicename Type= own

Do this in a command line window or put it into a BAT script. Administrative privileges are required and a restart of the computer is required before it takes effect.

The original state can be restored by:

SC Config Servicename Type= share

fluxtendu

Reputation: 6 701
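The procedure in the accepted answer is manual per service. The following script is an added example (not code from the thread or from any of the posters) that does the same thing for every service hosted in one svchost.exe instance: it looks up the services whose ProcessId matches the PID that netstat -ano reported, prints their short and display names, and runs "sc.exe config <name> type= own" for each (or "type= share" with -Restore). It assumes an elevated prompt, sc.exe on the PATH, and Windows PowerShell 3.0 or later for Get-CimInstance (on a stock Windows 7 with PowerShell 2.0, substitute Get-WmiObject Win32_Service). The PID 1234 in the usage comment is a placeholder.

```powershell
<#
  Added example, not from the thread. Splits every service currently hosted in
  one svchost.exe instance into its own process ("sc config <name> type= own"),
  or restores shared hosting with -Restore. Requires an elevated prompt; the
  change only takes effect after a reboot.
  Usage:  .\Split-Svchost.ps1 -SvchostPid 1234             (dry run, lists services)
          .\Split-Svchost.ps1 -SvchostPid 1234 -Apply
          .\Split-Svchost.ps1 -SvchostPid 1234 -Restore -Apply
  1234 is a placeholder for the PID that "netstat -ano" showed for the connection.
#>
param(
    [Parameter(Mandatory)][int]$SvchostPid,
    [switch]$Restore,   # put the services back into a shared svchost
    [switch]$Apply      # without -Apply nothing is changed, only listed
)

# Every service whose ProcessId equals the svchost PID is hosted in that instance.
$hosted = @(Get-CimInstance Win32_Service -Filter "ProcessId = $SvchostPid")
if ($hosted.Count -eq 0) {
    throw "No services found in PID $SvchostPid (is it an svchost.exe, and is this prompt elevated?)"
}

# 'own' = dedicated process, 'share' = the default shared svchost hosting.
$type = if ($Restore) { 'share' } else { 'own' }

foreach ($s in $hosted) {
    # Win32_Service.Name is the short name sc.exe expects (the one tasklist /svc
    # prints); DisplayName is the readable one the question asks for.
    '{0,-28} {1}' -f $s.Name, $s.DisplayName
    if ($Apply) {
        # sc.exe requires the space after 'type='; passing the value as a
        # separate argument gives exactly "type= own" / "type= share".
        & sc.exe config $s.Name type= $type | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sc.exe config failed for $($s.Name) (exit code $LASTEXITCODE)"
        }
    }
}

if ($Apply) {
    "Set $($hosted.Count) service(s) to type= $type. Reboot before the change takes effect."
} else {
    "Dry run. Re-run with -Apply to set these services to type= $type."
}
```

After the reboot each of these services runs in its own svchost.exe, so netstat -ano, Process Explorer and the firewall each attribute a connection to one PID and therefore one service. If a service fails to start once isolated, run the script again with -Restore -Apply and reboot. Note that Windows 10 version 1703 and later already split services into separate svchost processes by default on machines with more than 3.5 GB of RAM, so this trick is mainly needed on Windows 7 and older installations.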

SysInternals Process Explorer can do this for you.

Open the process properties of the svchost.exe instance you are trying to analyze. Click on the TCP/IP tab. Double-click the connection you want to discover to bring up a stack trace of the connection. You should be able to trace the stack back to the DLL that implements the service. Here is an excerpt from the help file on the topic of Process Properties:

TCP/IP:

Any active TCP and UDP endpoints owned by the process are shown on this page.

On Windows XP SP2 and higher this page includes a Stack button that opens a dialog that shows the stack of the thread that opened the selected endpoint at the time of the open. This is useful for identifying the purpose of endpoints in the System process and Svchost processes because the stack will include the name of the driver or service that is responsible for the endpoint

Also on Configuring Symbols

Configure Symbols: on Windows NT and higher, if you want Process Explorer to resolve addresses for thread start addresses in the threads tab of the process properties dialog and the thread stack window then configure symbols by first downloading the Debugging Tools for Windows package from Microsoft's web site and installing it in its default directory. Open the Configure Symbols dialog and specify the path to the dbghelp.dll that's in the Debugging Tools directory and have the symbol engine download symbols on demand from Microsoft to a directory on your disk by entering a symbol server string for the symbol path. For example, to have symbols download to the c:\symbols directory you would enter this string:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Note: You may need to run Process Explorer as administrator to be able to see the thread's stack.

heavyd

Reputation: 54 755

All you are right. For me this feature works in XP only. It would be nice to investigate on what has changed in w7 in this regard so it doesn't work. – saulius2 – 2015-03-15T09:51:32.887

Very interesting, but unfortunately PE v11.33 appears to not support TCP/IP stacks on Windows 7 :-/ "Stacks not available on this version of Windows". I haven't found confirmation on the web, but I'm pretty sure I have configured Symbols correctly... – fluxtendu – 2010-03-24T02:37:51.953

Same result with the new PE 12 :-/ – fluxtendu – 2010-03-26T16:12:27.280

Hmm.. I get the same on 7. Strange it works fine on XP. – heavyd – 2010-03-26T18:11:13.937

The TCP/IP tab should have a "Service" column which, for example while looking at an instance of svchost.exe, tells you which service owns each connection (among the services grouped under the same PID).

Right now I'm using PE 12.00, and at this moment I can't check whether the "Service" column was there in the previous version, but it should be worth a try. – TataBlack – 2010-03-28T23:02:32.303

Try using tasklist /svc and netstat or netstat -an from the command line.

This will show you the programs that are using svchost.exe and the ports being used. Using the port numbers, you may be able to look up the protocol that commonly uses the number. See List of TCP and UDP port numbers.

bugtussle

Reputation: 355

Yes, but a single instance of svchost.exe often hosts 10-20 services, and it is difficult to find out which service is at fault. There is a way to get that information, though.

– Peter Mortensen – 2018-06-11T18:14:24.943

TCPView is a graphic tool that will show you the service, PID, and TCP connection (both local and remote):

Image

harrymc

Reputation: 306 093

Downvote as this does not solve the problem – Chris Dale – 2015-05-12T13:00:03.087

@ChrisDale: I don't agree. This answer shows which service is connecting, and so complements the accepted answer. – harrymc – 2015-05-12T13:12:55.687

@Harrymc TCPView only shows svchost.exe listening or making the connections. svchost is not the service, only a container for multiple services. If you need to know which service is making the connections, you are only marginally smarter, as you know that one out of many is making the connection. Fair enough, it complements the answer, but just a tad. I had the same problem, and TCPView didn't nail it for me :) Sysinternals Process Explorer did though. – Chris Dale – 2015-05-13T16:43:25.203

@ChrisDale: It does show the pid, from all else follows. – harrymc – 2015-05-13T16:50:35.237

Like 'netstat -ano & tasklist /svc', this tool distinguishes different connections in one svchost PID but doesn't show which service is behind them... It's already better because it links PIDs & connections (and recognizes some well-known ports), but it's still not what I'm looking for. (Moreover, it lacks filter and log features...) – fluxtendu – 2010-03-22T15:30:05.470

What's the point of the image? It's too small to be of use. – bshea – 2016-09-18T15:22:03.023

@bshea: The original image can be found by following the link. – harrymc – 2016-09-18T16:47:03.293

I know this may be outdated, but this page still ranks high in search for "svchost connections", so I'll toss my input here. There is a tool called Svchost Process Analyzer; it may help: http://www.neuber.com/free/svchost-analyzer/index.html

AKsik

Reputation: 21

As mentioned, find the PID of the given svchost process and/or use 3rd-party apps like CurrPorts or Process Explorer, which will help you identify the services under the given process (svchost.exe or anything else). Also, Svchost Viewer or Svchost Analyzer will show you strictly svchost info as well.

I also wanted to add: newer versions of the built-in Windows Task Manager will at least show you some limited information on services running under svchost (no need to install anything):

First, pick the svchost process under Processes.
Right-click given svchost process and pick "Go to Service(s)"
It will go directly to services tab and highlight given services running under that svchost process.

Another method:
Using administrator CMD prompt:
tasklist /svc /fi "IMAGENAME eq svchost.exe" > svchost_services.txt
notepad svchost_services.txt
This is also a quick way to get the PID of given svchost/service in question.

bshea

Reputation: 678

Use the task manager to view the PID columns for each process in the process list. Then run netstat -ano to view the active connections and associated PID (= process id).

hurikhan77

Reputation: 830
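The two answers above (tasklist /svc plus netstat -ano, and Task Manager PIDs plus netstat -ano) both end at a PID that you then look up by hand. The following function is an added example (not code from the thread or from any of the posters) that does that join in one step: it parses the rows of netstat -ano, keeps only those owned by an svchost.exe process, and attaches the short name and readable DisplayName of every service hosted in that PID. It assumes an elevated prompt (otherwise PIDs of other users' processes are hidden), an English or otherwise unmodified netstat row layout, and Windows PowerShell 3.0 or later for Get-CimInstance (on a stock Windows 7 with PowerShell 2.0, substitute Get-WmiObject Win32_Service). The sample netstat rows in the comments are constructed.

```powershell
function Get-SvchostConnections {
    <#
      Added example, not from the thread. Joins each "netstat -ano" row that
      belongs to an svchost.exe process with the services hosted in that PID,
      so the output carries readable service names instead of the short names
      that "tasklist /svc" prints. Needs an elevated prompt to see every PID.
    #>
    param(
        # Pass your own captured netstat lines to analyse offline; the default
        # runs netstat live.
        [string[]]$NetstatOutput = (& netstat.exe -ano)
    )

    # PID -> image name, so only svchost rows are kept.
    $image = @{}
    foreach ($p in Get-Process) { $image[[int]$p.Id] = $p.ProcessName }

    # PID -> "ShortName (Display Name)" for every running service.
    $services = @{}
    foreach ($s in Get-CimInstance Win32_Service -Filter 'ProcessId <> 0') {
        $services[[int]$s.ProcessId] += @("$($s.Name) ($($s.DisplayName))")
    }

    # Constructed examples of the rows netstat -ano prints (UDP has no state):
    #   TCP    192.168.1.10:49812   82.96.58.20:80   ESTABLISHED   1044
    #   UDP    0.0.0.0:5355         *:*                            1044
    $rx = '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$'

    foreach ($line in $NetstatOutput) {
        if ($line -notmatch $rx) { continue }   # header and blank lines
        $procId = [int]$Matches[5]
        if ($image[$procId] -ne 'svchost') { continue }
        [pscustomobject]@{
            Proto    = $Matches[1]
            Local    = $Matches[2]
            Remote   = $Matches[3]
            State    = $Matches[4]            # $null for UDP rows
            PID      = $procId
            Services = ($services[$procId] -join ', ')
        }
    }
}

# Example: only the connections to the Akamai range the question lists,
# with every service that could own each one.
Get-SvchostConnections |
    Where-Object { $_.Remote -like '82.96.58.*' } |
    Format-Table Proto, Local, Remote, State, PID, Services -AutoSize -Wrap
```

On a Windows 7 machine with the default shared hosting, the Services column still lists every service in that svchost instance, which is exactly the limitation the question describes; the join only becomes exact once the services run in separate processes (the accepted answer's "type= own", or the default split on Windows 10 1703 and later). For per-connection attribution without reconfiguring anything, "netstat -b" from an elevated prompt prints the owning service's short name on the line above "[svchost.exe]" for each connection, and on Windows 8 and later Get-NetTCPConnection exposes the OwningProcess property, which can be fed into the same lookup against Win32_Service.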

The NirSoft utility CurrPorts does everything you want, including filtering and giving the list of services of a process.

In fact, the only problem with it is how to choose among the enormous number of information columns that it can potentially display.

image

harrymc

Reputation: 306 093

It's the best solution so far but doesn't do the essential thing I'm looking for: The "Process Services" column groups all the possible services... – fluxtendu – 2010-03-22T18:24:31.223