1 constant svchost TCP IN connection


Following a cautious reformat, I’m finding myself delving more into net security, and as a matter of interest to me, I notice there is always one svchost with an IN conn running as a child to svchost.exe, with 74Bytes IN, and 78Bytes OUT. Previously this wasn’t the case, I have disabled some non-essential services in msconfig, but still 1 conn runs consistently.

Any advice on this, perhaps it can be disabled to see the effect?


It is a local service through System, I’ve blocked it, and doesn’t have any impact on my net connection

mmm 88)


Svchost,exe (Generic Host Process) typically loads a number of service dlls and is itself called by services.exe during the boot process. Personally, I can’t ever remember seeing, svchost loading an instance of itself.

You could try running the following command from a command prompt, it might provide a little additional insight:

tasklist /svc /fi “imagename eq svchost.exe”

hi guys,

I have similar case that really concerns me if this is a threat: I am working at wireless, I usually see lots of TCP IN connections (image attached). I am not IT guy, but this makes me feel someone link to my laptop and some security compromise? Could anyone please help me on this please? Thank you very much.


[attachment deleted by admin]

Maybe you have trusted the network with Stealth Ports Wizard. Try changing that to Block All Incoming Connections.

Hi James,

Thanks indeed for your instruction.

If blocking all incoming connections, are we safe from wireless attacks? I connecting to unsecure wireless network.

Further I have another issue, I attach picture here, hope to have your examination. It seems to be a attack?

Thanks James.

[attachment deleted by admin]

Svchost (as should be System) should be set to ‘Outgoing Only’

If you want to be safe on unsecure wireless networks you should look at Comodo Trust Connect.

Can you explain how to set as ‘Outgoing Only’? Thanks

scvhost for sure should be denied inbound in the general situation (some applications might need it on a lan, or even on wan, e.g. remote assistance software or rights to upload on a private ftp server).

On the other side, i don’t see why it should be globally allowed outbound: it is very inelegant to everyone if your computer is infected by some trojan/rootkit but, even if not, i see no valid reason for not monitoring the destination of your private data.

My idea of the situation is to monitor every single connexion, in or out, and this goes by setting cis to proactive and custom level, so as to be asked of whatever happens.

Some specific tools can monitor the running services, including scvhost ones (of course, command line syntax as quoted works, but is quite unfriendly); autoruns and procexp are good basic softwares for that.

Last thing, one should never use msconfig to disable whatever service, but disable the service itself (and, when necessary, disabling uneeded entries with autoruns).

To set Svchost.exe and System as Outgoing Only:

Click Firewall/Advanced/Network Security Policy
Under Application Rules,
scroll down to see if Svchost.exe and/or System is already listed (most likely is, and is currently ‘Custom’)
Click on the name (Svchost.exe or System), and click ‘Edit’ (on the right).
Select ‘Use a Predefined Policy’, and select ‘Outgoing Only’ from the Dropdown box. Then click ‘Apply’.

Select and edit the second name the same way.
Click 'Apply, and then click ‘OK’.

If it is not already in the list (strange, but may happen), click Add/Select/Running Processes.
Scroll down the list to locate System and Svchost.exe (possibly will be near the top of the list).
Click on one, and click ‘Select’.
Now click on ‘Use Predefined Policy’ and follow the steps listed above.
Go back and select the other name, and again follow the steps already outlined above.

There you go.
You have now either changed or added these successfully as ‘Outgoing Only’ to your Firewall Rules.


Its by default for both System/svchost.exe

This is ok?

It is but I wasn’t explaining how to edit the rules themselves. Ty, btw.

I am confused now. What to do? Dont touch nothing or to change to Outgoing Only?

Yes, this is OK