A question about svchost connections in v6 + connections from unnamed process


Unfortunately, what you’re seeing in KillSwitch isn’t quite what you think it is, as a vital piece of information is missing, the process name! The connections with a TIME_WAIT condition actually don’t belong to svchost but to another process called System Idle Process, which always has a Process ID of 0 (zero). Basically, when a connection closes, it’s not instantly terminated. The application to which the connection formerly belonged is passed to the operating system (System Idle Process) while the connection is actually terminated. During this time the connection is shown in a TIME_WAIT state.

If you take a look at the images below - one from KillSwitch and one from Netstat - you can see the same TIME_WAIT connections, but in the Netstat image you can see the PID (far right).

[attachment deleted by admin]

Ah, indeed! My apologies, during both my observations, the connections were from a blank process, not from svchost. I was just thrown off the first time, as the blank process and its entries were directly below the svchost connections.

I did have a feeling they were Firefox connections that were then passed on to a different process. Thanks for the clarification!
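The PID column discussed in this thread can be checked from saved `netstat -ano` output. The following is an added example, not part of the original posts: it separates TIME_WAIT rows owned by PID 0 from the rest and, as a heuristic only, lists live PIDs that still hold an ESTABLISHED connection to the same remote endpoint. The sample output, addresses, PIDs and function names are constructed for illustration.

```python
# Constructed sample in the Windows `netstat -ano` layout (values are made up).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.10:49701     203.0.113.7:443        ESTABLISHED     4312
  TCP    192.168.1.10:49702     203.0.113.7:443        TIME_WAIT       0
  TCP    192.168.1.10:49703     198.51.100.20:80       TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row; headers and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""  # UDP rows carry no State column
        else:
            continue
        if pid.isdigit():
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state, "pid": int(pid)})
    return rows

def closing_connections(rows):
    """TIME_WAIT rows reported under PID 0: closed sockets, not a live process."""
    return [r for r in rows if r["pid"] == 0 and r["state"] == "TIME_WAIT"]

def candidate_former_owners(rows):
    """Heuristic hint only: map each PID 0 TIME_WAIT remote endpoint to the PIDs
    that still have an ESTABLISHED connection to that same endpoint."""
    live = {}
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["pid"] != 0:
            live.setdefault(r["remote"], set()).add(r["pid"])
    return {r["remote"]: live.get(r["remote"], set())
            for r in closing_connections(rows)}

if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    for remote, pids in candidate_former_owners(parsed).items():
        print(remote, "-> candidate PIDs:", sorted(pids) or "none visible")
```

An empty candidate set means no live connection to that endpoint is visible in the capture, so the output alone cannot attribute the closed socket to any process.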