Fighting against Windows built-in spyware

Hello, I moved from WinXP to Win7 not so long ago, and I’ve discovered that there are way more system processes than in WinXP. Their purpose is still not clear for me, and there are only common phrases in the internet I managed to find about them, like “it is window system process, don’t cut it”. They don’t answer what do they do and is their activity spy only or it is useful and the access to connect to internet should be granted to them?

This will be pretty a long thread about different processes.
what does sppsvc.exe do? I don’t get it’s purpose. Is it related to checking certificates of exe-files if they are signed?
This process tries to modify protected file or derictory (C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat in particular.)
Motivate me not to block this activity. Why shouldn’t I block it?

Please refer to:
(including the “software protection” link)

sppsvc is a protection against malware, but also of course an anti-piracy service.

disabling sppsvc results to run win 7 in “notification mode”, of which one can get rid of, but as far as i have seen not by licit means…

thx for the link, but it’s an archive of information about different processes, containing the same information I’ve found by googling.
It is said that if I block that proccess - I may get warnings, I’ve blocked it and nothing bad happens.

I think xpy is what you may be looking for.

svchost.exe (not a virus) tries to connect to whois. Why?

Akamai Technologies
That’s one of there server’s that Microsoft use for Windows Update.

It used to be easy to restrict Windows Update to certain IP’s but they now other’s aswell as there own.

Only port 80 connections go to these server’s all port 443 connections go to Microsoft server’s.


why is svchost doing that? shouldn’t it be wuauclt.exe?

Wuauclt.exe may be part of the update process, but svchost.exe does all the work and for a lot of other things aswell.


[attachment deleted by admin]

I have 24 discrete firewall rules addressing different zones that SVCHost accesses (and on distinct port sets). SVCHost handles in addition to normal WAU processing, updates for Ad-Aware and Adobe ARM (and probably updates other apps if installed on other systems). SVCHost is a service that runs services, that’s all.

I found it highly useful to bookmark a reverse DNS lookup site in order to ascertain the domain name for any arbitrary IP access. For known apps I usually allow - ensure remember this dis-checked - and then refer to the log for app and IP access correlation. I then create specific zones according to app and ports being accessed. Then I create rules for the app using those zones and port src / dest.

What I found out was that Adobe would want to go to a certain IP, and the after approving that, SVCHost would want to go there too. Often the IP address correlated to an Adobe domain name, but quite often it was un-resolvable. But what I found was that after establishing an Adobe domain name IP access attempt, SVCHost would often phone home to that IP on its own (without the initial Adobe app doing so). Why fight it? I just created a rule allowing SVCHost access to that particular Adobe zone. Obviously the Adobe app in question also needed a firewall rule to that zone also.

One thing that needs to be kept a pulse on is the integrity of SVCHost itself. Google SVCHost process tool. As long as the services associated with SVCHost are legit, i.e., not hijacked, then whereever it wants to go should be good to go.

After a while of doing this you get familiar with IP ranges and discover an app attempting to access an IP address already in a zone for another app. Simple matter then to specify that zone for the new app. It eventually shakes out to some IP to 80 only, some to 80 & 443 and some IP to 443 only. SVCHost is the only app that shares IP zones designated to multiple apps (except for apps that hit MSECN zone). Keep in mind that just becasuse an IP address that SVCHost wants access to can’t be resolved to a domain name don’t mean you can deny it access. I have a zone called ‘SVCHost - ???’ with unresolvable addresses in it. And there’s zones for other apps like that too.

Apps dont’ share each other’s zones, but SVCHost will share some apps zones. And there are som MS edge cache network IPs shared by sevral apps, but there are some MSECN IPs that ONLY SVCHost uses.

Zones and port sets are your friends; I hate typing IP addresses in all over the place. Put it in a zone and you’re done w/it (just pick the zone when you need it for a new rule).

Good read - thanks peeps!

Even if, as said, probably most often not being malwares, i am still waiting for a good reason for Adobe or whatever legit software to connect to wan (there also are legit svchost requests on lan) when the user doesn’t know why.

  1. This protection is 100% useless.
  2. It appeared that blocking process C:\Windows\System32\slui.exe from running solves the problem.

Every sh1tty util, no matter how useless it is can run as a service, and then it will look like a prompt from SVCHost to connect to somewhere, which I regard as spying actions against me.
I don’t like the soft that checks for updates without my permission. I hate when they do it stealthily. I usually block such behavior and only allow it in case I initiated this update check.

Again - WRONG!
Take a look at the that topic - I already posted some locations which don’t belong to Microsoft if we judge by whois lookup. Who the hell could know that Microsoft rents other companies’ servers instead of building it’s own ones?

That’s why I started this topic to make things clear for me and for others, who hate all this spyware.

Akamai is a content delivery service. They are fairly widely used. The concept here is that they mirror web content such as downloads or videos from the clients servers and host them in data centers throughout the world.

This way, a company (in this instance Micro$oft) doesn’t need to build data centers all over to service their clients. The client can grab content from a datacenter closer to their location giving quicker access.