How do I block a service

Dear community,

I have a problem with svchost.exe. I am not able to figure out the services behind svchost.exe. I believe you can only determine the service, by looking at the command line. Unfortunately the pop up dialog doesn’t show that information. This way I only can block all or nothing. That is not very useful. I would like to block individual services. Or is that not possible? I guess it is probably more likely that I don’t know how.

Thanks, Dave

Why do you want to do that??? It could risk your computer. Just download Process Explorer and see what is loaded in svchost. It will show all the DLLs loaded therein and you can kill anything which is not needed. However, I would like to point out that this is a very critical application and should not be toyed with without actual knowledge of what you are doing. AFAIK, CIS as a default rule has a protective layer for svchost.

If you really want to do that, open My Protected Files under CIS>Defense+>Common Tasks>My Protected Files

Remove svchost.exe from that list. Then it will be loaded under CIS>Defense+>Advanced>Computer Security Policy without graying out. You can then instruct CIS what is to be loaded or not. But I think this is a very risky proposition considering the importance of svchost.

Again, do not try even this until somebody else from this forum confirms.

Hi Layman.

thanks for your quick response!

I agree it is not a good idea to block svchost.exe. I only would like to block some services (which are spawned by svchost.exe). Unfortunately this doesn’t seem to be possible.

It is all or nothing, unfortunately.

Thanks, Dave

Read the second and third paras carefully. It should show the DLLs loaded under access rights when loaded in the normal window of computer security policy.

Why don’t you use process explorer to see them?

Hi Layman,

thanks again for your patience!

I indeed read your email too quickly. My apologies!

I tried this, but couldn’t find svchost.exe (it was not in “startup folders”, important folders and so on).

But I had seen it already in CIS>Defense+>Common Tasks>My Protected Files->Groups (windows updater applications) and removed it from there.

Then it will be loaded under CIS>Defense+>Advanced>Computer Security Policy without graying out. You can then instruct CIS what is to be loaded or not. But I think this is a very risky proposition considering the importance of svchost.

Again, do not try even this until somebody else from this forum confirms.

I could not find svchost.exe in the “computer security policy” list. (but I can see services.exe for example). Therefore I could “instruct CIS what is to be loaded or not”. I would be grateful for any pointers.

By the way, I installed CIS 3.9…509 and set CIS to defense+-safe-mode and firewall-custom-mode

Thanks,
Dave

Why are you so keen to play with these protected files?

As I have mentioned two times before, you can see all the DLLs loaded into svchost using Process Explorer (Process Explorer - Sysinternals | Microsoft Learn). That is much safer. svchost is an important part. Let that be protected by CIS, while for seeing what is loaded use Process Explorer. This is my suggestion.

Dear Layman,

My apologies again, I forgot to mention. Yes, I am very familiar with procexp. And I can see all services (svchost.exe plus the command line parameter). I was also able to configure CIS in a way that I get alerts/popups when a service connects to the internet. Unfortunately it doesn’t seem possible to determine which service is connecting through svchost.exe to the internet. I only would like to block (the internet access of) one or two services, not all.

Thanks,
Dave
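
Added example, not part of the original thread: one way to list which services each svchost.exe instance hosts and which remote endpoints that instance currently talks to. It assumes Windows 8 / Server 2012 or later with PowerShell 3.0+ (newer than the system discussed in the thread); the variable names and output column names are illustrative.

```powershell
# Added example (assumption: Windows 8 / Server 2012 or later, PowerShell 3.0+).

# 1. Running services whose binary path is svchost.exe, grouped by host PID.
$hosted = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' } |
    Group-Object -Property ProcessId

# 2. Established TCP connections, indexed by the owning PID (as a string key).
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString
if (-not $conns) { $conns = @{} }

# 3. One row per svchost.exe instance: hosted services plus remote endpoints.
$rows = foreach ($g in $hosted) {
    $procId = [string]$g.Name
    $remote = ''
    if ($conns.ContainsKey($procId)) {
        $remote = ($conns[$procId] |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
            Sort-Object -Unique) -join ', '
    }
    [pscustomobject]@{
        HostPid         = [int]$procId
        Services        = ($g.Group.Name | Sort-Object) -join ', '
        Shared          = ($g.Count -gt 1)   # more than one service in this process
        CommandLine     = $g.Group[0].PathName
        RemoteEndpoints = $remote
    }
}

$rows | Sort-Object -Property HostPid | Format-Table -AutoSize -Wrap
```

Get-NetTCPConnection reports only the owning process ID, so a row with Shared = True narrows a connection to that group of services, not to a single one of them.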