How to harden Windows (SVCHost)

SVCHost is one of the most mysterious things about Windows. The only thing remotely congruent to Windows mysteriousness w/respect to SVCHost is everything else about Windows, except the Start button (used to shut down), or the BSOD (which definitely is NOT mysterious, because the system just crashed, D'HUH.).

Oh, you want to know the meaning of the cryptic BSOD message from the great CPU beyond (and how to resolve the issue causing them?). Well, IF you knew the answer to the meaning of life, the universe, and everything, well, then you’d be the Man, wouldn’t you? You’d certainly not be on this board. That notwithstanding, I digress…

Suffice it to say that SVCHost is an extremely enigmatic Windows thing that does stuff. More concretely, svchost.exe is the generic host process for Windows services that are implemented as DLLs: several instances run at once, each hosting a group of services, and they typically run as SYSTEM, LocalService or NetworkService. That is why it has carte blanche access to pretty much anything it wants, e.g., any file, process or resource on YOUR system, and can phone anywhere it wants and invite friends for a mondo toga party into YOUR system. It has access to your credit card, can siphon the fuel out of your yacht docked some umpteen miles away, and commandeer Lear jets (in your name) to any destination it chooses. Another name for SVCHost is Albert Lindsey Einstein-Lohan.

Why? Well, take a look in the Comodo file-groups and examine which group SVCHost belongs in. Now take a look at the access rights that file-group has.

IF - and it’s a virtual guarantee it will - so rather, WHEN SVCHost pesters you ‘bout sumpin, YOU needs to be looking through your electron microscope at it (unless you just grok what’s goin’ on). We can argue which one is best, i.e., either TEM, SEM, REM, STEM or LVEM), but that entirely misses the point. Look, if you check out Comodo ‘Active Process List’, you’ll see several instances of SVCHost. What’s up with that? See. Told ya.

So how do you know that SVCHost is cool or merely Lindsey Lohan?

Well, thanx for askin’. Open a cmd shell and type:

tasklist /FI "IMAGENAME eq svchost.exe" /svc

That's just a plain microscope, but you can see that under the purview of each SVCHost instance is a whole slew of services. Can you trust Lindsey Lohan with your life?

What access permissions does SVCHost have w/in Comodo?

Do yourself a favor and make a shortcut on your desktop that links to a CMD file containing ONLY the above mentioned command; you need to be familiar with what is normal SVCHost, and what is Lindsey Lohan SVCHost; you need instant availability of the SVCHost services currently running on your system at any arbitrary time of an SVCHost-specific alert, to discern if it is Lindsey-Lohaning it up (or if it is just doing its 'normal' ■■■■■■/Stalin/Genghis Khan type Einstein/John Kerry thing).

YOU needs to be instantly discerning whether something is not right w/SVCHost at any arbitrary instant. If you want to know what all those things that SVCHost is doing do, then look 'em up (Google is in your head and can make people do Lohandsey things) ; you needs to know what is normal for it though. There is a PowerShell util that’ll flag stuff in various colors and whatnot, drawing attention to things that are Lindsey Lohan SVCHost things (beyond the scope of this post though). Google is your friend…
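As an added example (not from the original post, and not the PowerShell util mentioned above), here is a script that does the same PID-to-services mapping as the tasklist command, then flags the things a practitioner actually wants flagged: an svchost whose image path is not %windir%\System32\svchost.exe (a lookalike binary), an svchost hosting no services at all, and any hosted ServiceDll that is not validly signed. It also records the service groupings to a baseline file on the first run and reports new groupings on later runs. It assumes PowerShell 5.1 or later; the baseline file location is an arbitrary choice, and image paths of other users' processes are only visible from an elevated shell.

```powershell
# Added example, not the post's own tool: map svchost instances to hosted services,
# flag anomalies, and diff the groupings against a saved baseline.
# Assumes PowerShell 5.1+; $Baseline is an arbitrary location chosen for this example.

$Baseline = Join-Path $env:USERPROFILE 'svchost-baseline.json'
$Expected = Join-Path $env:windir 'System32\svchost.exe'

# Running services grouped by the PID that hosts them (stopped services have ProcessId 0).
$byPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object ProcessId

$current = @{}
foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $svcs  = ($byPid | Where-Object { [int]$_.Name -eq $p.Id }).Group
    $names = @($svcs | Select-Object -ExpandProperty Name | Sort-Object)
    $path  = $p.Path   # $null when access is denied (run elevated to see every instance)

    $flags = @()
    if ($path -and $path -ne $Expected) { $flags += "image path is $path" }
    if ($names.Count -eq 0)            { $flags += 'hosts no services' }

    # Each hosted service points at its DLL via ServiceDll; expect a valid Authenticode signature.
    foreach ($s in $svcs) {
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
        $dll = (Get-ItemProperty $regPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
            if (-not $sig -or $sig.Status -ne 'Valid') {
                $flags += "$($s.Name): $dll signature status '$($sig.Status)'"
            }
        }
    }

    $key = ($names -join ',')
    $current[$key] = $true
    $colour = if ($flags) { 'Red' } else { 'Green' }
    Write-Host ("PID {0,-6} {1}" -f $p.Id, ($names -join ', ')) -ForegroundColor $colour
    foreach ($f in $flags) { Write-Host "    !! $f" -ForegroundColor Yellow }
}

# First run writes the baseline; later runs report service groupings not seen before.
if (Test-Path $Baseline) {
    $known = Get-Content $Baseline | ConvertFrom-Json
    foreach ($k in $current.Keys) {
        if ($known -notcontains $k) { Write-Host "NEW service group: $k" -ForegroundColor Magenta }
    }
} else {
    @($current.Keys) | ConvertTo-Json | Set-Content $Baseline
    Write-Host "Baseline written to $Baseline"
}
```

Take the baseline on a day you trust the box; a new grouping is not automatically evil (Windows regroups services after updates, and splits them further on machines with more memory), but it is exactly the moment to run the tasklist command above and look closely before clicking 'allow'.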

So. Let's talk 'bout hardening Windows, i.e., get a grip on SVCHost by riding herd on it with Comodo. You can do what you want: I put it in a straight-jacket, throw it into an isolation room with rubber bumper walls and hand it the nuclear launch buttons.

First thing needed to be done is create a computer security policy rule for:

%windir%\SVCHost.exe

Make sure that all access names are ‘ask’. Then check the ‘allow’ DNS/Client service access name box.

Now you want to configure the security policy with the following:

executable

%PROGRAMFILES%\Common Files\Microsoft Shared\Help 9\dexplore.exe
%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
%windir%\PCHealth\HelpCtr\Binaries\helpsvc.exe
‘MS update’ file-group
%SYSROOT32%\wbem\wmiadap.exe
%SYSROOT32%\wbem\wmiprvse.exe
%SYSROOT32%\rsmsink.exe
%SYSROOT32%\wuauclt.exe
E:\Adobe\Reader\AcroRd32Info.exe

protected registry keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\*\Blob
HKLM\SYSTEM\ControlSet???\Services\BITS
HKLM\SYSTEM\ControlSet???\Services\remoteaccess
HKLM\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup\Registry Writer
HKLM\SYSTEM\ControlSet001\Control\Network\{GUID of installed network adapter}\{GUID of active network connection, e.g., 'Local Area Connection'}\Connection\PnpInstanceID

HKLM\SYSTEM\ControlSet001\Services\{GUID of active network connection}\Parameters\Tcpip\DhcpDefaultGateway
HKLM\SYSTEM\ControlSet001\Services\{GUID of active network connection}\Parameters\Tcpip\DhcpSubnetMaskOpt
HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters\{GUID of active network connection}
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider\EventMessageFile
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider\TypesSupported
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\DhcpNodeType
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\DhcpScopeID
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID of active network connection}\DhcpNameServerList
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID of active network connection}\DhcpNetbiosOptions
HKLM\SYSTEM\ControlSet001\Services\NtmsSvc\Config\Standalone
HKLM\SYSTEM\ControlSet001\Services\NtmsSvc\Config\Standalone\DriveList
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpDomain
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID of active network connection}\DhcpClassIdBin
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID of active network connection}\DhcpDefaultGateway
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID of active network connection}\DhcpDomain
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID of active network connection}\DhcpNameServer
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID of active network connection}\DhcpRetryStatus
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID of active network connection}\DhcpRetryTime
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID of active network connection}\DhcpSubnetMaskOpt

HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\Identifier to Host (one of possibly several subkeys)\Blob

If you omit the above, Comodo will alert on access to whichever certificate subkey applies on your host. On that alert, allow and 'remember this' (badda-boom. Bing Bing Bing! and tons of nickels pour out...)

HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec

protected files/folders

\Device\Afd\Endpoint
\Device\NDISTAPI
%SYSROOT32%\*
%SYSROOT32%\audiosrv.dll
%SYSROOT32%\CatRoot2\edb.chk
%SYSROOT32%\CatRoot2\edb.log
%SYSROOT32%\CatRoot2\edbtmp.log
%SYSROOT32%\cryptsvc.dll
%SYSROOT32%\dhcpcsvc.dll
%SYSROOT32%\dnsrslvr.dll
%SYSROOT32%\mswsock.dll
%SYSROOT32%\netman.dll
%SYSROOT32%\rasmans.dll
%SYSROOT32%\rpcss.dll
%SYSROOT32%\schedsvc.dll
%SYSROOT32%\sens.dll
%SYSROOT32%\shsvcs.dll
%SYSROOT32%\tapisrv.dll
%SYSROOT32%\termsrv.dll
%SYSROOT32%\wbem\Logs
%SYSROOT32%\wbem\Logs\wbemcore.log
%SYSROOT32%\WBEM\Repository\$WinMgmt.CFG
%SYSROOT32%\wbem\WMIsvc.dll
%SYSROOT32%\wecsvc.dll
%SYSROOT32%\wkssvc.dll
%SYSROOT32%\wuauserv.dll
%windir%\Prefetch\NTOSBOOT-B00DFAAD.pf
%windir%\SoftwareDistribution
%windir%\SoftwareDistribution\AuthCabs
%windir%\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\authcab.cab
%windir%\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\Extracted
%windir%\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\Extracted\authorization.xml
%windir%\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\muauth.cab
%windir%\SoftwareDistribution\AuthCabs\authcab.cab
%windir%\SoftwareDistribution\AuthCabs\Downloaded\7971f918-a847-4430-9279-4a52d1efe18d.auth.cab.extracted
%windir%\SoftwareDistribution\AuthCabs\Downloaded\7971f918-a847-4430-9279-4a52d1efe18d.auth.cab.extracted\authorization.xml
%windir%\SoftwareDistribution\AuthCabs\Downloaded\7971f918-a847-4430-9279-4a52d1efe18d.auth.cab.temp
%windir%\SoftwareDistribution\AuthCabs\Downloaded\7971f918-a847-4430-9279-4a52d1efe18d.auth.cab.temp\muauth.cab
%windir%\SoftwareDistribution\DataStore
%windir%\SoftwareDistribution\DataStore\DataStore.edb
%windir%\SoftwareDistribution\DataStore\Logs
%windir%\SoftwareDistribution\DataStore\Logs\edb.chk
%windir%\SoftwareDistribution\DataStore\Logs\edb*.log
%windir%\SoftwareDistribution\DataStore\Logs\edbtmp.log
%windir%\SoftwareDistribution\DataStore\Logs\res?.log
%windir%\SoftwareDistribution\DataStore\Logs\tmp.edb
%windir%\SoftwareDistribution\DataStore\Logs\tmp.stm
%windir%\SoftwareDistribution\Download\*
%windir%\SoftwareDistribution\Download\*\*
%windir%\SoftwareDistribution\Download\*\*.tmp
%windir%\SoftwareDistribution\ReportingEvents.log
%windir%\SoftwareDistribution\SelfUpdate
%windir%\SoftwareDistribution\SelfUpdate\Default
%windir%\SoftwareDistribution\SelfUpdate\Default\wsus3setup.cab
%windir%\SoftwareDistribution\SelfUpdate\Default\wsus3setup.cat
%windir%\SoftwareDistribution\SelfUpdate\Default\wsus3setup.inf
%windir%\SoftwareDistribution\SelfUpdate\Default\wuident.txt
%windir%\SoftwareDistribution\SelfUpdate\Registered
%windir%\SoftwareDistribution\SelfUpdate\Registered\muident.txt
%windir%\SoftwareDistribution\SelfUpdate\Registered\musetup.cab
%windir%\SoftwareDistribution\SelfUpdate\Registered\musetup.cat
%windir%\SoftwareDistribution\SelfUpdate\Registered\musetup.inf
%windir%\SoftwareDistribution\WuRedir
%windir%\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D
%windir%\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\wuredir.cab
%windir%\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\wuredir.cab.bak
%windir%\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77
%windir%\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab
%windir%\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab.bak
%windir%\TAPI\tsec.ini
%windir%\Tasks\boinc.job
%windir%\Tasks\MP Scheduled Scan.job
%windir%\Tasks\SchedLgU.Txt
%windir%\WindowsUpdate.log

NOW you can remove SVCHost from the Comodo file-group.

You may receive a few alerts concerning SVCHost that are normal for YOUR host.

Your system SHOULD work (allowing, responding with 'remember this' and whatnot) and not go away on you.

It is my opinion if one is truly paranoid: the minimum set of rules are the aforementioned. You’re free to discern how much of what I posted is fluff.

You figure out what's being allowed and YOU decide if it's necessary. Fact of the matter is, if you implement the foregoing, you're leaps & bounds ahead of the opposition.