how to tell what service is using services.exe?

Comodo periodically tells me that services.exe is trying to reach my DNS server, but it doesn’t give me any help in finding out why. If services.exe is acting on behalf of a system service or other component, it would be very helpful if Comodo would tell me which one. It would also be helpful if Comodo would tell me what domain name it was trying to look up. Without knowing those things, I don’t know if I want to allow it or not.

(I realize that DNS lookups are common, but they are also a form of “leak”, because a clever program can transmit all kinds of information to a remote server via DNS lookups.)

Is there some way I can get Comodo to give me more information here?

Hi forest

That is odd, SERVICES.EXE doesn’t access the Net itself directly, it usually uses SVCHOST.EXE for that. Check CFP’s Log (Activity tab) for that Alert & double check that SERVICES is not using SVCHOST. If it is using SVCHOST, the DNS lookup is probably for an MS IP & it’s probably Windows Update trying to check for updates or a time-sync attempt or something similar.

From what I see in the log, it doesn’t look like it’s using SVCHOST. Here’s what the log captured:

Date/Time :2007-06-08 19:03:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (SERVICES.EXE:208.201.224.11:  :dns(53))
Application: D:\WINNT\system32\SERVICES.EXE
Parent: D:\WINNT\system32\WINLOGON.EXE
Protocol: UDP Out
Destination: 208.201.224.11::dns(53)

Date/Time :2007-06-08 19:03:46
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (SERVICES.EXE:208.201.224.33:  :dns(53))
Application: D:\WINNT\system32\SERVICES.EXE
Parent: D:\WINNT\system32\WINLOGON.EXE
Protocol: UDP Out
Destination: 208.201.224.33::dns(53)

I wish I could tell for sure, regardless of which process is doing the DNS lookup. Wouldn’t it be nice if Comodo would examine the contents of DNS request packets, and show me what domain was being looked up? If it did that, I’d actually know what I’m allowing or denying.

WINLOGON.EXE is the parent of SERVICES.EXE, so that’s true. Whilst SERVICES.EXE doesn’t do DNS resolutions in XP, it does, I believe, in W2K. What OS are you running, forest?

That is odd, SERVICES.EXE doesn't access the Net itself directly, it usually uses SVCHOST.EXE for that. Check CFP's Log (Activity tab) for that Alert & double check that SERVICES is not using SVCHOST. If it is using SVCHOST, the DNS lookup is probably for an MS IP & it's probably Windows Update trying to check for updates or a time-sync attempt or something similar.

But still, we see that SERVICES.EXE is accessing the network through SVCHOST.EXE, but there’s no way of knowing which service is accessing the network. Is there no way of specifying, for example, that the Windows Update service can do a TCP out to port 80, the service that checks the time can access the time server at whatever port, and other services should be blocked?

Is it possible for malware to install a service, such that it’s SERVICES.EXE accessing the net through SVCHOST.EXE?

Or does SVCHOST.EXE implement only a fixed number of built-in services?

I don’t know, but I always thought services under Windows were like control panel applets: all run with the same executable. I hope I’m wrong about this…

I’m running Windows 2000, which would explain it, but my question/suggestion stands. It would be nice if the firewall would inspect DNS queries, and allow me to choose which domain name queries to allow.

The bottom line is, as long as the path is %Systemroot%\System32 (usually C:\Windows\System32), it’s the Microsoft executable which manages DLLs and other services.
If the path is anything other than that location, it’s either a virus or a Trojan.
See also: Microsoft Support
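Two things asked in this thread can be answered from the machine itself: which services are riding inside a given services.exe/svchost.exe instance, and whether the host image and each service's code live under the Windows directory, which is the path check in the last reply. The script below is an added example written for this page, not Comodo's or Microsoft's code; it assumes a current Windows with PowerShell 5.1 or later and an elevated session (the Path of SYSTEM processes is blank otherwise), and the function names are my own.

```powershell
# Added example, not from the thread: for each services.exe / svchost.exe
# instance, list the services it hosts, where their code lives, and flag
# anything outside %SystemRoot%, which is the path check from the last reply.
# Assumes Windows with PowerShell 5.1+ in an elevated session.

$sysRoot = $env:SystemRoot.TrimEnd('\')

function Test-UnderSystemRoot([string]$Path) {
    # Strip quotes and arguments ("C:\x\y.exe" -k foo), then compare the prefix.
    if (-not $Path) { return $false }
    $exe = if ($Path.StartsWith('"')) { $Path.Split('"')[1] } else { $Path.Split(' ')[0] }
    return $exe.StartsWith("$sysRoot\", [StringComparison]::OrdinalIgnoreCase)
}

function Get-ServiceDll([string]$Name) {
    # svchost-hosted services reach their code through the ServiceDll value,
    # normally under the Parameters subkey, sometimes on the service key itself.
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    foreach ($key in "$base\Parameters", $base) {
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
}

# Win32_Service carries the PID hosting each service, so services that share
# one svchost.exe instance can be grouped by ProcessId.
$byPid = Get-CimInstance Win32_Service | Where-Object ProcessId -ne 0 |
         Group-Object ProcessId -AsHashTable -AsString

$report = foreach ($proc in Get-Process -Name services, svchost) {
    $hosted = $byPid["$($proc.Id)"]          # $null for services.exe itself
    $entries = foreach ($svc in $hosted) {
        $code = if ($svc.PathName -match 'svchost\.exe') { Get-ServiceDll $svc.Name } else { $svc.PathName }
        if (-not $code) { $code = '(no ServiceDll found)' }   # unusual: look at it
        $flag = if (Test-UnderSystemRoot $code) { '' } else { ' [OUTSIDE SystemRoot]' }
        "$($svc.Name) -> $code$flag"
    }
    [pscustomobject]@{
        Pid      = $proc.Id
        Image    = $proc.Path                  # the services.exe/svchost.exe binary
        ImageOk  = Test-UnderSystemRoot $proc.Path
        Services = if ($entries) { $entries -join "`n" } else { '(none; services.exe hosts no service itself)' }
    }
}

$report | Sort-Object ImageOk | Format-List
```

On current Windows releases the UDP/53 packets themselves are sent by the svchost.exe instance hosting the DNS Client service (Dnscache) on behalf of whatever called the resolver, so a firewall alert names that group rather than the original requester; the listing still tells you which services share that process and whether any of them load code from an unexpected location.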