Internet Went Again [Resolved]

This afternoon I got back home to find my internet had gone again. However, this time there was a notice for svhostexe trying to gain access to the internet. As I was not at the PC it must have gone down. Can someone tell me, should svhostexe have access to the internet, and if so is there any specific bound for it? It's showing that it's been trying UDP and UDP/TCP.

Thanks

you said that “svhostexe” has been blocked. Hopefully this is a typographical error, and what you intended was that “svchost.exe” was blocked.

The difference I’m looking at is the “sv” vs “svc” as shown in blue.

svchost.exe is a vital windows service that shouldn’t be blocked, as it will terminate your internet connection. It will be located in c:\windows\system32…

On the other hand, “svhost.exe” is a filename associated with various viruses; it is intended to fool the user into thinking it is the aforementioned Windows service, and be allowed to run.

LM

Sorry, yes, it's svchost.exe.

I've set it now to allow OUT, but what about IN?

If you set it for TCP/UDP In/Out you’re certainly covered. You could also wait for a popup and create the rule that way, by selecting “Remember”. A popup is pretty much guaranteed if you move Alert Frequency (security/advanced/miscellaneous) to High; click OK and reboot.

After login, you’ll surely get some alerts for svchost.exe to connect on ports 53, 67, 68, which you can “remember” and allow.

Also by way of example, attached is a screenshot of my rules for svchost.exe. I only allow it to connect to renew DNS and DHCP, in order to get & keep the internet connection; thus these rules are sufficient for my purposes.

Hope that helps,

LM

[attachment deleted by admin]

Here's what I'm allowing/denying for svchost.

[attachment deleted by admin]

Internet went down again, even with that set like it is.

82...***::dhcp(68) (that IP is mine)
svchost
Application Denied

The image shows what's blocked at the time it went down.

As I was not at the computer I'm not 100% sure it's the correct timing of it, but I think it is.

Also, don't know if this helps :S

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\**>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : windowsxpsp2
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Scientific-Atlanta WebSTAR 2000 series Cable Modem
        Physical Address. . . . . . . . . : 00-16-92-5A-5C-67
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 82.**.**.***
        Subnet Mask . . . . . . . . . . . : 255.255.248.0
        Default Gateway . . . . . . . . . : 82.33.56.1
        DHCP Server . . . . . . . . . . . : 62.30.64.112
        DNS Servers . . . . . . . . . . . : 62.31.176.39
                                            194.117.134.19
                                            195.188.53.175
        Lease Obtained. . . . . . . . . . : 07 March 2007 14:00:12
        Lease Expires . . . . . . . . . . : 08 March 2007 14:00:12

Taken from IPCONFIG in CMD.

[attachment deleted by admin]

For your application rule, you’ve got to allow svchost.exe to have an inbound connection, so you’ll need to change that “block” rule to “allow.” Here’s what happens (short version), and why you lost the connection, as it relates to DHCP…

Your computer sends a request to the DHCP server (via svchost.exe), using port 67. The DHCP server responds with the lease renewal (via svchost.exe), using port 68. Since you have the inbound blocked, the DHCP server response is lost. Thus, the DHCP lease does not get renewed, and the connection is dropped.

I know you’re probably concerned about security in this way, but that’s not an issue. With CFP, an application rule giving Inbound access doesn’t mean that the application can somehow generate or accept an unsolicited inbound attempt; it just means that when an authorized Inbound connection occurs for the application, it can accept it.

In order for it to be an authorized Inbound connection, it has to be allowed by the Network Monitor, and the Network Monitor does not accept unsolicited Inbound connections (this is the purpose of the bottom Block All IP In/Out rule) - provided of course that the user doesn’t add a rule to Allow Inbound traffic across the board. When svchost.exe sends out the request for the DHCP lease, the NetMon allows the Outbound traffic. The DHCP server’s response to that, even though on a different port, is an Inbound response to an Outbound request. This is the same way you are able to browse the internet, access websites, and download stuff.

So all that said, change that block In rule for svchost.exe to allow, and reboot. You should be good to go.

LM

Pardon my barging in here, but I have a question with svchost and App & Net Mon rules. Since I have the certified apps option enabled and no Net Mon rule allowing any incoming TCP or UDP (except for uTorrent), how is it that my net access is not blocked?

On a note about svchost, there are a few things it is used for on a regular basis:

Contact your DNS Server(s) (destination port 53), contact your DHCP Server (destination port 67), receive reply from the DHCP Server (destination port 68), and Windows Automatic Updates (sorry, I don’t know the ports there off the top of my head, as I don’t do auto updates any more; I do it manually from the browser/update website).

It uses UDP for the first three items; I’m not sure on the Updates what protocol it uses.

svchost.exe is also used by the majority of Windows Services that might want to contact the internet. This is part of the reason that I have it limited in the Application Monitor; thus, it is only allowed to establish a connection the way those three rules say.

You can tighten your existing svchost.exe rules, if you want, in this way. However, you need to make sure first that you have it working, and understand how to tighten them up.

LM
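To make the two-layer logic from LM's DHCP explanation and the port list above concrete, here is an added toy model (not Comodo's code, and not from anyone in this thread): an Application Monitor rule table for svchost.exe in front of a stateful Network Monitor whose bottom rule is "Block All IP In/Out". The DHCP server address is taken from the ipconfig output in the thread; the probe source 198.51.100.7 is a constructed documentation address.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    app: str          # owning process, e.g. "svchost.exe"
    direction: str    # "out" or "in"
    proto: str        # "UDP" or "TCP"
    local_port: int   # port on this PC (68 for the DHCP client)
    remote_port: int  # port on the other end (67 for the DHCP server)
    remote_ip: str

@dataclass
class Firewall:
    # Application Monitor: (app, direction) -> "allow" or "block"; unknown = block
    app_rules: dict
    # Network Monitor state: outbound flows already allowed, so that a reply to
    # one of them counts as a solicited inbound packet
    flows: set = field(default_factory=set)

    def check(self, p: Packet) -> str:
        if self.app_rules.get((p.app, p.direction), "block") != "allow":
            return "Application Denied"          # the entry seen in willas00's log
        key = (p.proto, p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "out":
            self.flows.add(key)                  # remember the request we sent
            return "allowed"
        if key in self.flows:                    # inbound answer to our own request
            return "allowed"
        return "Blocked by Network Monitor"      # bottom Block All IP In rule

DHCP_SERVER = "62.30.64.112"   # from the ipconfig/all output posted above

# willas00's original rules: svchost.exe may go out but is blocked coming in
BROKEN_RULES = {("svchost.exe", "out"): "allow", ("svchost.exe", "in"): "block"}
# LM's advice: allow In as well
FIXED_RULES = {("svchost.exe", "out"): "allow", ("svchost.exe", "in"): "allow"}

def dhcp_renewal(app_rules):
    """Client request 68 -> 67, then the server's reply 67 -> 68."""
    fw = Firewall(app_rules)
    request = Packet("svchost.exe", "out", "UDP", 68, 67, DHCP_SERVER)
    reply = Packet("svchost.exe", "in", "UDP", 68, 67, DHCP_SERVER)
    return fw.check(request), fw.check(reply)

def unsolicited_probe(app_rules):
    """Inbound DHCP-looking packet that answers no request we sent."""
    fw = Firewall(app_rules)
    return fw.check(Packet("svchost.exe", "in", "UDP", 68, 67, "198.51.100.7"))
```

With BROKEN_RULES the reply is "Application Denied" and the lease is never renewed; with FIXED_RULES the renewal completes, yet the unsolicited probe is still dropped by the Network Monitor, which is the point LM makes about inbound application rules not opening the PC to unsolicited traffic.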

With the Certified Apps on, svchost.exe alerts are effectively taken out of the picture, provided that you have not at some point created a block…

You don’t have to have an Inbound NetMon rule; see my explanation to willas00…

I’ve changed the color to blue, just for you… :wink:

LM

Thanks. Getting closer to what I thought it was.

Never mind. I just realized that willas00’s pic was on his App Mon rules specifically blocking svchost. It makes sense now since I don’t have blocks from that level.

As I understand it, the localhost loopbacks are used as a means for applications to communicate (that’s the simplified version; I couldn’t easily understand the technical version, which I think must have been written in some space alien language).

Without the loopbacks skipped, I have seen svchost.exe connections showing up in the Connections tab for the loopback, but this was a while back…

LM

Sorry. I edited my post right after you posted your latest one. I thought willas00’s 2nd pic was on the Net Mon rules, which was what confused me with my setup. (obviously not awake yet :P)

Right, I've put svchost to allow for both in/out, as in the screenshot a couple of posts up but with allow on both. I reset Comodo (hope that's OK, don't really want to reboot the PC); it's due to renew at 14.00 UK time, so we shall see if it's OK…

What I don't understand is that it was all working fine the other week (as stated in a previous post); now it's gone again… I think it all seems to add up that I've been blocking svchost because the Comodo popup says it could be an attempt to hijack your PC or could be a trojan. And if they're denied the IP won't renew… so maybe this should work.

Thanks!

Well, this should get your connectivity back. However, the alert you’re describing is part of Application Behavior Analysis and is a different issue… Well, it’s the cause of the block, as you know, but the question that way is, what exactly was the alert that caused you to block svchost.exe?

If you don’t remember, do you still have the entry in the Activity Logs, or the Logfile? It will be an Application Behavior Analysis entry (as opposed to a Network Monitor, Application Monitor, etc). If so, can you copy/paste that specific alert to your post?

LM

It's an alert that says svchost.exe is trying to use Windows Media Player to gain access to the internet.

That's what I came back to the other day to find it was all dead.

Oh, I see. An OLE Automation message, sounds like. In that scenario, WMP was either open, or had been open at some point in the “recent” past (some users report an hour or more, although I usually only experience it within 30 minutes of closing an internet application). Then svchost.exe goes to access the internet for some reason (probably legit). Because of the way internal communications happen, this shows up as svchost using wmp to access the internet. When that happens, you can either Allow (which will be for that session/instance only), or Deny (which will be for that session/instance only). If you tick the “Remember” box, that will create a rule in the Application Monitor.

There’s been a lot of confusion about this from users (myself included), as we non-programmers really don’t understand how that works, and we’re not used to this from a firewall. :wink: The poor development team has really caught grief over this, uh, “feature.” ;D Here’s egemen’s most recent response as to why it’s important: https://forums.comodo.com/index.php/topic,4728.msg35532.html#msg35532

Hope that helps,

LM

So leave the allowed TCP/UDP In/Out rule for svchost.exe after your destined time. If it works, you can later restrict it like LM’s rules.

Nope, it still went down… any suggestions would be great.

I can provide logs tomorrow when it's due to go down, because I'm going to be here.

What if I deleted svchost as a rule so that it would ask me again?

willas00, what are/were your current application rules on svchost.exe, allow everything in and out? If so, then it must be something else causing this disconnect. You can post your log for the past day or week (edited of course) for us.